From 1865b9f3f6cb9994a74ce16552d235886f7fa0a1 Mon Sep 17 00:00:00 2001 From: joydeep049 Date: Tue, 19 Aug 2025 17:14:47 +0530 Subject: [PATCH] fix: cryptokeys error Signed-off-by: joydeep049 --- coev/coswid_evidence.go | 6 ++-- coev/example_test.go | 10 +++--- comid/measurement.go | 27 ++++++++++++++-- comid/tdx-profile/common_extract_test.go | 14 +++++--- comid/tdx-profile/example_pce_refval_test.go | 10 +++--- comid/tdx-profile/example_qe_refval_test.go | 10 +++--- comid/tdx-profile/example_seam_refval_test.go | 10 +++--- comid/tdx-profile/test_vars.go | 30 +++++++++++------- .../testcases/comid_pce_refval.cbor | Bin 462 -> 463 bytes .../testcases/comid_qe_refval.cbor | Bin 497 -> 498 bytes .../testcases/comid_seam_refval.cbor | Bin 476 -> 477 bytes .../testcases/src/comid_pce_refval.diag | 2 +- .../testcases/src/comid_qe_refval.diag | 2 +- .../testcases/src/comid_seam_refval.diag | 2 +- 14 files changed, 79 insertions(+), 44 deletions(-) diff --git a/coev/coswid_evidence.go b/coev/coswid_evidence.go index 323f4618..5c45b1fd 100644 --- a/coev/coswid_evidence.go +++ b/coev/coswid_evidence.go @@ -10,9 +10,9 @@ import ( // CoSWIDEvidenceMap is the Map to carry CoSWID Evidence type CoSWIDEvidenceMap struct { - TagID *swid.TagID `cbor:"0,keyasint,omitempty" json:"tagId,omitempty"` - Evidence swid.Evidence `cbor:"1,keyasint,omitempty" json:"evidence,omitempty"` - AuthorizedBy *comid.CryptoKey `cbor:"2,keyasint,omitempty" json:"authorized-by,omitempty"` + TagID *swid.TagID `cbor:"0,keyasint,omitempty" json:"tagId,omitempty"` + Evidence swid.Evidence `cbor:"1,keyasint,omitempty" json:"evidence,omitempty"` + AuthorizedBy []*comid.CryptoKey `cbor:"2,keyasint,omitempty" json:"authorized-by,omitempty"` } type CoSWIDEvidence []CoSWIDEvidenceMap diff --git a/coev/example_test.go b/coev/example_test.go index e00d717a..3c8f3038 100644 --- a/coev/example_test.go +++ b/coev/example_test.go 
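Review bot: The new `AuthorizedBy []*comid.CryptoKey` field carries no comment saying what a list of keys means, and the same gap exists in the `Measurement` struct hunk of comid/measurement.go; from the struct alone a consumer cannot tell whether the keys are alternatives (any one authorizes the evidence) or all required, which is exactly the question an implementer of the authorization check has to answer. Suggest a field comment along the lines of `// AuthorizedBy lists the crypto keys that authorize this evidence; how a verifier combines several keys is left to policy — confirm against the spec this struct follows.` The comment could also record that `omitempty` drops an empty slice as well as a nil one, so an explicit `[]` does not round-trip through the CBOR/JSON encodings.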
@@ -298,10 +298,12 @@ func Example_decode_JSON() { "raw-value-mask": "/////w==", "mac-addr": "02:00:5e:10:00:00:00:02" }, - "authorized-by": { - "type": "pkix-base64-key", - "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----" - } + "authorized-by": [ + { + "type": "pkix-base64-key", + "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----" + } + ] } ] } diff --git a/comid/measurement.go b/comid/measurement.go index ff105e09..265bfe59 100644 --- a/comid/measurement.go +++ b/comid/measurement.go @@ -493,9 +493,9 @@ func (o Mval) Valid() error { // Measurement stores a measurement-map with CBOR and JSON serializations. type Measurement struct { - Key *Mkey `cbor:"0,keyasint,omitempty" json:"key,omitempty"` - Val Mval `cbor:"1,keyasint" json:"value"` - AuthorizedBy *CryptoKey `cbor:"2,keyasint,omitempty" json:"authorized-by,omitempty"` + Key *Mkey `cbor:"0,keyasint,omitempty" json:"key,omitempty"` + Val Mval `cbor:"1,keyasint" json:"value"` + AuthorizedBy []*CryptoKey `cbor:"2,keyasint,omitempty" json:"authorized-by,omitempty"` } func NewMeasurement(val any, typ string) (*Measurement, error) { 
@@ -768,6 +768,27 @@ func (o *Measurement) SetName(name string) *Measurement { return o } +// SetAuthorizedBy sets the supplied crypto keys in the AuthorizedBy field of the +// target measurement +func (o *Measurement) SetAuthorizedBy(keys []*CryptoKey) *Measurement { + if o != nil { + o.AuthorizedBy = keys + } + return o +} + +// AddAuthorizedBy adds a crypto key to the AuthorizedBy field of the +// target measurement +func (o *Measurement) AddAuthorizedBy(key *CryptoKey) *Measurement { + if o != nil { + if o.AuthorizedBy == nil { + o.AuthorizedBy = make([]*CryptoKey, 0) + } + o.AuthorizedBy = append(o.AuthorizedBy, key) + } + return o +} + // nolint:gocritic func (o Measurement) Valid() error { if o.Key != nil && o.Key.IsSet() { diff --git a/comid/tdx-profile/common_extract_test.go b/comid/tdx-profile/common_extract_test.go index b4c6d315..0b53a531 100644 --- a/comid/tdx-profile/common_extract_test.go +++ b/comid/tdx-profile/common_extract_test.go @@ -153,10 +153,16 @@ func testextractTeeTcbEvalNum(tcbEvalNum *TeeTcbEvalNumber) error { } func TestdecodeAuthorisedBy(m *comid.Measurement) error { - if err := m.AuthorizedBy.Valid(); err != nil { - return fmt.Errorf("invalid cryptokey: %w", err) + if len(m.AuthorizedBy) == 0 { + return fmt.Errorf("no authorized by cryptokeys") + } + + for i, key := range m.AuthorizedBy { + if err := key.Valid(); err != nil { + return fmt.Errorf("invalid cryptokey at index %d: %w", i, err) + } + fmt.Printf("\nCryptoKey %d Type: %s", i, key.Type()) + fmt.Printf("\nCryptoKey %d Value: %s", i, key.String()) } - fmt.Printf("\nCryptoKey Type: %s", m.AuthorizedBy.Type()) - fmt.Printf("\nCryptoKey Value: %s", m.AuthorizedBy.String()) return nil } diff --git a/comid/tdx-profile/example_pce_refval_test.go b/comid/tdx-profile/example_pce_refval_test.go index 168f10b3..5318b317 100644 --- a/comid/tdx-profile/example_pce_refval_test.go +++ b/comid/tdx-profile/example_pce_refval_test.go 
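Review bot: `AddAuthorizedBy` appends `key` without checking it for nil, so a nil pointer lands in `AuthorizedBy` and is only caught later, if at all, by whoever iterates the slice; the `make([]*CryptoKey, 0)` branch is also unnecessary since `append` on a nil slice works. The body could collapse to `if o != nil && key != nil { o.AuthorizedBy = append(o.AuthorizedBy, key) }`, which keeps the existing silent no-op style for a nil receiver. `SetAuthorizedBy` stores the caller's slice as-is, so later `AddAuthorizedBy` calls may write into the caller's backing array; `slices.Clone(keys)` (already available if the file targets Go 1.21+) would detach it. Whether `Measurement.Valid` now walks each key in `AuthorizedBy` is not visible here, as its body continues past the end of the hunk.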
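Review bot: In `TestdecodeAuthorisedBy` the loop calls `key.Valid()` on each element without checking that `key` is non-nil; a `null` entry in the `authorized-by` JSON array decodes to a nil element, and unless `CryptoKey.Valid` tolerates a nil receiver this panics instead of surfacing as a validation error. Suggest `if key == nil { return fmt.Errorf("nil cryptokey at index %d", i) }` before the `Valid` call. The new `len(m.AuthorizedBy) == 0` guard duplicates the `len(m.AuthorizedBy) > 0` checks the three example files add before calling this helper, so one of the two could go; and `fmt.Errorf` with no verbs is conventionally `errors.New`.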
@@ -76,8 +76,8 @@ func Example_decode_PCE_JSON() { // SVN Value: 10 // SVN Operator: greater_or_equal // SVN Value: 10 - // CryptoKey Type: pkix-base64-key - // CryptoKey Value: -----BEGIN PUBLIC KEY----- + // CryptoKey 0 Type: pkix-base64-key + // CryptoKey 0 Value: -----BEGIN PUBLIC KEY----- // MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg== // -----END PUBLIC KEY----- } @@ -121,7 +121,7 @@ func extractPCEMeasurements(meas *comid.Measurements) error { return fmt.Errorf("extracting measurement at index %d: %w", i, err) } - if m.AuthorizedBy != nil { + if len(m.AuthorizedBy) > 0 { err := TestdecodeAuthorisedBy(m) if err != nil { return fmt.Errorf("extracting measurement at index %d: %w", i, err) @@ -280,8 +280,8 @@ func Example_decode_PCE_CBOR() { // SVN Value: 0 // SVN Operator: greater_or_equal // SVN Value: 0 - // CryptoKey Type: pkix-base64-key - // CryptoKey Value: -----BEGIN PUBLIC KEY----- + // CryptoKey 0 Type: pkix-base64-key + // CryptoKey 0 Value: -----BEGIN PUBLIC KEY----- // MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg== // -----END PUBLIC KEY----- } diff --git a/comid/tdx-profile/example_qe_refval_test.go b/comid/tdx-profile/example_qe_refval_test.go index 37fe8c39..04c2bdf0 100644 --- a/comid/tdx-profile/example_qe_refval_test.go +++ b/comid/tdx-profile/example_qe_refval_test.go 
@@ -53,8 +53,8 @@ func Example_decode_QE_JSON() { // mrsigner Digest Value: 87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7 // mrsigner Digest Alg: 8 // mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6aa314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a - // CryptoKey Type: pkix-base64-key - // CryptoKey Value: -----BEGIN PUBLIC KEY----- + // CryptoKey 0 Type: pkix-base64-key + // CryptoKey 0 Value: -----BEGIN PUBLIC KEY----- // MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg== // -----END PUBLIC KEY----- } @@ -98,7 +98,7 @@ func extractQEMeasurements(meas *comid.Measurements) error { return fmt.Errorf("extracting measurement at index %d: %w", i, err) } - if m.AuthorizedBy != nil { + if len(m.AuthorizedBy) > 0 { err := TestdecodeAuthorisedBy(m) if err != nil { return fmt.Errorf("extracting measurement at index %d: %w", i, err) @@ -306,8 +306,8 @@ func Example_decode_QE_CBOR() { // mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a // mrsigner Digest Alg: 8 // mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6aa314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a - // CryptoKey Type: pkix-base64-key - // CryptoKey Value: -----BEGIN PUBLIC KEY----- + // CryptoKey 0 Type: pkix-base64-key + // CryptoKey 0 Value: -----BEGIN PUBLIC KEY----- // MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg== // -----END PUBLIC KEY----- } diff --git a/comid/tdx-profile/example_seam_refval_test.go b/comid/tdx-profile/example_seam_refval_test.go index 4365bf07..f934cea0 100644 --- a/comid/tdx-profile/example_seam_refval_test.go +++ b/comid/tdx-profile/example_seam_refval_test.go 
@@ -60,8 +60,8 @@ func Example_decode_JSON() { // mrsigner Digest Value: 87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7 // mrsigner Digest Alg: 8 // mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6aa314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a - // CryptoKey Type: pkix-base64-key - // CryptoKey Value: -----BEGIN PUBLIC KEY----- + // CryptoKey 0 Type: pkix-base64-key + // CryptoKey 0 Value: -----BEGIN PUBLIC KEY----- // MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg== // -----END PUBLIC KEY----- } @@ -423,8 +423,8 @@ func Example_decode_CBOR() { // mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a // mrsigner Digest Alg: 8 // mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6aa314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a - // CryptoKey Type: pkix-base64-key - // CryptoKey Value: -----BEGIN PUBLIC KEY----- + // CryptoKey 0 Type: pkix-base64-key + // CryptoKey 0 Value: -----BEGIN PUBLIC KEY----- // MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg== // -----END PUBLIC KEY----- @@ -468,7 +468,7 @@ func extractSeamMeasurements(meas *comid.Measurements) error { return fmt.Errorf("extracting measurement at index %d: %w", i, err) } - if m.AuthorizedBy != nil { + if len(m.AuthorizedBy) > 0 { err := TestdecodeAuthorisedBy(m) if err != nil { return fmt.Errorf("extracting measurement at index %d: %w", i, err) diff --git a/comid/tdx-profile/test_vars.go b/comid/tdx-profile/test_vars.go index 601a7bd8..910d34aa 100644 --- a/comid/tdx-profile/test_vars.go +++ b/comid/tdx-profile/test_vars.go 
@@ -215,10 +215,12 @@ const ( ], "pceid": "0000" }, - "authorized-by": { - "type": "pkix-base64-key", - "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----" - } + "authorized-by": [ + { + "type": "pkix-base64-key", + "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----" + } + ] } ] } @@ -285,10 +287,12 @@ const ( "value": "AwM=" } }, - "authorized-by": { - "type": "pkix-base64-key", - "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----" - } + "authorized-by": [ + { + "type": "pkix-base64-key", + "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----" + } + ] } ] } @@ -374,10 +378,12 @@ const ( } } }, - "authorized-by": { - "type": "pkix-base64-key", - "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----" - } + "authorized-by": [ + { + "type": "pkix-base64-key", + "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----" + } + ] } ] } diff --git a/comid/tdx-profile/testcases/comid_pce_refval.cbor b/comid/tdx-profile/testcases/comid_pce_refval.cbor index fc6ef7f2bad595fe88584347c6c974f3fba0abf1..4d33c132df7e5e8da0fe013c2338cc1fde0e4541 100644 GIT binary patch delta 13 UcmX@de4crOBqL+vWJ$)Y03d<{QUCw| delta 11 ScmX@le2#g8B;#Z$#;pJuAOq0= 
diff --git a/comid/tdx-profile/testcases/comid_qe_refval.cbor b/comid/tdx-profile/testcases/comid_qe_refval.cbor index a25455535445bfd2a70e0ed903be00e11038d23f..e2586a3be299c5013790b5a22aa41a6ad3929667 100644 GIT binary patch delta 13 Ucmey!{E2yk4I^XYWE;k<03}NV-T(jq delta 11 Scmeyw{E>Ns4dY~6#;pJy7X)1Z diff --git a/comid/tdx-profile/testcases/comid_seam_refval.cbor b/comid/tdx-profile/testcases/comid_seam_refval.cbor index cbf4287108c470711ce42d01dd15781f3fa6a770..6e4dbebf101df61b5a3139c7db0d238bf30f07fc 100644 GIT binary patch delta 13 Ucmcb^e3yBHIwND_WOc@^03vJziU0rr delta 11 Scmcc1e2001I^$#w#;pJvwgd?P diff --git a/comid/tdx-profile/testcases/src/comid_pce_refval.diag b/comid/tdx-profile/testcases/src/comid_pce_refval.diag index f6dd910a..1adf4c85 100644 --- a/comid/tdx-profile/testcases/src/comid_pce_refval.diag +++ b/comid/tdx-profile/testcases/src/comid_pce_refval.diag @@ -43,7 +43,7 @@ ], / pceid / -80 : "0000" }, - / authorized-by / 2: 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") + / authorized-by / 2: [ 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") ] } ] ] ] diff --git a/comid/tdx-profile/testcases/src/comid_qe_refval.diag b/comid/tdx-profile/testcases/src/comid_qe_refval.diag index 090c72be..3dac7207 100644 --- a/comid/tdx-profile/testcases/src/comid_qe_refval.diag +++ b/comid/tdx-profile/testcases/src/comid_qe_refval.diag 
@@ -40,7 +40,7 @@ / advisory-ids / -89 : 60021([ /member/ 6, [ "INTEL-SA-00078", "INTEL-SA-00079" ]]), / tcbstatus / -88 : 60021([ /member/ 6, [ "UpToDate" ]]) }, - / authorized-by / 2: 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") + / authorized-by / 2: [ 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") ] } ] ] ] diff --git a/comid/tdx-profile/testcases/src/comid_seam_refval.diag b/comid/tdx-profile/testcases/src/comid_seam_refval.diag index 6f51a828..54acdd2b 100644 --- a/comid/tdx-profile/testcases/src/comid_seam_refval.diag +++ b/comid/tdx-profile/testcases/src/comid_seam_refval.diag @@ -47,7 +47,7 @@ ]), / tcb-eval-num / -86 : 60010([ / op.ge / 2, 11 ]) }, - 2: 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") + / authorized-by / 2: [ 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") ] } ] ] ]