Correct the UDS_pub source
The UDS_pub is supposed to be the first element of DiceCertChain
according to generateCertificateRequestV2.cddl.
Bug: 365711214
Test: rkp_factory_extraction_tool
Change-Id: I454a99058d92ce9743810a9334c7ccacccc694e0
diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 646037c..115b80b 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -1040,14 +1040,15 @@
return diceContents.message() + "\n" + prettyPrint(diceCertChain);
}
- auto& udsPub = diceContents->back().pubKey;
+ auto udsPub = diceCertChain->get(0)->asMap()->encode();
+ auto& kmDiceKey = diceContents->back().pubKey;
auto error = validateUdsCerts(*udsCerts, udsPub);
if (!error.empty()) {
return error;
}
- auto signedPayload = verifyAndParseCoseSign1(signedData, udsPub, {} /* aad */);
+ auto signedPayload = verifyAndParseCoseSign1(signedData, kmDiceKey, {} /* aad */);
if (!signedPayload) {
return signedPayload.message();
}