From b5016428206ea83c49fde303b4b541152d0cb7ac Mon Sep 17 00:00:00 2001
From: Tommy Chiu
Date: Tue, 10 Sep 2024 09:50:02 +0000
Subject: [PATCH] Correct the UDS_pub source

The UDS_pub is supposed to be the first element of DiceCertChain according to generateCertificateRequestV2.cddl.

Bug: 365711214
Test: rkp_factory_extraction_tool
Change-Id: I454a99058d92ce9743810a9334c7ccacccc694e0
---
 security/keymint/support/remote_prov_utils.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index 646037cf31..115b80ba3b 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -1040,14 +1040,15 @@ ErrMsgOr parseAndValidateAuthenticatedRequest(const std::vectorback().pubKey;
+ auto udsPub = diceCertChain->get(0)->asMap()->encode();
+ auto& kmDiceKey = diceContents->back().pubKey;
 auto error = validateUdsCerts(*udsCerts, udsPub);
 if (!error.empty()) {
 return error;
 }
- auto signedPayload = verifyAndParseCoseSign1(signedData, udsPub, {} /* aad */);
+ auto signedPayload = verifyAndParseCoseSign1(signedData, kmDiceKey, {} /* aad */);
 if (!signedPayload) {
 return signedPayload.message();
 }
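Review bot: The first added line, `auto udsPub = diceCertChain->get(0)->asMap()->encode();`, dereferences the result of `get(0)` and then of `asMap()` without checking either, so a chain that is empty or whose first element is not a CBOR map turns into a null dereference (or an out-of-range access, depending on what `get(0)` does on an empty array) while parsing a request that comes from outside the validator. The opening lines of parseAndValidateAuthenticatedRequest are outside this hunk, so it cannot be confirmed here whether an earlier check already guarantees that element is a map; if it does not, the lookup should fail the same way the neighbouring branches do, e.g. `auto* udsPubMap = diceCertChain->get(0) ? diceCertChain->get(0)->asMap() : nullptr;` / `if (!udsPubMap) { return "DiceCertChain[0] (UDS_Pub) is not a COSE_Key map"; }` / `auto udsPub = udsPubMap->encode();` (assuming `get(0)` yields a nullable handle as the `->` usage suggests). A one-line comment on the new line, such as `// UDS_Pub is DiceCertChain[0] per generateCertificateRequestV2.cddl`, would also record why the key now comes from the chain rather than from diceContents. The function body continues both before and after this hunk.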