Skip to content

Commit

Permalink
WIP
Browse files Browse the repository at this point in the history
Signed-off-by: Appu Goundan <[email protected]>
  • Loading branch information
loosebazooka committed Sep 11, 2023
1 parent dfe3807 commit 0a3be1e
Show file tree
Hide file tree
Showing 27 changed files with 614 additions and 2,404 deletions.
1 change: 1 addition & 0 deletions fuzzing/build.gradle.kts
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ repositories {

dependencies {
implementation(project(":sigstore-java"))
implementation("com.google.guava:guava:31.1-jre")
implementation("com.code-intelligence:jazzer-api:0.16.1")
}

Expand Down
12 changes: 6 additions & 6 deletions fuzzing/src/main/java/fuzzing/FulcioVerifierFuzzer.java
Original file line number Diff line number Diff line change
Expand Up @@ -29,24 +29,24 @@
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.List;
import util.Tuf;

public class FulcioVerifierFuzzer {
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
try {
int[] intArray = data.consumeInts(data.consumeInt(1, 10));
byte[] byteArray = data.consumeRemainingAsBytes();

List<Certificate> certList = new ArrayList<Certificate>();
List<byte[]> byteArrayList = new ArrayList<byte[]>();
var cas = Tuf.certificateAuthoritiesFrom(data);
var ctLogs = Tuf.transparencyLogsFrom(data);

byte[] byteArray = data.consumeRemainingAsBytes();
List<Certificate> certList = new ArrayList<Certificate>();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
certList.add(cf.generateCertificate(new ByteArrayInputStream(byteArray)));
certList.add(cf.generateCertificate(new ByteArrayInputStream(byteArray)));
byteArrayList.add(byteArray);
byteArrayList.add(byteArray);

SigningCertificate sc = SigningCertificate.from(cf.generateCertPath(certList));
FulcioVerifier fv = FulcioVerifier.newFulcioVerifier(byteArray, byteArrayList);
FulcioVerifier fv = FulcioVerifier.newFulcioVerifier(cas, ctLogs);

for (int choice : intArray) {
switch (choice % 4) {
Expand Down
14 changes: 4 additions & 10 deletions fuzzing/src/main/java/fuzzing/RekorVerifierFuzzer.java
Original file line number Diff line number Diff line change
Expand Up @@ -21,33 +21,27 @@
import dev.sigstore.rekor.client.RekorResponse;
import dev.sigstore.rekor.client.RekorVerificationException;
import dev.sigstore.rekor.client.RekorVerifier;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import util.Tuf;

public class RekorVerifierFuzzer {
private static final String URL = "https://false.url.for.RekorTypes.fuzzing.com";

public static void fuzzerTestOneInput(FuzzedDataProvider data) {
try {
var tLogs = Tuf.transparencyLogsFrom(data);
byte[] byteArray = data.consumeRemainingAsBytes();
String string = new String(byteArray, StandardCharsets.UTF_8);

URI uri = new URI(URL);
RekorEntry entry = RekorResponse.newRekorResponse(uri, string).getEntry();
RekorVerifier verifier = RekorVerifier.newRekorVerifier(byteArray);
RekorVerifier verifier = RekorVerifier.newRekorVerifier(tLogs);

verifier.verifyEntry(entry);
verifier.verifyInclusionProof(entry);
} catch (URISyntaxException
| InvalidKeySpecException
| NoSuchAlgorithmException
| IOException
| RekorParseException
| RekorVerificationException e) {
} catch (URISyntaxException | RekorParseException | RekorVerificationException e) {
// Known exception
}
}
Expand Down
93 changes: 93 additions & 0 deletions fuzzing/src/main/java/util/Tuf.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
/*
* Copyright 2023 The Sigstore Authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package util;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.google.common.hash.Hashing;
import dev.sigstore.trustroot.CertificateAuthorities;
import dev.sigstore.trustroot.CertificateAuthority;
import dev.sigstore.trustroot.ImmutableCertificateAuthorities;
import dev.sigstore.trustroot.ImmutableCertificateAuthority;
import dev.sigstore.trustroot.ImmutableLogId;
import dev.sigstore.trustroot.ImmutablePublicKey;
import dev.sigstore.trustroot.ImmutableSubject;
import dev.sigstore.trustroot.ImmutableTransparencyLog;
import dev.sigstore.trustroot.ImmutableTransparencyLogs;
import dev.sigstore.trustroot.ImmutableValidFor;
import dev.sigstore.trustroot.TransparencyLog;
import dev.sigstore.trustroot.TransparencyLogs;
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

public final class Tuf {

// arbitrarily decided max certificate size in bytes
private static final int MAX_CERT_SIZE = 10240;

// ecdsa key size in bytes
private static final int ECDSA_KEY_BYTES = 91;

public static TransparencyLogs transparencyLogsFrom(FuzzedDataProvider data) {
return ImmutableTransparencyLogs.builder().addTransparencyLog(genTlog(data)).build();
}

public static CertificateAuthorities certificateAuthoritiesFrom(FuzzedDataProvider data)
throws CertificateException {
return ImmutableCertificateAuthorities.builder().addCertificateAuthority(genCA(data)).build();
}

private static CertPath genCertPath(FuzzedDataProvider data) throws CertificateException {
List<Certificate> certList = new ArrayList<Certificate>();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
certList.add(
cf.generateCertificate(new ByteArrayInputStream(data.consumeBytes(MAX_CERT_SIZE))));
certList.add(
cf.generateCertificate(new ByteArrayInputStream(data.consumeBytes(MAX_CERT_SIZE))));
return cf.generateCertPath(certList);
}

private static CertificateAuthority genCA(FuzzedDataProvider data) throws CertificateException {
return ImmutableCertificateAuthority.builder()
.validFor(ImmutableValidFor.builder().start(Instant.EPOCH).build())
.subject(ImmutableSubject.builder().commonName("test").organization("test").build())
.certPath(genCertPath(data))
.uri(URI.create("test"))
.build();
}

private static TransparencyLog genTlog(FuzzedDataProvider data) {
var pk =
ImmutablePublicKey.builder()
.keyDetails("PKIX_ECDSA_P256_SHA_256")
.rawBytes(data.consumeBytes(ECDSA_KEY_BYTES))
.validFor(ImmutableValidFor.builder().start(Instant.EPOCH).build())
.build();
var logId = Hashing.sha256().hashBytes(pk.getRawBytes()).asBytes();
return ImmutableTransparencyLog.builder()
.baseUrl(URI.create("test"))
.hashAlgorithm("SHA2_256")
.publicKey(pk)
.logId(ImmutableLogId.builder().keyId(logId).build())
.build();
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ package dev.sigstore.sign.work
import dev.sigstore.KeylessSigner
import dev.sigstore.bundle.BundleFactory
import dev.sigstore.oidc.client.OidcClient
import dev.sigstore.oidc.client.OidcClients
import dev.sigstore.sign.OidcClientConfiguration
import org.gradle.api.file.RegularFileProperty
import org.gradle.api.provider.Property
Expand Down Expand Up @@ -50,8 +51,7 @@ abstract class SignWorkAction : WorkAction<SignWorkParameters> {
val signer = clients.computeIfAbsent(oidcClient.key()) {
KeylessSigner.builder().apply {
sigstorePublicDefaults()
@Suppress("DEPRECATION")
oidcClient(oidcClient.build() as OidcClient)
oidcClients(OidcClients.of(oidcClient.build() as OidcClient))
}.build()
}

Expand Down
107 changes: 44 additions & 63 deletions sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java
Original file line number Diff line number Diff line change
Expand Up @@ -21,19 +21,26 @@
import com.google.common.hash.Hashing;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.CheckReturnValue;
import com.google.errorprone.annotations.InlineMe;
import com.google.errorprone.annotations.concurrent.GuardedBy;
import dev.sigstore.encryption.certificates.Certificates;
import dev.sigstore.encryption.signers.Signer;
import dev.sigstore.encryption.signers.Signers;
import dev.sigstore.fulcio.client.*;
import dev.sigstore.oidc.client.OidcClient;
import dev.sigstore.fulcio.client.CertificateRequest;
import dev.sigstore.fulcio.client.FulcioClient;
import dev.sigstore.fulcio.client.FulcioVerificationException;
import dev.sigstore.fulcio.client.FulcioVerifier;
import dev.sigstore.fulcio.client.SigningCertificate;
import dev.sigstore.fulcio.client.UnsupportedAlgorithmException;
import dev.sigstore.oidc.client.OidcClients;
import dev.sigstore.oidc.client.OidcException;
import dev.sigstore.oidc.client.OidcToken;
import dev.sigstore.rekor.client.*;
import dev.sigstore.rekor.client.HashedRekordRequest;
import dev.sigstore.rekor.client.RekorClient;
import dev.sigstore.rekor.client.RekorParseException;
import dev.sigstore.rekor.client.RekorVerificationException;
import dev.sigstore.rekor.client.RekorVerifier;
import dev.sigstore.tuf.SigstoreTufClient;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.InvalidAlgorithmParameterException;
Expand Down Expand Up @@ -120,37 +127,17 @@ public static Builder builder() {
}

public static class Builder {
private FulcioClient fulcioClient;
private FulcioVerifier fulcioVerifier;
private RekorClient rekorClient;
private RekorVerifier rekorVerifier;
private SigstoreTufClient sigstoreTufClient;
private OidcClients oidcClients;
private Signer signer;
private Duration minSigningCertificateLifetime = DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME;

@CanIgnoreReturnValue
public Builder fulcioClient(FulcioClient fulcioClient, FulcioVerifier fulcioVerifier) {
this.fulcioClient = fulcioClient;
this.fulcioVerifier = fulcioVerifier;
public Builder sigstoreTufClient(SigstoreTufClient sigstoreTufClient) {
this.sigstoreTufClient = sigstoreTufClient;
return this;
}

@CanIgnoreReturnValue
public Builder rekorClient(RekorClient rekorClient, RekorVerifier rekorVerifier) {
this.rekorClient = rekorClient;
this.rekorVerifier = rekorVerifier;
return this;
}

@CanIgnoreReturnValue
@Deprecated
@InlineMe(
replacement = "this.oidcClients(OidcClients.of(oidcClient))",
imports = "dev.sigstore.oidc.client.OidcClients")
public final Builder oidcClient(OidcClient oidcClient) {
return oidcClients(OidcClients.of(oidcClient));
}

@CanIgnoreReturnValue
public Builder oidcClients(OidcClients oidcClients) {
this.oidcClients = oidcClients;
Expand Down Expand Up @@ -182,13 +169,16 @@ public Builder minSigningCertificateLifetime(Duration minSigningCertificateLifet
}

@CheckReturnValue
public KeylessSigner build() {
Preconditions.checkNotNull(fulcioClient, "fulcioClient");
Preconditions.checkNotNull(fulcioVerifier, "fulcioVerifier");
Preconditions.checkNotNull(rekorClient, "rekorClient");
Preconditions.checkNotNull(rekorVerifier, "rekorVerifier");
Preconditions.checkNotNull(oidcClients, "oidcClients");
Preconditions.checkNotNull(signer, "signer");
public KeylessSigner build()
throws CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException,
InvalidKeyException, InvalidAlgorithmParameterException {
Preconditions.checkNotNull(sigstoreTufClient, "sigstoreTufClient");
sigstoreTufClient.update();
var trustedRoot = sigstoreTufClient.getSigstoreTrustedRoot();
var fulcioClient = FulcioClient.builder().setCertificateAuthority(trustedRoot).build();
var fulcioVerifier = FulcioVerifier.newFulcioVerifier(trustedRoot);
var rekorClient = RekorClient.builder().setTransparencyLog(trustedRoot).build();
var rekorVerifier = RekorVerifier.newRekorVerifier(trustedRoot);
return new KeylessSigner(
fulcioClient,
fulcioVerifier,
Expand All @@ -199,38 +189,26 @@ public KeylessSigner build() {
minSigningCertificateLifetime);
}

/**
* Initialize a builder with the sigstore public good instance tuf root and oidc targets with
* ecdsa signing.
*/
@CanIgnoreReturnValue
public Builder sigstorePublicDefaults()
throws IOException, InvalidAlgorithmParameterException, CertificateException,
InvalidKeySpecException, NoSuchAlgorithmException {
fulcioClient(
FulcioClient.builder().build(),
FulcioVerifier.newFulcioVerifier(
VerificationMaterial.Production.fulioCert(),
VerificationMaterial.Production.ctfePublicKeys()));
rekorClient(
RekorClient.builder().build(),
RekorVerifier.newRekorVerifier(VerificationMaterial.Production.rekorPublicKey()));
public Builder sigstorePublicDefaults() throws IOException, NoSuchAlgorithmException {
sigstoreTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
oidcClients(OidcClients.DEFAULTS);
signer(Signers.newEcdsaSigner());
minSigningCertificateLifetime(DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
return this;
}

/**
* Initialize a builder with the sigstore staging instance tuf root and oidc targets with ecdsa
* signing.
*/
@CanIgnoreReturnValue
public Builder sigstoreStagingDefaults()
throws IOException, InvalidAlgorithmParameterException, CertificateException,
InvalidKeySpecException, NoSuchAlgorithmException {
fulcioClient(
FulcioClient.builder()
.setServerUrl(URI.create(FulcioClient.STAGING_FULCIO_SERVER))
.build(),
FulcioVerifier.newFulcioVerifier(
VerificationMaterial.Staging.fulioCert(),
VerificationMaterial.Staging.ctfePublicKeys()));
rekorClient(
RekorClient.builder().setServerUrl(URI.create(RekorClient.STAGING_REKOR_SERVER)).build(),
RekorVerifier.newRekorVerifier(VerificationMaterial.Staging.rekorPublicKey()));
public Builder sigstoreStagingDefaults() throws IOException, NoSuchAlgorithmException {
sigstoreTufClient = SigstoreTufClient.builder().useStagingInstance().build();
oidcClients(OidcClients.STAGING_DEFAULTS);
signer(Signers.newEcdsaSigner());
minSigningCertificateLifetime(DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
Expand All @@ -251,7 +229,7 @@ public List<KeylessSignature> sign(List<byte[]> artifactDigests)
throws OidcException, NoSuchAlgorithmException, SignatureException, InvalidKeyException,
UnsupportedAlgorithmException, CertificateException, IOException,
FulcioVerificationException, RekorVerificationException, InterruptedException,
RekorParseException {
RekorParseException, InvalidKeySpecException {

if (artifactDigests.size() == 0) {
throw new IllegalArgumentException("Require one or more digests");
Expand Down Expand Up @@ -350,7 +328,8 @@ private void renewSigningCertificate()
public KeylessSignature sign(byte[] artifactDigest)
throws FulcioVerificationException, RekorVerificationException, UnsupportedAlgorithmException,
CertificateException, NoSuchAlgorithmException, SignatureException, IOException,
OidcException, InvalidKeyException, InterruptedException, RekorParseException {
OidcException, InvalidKeyException, InterruptedException, RekorParseException,
InvalidKeySpecException {
return sign(List.of(artifactDigest)).get(0);
}

Expand All @@ -364,7 +343,8 @@ public KeylessSignature sign(byte[] artifactDigest)
public Map<Path, KeylessSignature> signFiles(List<Path> artifacts)
throws FulcioVerificationException, RekorVerificationException, UnsupportedAlgorithmException,
CertificateException, NoSuchAlgorithmException, SignatureException, IOException,
OidcException, InvalidKeyException, InterruptedException, RekorParseException {
OidcException, InvalidKeyException, InterruptedException, RekorParseException,
InvalidKeySpecException {
if (artifacts.size() == 0) {
throw new IllegalArgumentException("Require one or more paths");
}
Expand All @@ -391,7 +371,8 @@ public Map<Path, KeylessSignature> signFiles(List<Path> artifacts)
public KeylessSignature signFile(Path artifact)
throws FulcioVerificationException, RekorVerificationException, UnsupportedAlgorithmException,
CertificateException, NoSuchAlgorithmException, SignatureException, IOException,
OidcException, InvalidKeyException, InterruptedException, RekorParseException {
OidcException, InvalidKeyException, InterruptedException, RekorParseException,
InvalidKeySpecException {
return signFiles(List.of(artifact)).get(artifact);
}
}
Loading

0 comments on commit 0a3be1e

Please sign in to comment.