From 0c74ea2fa544a0689829fbd06785665e2ceac5a7 Mon Sep 17 00:00:00 2001
From: Appu Goundan
Date: Fri, 13 Dec 2024 10:59:44 -0500
Subject: [PATCH] DONT MERGE: test-fix

Signed-off-by: Appu Goundan
---
 .github/workflows/byob-slsa.yaml | 28 --------
 .github/workflows/ci.yaml | 67 -----------------
 .github/workflows/conformance.yml | 42 -----------
 .github/workflows/depsreview.yml | 24 -------
 .github/workflows/examples.yaml | 50 -------------
 .../workflows/gradle-wrapper-validation.yaml | 11 ---
 ...lease-sigstore-gradle-plugin-from-tag.yaml | 58 ---------------
 .../release-sigstore-java-from-tag.yaml | 71 -------------------
 .github/workflows/tuf-conformance.yml | 41 -----------
 fuzzing/build.gradle.kts | 2 +
 .../main/java/fuzzing/BundleReaderFuzzer.java | 32 ---------
 .../java/fuzzing/BundleVerifierFuzzer.java | 30 --------
 .../java/fuzzing/CertificateEntryFuzzer.java | 57 ---------------
 .../main/java/fuzzing/CertificatesFuzzer.java | 39 ----------
 .../java/fuzzing/DigitallySignedFuzzer.java | 37 ----------
 .../FulcioCertificateMatcherFuzzer.java | 55 --------------
 .../java/fuzzing/FulcioVerifierFuzzer.java | 59 ---------------
 .../java/fuzzing/JsonCanonicalizerFuzzer.java | 38 ----------
 .../main/java/fuzzing/KeysParsingFuzzer.java | 47 ------------
 .../main/java/fuzzing/RekorTypesFuzzer.java | 47 ------------
 .../java/fuzzing/RekorVerifierFuzzer.java | 47 ------------
 .../java/fuzzing/SerializationFuzzer.java | 45 ------------
 .../java/fuzzing/SignerVerifierFuzzer.java | 45 ------------
 fuzzing/src/main/java/fuzzing/TestFuzzer.java | 52 ++++++++++++++
 .../main/java/fuzzing/TufVerifierFuzzer.java | 45 ------------
 25 files changed, 54 insertions(+), 1015 deletions(-)
 delete mode 100644 .github/workflows/byob-slsa.yaml
 delete mode 100644 .github/workflows/ci.yaml
 delete mode 100644 .github/workflows/conformance.yml
 delete mode 100644 .github/workflows/depsreview.yml
 delete mode 100644 .github/workflows/examples.yaml
 delete mode 100644 .github/workflows/gradle-wrapper-validation.yaml
 delete mode 100644 .github/workflows/release-sigstore-gradle-plugin-from-tag.yaml
 delete mode 100644 .github/workflows/release-sigstore-java-from-tag.yaml
 delete mode 100644 .github/workflows/tuf-conformance.yml
 delete mode 100644 fuzzing/src/main/java/fuzzing/BundleReaderFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/BundleVerifierFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/CertificateEntryFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/CertificatesFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/DigitallySignedFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/FulcioCertificateMatcherFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/FulcioVerifierFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/JsonCanonicalizerFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/KeysParsingFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/RekorTypesFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/RekorVerifierFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/SerializationFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/SignerVerifierFuzzer.java
 create mode 100644 fuzzing/src/main/java/fuzzing/TestFuzzer.java
 delete mode 100644 fuzzing/src/main/java/fuzzing/TufVerifierFuzzer.java

diff --git a/.github/workflows/byob-slsa.yaml b/.github/workflows/byob-slsa.yaml
deleted file mode 100644
index 657e0f05..00000000
--- a/.github/workflows/byob-slsa.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ -# This builds a SLSA provenance statement based on BYOB. -# For now it is under heavy development and is not yet suited for releases. ---- -name: SLSA Provenance -on: - - workflow_dispatch - -permissions: read-all - -env: - GH_TOKEN: ${{ github.token }} - ISSUE_REPOSITORY: ${{ github.repository }} -jobs: - usetrw: - permissions: - contents: write - id-token: write - actions: read - packages: write - uses: AdamKorcz/java-slsa-generator/.github/workflows/gradle-trw.yml@main - with: - rekor-log-public: true - artifact-list: | - ./sigstore-java/build/local-maven-repo/dev/sigstore/sigstore-java/GRADLE_VERSION/sigstore-java-GRADLE_VERSION.module, - ./sigstore-java/build/libs/sigstore-java-GRADLE_VERSION.jar, - ./sigstore-java/build/local-maven-repo/dev/sigstore/sigstore-java/GRADLE_VERSION/sigstore-java-GRADLE_VERSION.pom, - ./sigstore-java/build/local-maven-repo/dev/sigstore/sigstore-java/GRADLE_VERSION/sigstore-java-GRADLE_VERSION-sources.jar, - ./sigstore-java/build/libs/sigstore-java-GRADLE_VERSION-javadoc.jar diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml deleted file mode 100644 index f2cf650b..00000000 --- a/.github/workflows/ci.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow will build a Java project with Gradle and -# cache/restore any dependencies to improve the workflow execution time -# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle - -name: Test - -on: - push: - branches: - - '*' - pull_request: - branches: - - main - workflow_call: # allow this workflow to be called by other workflows - -concurrency: - # On master/release, we don't want any jobs cancelled - # On PR branches, we cancel the job if new commits are pushed - # More info: https://stackoverflow.com/a/70972844/1261287 - group: ${{ github.ref }}-ci - cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} - -jobs: - build: - strategy: - matrix: - java-version: [11, 17] - fail-fast: false - - runs-on: ubuntu-latest - permissions: - id-token: write - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up JDK ${{ matrix.java-version }} - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 - with: - java-version: ${{ matrix.java-version }} - distribution: 'temurin' - - name: Setup Go environment - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - go-version: '1.21.x' - - # at some point this should just be replaced with something that can bring up a sigstore test env - - name: Install Fulcio - run: go install github.com/sigstore/fulcio@main - - - name: Setup Gradle - uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0 - - # if you need to skip staging due to flakiness use "-PskipStaging" - - name: Test sigstore-java - run: ./gradlew build - - - name: Ensure sigstore-java self signing still works - run: ./gradlew 
sigstore-java:publishToMavenLocal -Prelease -PskipPgpSigning - - - name: Test sigstore-java/sandbox - run: | - cd sandbox - ./gradlew build diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml deleted file mode 100644 index eb994d15..00000000 --- a/.github/workflows/conformance.yml +++ /dev/null @@ -1,42 +0,0 @@ -name: Conformance Tests - -on: - push: - branches: - - '**' - pull_request: - # TODO: add cron - -jobs: - conformance: - strategy: - max-parallel: 1 - matrix: - java-version: [11, 17] - sigstore-env: [production, staging] - fail-fast: false - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Set up JDK ${{ matrix.java-version }} - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 - with: - java-version: ${{ matrix.java-version }} - distribution: 'temurin' - - - name: Setup Gradle - uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0 - - - name: Build sigstore-java cli - run: ./gradlew :sigstore-cli:build - - - name: Unpack sigstore-java distribution - run: tar -xvf ${{ github.workspace }}/sigstore-cli/build/distributions/sigstore-cli-*.tar --strip-components 1 - - - uses: sigstore/sigstore-conformance@b0635d4101f11dbd18a50936568a1f7f55b17760 # v0.0.14 - with: - entrypoint: ${{ github.workspace }}/bin/sigstore-cli - environment: ${{ matrix.sigstore-env }} - xfail: "test_verify_dsse_bundle_with_trust_root test_verify_in_toto_in_dsse_envelope" diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml deleted file mode 100644 index d46e55bf..00000000 --- a/.github/workflows/depsreview.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -# -# Copyright 2022 The Sigstore Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -name: 'Dependency Review' -on: [pull_request] - -permissions: - contents: read - -jobs: - dependency-review: - name: License and Vulnerability Scan - uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@ee857eaeeffdc524bdcb7dd14e2b9970558d0758 diff --git a/.github/workflows/examples.yaml b/.github/workflows/examples.yaml deleted file mode 100644 index 95c1747b..00000000 --- a/.github/workflows/examples.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: Examples - -on: - push: - branches: - - '*' - pull_request: - branches: - - main - -concurrency: - group: ${{ github.ref }}-examples - cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} - -jobs: - examples: - name: Build and run examples - runs-on: ubuntu-latest - - permissions: - id-token: write - - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Setup Java - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 - with: - java-version: 11 - distribution: 'temurin' - - - name: Setup Gradle - uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0 - - - name: run examples against released sigstore - working-directory: examples/hello-world - run: ./test.sh - - - name: install sigstore java development jars into mavenLocal - run: ./gradlew publishToMavenLocal -Prelease -PskipSigning - - - name: calculate development version - id: dev_version - run: | - set -Exeo pipefail - echo "version=$(grep "^version=" gradle.properties | cut -d'=' -f2)" >> $GITHUB_OUTPUT - - - name: run examples against development version - working-directory: examples/hello-world - run: ./test.sh -Dsigstore.version=${{ steps.dev_version.outputs.version }} diff --git a/.github/workflows/gradle-wrapper-validation.yaml b/.github/workflows/gradle-wrapper-validation.yaml deleted file mode 100644 index d6e2a75c..00000000 --- a/.github/workflows/gradle-wrapper-validation.yaml +++ /dev/null @@ -1,11 +0,0 @@ -name: "Validate Gradle Wrapper" -on: [push, pull_request] - -jobs: - validation: - name: "Validation" - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - # allstar complains if we don't use tags here (https://github.com/ossf/scorecard/issues/2477) - - uses: gradle/wrapper-validation-action@v3 
diff --git a/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml b/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml deleted file mode 100644 index e4298c44..00000000 --- a/.github/workflows/release-sigstore-gradle-plugin-from-tag.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: Release sigstore gradle plugins to Gradle Plugin Portal -on: - workflow_dispatch: - -jobs: - process-tag: - runs-on: ubuntu-latest - outputs: - version: ${{ steps.version.outputs.version }} - steps: - - name: checkout tag - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: process tag - id: version - run: | - TAG=${{ github.ref_name }} - echo "version=${TAG#"v"}" >> $GITHUB_OUTPUT - - name: verify tag matches gradle version - run: | - set -Eeo pipefail - version=$(grep "^version=" gradle.properties | cut -d'=' -f2) - if [[ ! "$version" == "${{ steps.version.outputs.version }}" ]]; then - echo "tagged version ${{ github.ref }} (as ${{ steps.version.outputs.version }}) does not match gradle.properties $version" - exit 1 - fi - - ci: - needs: [process-tag] - permissions: - id-token: write # To run github oidc tests - uses: ./.github/workflows/ci.yaml - - build: - permissions: - id-token: write # To sign the artifacts - runs-on: ubuntu-latest - needs: [ci] - steps: - - name: Checkout tag - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Set up JDK 11 - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 - with: - java-version: 11 - distribution: 'temurin' - - - name: Setup Gradle - uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0 - - - name: Build, Sign and Release to Gradle Plugin Portal - run: | - ./gradlew publishPlugins -Prelease -Pgradle.publish.key=$GRADLE_PUBLISH_KEY -Pgradle.publish.secret=$GRADLE_PUBLISH_SECRET - env: - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }} - GRADLE_PUBLISH_KEY: ${{ secrets.GRADLE_PUBLISH_KEY }} - GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }} 
diff --git a/.github/workflows/release-sigstore-java-from-tag.yaml b/.github/workflows/release-sigstore-java-from-tag.yaml deleted file mode 100644 index 32298207..00000000 --- a/.github/workflows/release-sigstore-java-from-tag.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -name: Release sigstore-java and sigstore-maven-plugin to Maven Central -on: - workflow_dispatch: - # user is expected to use a tag as the branch to run the action on - -jobs: - process-tag: - runs-on: ubuntu-latest - outputs: - version: ${{ steps.version.outputs.version }} - steps: - - name: checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: process tag - id: version - run: | - TAG=${{ github.ref_name }} - echo "version=${TAG#"v"}" >> $GITHUB_OUTPUT - - name: verify tag matches gradle version - run: | - set -Eeo pipefail - version=$(grep "^version=" gradle.properties | cut -d'=' -f2) - if [[ ! "$version" == "${{ steps.version.outputs.version }}" ]]; then - echo "tagged version ${{ github.ref }} (as ${{ steps.version.outputs.version }}) does not match gradle.properties $version" - exit 1 - fi - - ci: - needs: [process-tag] - permissions: - id-token: write # To run github oidc tests - uses: ./.github/workflows/ci.yaml - - build: - permissions: - id-token: write # To sign the artifacts - runs-on: ubuntu-latest - needs: [ci] - steps: - - name: checkout tag - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Set up JDK 11 - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 - with: - java-version: 11 - distribution: 'temurin' - - - name: Setup Gradle - uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0 - - - name: Build, Sign and Release to Maven Central - run: | - ./gradlew clean :sigstore-java:publishMavenJavaPublicationToSonatypeRepository :sigstore-maven-plugin:publishMavenJavaPublicationToSonatypeRepository -Prelease - env: - ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_PRIVATE_KEY }} - ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.PGP_PASSPHRASE }} - ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_USERNAME }} - ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }} - - 
create-release-on-github: - runs-on: ubuntu-latest - needs: [build] - permissions: - contents: write - steps: - - name: Create release - uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 - with: - tag_name: ${{ github.ref_name }} - body: "See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md) for more details." diff --git a/.github/workflows/tuf-conformance.yml b/.github/workflows/tuf-conformance.yml deleted file mode 100644 index b813b895..00000000 --- a/.github/workflows/tuf-conformance.yml +++ /dev/null @@ -1,41 +0,0 @@ -name: TUF Conformance Tests - -on: - push: - branches: - - '**' - pull_request: - workflow_dispatch: - # TODO: add cron - -jobs: - conformance: - strategy: - max-parallel: 1 - matrix: - java-version: [11, 17] - fail-fast: false - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Set up JDK ${{ matrix.java-version }} - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 - with: - java-version: ${{ matrix.java-version }} - distribution: 'temurin' - - - name: Setup Gradle - uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4.1.0 - - - name: Build tuf cli - run: ./gradlew :tuf-cli:build - - - name: Unpack tuf distribution - run: tar -xvf ${{ github.workspace }}/tuf-cli/build/distributions/tuf-cli-*.tar --strip-components 1 - - - uses: theupdateframework/tuf-conformance@v2 - with: - entrypoint: ${{ github.workspace }}/bin/tuf-cli - artifact-name: test repositories for tuf-cli java ${{ matrix.java-version }} diff --git a/fuzzing/build.gradle.kts b/fuzzing/build.gradle.kts index 89440fc2..df559634 100644 --- a/fuzzing/build.gradle.kts +++ b/fuzzing/build.gradle.kts 
@@ -10,6 +10,8 @@ dependencies {
 implementation(project(":sigstore-java"))
 implementation("com.code-intelligence:jazzer-api:0.22.1")
 implementation("com.google.guava:guava:33.3.1-jre")
+ implementation("org.bouncycastle:bcutil-jdk18on:1.79")
+ implementation("org.bouncycastle:bcpkix-jdk18on:1.79")
 }

 // copy to the fuzzing builder's output directory. This is an existing directory with
diff --git a/fuzzing/src/main/java/fuzzing/BundleReaderFuzzer.java b/fuzzing/src/main/java/fuzzing/BundleReaderFuzzer.java
deleted file mode 100644
index f6d33d1d..00000000
--- a/fuzzing/src/main/java/fuzzing/BundleReaderFuzzer.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.bundle.Bundle;
-import dev.sigstore.bundle.BundleParseException;
-import java.io.StringReader;
-
-public class BundleReaderFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- String string = data.consumeRemainingAsString();
- Bundle.from(new StringReader(string));
- } catch (BundleParseException | IllegalArgumentException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/BundleVerifierFuzzer.java b/fuzzing/src/main/java/fuzzing/BundleVerifierFuzzer.java
deleted file mode 100644
index 75df7e72..00000000
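Review bot: The two BouncyCastle artifacts added to `dependencies` (`bcutil-jdk18on:1.79` and `bcpkix-jdk18on:1.79`) arrive in the same patch that deletes `.github/workflows/depsreview.yml`, so on a branch carrying this patch the "License and Vulnerability Scan" job would not evaluate them. The version is also pinned here as a literal; if `:sigstore-java` already resolves BouncyCastle (not visible in this hunk), the fuzzing module could end up on a different version from the library it exercises. I would add a comment above the two lines, for example `// BouncyCastle is used directly by the fuzz harness; keep the version in step with :sigstore-java`, and keep the dependency-review workflow in place whenever dependencies are added. The `dependencies` block starts above the hunk.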
--- a/fuzzing/src/main/java/fuzzing/BundleVerifierFuzzer.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.bundle.BundleVerifier;
-
-public class BundleVerifierFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- String string = data.consumeRemainingAsString();
- BundleVerifier.allMissingFields(string);
- } catch (IllegalArgumentException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/CertificateEntryFuzzer.java b/fuzzing/src/main/java/fuzzing/CertificateEntryFuzzer.java
deleted file mode 100644
index f6e19176..00000000
--- a/fuzzing/src/main/java/fuzzing/CertificateEntryFuzzer.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.encryption.certificates.transparency.CertificateEntry;
-import dev.sigstore.encryption.certificates.transparency.SerializationException;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.Arrays;
-
-public class CertificateEntryFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
-
- byte[] byteArray = data.consumeRemainingAsBytes();
- byte[] byteArray1 = Arrays.copyOfRange(byteArray, 0, byteArray.length / 2);
- byte[] byteArray2 = Arrays.copyOfRange(byteArray, byteArray.length / 2, byteArray.length);
-
- X509Certificate cert =
- (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(byteArray));
- X509Certificate cert1 =
- (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(byteArray1));
- X509Certificate cert2 =
- (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(byteArray2));
-
- CertificateEntry ce1 = CertificateEntry.createForPrecertificate(byteArray1, byteArray2);
- CertificateEntry ce2 = CertificateEntry.createForPrecertificate(cert1, cert2);
- CertificateEntry ce3 = CertificateEntry.createForX509Certificate(byteArray);
- CertificateEntry ce4 = CertificateEntry.createForX509Certificate(cert);
-
- ce1.encode(new ByteArrayOutputStream());
- ce2.encode(new ByteArrayOutputStream());
- ce3.encode(new ByteArrayOutputStream());
- ce4.encode(new ByteArrayOutputStream());
- } catch (CertificateException | SerializationException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/CertificatesFuzzer.java b/fuzzing/src/main/java/fuzzing/CertificatesFuzzer.java
deleted file mode 100644
index 225de549..00000000
--- a/fuzzing/src/main/java/fuzzing/CertificatesFuzzer.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.encryption.certificates.Certificates;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.security.cert.CertificateException;
-
-public class CertificatesFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- byte[] byteArray = data.consumeRemainingAsBytes();
-
- Certificates.toPemBytes(Certificates.fromPem(byteArray));
- Certificates.toPemString(Certificates.fromPem(new String(byteArray, StandardCharsets.UTF_8)));
-
- Certificates.toPemBytes(Certificates.fromPemChain(byteArray));
- Certificates.toPemString(
- Certificates.fromPemChain(new String(byteArray, StandardCharsets.UTF_8)));
- } catch (IOException | CertificateException e) {
- // known exceptions
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/DigitallySignedFuzzer.java b/fuzzing/src/main/java/fuzzing/DigitallySignedFuzzer.java
deleted file mode 100644
index a8531b47..00000000
--- a/fuzzing/src/main/java/fuzzing/DigitallySignedFuzzer.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.encryption.certificates.transparency.DigitallySigned;
-import dev.sigstore.encryption.certificates.transparency.SerializationException;
-
-public class DigitallySignedFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- byte[] byteArray = data.consumeRemainingAsBytes();
-
- DigitallySigned object = DigitallySigned.decode(byteArray);
-
- object.getHashAlgorithm();
- object.getSignatureAlgorithm();
- object.getSignature();
- object.getAlgorithm();
- } catch (IllegalArgumentException | SerializationException e) {
- // known exceptions
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/FulcioCertificateMatcherFuzzer.java b/fuzzing/src/main/java/fuzzing/FulcioCertificateMatcherFuzzer.java
deleted file mode 100644
index e7b4f135..00000000
--- a/fuzzing/src/main/java/fuzzing/FulcioCertificateMatcherFuzzer.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.VerificationOptions.UncheckedCertificateException;
-import dev.sigstore.fulcio.client.FulcioCertificateMatcher;
-import dev.sigstore.fulcio.client.ImmutableFulcioCertificateMatcher;
-import dev.sigstore.strings.StringMatcher;
-import java.io.ByteArrayInputStream;
-import java.nio.charset.Charset;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-
-public class FulcioCertificateMatcherFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- byte[] byteArray = data.consumeRemainingAsBytes();
- String san = new String(byteArray, Charset.defaultCharset());
- String issuer = new String(byteArray, Charset.defaultCharset());
-
- X509Certificate certificate;
- try {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- certificate = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(byteArray));
- } catch (Exception e) {
- // Skipping this iteration if exceptions thrown during certificate creation
- return;
- }
-
- try {
- FulcioCertificateMatcher matcher =
- ImmutableFulcioCertificateMatcher.builder()
- .subjectAlternativeName(StringMatcher.string(san))
- .issuer(StringMatcher.string(issuer))
- .build();
-
- matcher.test(certificate);
- } catch (UncheckedCertificateException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/FulcioVerifierFuzzer.java b/fuzzing/src/main/java/fuzzing/FulcioVerifierFuzzer.java
deleted file mode 100644
index b332867c..00000000
--- a/fuzzing/src/main/java/fuzzing/FulcioVerifierFuzzer.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.fulcio.client.FulcioVerificationException;
-import dev.sigstore.fulcio.client.FulcioVerifier;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertPath;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.spec.InvalidKeySpecException;
-import java.util.ArrayList;
-import java.util.List;
-import util.Tuf;
-
-public class FulcioVerifierFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- var cas = Tuf.certificateAuthoritiesFrom(data);
- var ctLogs = Tuf.transparencyLogsFrom(data);
-
- List certList = new ArrayList<>();
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- certList.add(cf.generateCertificate(new ByteArrayInputStream(data.consumeBytes(10240))));
- certList.add(
- cf.generateCertificate(new ByteArrayInputStream(data.consumeRemainingAsBytes())));
-
- CertPath sc = cf.generateCertPath(certList);
- FulcioVerifier fv = FulcioVerifier.newFulcioVerifier(cas, ctLogs);
-
- fv.verifySigningCertificate(sc);
- } catch (CertificateException
- | FulcioVerificationException
- | InvalidKeySpecException
- | NoSuchAlgorithmException
- | InvalidAlgorithmParameterException
- | IOException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/JsonCanonicalizerFuzzer.java b/fuzzing/src/main/java/fuzzing/JsonCanonicalizerFuzzer.java
deleted file mode 100644
index 0d8df8de..00000000
--- a/fuzzing/src/main/java/fuzzing/JsonCanonicalizerFuzzer.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.json.canonicalizer.JsonCanonicalizer;
-import dev.sigstore.json.canonicalizer.NumberToJSON;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-
-public class JsonCanonicalizerFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- Double value = data.consumeDouble();
- byte[] byteArray = data.consumeRemainingAsBytes();
-
- NumberToJSON.serializeNumber(value);
-
- new JsonCanonicalizer(byteArray);
- new JsonCanonicalizer(new String(byteArray, StandardCharsets.UTF_8));
- } catch (IOException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/KeysParsingFuzzer.java b/fuzzing/src/main/java/fuzzing/KeysParsingFuzzer.java
deleted file mode 100644
index 39373821..00000000
--- a/fuzzing/src/main/java/fuzzing/KeysParsingFuzzer.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import com.google.errorprone.annotations.CanIgnoreReturnValue;
-import dev.sigstore.encryption.Keys;
-import java.security.PublicKey;
-import java.security.spec.InvalidKeySpecException;
-
-public class KeysParsingFuzzer {
-
- @FunctionalInterface
- interface Parser {
- @CanIgnoreReturnValue
- PublicKey parse(byte[] contents) throws InvalidKeySpecException;
- }
-
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- Parser parser =
- data.pickValue(
- new Parser[] {
- Keys::parseRsaPkcs1, Keys::parseRsa, Keys::parseEcdsa, Keys::parseEd25519,
- });
- byte[] keyContents = data.consumeRemainingAsBytes();
-
- parser.parse(keyContents);
-
- } catch (InvalidKeySpecException e) {
- // known exceptions
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/RekorTypesFuzzer.java b/fuzzing/src/main/java/fuzzing/RekorTypesFuzzer.java
deleted file mode 100644
index 17fcfb9f..00000000
--- a/fuzzing/src/main/java/fuzzing/RekorTypesFuzzer.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.rekor.client.RekorEntry;
-import dev.sigstore.rekor.client.RekorParseException;
-import dev.sigstore.rekor.client.RekorResponse;
-import dev.sigstore.rekor.client.RekorTypeException;
-import dev.sigstore.rekor.client.RekorTypes;
-import java.net.URI;
-import java.net.URISyntaxException;
-
-public class RekorTypesFuzzer {
- private static final String URL = "https://false.url.for.RekorTypes.fuzzing.com";
-
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- int type = data.pickValue(new int[] {0, 1});
- String string = data.consumeRemainingAsString();
-
- URI uri = new URI(URL);
- RekorEntry entry = RekorResponse.newRekorResponse(uri, string).getEntry();
-
- if (type == 0) {
- RekorTypes.getHashedRekord(entry);
- } else {
- RekorTypes.getDsse(entry);
- }
- } catch (URISyntaxException | RekorTypeException | RekorParseException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/RekorVerifierFuzzer.java b/fuzzing/src/main/java/fuzzing/RekorVerifierFuzzer.java
deleted file mode 100644
index 5a12a580..00000000
--- a/fuzzing/src/main/java/fuzzing/RekorVerifierFuzzer.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.rekor.client.RekorEntry;
-import dev.sigstore.rekor.client.RekorParseException;
-import dev.sigstore.rekor.client.RekorResponse;
-import dev.sigstore.rekor.client.RekorVerificationException;
-import dev.sigstore.rekor.client.RekorVerifier;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.nio.charset.StandardCharsets;
-import util.Tuf;
-
-public class RekorVerifierFuzzer {
- private static final String URL = "https://false.url.for.RekorTypes.fuzzing.com";
-
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- var tLogs = Tuf.transparencyLogsFrom(data);
- byte[] byteArray = data.consumeRemainingAsBytes();
- String string = new String(byteArray, StandardCharsets.UTF_8);
-
- URI uri = new URI(URL);
- RekorEntry entry = RekorResponse.newRekorResponse(uri, string).getEntry();
- RekorVerifier verifier = RekorVerifier.newRekorVerifier(tLogs);
-
- verifier.verifyEntry(entry);
- } catch (URISyntaxException | RekorParseException | RekorVerificationException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/SerializationFuzzer.java b/fuzzing/src/main/java/fuzzing/SerializationFuzzer.java
deleted file mode 100644
index f478356f..00000000
--- a/fuzzing/src/main/java/fuzzing/SerializationFuzzer.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.encryption.certificates.transparency.Serialization;
-import dev.sigstore.encryption.certificates.transparency.SerializationException;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-
-public class SerializationFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- Integer num1 = data.consumeInt();
- Integer num2 = data.consumeInt();
- byte[] byteArray = data.consumeRemainingAsBytes();
-
- Serialization.readDEROctetString(byteArray);
- Serialization.readList(byteArray, num1, num2);
- Serialization.readVariableBytes(new ByteArrayInputStream(byteArray), num1);
- Serialization.readFixedBytes(new ByteArrayInputStream(byteArray), num1);
- Serialization.readNumber(new ByteArrayInputStream(byteArray), num1);
- Serialization.readLong(new ByteArrayInputStream(byteArray), num1);
- Serialization.readByte(new ByteArrayInputStream(byteArray));
- Serialization.writeVariableBytes(new ByteArrayOutputStream(), byteArray, num1);
- Serialization.writeFixedBytes(new ByteArrayOutputStream(), byteArray);
- Serialization.writeNumber(new ByteArrayOutputStream(), num1, num2);
- } catch (SerializationException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/SignerVerifierFuzzer.java b/fuzzing/src/main/java/fuzzing/SignerVerifierFuzzer.java
deleted file mode 100644
index 5bc765b6..00000000
--- a/fuzzing/src/main/java/fuzzing/SignerVerifierFuzzer.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.encryption.signers.Signer;
-import dev.sigstore.encryption.signers.Signers;
-import dev.sigstore.encryption.signers.Verifier;
-import dev.sigstore.encryption.signers.Verifiers;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.SignatureException;
-
-public class SignerVerifierFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- Integer choice = data.consumeInt(0, 1);
- byte[] byteArray = data.consumeRemainingAsBytes();
-
- Signer signer = (choice == 1) ? Signers.newEcdsaSigner() : Signers.newRsaSigner();
- Verifier verifier = Verifiers.newVerifier(signer.getPublicKey());
-
- byte[] signature1 = signer.sign(byteArray);
- byte[] signature2 = signer.signDigest(byteArray);
-
- var unused1 = verifier.verify(byteArray, signature1);
- var unused2 = verifier.verifyDigest(byteArray, signature2);
- } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
- // Known exception
- }
- }
-}
diff --git a/fuzzing/src/main/java/fuzzing/TestFuzzer.java b/fuzzing/src/main/java/fuzzing/TestFuzzer.java
new file mode 100644
index 00000000..88733f5b
--- /dev/null
+++ b/fuzzing/src/main/java/fuzzing/TestFuzzer.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2024 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package fuzzing;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import java.security.KeyFactory;
+import java.security.spec.ECPoint;
+import java.security.spec.ECPublicKeySpec;
+import org.bouncycastle.jce.ECNamedCurveTable;
+import org.bouncycastle.jce.ECPointUtil;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
+import org.bouncycastle.jce.spec.ECNamedCurveSpec;
+
+// test fuzzer to find an old bouncy castle null pointer error
+public class TestFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ try {
+ byte[] byteArray = data.consumeRemainingAsBytes();
+
+ ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec("P-256");
+ // create a KeyFactory with ECDSA (Elliptic Curve Diffie-Hellman) algorithm and use
+ // BouncyCastle as the provider
+ var kf = KeyFactory.getInstance("ECDSA", BouncyCastleProvider.PROVIDER_NAME);
+
+ // code below just creates the public key from key contents using the curve parameters
+ // (spec variable)
+ ECNamedCurveSpec params =
+ new ECNamedCurveSpec("P-256", spec.getCurve(), spec.getG(), spec.getN());
+ ECPoint point = ECPointUtil.decodePoint(params.getCurve(), byteArray);
+ ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(point, params);
+ kf.generatePublic(pubKeySpec);
+ } catch
(IllegalArgumentException iae) {
+ // expected
+ } catch (Exception e) {
+ // all checked exception
+ }
+ }
+}
diff --git a/fuzzing/src/main/java/fuzzing/TufVerifierFuzzer.java b/fuzzing/src/main/java/fuzzing/TufVerifierFuzzer.java
deleted file mode 100644
index 8cb8efa0..00000000
--- a/fuzzing/src/main/java/fuzzing/TufVerifierFuzzer.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package fuzzing;
-
-import com.code_intelligence.jazzer.api.FuzzedDataProvider;
-import dev.sigstore.tuf.encryption.Verifiers;
-import dev.sigstore.tuf.model.ImmutableKey;
-import dev.sigstore.tuf.model.Key;
-import java.io.IOException;
-import java.security.InvalidKeyException;
-import java.util.Map;
-
-public class TufVerifierFuzzer {
- public static void fuzzerTestOneInput(FuzzedDataProvider data) {
- try {
- String keyType = data.consumeString(10);
- String scheme = data.consumeString(20);
- String keyData = data.consumeRemainingAsString();
-
- Key key =
- ImmutableKey.builder()
- .keyType(keyType)
- .keyVal(Map.of("public", keyData))
- .scheme(scheme)
- .build();
-
- Verifiers.newVerifier(key);
- } catch (IOException | InvalidKeyException e) {
- // known exceptions
- }
- }
-}
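Review bot: The final `catch (Exception e)` in `TestFuzzer.fuzzerTestOneInput` also catches unchecked exceptions, so the NullPointerException this harness is meant to surface (per its class comment) would be swallowed instead of being reported by the fuzzer; its `// all checked exception` comment does not match what the clause catches. Narrowing it to `} catch (GeneralSecurityException e) {` (with `import java.security.GeneralSecurityException;`) covers the checked exceptions of `KeyFactory.getInstance` and `generatePublic` and lets runtime failures propagate. No `Security.addProvider(new BouncyCastleProvider())` is visible in this file, so unless the provider is registered elsewhere every run may end in a swallowed `NoSuchProviderException` before `decodePoint` is reached. The inline comment `ECDSA (Elliptic Curve Diffie-Hellman)` should read `Elliptic Curve Digital Signature Algorithm`.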