From fc0dbfee704e95ae87f9020caa11ae3e0d841a51 Mon Sep 17 00:00:00 2001
From: Shikha Panwar <shikhapanwar@google.com>
Date: Thu, 11 Jan 2024 14:24:14 +0000
Subject: [PATCH] InitialPayload of ExplicitKeyDiceCertChain

Change the spec for DiceCertChainInitialPayload, removing the map &
directly equating it to bstr .cbor PubKey. Also mandate it to stick to
Core Deterministic Encoding Requirements. The deterministic encoding is
essential to ensure DicePolicies can be applied on the root key.

Test: Builds
Bug: 319613231
Change-Id: I5e12ecbcbae84ae608d784a12f8ae4afc49b5a9d
---
 .../security/authgraph/ExplicitKeyDiceCertChain.cddl     | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/security/authgraph/aidl/android/hardware/security/authgraph/ExplicitKeyDiceCertChain.cddl b/security/authgraph/aidl/android/hardware/security/authgraph/ExplicitKeyDiceCertChain.cddl
index 3de5617028..2d6c69614a 100644
--- a/security/authgraph/aidl/android/hardware/security/authgraph/ExplicitKeyDiceCertChain.cddl
+++ b/security/authgraph/aidl/android/hardware/security/authgraph/ExplicitKeyDiceCertChain.cddl
@@ -19,11 +19,10 @@ ExplicitKeyDiceCertChain = [
     * DiceChainEntry
 ]
 
-DiceCertChainInitialPayload = {
-    -4670552 : bstr .cbor PubKeyEd25519 /
-               bstr .cbor PubKeyECDSA256 /
-               bstr .cbor PubKeyECDSA384 ; subjectPublicKey
-}
+; Encoded in accordance with Core Deterministic Encoding Requirements [RFC 8949 s4.2.1]
+DiceCertChainInitialPayload = bstr .cbor PubKeyEd25519
+                            / bstr .cbor PubKeyECDSA256
+                            / bstr .cbor PubKeyECDSA384 ; subjectPublicKey
 
 ; INCLUDE generateCertificateRequestV2.cddl for: PubKeyEd25519, PubKeyECDSA256, PubKeyECDSA384,
 ;                                                DiceChainEntry