Update hardcoded UVM endorsements + tests for conf AKS

microsoft · Nov 8, 2024 · d5459fc · d5459fc
1 parent 005b5cd
commit d5459fc
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 24 deletions.
diff --git a/src/node/test/endorsements.cpp b/src/node/test/endorsements.cpp
@@ -24,13 +24,7 @@ TEST_CASE("Check RSA Production endorsement")
   ccf::pal::PlatformAttestationMeasurement uvm_measurement(measurement);
   auto endorsements =
     ccf::verify_uvm_endorsements(endorsement, uvm_measurement);
-  REQUIRE(
-    endorsements ==
-    ccf::UVMEndorsements{
-      "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3."
-      "6.1.4.1.311.76.59.1.2",
-      "ContainerPlat-AMD-UVM",
-      "100"});
+  REQUIRE(endorsements == ccf::default_uvm_roots_of_trust[0]);
 }
 
 TEST_CASE("Check ECDSA Test endorsement")
@@ -42,27 +36,28 @@ TEST_CASE("Check ECDSA Test endorsement")
   REQUIRE(!endorsement.empty());
 
   ccf::pal::SnpAttestationMeasurement measurement(
-    "5a84c66e9c8dd1a991e6d8b43a8aaae488940f87ce25ef6a62ad180cc3c73554ed7e4ccd10"
-    "13456602758778d9d65c48");
+    "1b66347ceafca663690ff17ed2144b8acdee661edc5d28e69a7c85dde7ba0c3a6f9862096e"
+    "8b38da7aa622ddeed75c37");
   ccf::pal::PlatformAttestationMeasurement uvm_measurement(measurement);
-  REQUIRE_THROWS_WITH_AS(
-    ccf::verify_uvm_endorsements(endorsement, uvm_measurement),
-    "UVM endorsements did "
-    "did:x509:0:sha256:VFsRLNBh5Zy1HRtVl2IIXAl0lUs-xobEbskZ3XRDpCY::subject:CN:"
-    "Test%20Leaf%20%28DO%20NOT%20TRUST%29, feed ConfAKS-AMD-UVM-Test, svn 0 do "
-    "not match any of the known UVM roots of trust",
-    std::logic_error);
 
   std::vector<ccf::UVMEndorsements> custom_roots_of_trust = {
     ccf::UVMEndorsements{
-      "did:x509:0:sha256:VFsRLNBh5Zy1HRtVl2IIXAl0lUs-xobEbskZ3XRDpCY::subject:"
-      "CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29",
-      "ConfAKS-AMD-UVM-Test",
-      "0"}};
+      "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3."
+      "6.1.4.1.311.76.59.1.5",
+      "Malicious-ConfAKS-AMD-UVM",
+      "1"}};
+  REQUIRE_THROWS_WITH_AS(
+    ccf::verify_uvm_endorsements(
+      endorsement, uvm_measurement, custom_roots_of_trust),
+    "UVM endorsements did "
+    "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6."
+    "1.4.1.311.76.59.1.5, feed ConfAKS-AMD-UVM, svn 1 do not match any of the "
+    "known UVM roots of trust",
+    std::logic_error);
 
-  auto endorsements = ccf::verify_uvm_endorsements(
-    endorsement, uvm_measurement, custom_roots_of_trust);
-  REQUIRE(endorsements == custom_roots_of_trust[0]);
+  auto endorsements =
+    ccf::verify_uvm_endorsements(endorsement, uvm_measurement);
+  REQUIRE(endorsements == ccf::default_uvm_roots_of_trust[1]);
 }
 
 int main(int argc, char** argv)

diff --git a/src/node/uvm_endorsements.h b/src/node/uvm_endorsements.h
@@ -63,7 +63,7 @@ namespace ccf
     {"did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6."
      "1.4.1.311.76.59.1.5",
      "ConfAKS-AMD-UVM",
-     "0"}};
+     "1"}};
 
   bool inline matches_uvm_roots_of_trust(
     const UVMEndorsements& endorsements,

diff --git a/tests/uvm_endorsements/ecdsa_test1.cose b/tests/uvm_endorsements/ecdsa_test1.cose