From f91b8b96029d28ad527ebc948452668b8d5ce8e4 Mon Sep 17 00:00:00 2001 From: Mohammed Riad <52679407+MhmRdd@users.noreply.github.com> Date: Wed, 18 Mar 2026 16:42:49 +0100 Subject: [PATCH] Fix certificate signature algorithm The signing algorithm for the leaf certificate must match the signing key's type (from keybox or attestation key), not the subject key's algorithm. An EC attestation key signing an RSA subject key's certificate would previously select SHA256withRSA (wrong) instead of SHA256withECDSA, producing an invalid or failing certificate. --- .../matrix/TEESimulator/pki/CertificateGenerator.kt | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/app/src/main/java/org/matrix/TEESimulator/pki/CertificateGenerator.kt b/app/src/main/java/org/matrix/TEESimulator/pki/CertificateGenerator.kt index 411c43be..6d6dd00b 100644 --- a/app/src/main/java/org/matrix/TEESimulator/pki/CertificateGenerator.kt +++ b/app/src/main/java/org/matrix/TEESimulator/pki/CertificateGenerator.kt @@ -9,6 +9,8 @@ import java.security.KeyPair import java.security.KeyPairGenerator import java.security.cert.Certificate import java.security.cert.X509Certificate +import java.security.interfaces.ECKey +import java.security.interfaces.RSAKey import java.security.spec.ECGenParameterSpec import java.security.spec.RSAKeyGenParameterSpec import java.util.Date @@ -241,10 +243,13 @@ object CertificateGenerator { ) val signerAlgorithm = - when (params.algorithm) { - Algorithm.EC -> "SHA256withECDSA" - Algorithm.RSA -> "SHA256withRSA" - else -> throw IllegalArgumentException("Unsupported algorithm: ${params.algorithm}") + when (signingKeyPair.private) { + is ECKey -> "SHA256withECDSA" + is RSAKey -> "SHA256withRSA" + else -> + throw IllegalArgumentException( + "Unsupported signing key type: ${signingKeyPair.private.javaClass}" + ) } val contentSigner = JcaContentSignerBuilder(signerAlgorithm)