sigstore · loosebazooka · Aug 20, 2024 · May 24, 2023
diff --git a/...ing/src/main/java/fuzzing/KeysFuzzer.java → .../main/java/fuzzing/KeysParsingFuzzer.java b/...ing/src/main/java/fuzzing/KeysFuzzer.java → .../main/java/fuzzing/KeysParsingFuzzer.java
@@ -21,15 +21,12 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.InvalidKeySpecException;
 
-public class KeysFuzzer {
+public class KeysParsingFuzzer {
   public static void fuzzerTestOneInput(FuzzedDataProvider data) {
     try {
-      String[] schemes = {"rsassa-pss-sha256", "ed25519", "ecdsa-sha2-nistp256"};
-      String scheme = data.pickValue(schemes);
       byte[] byteArray = data.consumeRemainingAsBytes();
 
       Keys.parsePublicKey(byteArray);
-      Keys.constructTufPublicKey(byteArray, scheme);
     } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
       // known exceptions
     }

diff --git a/fuzzing/src/main/java/fuzzing/TufKeysFuzzer.java b/fuzzing/src/main/java/fuzzing/TufKeysFuzzer.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package fuzzing;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import dev.sigstore.encryption.Keys;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+public class TufKeysFuzzer {
+  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+    try {
+      String[] schemes = {"rsassa-pss-sha256", "ed25519", "ecdsa-sha2-nistp256", "ecdsa"};
+      String scheme = data.pickValue(schemes);
+      byte[] byteArray = data.consumeRemainingAsBytes();
+
+      Keys.constructTufPublicKey(byteArray, scheme);
+    } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+      // known exceptions
+    } catch (RuntimeException e) {
+      if (!e.toString().contains("not currently supported")) {
+        throw e;
+      }
+    }
+  }
+}
diff --git a/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java b/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java
@@ -135,6 +135,9 @@ public static PublicKey parsePkcs1RsaPublicKey(byte[] contents)
    */
   public static PublicKey constructTufPublicKey(byte[] contents, String scheme)
       throws NoSuchAlgorithmException, InvalidKeySpecException {
+    if (contents == null || contents.length == 0) {
+      throw new InvalidKeySpecException("key contents was empty");
+    }
     switch (scheme) {
       case "ed25519":
         {
@@ -172,11 +175,15 @@ public static PublicKey constructTufPublicKey(byte[] contents, String scheme)
 
           // code below just creates the public key from key contents using the curve parameters
           // (spec variable)
-          ECNamedCurveSpec params =
-              new ECNamedCurveSpec("P-256", spec.getCurve(), spec.getG(), spec.getN());
-          ECPoint point = decodePoint(params.getCurve(), contents);
-          ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(point, params);
-          return kf.generatePublic(pubKeySpec);
+          try {
+            ECNamedCurveSpec params =
+                new ECNamedCurveSpec("P-256", spec.getCurve(), spec.getG(), spec.getN());
+            ECPoint point = decodePoint(params.getCurve(), contents);
+            ECPublicKeySpec pubKeySpec = new ECPublicKeySpec(point, params);
+            return kf.generatePublic(pubKeySpec);
+          } catch (IllegalArgumentException | NullPointerException ex) {
+            throw new InvalidKeySpecException("ecdsa key was not parseable", ex);
+          }
         }
       default:
         throw new RuntimeException(scheme + " not currently supported");

diff --git a/sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java b/sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java
@@ -107,8 +107,7 @@ void parseTufPublicKeyPemEncoded_sha2_nistp256()
   }
 
   @Test
-  void parseTufPublicKey_ecdsa()
-      throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
+  void parseTufPublicKey_ecdsa() throws NoSuchAlgorithmException, InvalidKeySpecException {
     PublicKey key =
         Keys.constructTufPublicKey(
             Hex.decode(
@@ -119,10 +118,9 @@ void parseTufPublicKey_ecdsa()
   }
 
   @Test
-  void parseTufPublicKey_ecdsaBad()
-      throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
+  void parseTufPublicKey_ecdsaBad() {
     Assertions.assertThrows(
-        RuntimeException.class,
+        InvalidKeySpecException.class,
         () -> {
           Keys.constructTufPublicKey(
               Hex.decode(