Update UVM endorsements test with fresh endorsements from C-AKS (#6621)

2024-11-09 17:49:26 +00:00 · 2024-11-09 17:49:26 +00:00 · 99b0b1034b
--- a/src/node/test/endorsements.cpp
+++ b/src/node/test/endorsements.cpp
@ -24,13 +24,7 @@ TEST_CASE("Check RSA Production endorsement")
  ccf::pal::PlatformAttestationMeasurement uvm_measurement(measurement);
  auto endorsements =
    ccf::verify_uvm_endorsements(endorsement, uvm_measurement);
-  REQUIRE(
-    endorsements ==
-    ccf::UVMEndorsements{
-      "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3."
-      "6.1.4.1.311.76.59.1.2",
-      "ContainerPlat-AMD-UVM",
-      "100"});
+  REQUIRE(endorsements == ccf::default_uvm_roots_of_trust[0]);
 }

 TEST_CASE("Check ECDSA Test endorsement")
@ -42,27 +36,28 @@ TEST_CASE("Check ECDSA Test endorsement")
  REQUIRE(!endorsement.empty());

  ccf::pal::SnpAttestationMeasurement measurement(
-    "5a84c66e9c8dd1a991e6d8b43a8aaae488940f87ce25ef6a62ad180cc3c73554ed7e4ccd10"
-    "13456602758778d9d65c48");
+    "1b66347ceafca663690ff17ed2144b8acdee661edc5d28e69a7c85dde7ba0c3a6f9862096e"
+    "8b38da7aa622ddeed75c37");
  ccf::pal::PlatformAttestationMeasurement uvm_measurement(measurement);
-  REQUIRE_THROWS_WITH_AS(
-    ccf::verify_uvm_endorsements(endorsement, uvm_measurement),
-    "UVM endorsements did "
-    "did:x509:0:sha256:VFsRLNBh5Zy1HRtVl2IIXAl0lUs-xobEbskZ3XRDpCY::subject:CN:"
-    "Test%20Leaf%20%28DO%20NOT%20TRUST%29, feed ConfAKS-AMD-UVM-Test, svn 0 do "
-    "not match any of the known UVM roots of trust",
-    std::logic_error);

  std::vector<ccf::UVMEndorsements> custom_roots_of_trust = {
    ccf::UVMEndorsements{
-      "did:x509:0:sha256:VFsRLNBh5Zy1HRtVl2IIXAl0lUs-xobEbskZ3XRDpCY::subject:"
-      "CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29",
-      "ConfAKS-AMD-UVM-Test",
-      "0"}};
+      "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3."
+      "6.1.4.1.311.76.59.1.5",
+      "Malicious-ConfAKS-AMD-UVM",
+      "1"}};
+  REQUIRE_THROWS_WITH_AS(
+    ccf::verify_uvm_endorsements(
+      endorsement, uvm_measurement, custom_roots_of_trust),
+    "UVM endorsements did "
+    "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6."
+    "1.4.1.311.76.59.1.5, feed ConfAKS-AMD-UVM, svn 1 do not match any of the "
+    "known UVM roots of trust",
+    std::logic_error);

-  auto endorsements = ccf::verify_uvm_endorsements(
-    endorsement, uvm_measurement, custom_roots_of_trust);
-  REQUIRE(endorsements == custom_roots_of_trust[0]);
+  auto endorsements =
+    ccf::verify_uvm_endorsements(endorsement, uvm_measurement);
+  REQUIRE(endorsements == ccf::default_uvm_roots_of_trust[1]);
 }

 int main(int argc, char** argv)
--- a/src/node/uvm_endorsements.h
+++ b/src/node/uvm_endorsements.h
@ -63,7 +63,7 @@ namespace ccf
    {"did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6."
     "1.4.1.311.76.59.1.5",
     "ConfAKS-AMD-UVM",
-     "0"}};
+     "1"}};

  bool inline matches_uvm_roots_of_trust(
    const UVMEndorsements& endorsements,
--- a/tests/uvm_endorsements/ecdsa_test1.cose
+++ b/tests/uvm_endorsements/ecdsa_test1.cose