veraison · jraman567 · Mar 26, 2026 · Mar 16, 2026
diff --git a/scheme/sevsnp/scheme_test.go b/scheme/sevsnp/scheme_test.go
@@ -0,0 +1,162 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package sevsnp
+
+import (
+	_ "embed"
+	"encoding/hex"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/veraison/corim/comid"
+	"github.com/veraison/corim/corim"
+	"github.com/veraison/ear"
+	"github.com/veraison/services/vts/appraisal"
+)
+
+//go:embed test/evidence/sevsnp-ratsd-token
+var sevsnpRatsdToken []byte
+
+//go:embed test/evidence/sevsnp-ratsd-claims.json
+var sevsnpRatsdClaimsMapJson []byte
+
+//go:embed test/evidence/sevsnp-ratsd-env.json
+var sevsnpRatsdEnv []byte
+
+//go:embed test/corim/corim-sevsnp-valid.cbor
+var sevsnpCorimValidEndorsements []byte
+
+func Test_GetTrustAnchorIDs_ok(t *testing.T) {
+	Impl := NewImplementation()
+	evidence := appraisal.Evidence{Data: sevsnpRatsdToken, MediaType: `application/eat+cwt; eat_profile="tag:github.com,2025:veraison/ratsd/cmw"`}
+	env, err := Impl.GetTrustAnchorIDs(&evidence)
+	require.NoError(t, err)
+
+	expectedVendor := "Advanced Micro Devices"
+	expectedModel := "ARK-Genoa"
+	expectedEnv := comid.Environment{Class: &comid.Class{Vendor: &expectedVendor, Model: &expectedModel}}
+
+	require.Len(t, env, 1)
+	assert.Equal(t, *env[0], expectedEnv)
+}
+
+func Test_GetReferenceValueIDs_ok(t *testing.T) {
+	var (
+		claims      map[string]any
+		expectedEnv comid.Environment
+	)
+
+	err := json.Unmarshal(sevsnpRatsdClaimsMapJson, &claims)
+	require.NoError(t, err)
+
+	Impl := NewImplementation()
+	env, err := Impl.GetReferenceValueIDs(nil, claims)
+	require.NoError(t, err)
+	require.Len(t, env, 1)
+
+	err = json.Unmarshal(sevsnpRatsdEnv, &expectedEnv)
+	require.NoError(t, err)
+
+	assert.Equal(t, *env[0], expectedEnv)
+}
+
+func Test_ExtractClaims_ok(t *testing.T) {
+	var expectedClaims map[string]any
+
+	err := json.Unmarshal(sevsnpRatsdClaimsMapJson, &expectedClaims)
+	require.NoError(t, err)
+
+	expectedMeasurementMap, err := transformClaimsToMeasurementsMap(expectedClaims)
+	require.NoError(t, err)
+
+	Impl := NewImplementation()
+	evidence := appraisal.Evidence{Data: sevsnpRatsdToken, MediaType: `application/eat+cwt; eat_profile="tag:github.com,2025:veraison/ratsd/cmw"`}
+	claims, err := Impl.ExtractClaims(&evidence, nil)
+	require.NoError(t, err)
+	measurementMap, err := transformClaimsToMeasurementsMap(claims)
+	require.NoError(t, err)
+
+	assert.Equal(t, expectedMeasurementMap, measurementMap)
+}
+
+func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
+	var (
+		endCorim     corim.UnsignedCorim
+		endComid     comid.Comid
+		trustAnchors []*comid.KeyTriple
+	)
+
+	err := endCorim.FromCBOR(sevsnpCorimValidEndorsements)
+	require.NoError(t, err)
+	require.Len(t, endCorim.Tags, 2)
+	err = endComid.FromCBOR(endCorim.Tags[1].Content)
+	require.NoError(t, err)
+	keyTriples := *endComid.Triples.AttestVerifKeys
+	trustAnchors = append(trustAnchors, &keyTriples[0])
+
+	nonce, err := hex.DecodeString("4d4944424e48323869696f69736a5079787878787878787878787878787878784d4944424e48323869696f69736a507978787878787878787878787878787878")
+	require.NoError(t, err)
+
+	incorrectNonce := make([]byte, len(nonce))
+	copy(incorrectNonce, nonce)
+	incorrectNonce[0] ^= 0xff
+
+	Impl := NewImplementation()
+
+	testCases := []struct {
+		name    string
+		nonce   []byte
+		wantErr bool
+	}{
+		{name: "valid nonce", nonce: nonce},
+		{name: "invalid nonce", nonce: incorrectNonce, wantErr: true},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			evidence := appraisal.Evidence{
+				Data:      sevsnpRatsdToken,
+				MediaType: `application/eat+cwt; eat_profile="tag:github.com,2025:veraison/ratsd/cmw"`,
+				Nonce:     tc.nonce,
+			}
+
+			err := Impl.ValidateEvidenceIntegrity(&evidence, trustAnchors, nil)
+			if tc.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+		})
+	}
+}
+
+func Test_AppraiseClaims_ok(t *testing.T) {
+	var (
+		claims       map[string]any
+		endCorim     corim.UnsignedCorim
+		endComid     comid.Comid
+		endorsements []*comid.ValueTriple
+	)
+
+	err := json.Unmarshal(sevsnpRatsdClaimsMapJson, &claims)
+	require.NoError(t, err)
+
+	err = endCorim.FromCBOR(sevsnpCorimValidEndorsements)
+	require.NoError(t, err)
+	require.Len(t, endCorim.Tags, 2)
+	err = endComid.FromCBOR(endCorim.Tags[0].Content)
+	require.NoError(t, err)
+
+	Impl := NewImplementation()
+	endorsements = append(endorsements, &endComid.Triples.ReferenceValues.Values[0])
+	attestationResult, err := Impl.AppraiseClaims(claims, endorsements)
+	require.NoError(t, err)
+
+	sevsnpSubmod := attestationResult.Submods["SEVSNP"]
+
+	assert.Equal(t, ear.TrustTierAffirming, *sevsnpSubmod.Status)
+	assert.Equal(t, ear.GenuineHardwareClaim, sevsnpSubmod.TrustVector.Hardware)
+	assert.Equal(t, ear.EncryptedMemoryRuntimeClaim, sevsnpSubmod.TrustVector.RuntimeOpaque)
+}
diff --git a/scheme/sevsnp/test/evidence/sevsnp-ratsd-claims.json b/scheme/sevsnp/test/evidence/sevsnp-ratsd-claims.json
@@ -0,0 +1 @@
+{"corim-id":"unknown type for tag-id","tags":["2QH6WQLGowBlZW4tR0IBoQBQy16WJCanSW2LmkQNO2vOEAShAIGCogChANhvSSsGAQQBnHgDAQHZAjBYQHsVhMlMekJhZLLbEZiQPbBoW39f2r30LU2pgbDeUh0dXV2KkZMru8GxP11crkWnMEZX2anQHFDENWcPBWKllwuVogAAAaEAogBhMwEEogABAaEB2QIpAKIAAgGhBNkCMEgAAAAAAAMAAKIAAwGhBNkCMFAAAAAAAAAAAAAAAAAAAAAAogAEAaEE2QIwUAAAAAAAAAAAAAAAAAAAAACiAAUBoQTZAjBEAAAAAKIABgGhAdkCKBtUFwAAAAAACqIABwGhBNkCMEgAAAAAAAAAJaIAGQKAAaEE2QIwWEBNSURCTkgyOGlpb2lzalB5eHh4eHh4eHh4eHh4eHh4eE1JREJOSDI4aWlvaXNqUHl4eHh4eHh4eHh4eHh4eHh4ogAZAoEBoQKBggdYMHaZ5qwSzN/R36xw5knOHwRssq+7ADQ49M3d/izL4YL6X/vo3NuTBFQyThDFLHiJgKIAGQKFAaEE2QIwWCCDf+blwwCyREa0gOZ4W0lHS+p1j5gGX9mE/WzvPgBoD6IAGQKGAaEE2QIwWCD//////////////////////////////////////////6IAGQKHAaEB2QIoG1QXAAAAAAAKogAZAogBoQTZAjBBGaIAGQKJAaEE2QIwQRGiABkCigGhBNkCMEEBogAZDQABoQTZAjBYQHsVhMlMekJhZLLbEZiQPbBoW39f2r30LU2pgbDeUh0dXV2KkZMru8GxP11crkWnMEZX2anQHFDENWcPBWKllwuiABkNAQGhAdkCKBtUFwAAAAAACqIAGQ0CAaEAogBnMS41NS40MAEZQACiABkPYAGhAKIAZzEuNTUuNDABGUAAogAZD4ABoQHZAigbVBcAAAAAAAo="]}
diff --git a/scheme/sevsnp/test/evidence/sevsnp-ratsd-env.json b/scheme/sevsnp/test/evidence/sevsnp-ratsd-env.json
@@ -0,0 +1 @@
+{"class":{"id":{"type":"oid","value":"1.3.6.1.4.1.3704.3.1"}},"instance":{"type":"bytes","value":"dpnmrBLM39HfrHDmSc4fBGyyr7sANDj0zd3+LMvhgvpf++jc25MEVDJOEMUseImA"}}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"corim-id":"unknown type for tag-id","tags":["2QH6WQLGowBlZW4tR0IBoQBQy16WJCanSW2LmkQNO2vOEAShAIGCogChANhvSSsGAQQBnHgDAQHZAjBYQHsVhMlMekJhZLLbEZiQPbBoW39f2r30LU2pgbDeUh0dXV2KkZMru8GxP11crkWnMEZX2anQHFDENWcPBWKllwuVogAAAaEAogBhMwEEogABAaEB2QIpAKIAAgGhBNkCMEgAAAAAAAMAAKIAAwGhBNkCMFAAAAAAAAAAAAAAAAAAAAAAogAEAaEE2QIwUAAAAAAAAAAAAAAAAAAAAACiAAUBoQTZAjBEAAAAAKIABgGhAdkCKBtUFwAAAAAACqIABwGhBNkCMEgAAAAAAAAAJaIAGQKAAaEE2QIwWEBNSURCTkgyOGlpb2lzalB5eHh4eHh4eHh4eHh4eHh4eE1JREJOSDI4aWlvaXNqUHl4eHh4eHh4eHh4eHh4eHh4ogAZAoEBoQKBggdYMHaZ5qwSzN/R36xw5knOHwRssq+7ADQ49M3d/izL4YL6X/vo3NuTBFQyThDFLHiJgKIAGQKFAaEE2QIwWCCDf+blwwCyREa0gOZ4W0lHS+p1j5gGX9mE/WzvPgBoD6IAGQKGAaEE2QIwWCD//////////////////////////////////////////6IAGQKHAaEB2QIoG1QXAAAAAAAKogAZAogBoQTZAjBBGaIAGQKJAaEE2QIwQRGiABkCigGhBNkCMEEBogAZDQABoQTZAjBYQHsVhMlMekJhZLLbEZiQPbBoW39f2r30LU2pgbDeUh0dXV2KkZMru8GxP11crkWnMEZX2anQHFDENWcPBWKllwuiABkNAQGhAdkCKBtUFwAAAAAACqIAGQ0CAaEAogBnMS41NS40MAEZQACiABkPYAGhAKIAZzEuNTUuNDABGUAAogAZD4ABoQHZAigbVBcAAAAAAAo="]}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"class":{"id":{"type":"oid","value":"1.3.6.1.4.1.3704.3.1"}},"instance":{"type":"bytes","value":"dpnmrBLM39HfrHDmSc4fBGyyr7sANDj0zd3+LMvhgvpf++jc25MEVDJOEMUseImA"}}