Regroup remaining testdata into attestation triples.

ACKNOWLEDGE_FAILING_COPYBARA_IMPORT=Will fix manually

Change-Id: I7010f07909aa30a1bc90ea2b652d53ff49f35508

cc/utils/cose/BUILD

@@ -62,7 +62,7 @@ cc_test(
     name = "cwt_test",
     size = "small",
     srcs = ["cwt_test.cc"],
-    data = ["//oak_attestation_verification/testdata:evidence"],
+    data = ["//oak_attestation_verification/testdata:oc_attestation_legacy"],
     deps = [
         ":cwt",
         "//proto/attestation:evidence_cc_proto",

oak_attestation_verification/BUILD

@@ -63,8 +63,10 @@ rust_test(
     data = [
         "//oak_attestation_verification/data:amd_ark_certs",
         "//oak_attestation_verification/data:amd_ask_certs",
+        "//oak_attestation_verification/testdata:certs",
         "//oak_attestation_verification/testdata:endorsement",
-        "//oak_attestation_verification/testdata:evidence",
+        "//oak_attestation_verification/testdata:oc_attestation_legacy",
+        "//oak_attestation_verification/testdata:rk_attestation_legacy",
     ],
     deps = [
         "//oak_file_utils",
@@ -83,10 +85,15 @@ rust_test_suite(
     data = [
         "//oak_attestation_verification/data:amd_ark_certs",
         "//oak_attestation_verification/data:amd_ask_certs",
+        "//oak_attestation_verification/testdata:cb_attestation",
+        "//oak_attestation_verification/testdata:certs",
         "//oak_attestation_verification/testdata:endorsement",
-        "//oak_attestation_verification/testdata:evidence",
+        "//oak_attestation_verification/testdata:fake_attestation",
+        "//oak_attestation_verification/testdata:genoa_oc_attestation",
         "//oak_attestation_verification/testdata:oc_attestation",
+        "//oak_attestation_verification/testdata:oc_attestation_legacy",
         "//oak_attestation_verification/testdata:rk_attestation",
+        "//oak_attestation_verification/testdata:rk_attestation_legacy",
     ],
     deps = [
         ":oak_attestation_verification",
@@ -141,8 +148,10 @@ rust_test(
     data = [
         "//oak_attestation_verification/data:amd_ark_certs",
         "//oak_attestation_verification/data:amd_ask_certs",
+        "//oak_attestation_verification/testdata:certs",
         "//oak_attestation_verification/testdata:endorsement",
-        "//oak_attestation_verification/testdata:evidence",
+        "//oak_attestation_verification/testdata:oc_attestation_legacy",
+        "//oak_attestation_verification/testdata:rk_attestation_legacy",
     ],
     deps = [
         "//oak_file_utils",
@@ -165,10 +174,15 @@ rust_test_suite(
     data = [
         "//oak_attestation_verification/data:amd_ark_certs",
         "//oak_attestation_verification/data:amd_ask_certs",
+        "//oak_attestation_verification/testdata:cb_attestation",
+        "//oak_attestation_verification/testdata:certs",
         "//oak_attestation_verification/testdata:endorsement",
-        "//oak_attestation_verification/testdata:evidence",
+        "//oak_attestation_verification/testdata:fake_attestation",
+        "//oak_attestation_verification/testdata:genoa_oc_attestation",
         "//oak_attestation_verification/testdata:oc_attestation",
+        "//oak_attestation_verification/testdata:oc_attestation_legacy",
         "//oak_attestation_verification/testdata:rk_attestation",
+        "//oak_attestation_verification/testdata:rk_attestation_legacy",
     ],
     deps = [
         ":oak_attestation_verification_with_regex",

oak_attestation_verification/testdata/BUILD

@@ -19,7 +19,34 @@ package(
     licenses = ["notice"],
 )
 
-# A valid Transparent Release endorsement bundle with `normal` usage.
+filegroup(
+    name = "cb_attestation",
+    srcs = [
+        "cb_endorsement.binarypb",
+        "cb_evidence.binarypb",
+        "cb_reference_values.binarypb",
+    ],
+)
+
+filegroup(
+    name = "certs",
+    srcs = [
+        # The VCEK cert needs to match the hardware ID of the attestation report in the
+        # test evidence proto. The additional parameters in the URL encode the reported
+        # TCB version in the attestation report.
+        #
+        # URL for downloading the VCEK cert:
+        # https://kdsintf.amd.com/vcek/v1/Milan/cd3c4e6b5b64026ac135d76f888ea6bcc1351ec610d64b0af4028422b84c17ad2571905acfe2eb2181c119df4241e94a926d1b06c02e82845416202151212fdd?ucodeSPL=168&snpSPL=8&teeSPL=0&blSPL=3
+        # ARPT reported TCB version: ucodeSPL=168&snpSPL=8&teeSPL=0&blSPL=3
+        # ARPT current  TCB version: ucodeSPL=209&snpSPL=14&teeSPL=0&blSPL=3
+        "oc_vcek_milan.der",
+        "oc_vcek_milan.pem",
+        "rk_vcek_milan.der",
+        "vcek_genoa.der",
+    ],
+)
+
+# A valid recent Transparent Release endorsement bundle.
 filegroup(
     name = "endorsement",
     srcs = [
@@ -34,48 +61,25 @@ filegroup(
 )
 
 filegroup(
-    name = "cb_evidence",
-    srcs = [
-        "cb_endorsement.binarypb",
-        "cb_evidence.binarypb",
-        "cb_reference_values.binarypb",
-    ],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "fake_evidence",
+    name = "fake_attestation",
     srcs = [
         "fake_evidence.binarypb",
+        # Generated by running verification on the fake evidence.
         "fake_expected_values.binarypb",
     ],
 )
 
+# Attestation for an Oak Containers stack running on AMD Genoa platform.
+# The endorsements are generated during the test.
 filegroup(
-    name = "evidence",
+    name = "genoa_oc_attestation",
     srcs = [
-        ":cb_evidence",
-        ":fake_evidence",
         "genoa_oc_evidence.binarypb",
         "genoa_oc_reference_values.binarypb",
-        "oc_evidence.binarypb",
-        # The VCEK cert needs to match the hardware ID of the attestation report in the
-        # test evidence proto. The additional parameters in the URL encode the reported
-        # TCB version in the attestation report.
-        #
-        # URL for downloading the VCEK cert:
-        # https://kdsintf.amd.com/vcek/v1/Milan/cd3c4e6b5b64026ac135d76f888ea6bcc1351ec610d64b0af4028422b84c17ad2571905acfe2eb2181c119df4241e94a926d1b06c02e82845416202151212fdd?ucodeSPL=168&snpSPL=8&teeSPL=0&blSPL=3
-        # ARPT reported TCB version: ucodeSPL=168&snpSPL=8&teeSPL=0&blSPL=3
-        # ARPT current  TCB version: ucodeSPL=209&snpSPL=14&teeSPL=0&blSPL=3
-        "oc_vcek_milan.der",
-        "oc_vcek_milan.pem",
-        "rk_evidence.binarypb",
-        "rk_evidence_20240312.binarypb",
-        "rk_vcek_milan.der",
-        "vcek_genoa.der",
     ],
 )
 
+# A recent attestation triple for an Oak Containers stack.
 filegroup(
     name = "oc_attestation",
     srcs = [
@@ -85,6 +89,16 @@ filegroup(
     ],
 )
 
+# Legacy Oak Containers evidence. Endorsements and reference values are
+# created during the test.
+filegroup(
+    name = "oc_attestation_legacy",
+    srcs = [
+        "oc_evidence.binarypb",
+    ],
+)
+
+# A recent attestation triple for an Restricted Kernel stack.
 filegroup(
     name = "rk_attestation",
     srcs = [
@@ -93,3 +107,13 @@ filegroup(
         "rk_reference_values_20241205.binarypb",
     ],
 )
+
+# Legacy Restricted Kernel evidences. Endorsements and reference values are
+# created during the test.
+filegroup(
+    name = "rk_attestation_legacy",
+    srcs = [
+        "rk_evidence.binarypb",
+        "rk_evidence_20240312.binarypb",
+    ],
+)

oak_attestation_verification/tests/verifier_tests.rs

@@ -45,35 +45,43 @@ use oak_proto_rust::oak::{
 };
 use prost::Message;
 
+// Transparent Release endorsement
 const ENDORSEMENT_PATH: &str = "oak_attestation_verification/testdata/endorsement.json";
 const SIGNATURE_PATH: &str = "oak_attestation_verification/testdata/endorsement.json.sig";
 const LOG_ENTRY_PATH: &str = "oak_attestation_verification/testdata/logentry.json";
 const ENDORSER_PUBLIC_KEY_PATH: &str =
     "oak_attestation_verification/testdata/endorser_public_key.pem";
 const REKOR_PUBLIC_KEY_PATH: &str = "oak_attestation_verification/testdata/rekor_public_key.pem";
 
-const CONTAINERS_VCEK_MILAN_CERT_DER: &str =
-    "oak_attestation_verification/testdata/oc_vcek_milan.der";
+// Certificates
+const OC_VCEK_MILAN_CERT_DER: &str = "oak_attestation_verification/testdata/oc_vcek_milan.der";
+const GENOA_VCEK_CERT_DER: &str = "oak_attestation_verification/testdata/vcek_genoa.der";
 const RK_VCEK_MILAN_CERT_DER: &str = "oak_attestation_verification/testdata/rk_vcek_milan.der";
-const CONTAINERS_EVIDENCE_PATH: &str = "oak_attestation_verification/testdata/oc_evidence.binarypb";
+
+// CB attestation
 const CB_EVIDENCE_PATH: &str = "oak_attestation_verification/testdata/cb_evidence.binarypb";
 const CB_ENDORSEMENT_PATH: &str = "oak_attestation_verification/testdata/cb_endorsement.binarypb";
 const CB_REFERENCE_VALUES_PATH: &str =
     "oak_attestation_verification/testdata/cb_reference_values.binarypb";
-const RK_EVIDENCE_PATH: &str = "oak_attestation_verification/testdata/rk_evidence.binarypb";
-const RK_OBSOLETE_EVIDENCE_PATH: &str =
-    "oak_attestation_verification/testdata/rk_evidence_20240312.binarypb";
+
+// Fake attestation
 const FAKE_EVIDENCE_PATH: &str = "oak_attestation_verification/testdata/fake_evidence.binarypb";
+const FAKE_EXPECTED_VALUES_PATH: &str =
+    "oak_attestation_verification/testdata/fake_expected_values.binarypb";
+
+// AMD Genoa attestation with Oak Containers
 const GENOA_OC_EVIDENCE_PATH: &str =
     "oak_attestation_verification/testdata/genoa_oc_evidence.binarypb";
-const GENOA_VCEK_CERT_DER: &str = "oak_attestation_verification/testdata/vcek_genoa.der";
 const GENOA_OC_REFERENCE_PATH: &str =
     "oak_attestation_verification/testdata/genoa_oc_reference_values.binarypb";
 
-// These expected values were generated by running verification on the fake
-// evidence.
-const FAKE_EXPECTED_VALUES_PATH: &str =
-    "oak_attestation_verification/testdata/fake_expected_values.binarypb";
+// Legacy Oak Containers attestation
+const OC_EVIDENCE_PATH: &str = "oak_attestation_verification/testdata/oc_evidence.binarypb";
+
+// Legacy Restricted Kernel attestation
+const RK_EVIDENCE_PATH: &str = "oak_attestation_verification/testdata/rk_evidence.binarypb";
+const RK_OBSOLETE_EVIDENCE_PATH: &str =
+    "oak_attestation_verification/testdata/rk_evidence_20240312.binarypb";
 
 // Pretend the tests run at this time: 1 March 2024, 12:00 UTC. This date must
 // be valid with respect to the endorsement behind ENDORSEMENT_PATH.
@@ -100,8 +108,7 @@ fn create_cb_reference_values() -> ReferenceValues {
 
 // Creates a valid AMD SEV-SNP evidence instance for Oak Containers.
 fn create_oc_evidence() -> Evidence {
-    let serialized =
-        fs::read(data_path(CONTAINERS_EVIDENCE_PATH)).expect("could not read evidence");
+    let serialized = fs::read(data_path(OC_EVIDENCE_PATH)).expect("could not read evidence");
     Evidence::decode(serialized.as_slice()).expect("could not decode evidence")
 }
 
@@ -151,7 +158,7 @@ fn create_stage1_endorsement() -> TransparentReleaseEndorsement {
 // Creates mock endorsements for an Oak Containers chain.
 fn create_oc_endorsements() -> Endorsements {
     let vcek_milan_cert =
-        fs::read(data_path(CONTAINERS_VCEK_MILAN_CERT_DER)).expect("couldn't read TEE cert");
+        fs::read(data_path(OC_VCEK_MILAN_CERT_DER)).expect("couldn't read TEE cert");
     let root_layer = RootLayerEndorsements { tee_certificate: vcek_milan_cert, stage0: None };
     let kernel_layer = KernelLayerEndorsements {
         kernel: None,