From 99b0b1034bde09be81debbf6d42e8714d2406b0a Mon Sep 17 00:00:00 2001
From: Max
Date: Sat, 9 Nov 2024 17:49:26 +0000
Subject: [PATCH] Update UVM endorsements test with fresh endorsements from C-AKS (#6621)
---
 src/node/test/endorsements.cpp | 41 +++++++++++-------------
 src/node/uvm_endorsements.h | 2 +-
 tests/uvm_endorsements/ecdsa_test1.cose | Bin 1721 -> 10843 bytes
 3 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/src/node/test/endorsements.cpp b/src/node/test/endorsements.cpp
index 743d615e4b96..b04e3ff718ab 100644
--- a/src/node/test/endorsements.cpp
+++ b/src/node/test/endorsements.cpp
@@ -24,13 +24,7 @@ TEST_CASE("Check RSA Production endorsement")
 ccf::pal::PlatformAttestationMeasurement uvm_measurement(measurement);
 auto endorsements =
 ccf::verify_uvm_endorsements(endorsement, uvm_measurement);
- REQUIRE(
- endorsements ==
- ccf::UVMEndorsements{
- "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3."
- "6.1.4.1.311.76.59.1.2",
- "ContainerPlat-AMD-UVM",
- "100"});
+ REQUIRE(endorsements == ccf::default_uvm_roots_of_trust[0]);
 }
 TEST_CASE("Check ECDSA Test endorsement")
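Review bot: The new assertion `REQUIRE(endorsements == ccf::default_uvm_roots_of_trust[0]);` takes its expected value from what is presumably the same table the two-argument `verify_uvm_endorsements` call matches against, so the test no longer pins the DID, feed and SVN of the production RSA endorsement on its own. An accidental edit or reordering of `default_uvm_roots_of_trust` would move the expectation with it and the test would still pass; the ECDSA case in the next hunk does the same with index `[1]`. Keeping the removed `ccf::UVMEndorsements{...}` literal as the expected value, or at least a comment such as `// [0]: ContainerPlat-AMD-UVM production root` beside the index (if that is still what entry 0 holds), would keep the intended trust anchor visible in the test. The TEST_CASE body begins above this hunk.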
@@ -42,27 +36,28 @@ TEST_CASE("Check ECDSA Test endorsement")
 REQUIRE(!endorsement.empty());
 ccf::pal::SnpAttestationMeasurement measurement(
- "5a84c66e9c8dd1a991e6d8b43a8aaae488940f87ce25ef6a62ad180cc3c73554ed7e4ccd10"
- "13456602758778d9d65c48");
+ "1b66347ceafca663690ff17ed2144b8acdee661edc5d28e69a7c85dde7ba0c3a6f9862096e"
+ "8b38da7aa622ddeed75c37");
 ccf::pal::PlatformAttestationMeasurement uvm_measurement(measurement);
- REQUIRE_THROWS_WITH_AS(
- ccf::verify_uvm_endorsements(endorsement, uvm_measurement),
- "UVM endorsements did "
- "did:x509:0:sha256:VFsRLNBh5Zy1HRtVl2IIXAl0lUs-xobEbskZ3XRDpCY::subject:CN:"
- "Test%20Leaf%20%28DO%20NOT%20TRUST%29, feed ConfAKS-AMD-UVM-Test, svn 0 do "
- "not match any of the known UVM roots of trust",
- std::logic_error);
 std::vector custom_roots_of_trust = {
 ccf::UVMEndorsements{
- "did:x509:0:sha256:VFsRLNBh5Zy1HRtVl2IIXAl0lUs-xobEbskZ3XRDpCY::subject:"
- "CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29",
- "ConfAKS-AMD-UVM-Test",
- "0"}};
+ "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3."
+ "6.1.4.1.311.76.59.1.5",
+ "Malicious-ConfAKS-AMD-UVM",
+ "1"}};
+ REQUIRE_THROWS_WITH_AS(
+ ccf::verify_uvm_endorsements(
+ endorsement, uvm_measurement, custom_roots_of_trust),
+ "UVM endorsements did "
+ "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6."
+ "1.4.1.311.76.59.1.5, feed ConfAKS-AMD-UVM, svn 1 do not match any of the "
+ "known UVM roots of trust",
+ std::logic_error);
- auto endorsements = ccf::verify_uvm_endorsements(
- endorsement, uvm_measurement, custom_roots_of_trust);
- REQUIRE(endorsements == custom_roots_of_trust[0]);
+ auto endorsements =
+ ccf::verify_uvm_endorsements(endorsement, uvm_measurement);
+ REQUIRE(endorsements == ccf::default_uvm_roots_of_trust[1]);
 }
 int main(int argc, char** argv)
diff --git a/src/node/uvm_endorsements.h b/src/node/uvm_endorsements.h
index c59514a63bd8..f78d7aa75575 100644
--- a/src/node/uvm_endorsements.h
+++ b/src/node/uvm_endorsements.h
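Review bot: The only rejection this test case exercises is a feed mismatch (`"Malicious-ConfAKS-AMD-UVM"`), with the custom root's DID and SVN left equal to the endorsement's, so nothing checks that an endorsement is refused when the root demands a higher SVN. That is the property the `"0"` to `"1"` change in uvm_endorsements.h appears to rely on. A second negative case with the correct DID and feed but a higher SVN would cover it, as sketched below; the body of `matches_uvm_roots_of_trust` is not shown in this diff, so the sketch asserts only the exception type and not the message. The case is also still titled "Check ECDSA Test endorsement" although the fixture no longer carries the "DO NOT TRUST" test leaf, so a rename would help readers.

```cpp
  // ... unchanged: feed-mismatch case using custom_roots_of_trust ...

  // Same DID and feed as the endorsement, but an SVN above its svn 1
  std::vector<ccf::UVMEndorsements> higher_svn_roots_of_trust = {
    ccf::UVMEndorsements{
      "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3."
      "6.1.4.1.311.76.59.1.5",
      "ConfAKS-AMD-UVM",
      "2"}};
  REQUIRE_THROWS_AS(
    ccf::verify_uvm_endorsements(
      endorsement, uvm_measurement, higher_svn_roots_of_trust),
    std::logic_error);

  // ... unchanged: verification against the default roots and final REQUIRE ...
```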
@@ -63,7 +63,7 @@ namespace ccf
 {"did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6."
 "1.4.1.311.76.59.1.5",
 "ConfAKS-AMD-UVM",
- "0"}};
+ "1"}};
 bool inline matches_uvm_roots_of_trust(
 const UVMEndorsements& endorsements,
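Review bot: Changing the SVN of the `ConfAKS-AMD-UVM` entry from `"0"` to `"1"` edits the default trust table, yet the commit title mentions only the test and the header does not say why 1 is the right value. If `matches_uvm_roots_of_trust` treats this field as a minimum (its body lies outside the hunk), endorsements for this feed with SVN 0 would stop verifying after this change, which deserves a line in the commit message or changelog. The bump also coincides with the test now asserting equality with `default_uvm_roots_of_trust[1]`, so it is worth confirming the value reflects the intended policy and was not chosen just to match the new fixture. A comment on the entry, for example `// SVN for the ConfAKS-AMD-UVM root; raised from 0 to 1 in #6621`, would record the intent.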
diff --git a/tests/uvm_endorsements/ecdsa_test1.cose b/tests/uvm_endorsements/ecdsa_test1.cose index e167c8c80a8a5a060f20f50b4365b0d42ea978cf..2fa983d5a927b4ab567bc958f2cc038943948fa4 100644 GIT binary patch literal 10843 zcmds-cT^P1x9^!@$RIgN7$l=W4=_VUa!xXUWEhwsXNI64VF-#6B`8r4L@|JpMS^4$ zB`FyLLCHx(f&y>A<2icHxxe#!Z>`_EcilgxSMBNQuIj4Z^{M^cJrHd{-*6iw%}3~i z^6~L-bwpuZy}iWT{Jp(cxT7qHF#wJj1>hjs`GjB)7)&ogKtRAq!q#O)x~_i-U&dPi z6)~A`tXAw66$nI0L;#q;C;&2ILQ@DaJ=hcp;{@0b4RU%$eOE_6Z+~wmEL7Fo&&S*E zs3{m9z;k$>ke>aI^GH=SDDs>?7USs;HAX5!Rh0owW-4(>00x7J1Ar7DVTm{4coX=| z1Teq0`db%B>A`1}VKl(8!zM`RNsKXQPj4^uKX!^4VEo>xW6HWnT@)6j>h0xZ8t4h& zKsSGWUJwxhAr6#8fdBt87zc_ZSPj0JCyCYP?X^YKN_eoj`At4LU1}G#xIPg4FzoFt zro=JPG^KySnc0_vqc^3^U`y$YUagLu@u|=4b96a@=?U{g>AK0&3~4E@->lw_=iKt1 z2{Mxtf zjREARIR-yk^=aabB$Lgaz0%P_>kqP6rY8lhK@{nZIVJvL5fibR3@)fU3@8$cJd%Re ziTE&~MaM5(b?9_cz6Wv}vriX`-gGW`l?~8!HP|)YeO%tr=W!lWlFaN4CIk_H3UQ!J z{EVa@O*;oQ2y_5}5Q0e}j@~p5J_tL&Moe*%7z6>~r1a!Kpq~vQfD%9R9Q215fdK-5 zq zwoZI*kT>IHFmDiyK@&83s6W-}PC6;Z)cJ|%R!5E#1441;G-owO z&C=SIk4@4b%VR9@41L%847or_WnF2I0EaXK^k&t@A>y}jVaem$O8TFrmzk3A~8GvWrIjE`& z%GK)#G{)ZEcseOV#Q|~gBjn%Nc&W)j1pzg@``JXJ@$$lwUFF?_MPx zd*xSJzM1toFLAiip$1G>p2+lN6$_q;9VQv0SQ{k@jcE>-Jm#g@u_jOi(Fw*3s_lup z9T&K9&Y}KVhKr)8;1*Q!)g1?Aor;IoSgQ^$f7o5PrWy80b3P#^nKLyoBBjd65>(vYUpQ zmeerMm7$2VWb&0O@7na#`l}oSn47gJP$z+d+ErX=*lMawB?K&@49NtB50u*w@`-9w z#9V`%$m?f6&)*jJ!-Sm&KW`YLt%7tnZ@t|tiuI8QGOJjAOLDS9(iH_bh#vrf02fTBb#ODuKWS?NV8U`A^ zE>NV#$BUz;x7{NO<~FJqHk5?PzScd>PF_`|G$6NSggj(ky1$;SclJr0R&HM}nbCU3aeXdy;~Jl1^HW70$8Voq(p2W+*>cym`M7z0gvzC!T^o{ zD&H>OCf4d7aq?$y9XaVCs}9}tcXA!N>Jh;3heLNg;@G(#+`@Cr6L1Gyf7p1A+5BU} zf92S}-SppLO*NvkFmRYDBcw_wI%yNi5U7+oF?rRfa=5tXZmdg-m*H8Z)*ywdCw(WS z!bx9tSdIct(=K$KWJ>d&tVtjhTTic4dG?&jTJ2)k+6ssat)G?=?pK4Y&l3a+7+q?7 z8ycJ$Fx2D6f)&OeIQLXudYTngzM;(m@~n*HAE{j*F}gM+!qN1PNx z9<4UT5}bPP$b%*gZ#v(a70WjL*6))mbw=uQMd*tVZr%HGL@AvE(4gk~=1Z;&JS47? 
ze#uxmvNz){ce+})ec^!Y%W{FfA%YT;Wa7(6@1k%7OF_7xo_I)X_^GwFG7sd8ar9R= z{?OwfK{JkCXO3e;=^n7VibUjJ8~sY+)^H8)?@0Sb?kuSjE9s3t@2lYhV<@_X6gqBt zPFa}u4eMx;y@Q$xOIOyWzzmc)7#i+kMt5I=Cxi9J79*%Yp}|P!`!n&w1_+vVPWu zBtXMe&INKZ^s>m1qs@ZnkW5|!v7*(A7_F6{`)%VQ7hAoeh0-3LCOw4jSfsj9;`7*^ z17vHhY6b5K$@!a=yPf15AsxnW*b*sMbi`Gw?MGuWL(gVE#6iN&gn$0%hStJ1039<9H6zww`w* zUUmabxqqD_bt=j1mLrm<*2|wsovnH+g!*NX_<`kqM#AL9;BlX*JG?Qj&=yZRst@PB z2wU_H-J6a4nE&XK2x&aUquyZ;L|NVrq4TJ+f5|=dT3>r}me)+DFm?SzZ?Co+(afoT+zFWKS>BCdVD zn)7weY3zf{`+)(6*4wYES+WGO`Hgh^t_@aL2^a0ziG_W1C=_s_+#O|oLCXQV12QK4 zXhNCkcyeJR`gJ8K(`uuR)g|-K#7y~%=WQlC)rOvknVRvfUTD4vr<-eb!(NY zGma!-T;eRQB|er{ch2RQzYc5ivq5T{^eW7>ABu^03StT@n`&pVnzA893^_?LW7b4_ z3qI6;OrXM4njvj&bd?!+o$0;Qcy$5zdTKV{w2FP3@9ec3{+&0T_t$#xEEoxL98-O< zS#n%yvH1Fj57g~f#cpME4)4mdtZ*Dh5$?s#@+wO-jBHffhiY0m!M4PUe(2(Y8h+)on)31I5Bf5SB=2!-W&+^ zSiIIJ{jXkD$s}G85;Qhs9Kn#YjVz~h9bNtXgRRl7XxU&mAR`ON`n#aS;Rso6J3H3^ zJ#o0Vxw@GK+Qi5XrJ@&XhcST}8)-SHp0QI`RXO8iVd;aF@t2jwxCh9>L?uKKqA*cO z{7(V~6O}@U!e#JfINAw=L3*|SVW^<-gODk|a zEc;_oo<0@~mH>{y>~}ei1e}j!(8T|x3I-9vs1IRdAFBnz5JJHCumZn-3?QcXO}QhZ z0YUO{AT$IAvd5pW2IEx`@}r$(v;{dK2!Q?RVhB|GQ${+uYImEP!PN<9(4=|Nl=wCs z$xf_w`rumPY{CSX*lAJ5gNKHN9=|)2gaI%Kd`Kk)lNObPOIrev2r%d~n3do`^TMm5 z>eY+aAzfTC9%!fu5(!mD z8pw((!<0n;xH=%BCL<~Jw_2tNes)BVhtmT^V*CPK9WnX1V+8p!p-*1?_M- zCj{IpT7N_UA|L?m{Jb@wz|U6be`F;10p7z$Bc$i}V4AgP82@o{@1a1rGg$;Xaoo9rP(u;Z74EnLntUum-4GoDSe2=LQD)Z zZj0`kj_h$OGtCzP@@MT0__VG^)wBxO!&uLh-`o_5aIznt%&IjmdUJjHVdedjIr9_k zG^IrQWt&R+x9Y!5n{}5MbUFDr<=CA?F;C@lFF1XPxvf;UWu;+bbkfR>*d*w}Fpdb+ z_^f`9*DQFZBCxoZ%HP_38X2l0^4#R=h@Dn8?L*$HZNZ*TBq-!YcDIa6;pKv){qvVt zV)8AiX%T|rfsY{S40dlLPU+w-aWDsH@kd1OxtD+Lj*b$xbwBg=%42o5EnVf59sY!5 z&Fq9vEb;yw!OINVwJ|uErAq>40vduhz0z4%y&o1IP#9eK+!cnK!G=@!Mi^dMsN4_X zhA&a~^~%P6tCsUPw=tn~E!$}1?z3;HV%K-R-KY+lOd@MtX$v0Q95*AA< zr|{t~M?v7-Wpg1jRlA|ZuGmM{i}E9FsIR)@CiWd)t4#|r?xJ@o#3p^a@n%<(T3du` zl9z7sT18*8*vXKglMl@F1Y1XvGlit{arL@SPfEHO%Sn|!dHseTaC~%+zxGD;y|n49 zTF6PBw{HL;u&})E#A)xdAh63a&l6X8%(>INS`!cSW8c3I)!IoF>R|qQ^TnQiE%p)f 
zX28|nFO}SarGhyUad7#xSA=RU@k2Ak_SO#x`P${1bKQk=XdZ07OA8vboQPK-?qT

vG|W$!HxD5&;-O$;^T5R2T<+%9d@a-`$kpjEd5VE52Vh;i{amr<@FMbW;KTz{0)R=2i;KhY;FQ28ehy9ieh6;)-;DKt z0^H1GvEFQ@A2-Fho87~_=NgU;;$H2o#(cq!1N}%rz5`Rj=GG~9m%{WS}rZ`cYL?fIZJ$7BLjx9vuL4;LUJPmuU z@qYE31K)%jb+66m{X}H%&{B+<{_30hgrez`q;i>4XL9C!T&bQTM0^rqU2wsM>B@_| zt?!>Dg;kj(P3#hxUiWm7%hG6AE-F1QBz3=gF-m<_!|S>D;L}*Z+VIqrL;1_cQwf)5 zGVX(Po;3QFFk3m>zumr?!pWhq2krI0pq!-<@UqQL@(o?w(B3WRg|KgL6ULv?&#YL26A^MEQRDXjTizN!=|J?be?XX}VcuIoBZ}>KJt!0;veAv;O z@)-hs#VWrzirdBxz^0_7jXXBmp@>6mAc)~C(VF8E$NTrnU$eKnf3Y?`V?#I2S6604 zbl#(#mcwr~VaK>FhB@`AJmWZeZW^7j4Iq@|gTwJ4!=pY82h3L?8SB z+#5XLMgh9tg<-t7{5?{~r&NCzoWX}#QsLXi`{=f;MqG-#23)9@=0FUx@)H^V7JSx+ zY=A;c0VHsSnDR$rHtGTh1SkWif4~9^Vv_hLNU3={`imK3e7yZ#vEF{?L|w3+0R0hp z{)C->p>b0j)~7zq7~}QyzlaV$XKDw(m~|)3-L!Ua=~qZgwi@oqVrc`+4ln0|7y|l$ zZoYQDW~};eoyO-`|C*^iO4IuId7}dyzvoc#>xnAH55I`m9WEat0767u;t1Zqr)2T) zHURVhogd?ZhqvOt8W%CgAG-E`aqnNW>mSg~HNEgn_`&2UE@u#o*J?7)Pxo7i_kuM; zwW5J0I`|QB>NN$JM3u~Ni!b8z7}_JWFF?lg2{mk{CF!e2e?c0{iIsULXIZ5Fo9lJe zoWUaq(VP;T83Ex#qQnOy+%%J1%O6b-g@FFH$8bwW`dCcyk{T3 zxv`O`(6Qn24)dkR?Cw^2wV3CscsYrPB^m)^43Y~W_f+( zHgR`Tr`0T3uPN=Ci?cP%9q7{wtU7B#_Q(~a78Y87^6=j$f3l?Pq~N;O-K?w~7M9xB zy)8FW!`M{Wqj(E;Cc3@}+>E;!!py-Km*BHMTh%AX7DthU7^~CU$vz;Tm)z!sJD+?{ zRr@hMb7=C!!kU1J0$z?doSyG4aQ6ER7 ze!>dQ^A-_JvoEn5O(ln^gn31QkJBd@4nl>`$CBZN03b5;zZX+SpB?>OeEgG|ffp}y z@Sk=3_!5bX5JvTjxB-a$aSj4I0fDmkWtcT~6BUbODDce1_)G!C%%hwE#WJAcb@UsDSme&b({PWoons3q$|cA z4kI)`tx|M;w|R;+f)H@=?oi+@D+U1iI?&9;3z-7P7BDeQ~S{&taY-Y^rG(^+Wb$wmrDmSyfrHX_b-wM5( z)T4Bwl`uN>9!nGQHFwZEc3iD;Z{>OAE1Uy&O!>IJeE@EtcPnPzINqa=IoWpkx_E`_ zlA`WDDv9W}TH7n9X;ZG+CkV#5PQ8^@%&U9S@oqc19|>;cI%DoTh_g99*AbM zy;_`@f6O&O&z5>;8eV6;C#H30%y5JG!fth!@J`3v^=6AgW;?WZwXd~nx>9m} zkZ;YoFu%pcshoX{RPUrrQMET;j2=`SaKAE5`wLyO|FQfnE@`r?BVycCn-Yxj@ z&8~V_V%7y|^DyE3(&Lv+BtSt)!eP4=&+{poXcLZo>|$80BZ;D)R+^@)860(~->u^v z*NsGO+-gWW?a8djvPMMKFS=U15K8cpFO2_j90P&j7#r87n!w5^&V0D4`+Dl7Xt)R&i5v@+@bPLy8f{JdVE3r zyE!>td1E@6y2~-iAok3{K#M19?g-o2H{X^lkGBcD?2DA(G-l`8hX|Qt5g&&x_Fokp zkTY+o<{;lxlDH>lLTwhdkr#6xCcYk*^k6$;Ute^LT=|Clo=NcsQrM*ONXPPi=47Uz 
z+}uZo+C)M@s!@|X@hvWC8xop8W8<@zg{(bCx{c6f3ztM=$jCXhw~E>ouwy<9R=c$9 ZV;2P1!h6OoyH;!UKJITF^94+^C*X;7MCb^=9Q!t<))@& zCYGcsI6Eq6xcDph`G+Wk1ce5NXd1|g^BS2Lm>8KES{N9b8b$%Rrbt`^WkW>+d5C!u zVDo%Z6VuQQDKijYV+T8diII&}yOD)Ki8+aZWr|ky{@;tdDsGf(&WsBabd*W$D?7OD z4|m@FrLh%BKKW0|I4YMEEw+l^eeCPx2{SvTooWP5P2|_i*35fgAKUcz%j<&&g)H4e zPkYq$z4baR92E4Tt@7pHbjKFvSAOluOOZX!oWWp_%4A^A!}=!lNzbPEGfQrNnAA9} zH_Ud@?!*u&F=5NB-a^rn&)BOOD%(~le%s>9IP)y4HA%cgSEj{B z-k!FR*4??}eV2H0m41x;m7wrk&5yHt^3E0%OY9R+&$}MUxE&Z5n}OJJ0W%XL6O)L- zHyMX1^6w+GgB^Gar87;V=U+EQcAJ5kp^AYLBoL*+ff$sZUqVJ?kQ%u-;w5EPf}#BJ z&K2*uRQ7+}Gg-h?Z9VJcZIUylXyuz_H(Kev+k7UWbnSYP?Iygd<*vPb7kIa#ckkr% zsrxtCobHa&RhZ9stiq^Nd&eYqF?;sS-SLr+`0u@(Q`x9oYJ5`k!i5cs6%6DI_<{bF z6=r1o&%$cJ45SRWK?3|Nz(mT_f*d-~m=jCba3nuwV~C)h(`BhAZ!%Z?^f+T^Wc2Aq ze8RoQ-$H#i8m#t<-TV9GPhYKmt+!j=0b_2%vh9vyux*rF+UHh1@m zWxVn?`!>J-DQEe#W{c{reUo=^Pc3kLU5H?|+tOU*~dpXE^U)mWJIlFNNL3WtX0BXxmb; zdb;)8VAuZ+zRv9H1pCN}vD6UzioL!ETC6mC@5Qg}eK9X(qL-}N`R#A6>|NdS;iOXC zS6!iRvQ5>0uWxvq|v@6m9^Yi>?O3vZsP zIPh@Gxe4xO6<*0oFH^Dt1d=n0i!1U{GE=N7Obslp46KSX5{*pFtis%igM9p)GEAc? z4LyQN!g7o}JtG`*401w?bu03dT$75kql_bhTnd~ct*nYmld@8iORSvztU#Gh)yM!; zh5;#6BMTRQAPp=Ifh4#Y(|IIo~AS2w*BC{Nj)VG36Z5{mEIS+qbXTa3^2eVAIj;Uwie+ vt~{7O{fvLHyyNrRoX+uUPlP@HyH#dUkYMHJvJbm9G8x