Inform Java BigInteger that the input bytes are positive
The COSE spec requires exact sizes for signatures, so any leading zeros
(which indicate a positive integer) are removed. This causes BigInteger
to assume the input is negative if the leading byte is 0xff, and it strips
that byte off. This breaks conversion from COSE -> DER signatures.
Explicitly tell BigInteger the input is always positive (per the COSE
spec) so that it leaves leading 0xff alone.
Test: identity-credential-util-tests
Fixes: 201574298
Change-Id: Ib2e587964125ea15fedd8a6e3ddb2bc422c211e3
diff --git a/identity/util/src/java/com/android/security/identity/internal/Util.java b/identity/util/src/java/com/android/security/identity/internal/Util.java
index b74efb7..4ec54a7 100644
--- a/identity/util/src/java/com/android/security/identity/internal/Util.java
+++ b/identity/util/src/java/com/android/security/identity/internal/Util.java
@@ -401,8 +401,10 @@
if (signature.length != 64) {
throw new RuntimeException("signature.length is " + signature.length + ", expected 64");
}
- BigInteger r = new BigInteger(Arrays.copyOfRange(signature, 0, 32));
- BigInteger s = new BigInteger(Arrays.copyOfRange(signature, 32, 64));
+ // r and s are always positive and may use all 256 bits so use the constructor which
+ // parses them as unsigned.
+ BigInteger r = new BigInteger(1, Arrays.copyOfRange(signature, 0, 32));
+ BigInteger s = new BigInteger(1, Arrays.copyOfRange(signature, 32, 64));
byte[] rBytes = encodePositiveBigInteger(r);
byte[] sBytes = encodePositiveBigInteger(s);
ByteArrayOutputStream baos = new ByteArrayOutputStream();