Skip to content

Commit

Permalink
Fix KeysFuzzer
Browse files Browse the repository at this point in the history
Signed-off-by: Arthur Chan <[email protected]>
Signed-off-by: Appu Goundan <[email protected]>
  • Loading branch information
arthurscchan authored and loosebazooka committed Mar 29, 2024
1 parent 36a6b2e commit b2a3278
Show file tree
Hide file tree
Showing 3 changed files with 52 additions and 9 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -21,15 +21,12 @@
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;

public class KeysFuzzer {
public class KeysParsingFuzzer {
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
try {
String[] schemes = {"rsassa-pss-sha256", "ed25519", "ecdsa-sha2-nistp256"};
String scheme = data.pickValue(schemes);
byte[] byteArray = data.consumeRemainingAsBytes();

Keys.parsePublicKey(byteArray);
Keys.constructTufPublicKey(byteArray, scheme);
} catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
// known exceptions
}
Expand Down
39 changes: 39 additions & 0 deletions fuzzing/src/main/java/fuzzing/TufKeysFuzzer.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
/*
* Copyright 2023 The Sigstore Authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package fuzzing;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import dev.sigstore.encryption.Keys;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;

public class TufKeysFuzzer {
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
try {
String[] schemes = {"rsassa-pss-sha256", "ed25519", "ecdsa-sha2-nistp256", "ecdsa"};
String scheme = data.pickValue(schemes);
byte[] byteArray = data.consumeRemainingAsBytes();

Keys.constructTufPublicKey(byteArray, scheme);
} catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
// known exceptions
} catch (RuntimeException e) {
if (!e.toString().contains("not currently supported")) {
throw e;
}
}
}
}
17 changes: 12 additions & 5 deletions sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,9 @@ public static PublicKey parsePkcs1RsaPublicKey(byte[] contents)
*/
public static PublicKey constructTufPublicKey(byte[] contents, String scheme)
throws NoSuchAlgorithmException, InvalidKeySpecException {
if (contents == null || contents.length == 0) {
throw new InvalidKeySpecException("key contents was empty");
}
switch (scheme) {
case "ed25519":
{
Expand Down Expand Up @@ -172,11 +175,15 @@ public static PublicKey constructTufPublicKey(byte[] contents, String scheme)

// code below just creates the public key from key contents using the curve parameters
// (spec variable)
ECNamedCurveSpec params =
new ECNamedCurveSpec("P-256", spec.getCurve(), spec.getG(), spec.getN());
ECPoint point = decodePoint(params.getCurve(), contents);
ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(point, params);
return kf.generatePublic(pubKeySpec);
try {
ECNamedCurveSpec params =
new ECNamedCurveSpec("P-256", spec.getCurve(), spec.getG(), spec.getN());
ECPoint point = decodePoint(params.getCurve(), contents);
ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(point, params);
return kf.generatePublic(pubKeySpec);
} catch (IllegalArgumentException ex) {
throw new InvalidKeySpecException("ecdsa key was not parseable", ex);
}
}
default:
throw new RuntimeException(scheme + " not currently supported");
Expand Down

0 comments on commit b2a3278

Please sign in to comment.