Accept UVM endorsements with integer SVN (#7316)

achamayou · web-flow · commit b502534c31e4 · 2025-09-29T13:39:56.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added `ccf.gov.validateConstitution` function to JS API, which can be used to confirm some basic properties of a proposed constitution (it is a string, parseable by our JS interpreter, exporting functions named `validate`, `resolve` and `apply` with the correct number of arguments). This is called in the default sample constitution's `set_constitution.validate`.
 - Added logging of the initial node attestation value ("Initial node attestation...") (#7256).
 - Improved handling of socket errors in curlm callbacks (#7308)
+- Accept UVM endorsements with SVNs encoded as integers (#7316)
 
 ### Fixed
 
diff --git a/src/node/test/endorsements.cpp b/src/node/test/endorsements.cpp
@@ -68,6 +68,43 @@ TEST_CASE("Check ECDSA Test endorsement")
   REQUIRE(endorsements == ccf::default_uvm_roots_of_trust[1]);
 }
 
+TEST_CASE("Check Test endorsement with integer SVN")
+{
+  char* end_path = std::getenv("TEST_ENDORSEMENTS_PATH");
+  REQUIRE(end_path != nullptr);
+
+  auto endorsement = files::slurp(fmt::format("{}/int_svn.cose", end_path));
+  REQUIRE(!endorsement.empty());
+
+  ccf::pal::SnpAttestationMeasurement measurement(
+    "d0c9e2be22046e60779be88868cff64c2aa22047c15d3127ba495cee3fbc2854c5633f9da2"
+    "096e6c64ae2b69bbff8082");
+  ccf::pal::PlatformAttestationMeasurement uvm_measurement(measurement);
+
+  std::vector<ccf::pal::UVMEndorsements> custom_roots_of_trust = {
+    ccf::pal::UVMEndorsements{
+      "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3."
+      "6.1.4.1.311.76.59.1.5",
+      "Malicious-ConfAKS-AMD-UVM",
+      "1"}};
+  REQUIRE_THROWS_WITH_AS(
+    ccf::verify_uvm_endorsements_against_roots_of_trust(
+      endorsement, uvm_measurement, custom_roots_of_trust),
+    "UVM endorsements did "
+    "did:x509:0:sha256:I__iuL25oXEVFdTP_aBLx_eT1RPHbCQ_ECBQfYZpt9s::eku:1.3.6."
+    "1.4.1.311.76.59.1.2, feed ContainerPlat-AMD-UVM, svn 102 do not match any "
+    "of the "
+    "known UVM roots of trust",
+    std::logic_error);
+
+  auto endorsements = ccf::verify_uvm_endorsements_against_roots_of_trust(
+    endorsement, uvm_measurement, ccf::default_uvm_roots_of_trust);
+
+  REQUIRE(endorsements.did == ccf::default_uvm_roots_of_trust[0].did);
+  REQUIRE(endorsements.feed == ccf::default_uvm_roots_of_trust[0].feed);
+  REQUIRE(endorsements.svn == "102");
+}
+
 TEST_CASE("Check UVM roots of trust matching")
 {
   ccf::pal::UVMEndorsements old{"issuer1", "subject1", "0"};
diff --git a/src/node/uvm_endorsements.cpp b/src/node/uvm_endorsements.cpp
@@ -13,9 +13,32 @@ namespace ccf
   {
     return std::ranges::any_of(
       uvm_roots_of_trust, [&](const auto& uvm_root_of_trust) {
+        size_t root_of_trust_svn = 0;
+        auto result = std::from_chars(
+          uvm_root_of_trust.svn.data(),
+          uvm_root_of_trust.svn.data() + uvm_root_of_trust.svn.size(),
+          root_of_trust_svn);
+        if (result.ec != std::errc())
+        {
+          throw std::runtime_error(fmt::format(
+            "Unable to parse svn value {} to unsigned in UVM root of trust",
+            uvm_root_of_trust.svn));
+        }
+        size_t endorsement_svn = 0;
+        result = std::from_chars(
+          endorsements.svn.data(),
+          endorsements.svn.data() + endorsements.svn.size(),
+          endorsement_svn);
+        if (result.ec != std::errc())
+        {
+          throw std::runtime_error(fmt::format(
+            "Unable to parse svn value {} to unsigned in UVM endorsements",
+            endorsements.svn));
+        }
+
         return uvm_root_of_trust.did == endorsements.did &&
           uvm_root_of_trust.feed == endorsements.feed &&
-          uvm_root_of_trust.svn <= endorsements.svn;
+          root_of_trust_svn <= endorsement_svn;
       });
   }
 
@@ -269,25 +292,58 @@ namespace ccf
         cose::headers::CONTENT_TYPE_APPLICATION_JSON_VALUE));
     }
 
-    UVMEndorsementsPayload payload = nlohmann::json::parse(raw_payload);
-    if (payload.sevsnpvm_launch_measurement != uvm_measurement.hex_str())
+    auto payload = nlohmann::json::parse(raw_payload);
+    std::string sevsnpvm_launch_measurement =
+      payload["x-ms-sevsnpvm-launchmeasurement"].get<std::string>();
+    auto sevsnpvm_guest_svn_obj = payload["x-ms-sevsnpvm-guestsvn"];
+    std::string sevsnpvm_guest_svn;
+    if (sevsnpvm_guest_svn_obj.is_string())
+    {
+      sevsnpvm_guest_svn = sevsnpvm_guest_svn_obj.get<std::string>();
+      size_t uintval = 0;
+      auto result = std::from_chars(
+        sevsnpvm_guest_svn.data(),
+        sevsnpvm_guest_svn.data() + sevsnpvm_guest_svn.size(),
+        uintval);
+      if (result.ec != std::errc())
+      {
+        throw std::logic_error(fmt::format(
+          "Unable to parse sevsnpvm_guest_svn value {} to unsigned in UVM "
+          "endorsements "
+          "payload",
+          sevsnpvm_guest_svn));
+      }
+    }
+    else if (sevsnpvm_guest_svn_obj.is_number_unsigned())
+    {
+      sevsnpvm_guest_svn = std::to_string(sevsnpvm_guest_svn_obj.get<size_t>());
+    }
+    else
+    {
+      throw std::logic_error(fmt::format(
+        "Unexpected type {} for sevsnpvm_guest_svn in UVM endorsements "
+        "payload, expected string or unsigned integer",
+        sevsnpvm_guest_svn_obj.type_name()));
+    }
+
+    if (sevsnpvm_launch_measurement != uvm_measurement.hex_str())
     {
       throw std::logic_error(fmt::format(
         "Launch measurement in UVM endorsements payload {} is not equal "
         "to UVM attestation measurement {}",
-        payload.sevsnpvm_launch_measurement,
+        sevsnpvm_launch_measurement,
         uvm_measurement.hex_str()));
     }
 
     LOG_INFO_FMT(
       "Successfully verified endorsements for attested measurement {} against "
       "{}, feed {}, svn {}",
-      payload.sevsnpvm_launch_measurement,
+      sevsnpvm_launch_measurement,
       did,
       phdr.feed,
-      payload.sevsnpvm_guest_svn);
+      sevsnpvm_guest_svn);
 
-    pal::UVMEndorsements end{did, phdr.feed, payload.sevsnpvm_guest_svn};
+    pal::UVMEndorsements end{did, phdr.feed, sevsnpvm_guest_svn};
 
     if (
       enforce_uvm_roots_of_trust &&
diff --git a/src/node/uvm_endorsements.h b/src/node/uvm_endorsements.h
@@ -19,19 +19,6 @@
 
 namespace ccf
 {
-  struct UVMEndorsementsPayload
-  {
-    std::string sevsnpvm_guest_svn;
-    std::string sevsnpvm_launch_measurement;
-  };
-  DECLARE_JSON_TYPE(UVMEndorsementsPayload);
-  DECLARE_JSON_REQUIRED_FIELDS_WITH_RENAMES(
-    UVMEndorsementsPayload,
-    sevsnpvm_guest_svn,
-    "x-ms-sevsnpvm-guestsvn",
-    sevsnpvm_launch_measurement,
-    "x-ms-sevsnpvm-launchmeasurement");
-
   struct UvmEndorsementsProtectedHeader
   {
     int64_t alg;
diff --git a/tests/uvm_endorsements/int_svn.cose b/tests/uvm_endorsements/int_svn.cose
