feat(lead verifier): CMW composite evidence parser

yogeshbdeshpande · thomas-fossati · commit c97bc07fecd0 · 2026-01-28T21:39:05.000+01:00
Signed-off-by: Yogesh Deshpande &lt;yogesh.deshpande@arm.com&gt;
diff --git a/go.mod b/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/tbaehler/gin-keycloak v1.6.1
 	github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4
-	github.com/veraison/cmw v0.2.0
+	github.com/veraison/cmw v0.3.0
 	github.com/veraison/corim v1.1.3-0.20251002172919-3c18c66c77b0
 	github.com/veraison/dice v0.0.1
 	github.com/veraison/ear v1.1.2
diff --git a/go.sum b/go.sum
@@ -1223,8 +1223,8 @@ github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4d
 github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4 h1:t2GQueIc1SrErZpprs2ll9ETaXln/nOCPVRq7OejzfQ=
 github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4/go.mod h1:vMqdbW4H/8A3oT+24qssuIK3Aefy06XqzTELGg+gWAg=
-github.com/veraison/cmw v0.2.0 h1:BWEvwZnD4nn5osq6XwQpTRcGxwV+Su4t6ytdAbVXAJY=
-github.com/veraison/cmw v0.2.0/go.mod h1:OiYKk1t6/Fmmg30ZpSMzi4nKr5kt3374sNTkgxC5BDs=
+github.com/veraison/cmw v0.3.0 h1:Uu+Kf76sGseSBXPY6MIGo6CZAqkUUFDt7r6sBN7sB7k=
+github.com/veraison/cmw v0.3.0/go.mod h1:V7OMAyNVrMEWGu1d1LItZRuGJzlO0/KN84ju9XIXmFE=
 github.com/veraison/corim v1.1.3-0.20251002172919-3c18c66c77b0 h1:rl3ANdIHIStRQEYVhU0BaNc87j0W38iWqTwu0HYcuMA=
 github.com/veraison/corim v1.1.3-0.20251002172919-3c18c66c77b0/go.mod h1:NDUWXTTPOnpwTa79HULq+o/6dkgK6XymHdSRGP9YP8M=
 github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4=
diff --git a/vts/compositeevidenceparser/cmw.go b/vts/compositeevidenceparser/cmw.go
@@ -2,10 +2,126 @@
 // SPDX-License-Identifier: Apache-2.0
 package compositeevidenceparser
 
-import "github.com/pkg/errors"
+import (
+	"fmt"
 
-type cmw struct{}
+	"github.com/veraison/cmw"
+)
 
-func (o cmw) Parse(evidence []byte) ([]ComponentEvidence, error) {
-	return nil, errors.New("not implemented")
+const MaxCollectionDepth = 4
+
+type cmwParser struct{}
+
+func (o cmwParser) Parse(evidence []byte) ([]ComponentEvidence, error) {
+	cmwCollection := &cmw.CMW{}
+
+	if err := cmwCollection.Deserialize(evidence); err != nil {
+		return nil, fmt.Errorf("unable to unmarshal CMW collection: %w", err)
+	}
+
+	if cmwCollection.GetKind() != cmw.KindCollection {
+		return nil, fmt.Errorf("evidence is not a CMW collection")
+	}
+
+	if err := cmwCollection.Valid(); err != nil {
+		return nil, fmt.Errorf("unable to validate CMW collection: %w", err)
+	}
+
+	depth := uint(0)
+	parentLabel := ""
+
+	ces, err := parse(cmwCollection, depth, parentLabel)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse CMW collection: %w", err)
+	}
+
+	return ces, nil
+}
+
+func parse(c *cmw.CMW, depth uint, parentLabel string) ([]ComponentEvidence, error) {
+	var ce []ComponentEvidence
+
+	meta, err := c.GetCollectionMeta()
+	if err != nil {
+		return ce, fmt.Errorf("unable to get collection meta at depth %d: %w", depth, err)
+	}
+
+	for _, k := range meta {
+		switch k.Kind {
+		case cmw.KindMonad:
+			collectionItem, err := c.GetCollectionItem(k.Key)
+			if err != nil {
+				return ce, fmt.Errorf("unable to get item for key %v at depth %d: %w", k.Key, depth, err)
+			}
+			e, err := componentEvidenceFromMonad(collectionItem, k.Key, depth, parentLabel)
+			if err != nil {
+				return ce, fmt.Errorf("unable to create Component Evidence for key %v at depth %d: %w", k.Key, depth, err)
+			}
+			ce = append(ce, *e)
+		case cmw.KindCollection:
+			depth++
+			if depth > MaxCollectionDepth {
+				return ce, fmt.Errorf("collection depth %d: exceeded the maximum limit %d:", depth, MaxCollectionDepth)
+			}
+			collectionItem, err := c.GetCollectionItem(k.Key)
+			if err != nil {
+				return ce, fmt.Errorf("unable to get item for key %v at depth %d: %w", k.Key, depth, err)
+			}
+			parentLabel, err := stringify(k.Key)
+			if err != nil {
+				return ce, fmt.Errorf("invalid key %v at depth %d: %w", k.Key, depth, err)
+			}
+			ces, err := parse(collectionItem, depth, parentLabel)
+			if err != nil {
+				return ce, fmt.Errorf("unable to parse nested collection for key %s at depth %d: %w", parentLabel, depth, err)
+			}
+			ce = append(ce, ces...)
+		case cmw.KindUnknown:
+			fallthrough
+		default:
+			return ce, fmt.Errorf("unknown kind %s for key %v at depth %d", k.Kind.String(), k.Key, depth)
+		}
+	}
+
+	return ce, nil
+}
+
+func componentEvidenceFromMonad(c *cmw.CMW, key any, depth uint, parentLabel string) (*ComponentEvidence, error) {
+	mt, err := c.GetMonadType()
+	if err != nil {
+		return nil, fmt.Errorf("invalid monad type: %w", err)
+	}
+
+	d, err := c.GetMonadValue()
+	if err != nil {
+		return nil, fmt.Errorf("invalid monad data: %w", err)
+	}
+
+	k, err := stringify(key)
+	if err != nil {
+		return nil, fmt.Errorf("invalid key: %w", err)
+	}
+
+	return &ComponentEvidence{
+		label:       k,
+		data:        d,
+		mediaType:   mt,
+		parentLabel: parentLabel,
+		depth:       depth,
+	}, nil
+}
+
+func stringify(key any) (string, error) {
+	switch t := key.(type) {
+	case string:
+		return t, nil
+	case uint64:
+		return fmt.Sprintf("%d", t), nil
+	default:
+		return "", fmt.Errorf("key with unknown type %T", t)
+	}
+}
+
+func (o cmwParser) SupportedMediaTypes() []string {
+	return []string{"application/cmw+cbor", "application/cmw+json"}
 }
diff --git a/vts/compositeevidenceparser/cmw_test.go b/vts/compositeevidenceparser/cmw_test.go
@@ -0,0 +1,165 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package compositeevidenceparser
+
+import (
+	"encoding/hex"
+	"os"
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Parse_CBORCollection_OK(t *testing.T) {
+	expected := []ComponentEvidence{
+		{
+			label:       "bretwaldadom",
+			data:        []byte{0xa1, 0x0a},
+			mediaType:   "application/eat-ucs+cbor",
+			parentLabel: "",
+			depth:       0,
+		},
+		{
+			label:       "polyscopic",
+			data:        []byte(`{"eat_nonce": ...}`),
+			mediaType:   "application/eat-ucs+json",
+			parentLabel: "murmurless",
+			depth:       1,
+		},
+		{
+			label:       "photoelectrograph",
+			data:        []byte{0x82, 0x78, 0x18},
+			mediaType:   "application/eat-ucs+cbor",
+			parentLabel: "",
+			depth:       1,
+		},
+	}
+
+	b := mustReadFile(t, "testdata/collection-1.cbor")
+
+	var cmwParser cmwParser
+	ev, err := cmwParser.Parse(b)
+	require.NoError(t, err)
+
+	assert.ElementsMatch(t, expected, ev)
+}
+
+func Test_ParseJSONCollection_OK(t *testing.T) {
+	expected := []ComponentEvidence{
+		{
+			label:       "bretwaldadom",
+			data:        []byte{0xa1, 0x0a},
+			mediaType:   "application/eat-ucs+cbor",
+			parentLabel: "",
+			depth:       0,
+		},
+		{
+			label:       "polyscopic",
+			data:        []byte(`{"eat_nonce": ...}`),
+			mediaType:   "application/eat-ucs+json",
+			parentLabel: "murmurless",
+			depth:       1,
+		},
+		{
+			label:       "photoelectrograph",
+			data:        []byte{0x82, 0x78, 0x18},
+			mediaType:   "application/eat-ucs+cbor",
+			parentLabel: "",
+			depth:       1,
+		},
+	}
+
+	b := mustReadFile(t, "testdata/collection-1.json")
+
+	var cmwParser cmwParser
+	ev, err := cmwParser.Parse(b)
+	require.NoError(t, err)
+
+	assert.ElementsMatch(t, expected, ev)
+}
+
+func Test_Parse_MixedKey_Collection_OK(t *testing.T) {
+	expected := []ComponentEvidence{
+		{
+			label:       "1024",
+			data:        []byte{0xaa},
+			mediaType:   "text/plain; charset=utf-8",
+			parentLabel: "",
+			depth:       0,
+		},
+		{
+			label:       "string",
+			data:        []byte{0xff},
+			mediaType:   "text/plain; charset=utf-8",
+			parentLabel: "",
+			depth:       0,
+		},
+	}
+
+	tv := mustReadFile(t, "testdata/collection-cbor-mixed-keys.cbor")
+
+	var cmwParser cmwParser
+	ev, err := cmwParser.Parse(tv)
+	require.NoError(t, err)
+
+	assert.ElementsMatch(t, expected, ev)
+}
+
+func Test_Parse_Collection_NOK(t *testing.T) {
+	tests := []struct {
+		name        string
+		data        string
+		expectedErr string
+	}{
+		{
+			"CMW monad instead of collection",
+			`83781d6170706c69636174696f6e2f7369676e65642d636f72696d2b63626f724dd901f6d28440a044d901f5a04003`,
+			`evidence is not a CMW collection`,
+		},
+		{
+			"Invalid CMW CBOR header",
+			`63781d6170706c69636174696f6e2f7369676e65642d636f72696d2b63626f724dd901f6d28440a044d901f5a04003`,
+			"unable to unmarshal CMW collection: unknown start symbol for CMW",
+		},
+	}
+
+	for _, tt := range tests {
+		var cmwParser cmwParser
+		cmw, err := hexDecode(tt.data)
+		require.Nil(t, err)
+
+		_, err = cmwParser.Parse(cmw)
+		assert.ErrorContains(t, err, tt.expectedErr)
+	}
+}
+
+func Test_SupportedMediaTypes(t *testing.T) {
+	expected := []string{"application/cmw+cbor", "application/cmw+json"}
+
+	var cmwParser cmwParser
+	mtList := cmwParser.SupportedMediaTypes()
+
+	assert.ElementsMatch(t, expected, mtList)
+}
+
+func hexDecode(s string) ([]byte, error) {
+	// allow a long hex string to be split over multiple lines (with soft or
+	// hard tab indentation)
+	m := regexp.MustCompile("[ \t\n]")
+	s = m.ReplaceAllString(s, "")
+
+	data, err := hex.DecodeString(s)
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+}
+
+func mustReadFile(t *testing.T, fname string) []byte {
+	b, err := os.ReadFile(fname)
+	require.NoError(t, err)
+	return b
+}
diff --git a/vts/compositeevidenceparser/icompositeevidenceparser.go b/vts/compositeevidenceparser/icompositeevidenceparser.go
@@ -4,6 +4,9 @@
 package compositeevidenceparser
 
 type ICompositeEvidenceParser interface {
+	// SupportedMediaTypes returns a list of supported Collection Media Types
+	// supported by the Parser
+	SupportedMediaTypes() []string
 	// Parse returns a list of component evidence payloads together with
 	// relevant identifying metadata.
 	Parse(evidence []byte) ([]ComponentEvidence, error)
diff --git a/vts/compositeevidenceparser/testdata/Makefile b/vts/compositeevidenceparser/testdata/Makefile
@@ -0,0 +1,13 @@
+# Copyright 2026 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
+
+DIAG_TESTDATA := $(wildcard *.diag)
+CBOR_TESTDATA := $(DIAG_TESTDATA:.diag=.cbor)
+
+%.cbor: %.diag ; diag2cbor.rb $< > $@
+
+CLEANFILES += $(CBOR_TESTDATA)
+
+all: $(CBOR_TESTDATA)
+
+clean: ; $(RM) -f $(CLEANFILES)
diff --git a/vts/compositeevidenceparser/testdata/collection-1.cbor b/vts/compositeevidenceparser/testdata/collection-1.cbor
@@ -0,0 +1,2 @@
+�h__cmwc_tstag:ietf.org,2024:Xjmurmurless�h__cmwc_tstag:ietf.org,2024:Yjpolyscopic�xapplication/eat-ucs+jsonR{"eat_nonce": ...}lbretwaldadom�xapplication/eat-ucs+cborB�
+qphotoelectrograph�xapplication/eat-ucs+cborC�x
diff --git a/vts/compositeevidenceparser/testdata/collection-1.diag b/vts/compositeevidenceparser/testdata/collection-1.diag
@@ -0,0 +1,20 @@
+{
+  "__cmwc_t":"tag:ietf.org,2024:X",
+  "murmurless":{
+    "__cmwc_t":"tag:ietf.org,2024:Y",
+    "polyscopic":[
+      "application/eat-ucs+json",
+      h'7B226561745F6E6F6E6365223A202E2E2E7D',
+      4
+    ]
+  },
+  "bretwaldadom":[
+    "application/eat-ucs+cbor",
+    h'A10A'
+  ],
+  "photoelectrograph":[
+    "application/eat-ucs+cbor",
+    h'827818',
+    4
+  ]
+}
diff --git a/vts/compositeevidenceparser/testdata/collection-1.json b/vts/compositeevidenceparser/testdata/collection-1.json
@@ -0,0 +1,20 @@
+{
+  "__cmwc_t": "tag:ietf.org,2024:X",
+  "bretwaldadom": [
+    "application/eat-ucs+cbor",
+    "oQo"
+  ],
+  "murmurless": {
+    "__cmwc_t": "tag:ietf.org,2024:Y",
+    "polyscopic": [
+      "application/eat-ucs+json",
+      "eyJlYXRfbm9uY2UiOiAuLi59",
+      4
+    ]
+  },
+  "photoelectrograph": [
+    "application/eat-ucs+cbor",
+    "gngY",
+    4
+  ]
+}
diff --git a/vts/compositeevidenceparser/testdata/collection-cbor-mixed-keys.cbor b/vts/compositeevidenceparser/testdata/collection-cbor-mixed-keys.cbor
diff --git a/vts/compositeevidenceparser/testdata/collection-cbor-mixed-keys.diag b/vts/compositeevidenceparser/testdata/collection-cbor-mixed-keys.diag
@@ -0,0 +1,7 @@
+{
+  "string": [
+    0,
+    h'ff'
+  ],
+  1024: 1668546817(h'aa')
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+�h__cmwc_tstag:ietf.org,2024:Xjmurmurless�h__cmwc_tstag:ietf.org,2024:Yjpolyscopic�xapplication/eat-ucs+jsonR{"eat_nonce": ...}lbretwaldadom�xapplication/eat-ucs+cborB�`
	`2`	`+qphotoelectrograph�xapplication/eat-ucs+cborC�x`