sevsnp tests: add unit tests

Add unit tests for endorsement, evidence and storage handlers

Signed-off-by: Jagannathan Raman <[email protected]>

Author: jraman567

scheme/sevsnp/endorsement_handler_test.go

@@ -0,0 +1,46 @@
+// Copyright 2025 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package sevsnp
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDecoder_GetName(t *testing.T) {
+	d := &EndorsementHandler{}
+
+	expected := SchemeName
+
+	actual := d.GetName()
+
+	assert.Equal(t, expected, actual)
+}
+
+func TestDecoder_GetAttestationScheme(t *testing.T) {
+	d := &EndorsementHandler{}
+
+	expected := SchemeName
+
+	actual := d.GetAttestationScheme()
+
+	assert.Equal(t, expected, actual)
+}
+
+func TestDecoder_GetSupportedMediaTypes(t *testing.T) {
+	d := &EndorsementHandler{}
+
+	expected := EndorsementMediaTypes
+
+	actual := d.GetSupportedMediaTypes()
+
+	assert.Equal(t, expected, actual)
+}
+
+func TestDecoder_Decode_OK(t *testing.T) {
+	d := &EndorsementHandler{}
+
+	_, err := d.Decode(unsignedCorimSevSnp)
+	assert.NoError(t, err)
+}

scheme/sevsnp/evidence_handler_test.go

@@ -0,0 +1,105 @@
+// Copyright 2025 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package sevsnp
+
+import (
+	"encoding/json"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/veraison/ear"
+	"github.com/veraison/services/proto"
+)
+
+var testNonce = []byte{
+	0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00,
+	0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
+	0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10,
+	0x1f, 0x1e, 0x1d, 0x1c, 0x1b, 0x1a, 0x19, 0x18,
+}
+
+func Test_ExtractClaims_ok(t *testing.T) {
+	tokenBytes, err := os.ReadFile("test/sevsnp-token.cbor")
+	require.NoError(t, err)
+
+	taEndValBytes, err := os.ReadFile("test/ta-endorsement.json")
+	require.NoError(t, err)
+
+	handler := &EvidenceHandler{}
+
+	token := proto.AttestationToken{
+		TenantId: "0",
+		Data:     tokenBytes,
+		Nonce:    testNonce,
+	}
+	ta := string(taEndValBytes)
+	claims, err := handler.ExtractClaims(&token, []string{ta})
+
+	require.NoError(t, err)
+	assert.Equal(t, "http://amd.com/2024/snp-corim-profile", claims["profile"].(string))
+}
+
+func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
+	tokenBytes, err := os.ReadFile("test/sevsnp-token.cbor")
+	require.NoError(t, err)
+
+	taEndValBytes, err := os.ReadFile("test/ta-endorsement.json")
+	require.NoError(t, err)
+
+	handler := &EvidenceHandler{}
+
+	token := proto.AttestationToken{
+		TenantId: "0",
+		Data:     tokenBytes,
+		Nonce:    testNonce,
+	}
+
+	ta := string(taEndValBytes)
+	err = handler.ValidateEvidenceIntegrity(&token, []string{ta}, nil)
+
+	assert.NoError(t, err)
+}
+
+func Test_ValidateEvidenceIntegrity_BadTA(t *testing.T) {
+	tokenBytes, err := os.ReadFile("test/sevsnp-token.cbor")
+	require.NoError(t, err)
+
+	taEndValBytes, err := os.ReadFile("test/ta-endorsement-bad.json")
+	require.NoError(t, err)
+
+	handler := &EvidenceHandler{}
+
+	token := proto.AttestationToken{
+		TenantId: "0",
+		Data:     tokenBytes,
+		Nonce:    testNonce,
+	}
+
+	ta := string(taEndValBytes)
+	err = handler.ValidateEvidenceIntegrity(&token, []string{ta}, nil)
+
+	assert.EqualError(t, err, "ARK in evidence does not match provisioned ARK")
+}
+
+func Test_AppraiseEvidence_ok(t *testing.T) {
+	extractedBytes, err := os.ReadFile("test/extracted.json")
+	require.NoError(t, err)
+
+	var ec proto.EvidenceContext
+	err = json.Unmarshal(extractedBytes, &ec)
+	require.NoError(t, err)
+
+	endorsementsBytes, err := os.ReadFile("test/refval-endorsement.json")
+	require.NoError(t, err)
+
+	handler := &EvidenceHandler{}
+
+	result, err := handler.AppraiseEvidence(&ec, []string{string(endorsementsBytes)})
+	require.NoError(t, err)
+
+	attestation := result.Submods["SEVSNP"]
+
+	assert.Equal(t, ear.TrustTierAffirming, *attestation.Status)
+}

scheme/sevsnp/store_handler_test.go

@@ -0,0 +1,85 @@
+// Copyright 2025 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package sevsnp
+
+import (
+	"encoding/json"
+	"github.com/veraison/services/proto"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/veraison/services/handler"
+)
+
+func Test_SynthKeysFromRefValue_ok(t *testing.T) {
+	var e handler.Endorsement
+
+	endorsementsBytes, err := os.ReadFile("test/refval-endorsement.json")
+	require.NoError(t, err)
+
+	err = json.Unmarshal(endorsementsBytes, &e)
+	require.NoError(t, err)
+	expectedKey := "SEVSNP://0/7a505b428ce2feddb2453f19c5a6d3b4b6e6cd079eacccd4de2400924cdee86b7a9285c62327536448048b977dccc4a8"
+
+	scheme := &StoreHandler{}
+	keys, err := scheme.SynthKeysFromRefValue("0", &e)
+	require.NoError(t, err)
+	assert.Equal(t, expectedKey, keys[0])
+
+}
+
+func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) {
+	var e handler.Endorsement
+
+	endorsementsBytes, err := os.ReadFile("test/ta-endorsement.json")
+	require.NoError(t, err)
+
+	err = json.Unmarshal(endorsementsBytes, &e)
+	require.NoError(t, err)
+
+	expectedKey := "SEVSNP://ARK-Milan"
+
+	scheme := &StoreHandler{}
+	keys, err := scheme.SynthKeysFromTrustAnchor("0", &e)
+	require.NoError(t, err)
+	assert.Equal(t, expectedKey, keys[0])
+
+}
+
+func Test_GetTrustAnchorIDs_ok(t *testing.T) {
+	tokenBytes, err := os.ReadFile("test/sevsnp-token.cbor")
+	require.NoError(t, err)
+
+	token := proto.AttestationToken{
+		TenantId: "0",
+		Data:     tokenBytes,
+		Nonce:    testNonce,
+	}
+
+	expectedTaID := "SEVSNP://ARK-Milan"
+
+	handler := &StoreHandler{}
+
+	taIDs, err := handler.GetTrustAnchorIDs(&token)
+	require.NoError(t, err)
+	assert.Equal(t, 1, len(taIDs))
+	assert.Equal(t, expectedTaID, taIDs[0])
+}
+
+func Test_GetRefValueIDs_ok(t *testing.T) {
+	rawToken, err := os.ReadFile("test/sevsnp-token.json")
+	require.NoError(t, err)
+
+	claims := make(map[string]interface{})
+	err = json.Unmarshal(rawToken, &claims)
+	require.NoError(t, err)
+
+	expectedRefvalIDs := []string{"SEVSNP://0/7a505b428ce2feddb2453f19c5a6d3b4b6e6cd079eacccd4de2400924cdee86b7a9285c62327536448048b977dccc4a8"}
+
+	scheme := &StoreHandler{}
+	refvalIDs, err := scheme.GetRefValueIDs("0", nil, claims)
+	require.NoError(t, err)
+	assert.Equal(t, expectedRefvalIDs, refvalIDs)
+}

scheme/sevsnp/test/corim/unsignedCorimSevSnp.cbor

@@ -0,0 +1,16 @@
+{
+  "tenant-id": "0",
+  "trust-anchor-ids": [
+    "SEVSNP://ARK-Milan"
+  ],
+  "reference-ids": [
+    "SEVSNP://0/7a505b428ce2feddb2453f19c5a6d3b4b6e6cd079eacccd4de2400924cdee86b7a9285c62327536448048b977dccc4a8"
+  ],
+  "evidence": {
+    "corim-id": "unknown type for tag-id",
+    "profile": "http://amd.com/2024/snp-corim-profile",
+    "tags": [
+      "2QH6owBlZW4tR0IBoQBQID5rEAv7TbOnMFdvpjTnDAShAIGCogChANhvSSsGAQQBnHgDAQHZAjBYQMKmUotzZOB+n1xlOrOqDb1zhPmoDf3lTMZD3buJ2JNkJf+KMlaMpu13ECDcOcM8z/s7Q8rAxQGgCTytYBLf0+2VogAAAaEAogBhMwEEogABAaEB2QIpAKIAAgGhBNkCMEgAAAAAAAMAAKIAAwGhBNkCMFAAAAAAAAAAAAAAAAAAAAAAogAEAaEE2QIwUAAAAAAAAAAAAAAAAAAAAACiAAUBoQTZAjBEAAAAAKIABgGhAdkCKBvbGAAAAAAABKIABwGhBNkCMEgAAAAAAAAAJaIAGQKAAaEE2QIwWEB1GEqFFca9sVESgVS/smsUbXNIigXFjWwRffBdyN5+s1gXYPHYA5nvNf1j4pAgYY4CR5YdjjZHeo9aObAp7qB1ogAZAoEBoQKBggdYMHpQW0KM4v7dskU/GcWm07S25s0HnqzM1N4kAJJM3uhrepKFxiMnU2RIBIuXfczEqKIAGQKFAaEE2QIwWCD/5zoLo3n7Jeq7bC+3UBuZpm6s+Sv3raCnVqOxZCtc5KIAGQKGAaEE2QIwWCD//////////////////////////////////////////6IAGQKHAaEB2QIoG9sYAAAAAAAEogAZAogBoQTZAjBBGaIAGQKJAaEE2QIwQQGiABkCigGhBNkCMEEBogAZDQABoQTZAjBYQMKmUotzZOB+n1xlOrOqDb1zhPmoDf3lTMZD3buJ2JNkJf+KMlaMpu13ECDcOcM8z/s7Q8rAxQGgCTytYBLf0+2iABkNAQGhAdkCKBvbGAAAAAAABKIAGQ0CAaEAogBnMS41NS4yOQEZQACiABkPYAGhAKIAZzEuNTUuMjkBGUAAogAZD4ABoQHZAigb2xgAAAAAAAQ="
+    ]
+  }
+}