veraison · joydeep049 · Aug 19, 2025
diff --git a/coev/coswid_evidence.go b/coev/coswid_evidence.go
@@ -10,9 +10,9 @@ import (
 
 // CoSWIDEvidenceMap is the Map to carry CoSWID Evidence
 type CoSWIDEvidenceMap struct {
-	TagID        *swid.TagID      `cbor:"0,keyasint,omitempty" json:"tagId,omitempty"`
-	Evidence     swid.Evidence    `cbor:"1,keyasint,omitempty" json:"evidence,omitempty"`
-	AuthorizedBy *comid.CryptoKey `cbor:"2,keyasint,omitempty" json:"authorized-by,omitempty"`
+	TagID        *swid.TagID        `cbor:"0,keyasint,omitempty" json:"tagId,omitempty"`
+	Evidence     swid.Evidence      `cbor:"1,keyasint,omitempty" json:"evidence,omitempty"`
+	AuthorizedBy []*comid.CryptoKey `cbor:"2,keyasint,omitempty" json:"authorized-by,omitempty"`
 }
 
 type CoSWIDEvidence []CoSWIDEvidenceMap

diff --git a/coev/example_test.go b/coev/example_test.go
@@ -298,10 +298,12 @@ func Example_decode_JSON() {
                             "raw-value-mask": "/////w==",
                             "mac-addr": "02:00:5e:10:00:00:00:02"
                         },
-                        "authorized-by": {
-                            "type": "pkix-base64-key",
-                            "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
-                        }
+                        "authorized-by": [
+                            {
+                                "type": "pkix-base64-key",
+                                "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
+                            }
+                        ]
                     }
                 ]
             }

diff --git a/comid/measurement.go b/comid/measurement.go
@@ -493,9 +493,9 @@ func (o Mval) Valid() error {
 
 // Measurement stores a measurement-map with CBOR and JSON serializations.
 type Measurement struct {
-	Key          *Mkey      `cbor:"0,keyasint,omitempty" json:"key,omitempty"`
-	Val          Mval       `cbor:"1,keyasint" json:"value"`
-	AuthorizedBy *CryptoKey `cbor:"2,keyasint,omitempty" json:"authorized-by,omitempty"`
+	Key          *Mkey        `cbor:"0,keyasint,omitempty" json:"key,omitempty"`
+	Val          Mval         `cbor:"1,keyasint" json:"value"`
+	AuthorizedBy []*CryptoKey `cbor:"2,keyasint,omitempty" json:"authorized-by,omitempty"`
 }
 
 func NewMeasurement(val any, typ string) (*Measurement, error) {
@@ -768,6 +768,27 @@ func (o *Measurement) SetName(name string) *Measurement {
 	return o
 }
 
+// SetAuthorizedBy sets the supplied crypto keys in the AuthorizedBy field of the
+// target measurement
+func (o *Measurement) SetAuthorizedBy(keys []*CryptoKey) *Measurement {
+	if o != nil {
+		o.AuthorizedBy = keys
+	}
+	return o
+}
+
+// AddAuthorizedBy adds a crypto key to the AuthorizedBy field of the
+// target measurement
+func (o *Measurement) AddAuthorizedBy(key *CryptoKey) *Measurement {
+	if o != nil {
+		if o.AuthorizedBy == nil {
+			o.AuthorizedBy = make([]*CryptoKey, 0)
+		}
+		o.AuthorizedBy = append(o.AuthorizedBy, key)
+	}
+	return o
+}
+
 // nolint:gocritic
 func (o Measurement) Valid() error {
 	if o.Key != nil && o.Key.IsSet() {

diff --git a/comid/tdx-profile/common_extract_test.go b/comid/tdx-profile/common_extract_test.go
@@ -153,10 +153,16 @@ func testextractTeeTcbEvalNum(tcbEvalNum *TeeTcbEvalNumber) error {
 }
 
 func TestdecodeAuthorisedBy(m *comid.Measurement) error {
-	if err := m.AuthorizedBy.Valid(); err != nil {
-		return fmt.Errorf("invalid cryptokey: %w", err)
+	if len(m.AuthorizedBy) == 0 {
+		return fmt.Errorf("no authorized by cryptokeys")
+	}
+
+	for i, key := range m.AuthorizedBy {
+		if err := key.Valid(); err != nil {
+			return fmt.Errorf("invalid cryptokey at index %d: %w", i, err)
+		}
+		fmt.Printf("\nCryptoKey %d Type: %s", i, key.Type())
+		fmt.Printf("\nCryptoKey %d Value: %s", i, key.String())
 	}
-	fmt.Printf("\nCryptoKey Type: %s", m.AuthorizedBy.Type())
-	fmt.Printf("\nCryptoKey Value: %s", m.AuthorizedBy.String())
 	return nil
 }
diff --git a/comid/tdx-profile/example_pce_refval_test.go b/comid/tdx-profile/example_pce_refval_test.go
@@ -76,8 +76,8 @@ func Example_decode_PCE_JSON() {
 	// SVN Value: 10
 	// SVN Operator: greater_or_equal
 	// SVN Value: 10
-	// CryptoKey Type: pkix-base64-key
-	// CryptoKey Value: -----BEGIN PUBLIC KEY-----
+	// CryptoKey 0 Type: pkix-base64-key
+	// CryptoKey 0 Value: -----BEGIN PUBLIC KEY-----
 	// MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==
 	// -----END PUBLIC KEY-----
 }
@@ -121,7 +121,7 @@ func extractPCEMeasurements(meas *comid.Measurements) error {
 			return fmt.Errorf("extracting measurement at index %d: %w", i, err)
 		}
 
-		if m.AuthorizedBy != nil {
+		if len(m.AuthorizedBy) > 0 {
 			err := TestdecodeAuthorisedBy(m)
 			if err != nil {
 				return fmt.Errorf("extracting measurement at index %d: %w", i, err)
@@ -280,8 +280,8 @@ func Example_decode_PCE_CBOR() {
 	// SVN Value: 0
 	// SVN Operator: greater_or_equal
 	// SVN Value: 0
-	// CryptoKey Type: pkix-base64-key
-	// CryptoKey Value: -----BEGIN PUBLIC KEY-----
+	// CryptoKey 0 Type: pkix-base64-key
+	// CryptoKey 0 Value: -----BEGIN PUBLIC KEY-----
 	// MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==
 	// -----END PUBLIC KEY-----
 }

diff --git a/comid/tdx-profile/example_qe_refval_test.go b/comid/tdx-profile/example_qe_refval_test.go
@@ -53,8 +53,8 @@ func Example_decode_QE_JSON() {
 	// mrsigner Digest Value: 87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7
 	// mrsigner Digest Alg: 8
 	// mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6aa314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a
-	// CryptoKey Type: pkix-base64-key
-	// CryptoKey Value: -----BEGIN PUBLIC KEY-----
+	// CryptoKey 0 Type: pkix-base64-key
+	// CryptoKey 0 Value: -----BEGIN PUBLIC KEY-----
 	// MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==
 	// -----END PUBLIC KEY-----
 }
@@ -98,7 +98,7 @@ func extractQEMeasurements(meas *comid.Measurements) error {
 			return fmt.Errorf("extracting measurement at index %d: %w", i, err)
 		}
 
-		if m.AuthorizedBy != nil {
+		if len(m.AuthorizedBy) > 0 {
 			err := TestdecodeAuthorisedBy(m)
 			if err != nil {
 				return fmt.Errorf("extracting measurement at index %d: %w", i, err)
@@ -306,8 +306,8 @@ func Example_decode_QE_CBOR() {
 	// mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a
 	// mrsigner Digest Alg: 8
 	// mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6aa314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a
-	// CryptoKey Type: pkix-base64-key
-	// CryptoKey Value: -----BEGIN PUBLIC KEY-----
+	// CryptoKey 0 Type: pkix-base64-key
+	// CryptoKey 0 Value: -----BEGIN PUBLIC KEY-----
 	// MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==
 	// -----END PUBLIC KEY-----
 }
diff --git a/comid/tdx-profile/example_seam_refval_test.go b/comid/tdx-profile/example_seam_refval_test.go
@@ -60,8 +60,8 @@ func Example_decode_JSON() {
 	// mrsigner Digest Value: 87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7
 	// mrsigner Digest Alg: 8
 	// mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6aa314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a
-	// CryptoKey Type: pkix-base64-key
-	// CryptoKey Value: -----BEGIN PUBLIC KEY-----
+	// CryptoKey 0 Type: pkix-base64-key
+	// CryptoKey 0 Value: -----BEGIN PUBLIC KEY-----
 	// MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==
 	// -----END PUBLIC KEY-----
 }
@@ -423,8 +423,8 @@ func Example_decode_CBOR() {
 	// mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a
 	// mrsigner Digest Alg: 8
 	// mrsigner Digest Value: a314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6aa314fc2dc663ae7a6b6bc6787594057396e6b3f569cd50fd5ddb4d1bbafd2b6a
-	// CryptoKey Type: pkix-base64-key
-	// CryptoKey Value: -----BEGIN PUBLIC KEY-----
+	// CryptoKey 0 Type: pkix-base64-key
+	// CryptoKey 0 Value: -----BEGIN PUBLIC KEY-----
 	// MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==
 	// -----END PUBLIC KEY-----
 
@@ -468,7 +468,7 @@ func extractSeamMeasurements(meas *comid.Measurements) error {
 			return fmt.Errorf("extracting measurement at index %d: %w", i, err)
 		}
 
-		if m.AuthorizedBy != nil {
+		if len(m.AuthorizedBy) > 0 {
 			err := TestdecodeAuthorisedBy(m)
 			if err != nil {
 				return fmt.Errorf("extracting measurement at index %d: %w", i, err)

diff --git a/comid/tdx-profile/test_vars.go b/comid/tdx-profile/test_vars.go
@@ -215,10 +215,12 @@ const (
                             ],
                             "pceid": "0000"
                         },
-                        "authorized-by": {
-                            "type": "pkix-base64-key",
-                            "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
-                        }
+                        "authorized-by": [
+                            {
+                                "type": "pkix-base64-key",
+                                "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
+                            }
+                        ]
                     }
                 ]
             }
@@ -285,10 +287,12 @@ const (
                                 "value": "AwM="
                             }
                         },
-                        "authorized-by": {
-                            "type": "pkix-base64-key",
-                            "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
-                        }
+                        "authorized-by": [
+                            {
+                                "type": "pkix-base64-key",
+                                "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
+                            }
+                        ]
                     }
                 ]
             }
@@ -374,10 +378,12 @@ const (
                                 }
                             }
                         },
-                        "authorized-by": {
-                            "type": "pkix-base64-key",
-                            "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
-                        }
+                        "authorized-by": [
+                            {
+                                "type": "pkix-base64-key",
+                                "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----"
+                            }
+                        ]
                     }
                 ]
             }

diff --git a/comid/tdx-profile/testcases/comid_pce_refval.cbor b/comid/tdx-profile/testcases/comid_pce_refval.cbor
diff --git a/comid/tdx-profile/testcases/comid_qe_refval.cbor b/comid/tdx-profile/testcases/comid_qe_refval.cbor
diff --git a/comid/tdx-profile/testcases/comid_seam_refval.cbor b/comid/tdx-profile/testcases/comid_seam_refval.cbor
diff --git a/comid/tdx-profile/testcases/src/comid_pce_refval.diag b/comid/tdx-profile/testcases/src/comid_pce_refval.diag
@@ -43,7 +43,7 @@
                ],
               / pceid / -80 : "0000"
           },
-          / authorized-by / 2: 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----")
+          / authorized-by / 2: [ 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") ]
         }
       ]
     ] ]

diff --git a/comid/tdx-profile/testcases/src/comid_qe_refval.diag b/comid/tdx-profile/testcases/src/comid_qe_refval.diag
@@ -40,7 +40,7 @@
               / advisory-ids /  -89 : 60021([ /member/ 6, [ "INTEL-SA-00078", "INTEL-SA-00079"  ]]),
               / tcbstatus /  -88 : 60021([ /member/ 6, [ "UpToDate"  ]])
           },
-          / authorized-by / 2: 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----")
+          / authorized-by / 2: [ 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") ]
         }
       ]
     ] ]

diff --git a/comid/tdx-profile/testcases/src/comid_seam_refval.diag b/comid/tdx-profile/testcases/src/comid_seam_refval.diag
@@ -47,7 +47,7 @@
               ]),
               / tcb-eval-num / -86 : 60010([ / op.ge / 2, 11 ])
           },
-          2: 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----")
+          / authorized-by / 2: [ 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") ]
         }
       ]
     ] ]
-Original file line number
+Diff line change
@@ Expand Up / @@ -43,7 +43,7 @@ @@
                    ],
                   / pceid / -80 : "0000"
               },
-              / authorized-by / 2: 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----")
+              / authorized-by / 2: [ 554("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFn0taoAwR3PmrKkYLtAsD9o05KSM6mbgfNCgpuL0g6VpTHkZl73wk5BDxoV7n+Oeee0iIqkW3HMZT3ETiniJdg==\n-----END PUBLIC KEY-----") ]
             }
           ]
         ] ]
@@ Expand Down @@