Fix KeysFuzzer

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com> Signed-off-by: Appu Goundan <appu@google.com>
sigstore · Mar 29, 2024 · 7e5e268 · 7e5e268
1 parent 36a6b2e
commit 7e5e268
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 4 deletions.
diff --git a/...ing/src/main/java/fuzzing/KeysFuzzer.java → .../main/java/fuzzing/KeysParsingFuzzer.java b/...ing/src/main/java/fuzzing/KeysFuzzer.java → .../main/java/fuzzing/KeysParsingFuzzer.java
@@ -21,15 +21,12 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.InvalidKeySpecException;
 
-public class KeysFuzzer {
+public class KeysParsingFuzzer {
   public static void fuzzerTestOneInput(FuzzedDataProvider data) {
     try {
-      String[] schemes = {"rsassa-pss-sha256", "ed25519", "ecdsa-sha2-nistp256"};
-      String scheme = data.pickValue(schemes);
       byte[] byteArray = data.consumeRemainingAsBytes();
 
       Keys.parsePublicKey(byteArray);
-      Keys.constructTufPublicKey(byteArray, scheme);
     } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) {
       // known exceptions
     }

diff --git a/fuzzing/src/main/java/fuzzing/TufKeysFuzzer.java b/fuzzing/src/main/java/fuzzing/TufKeysFuzzer.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package fuzzing;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import dev.sigstore.encryption.Keys;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+public class TufKeysFuzzer {
+  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+    try {
+      String[] schemes = {"rsassa-pss-sha256", "ed25519", "ecdsa-sha2-nistp256", "ecdsa"};
+      String scheme = data.pickValue(schemes);
+      byte[] byteArray = data.consumeRemainingAsBytes();
+
+      Keys.constructTufPublicKey(byteArray, scheme);
+    } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
+      // known exceptions
+    } catch (RuntimeException e) {
+      if (!e.toString().contains("not currently supported")) {
+        throw e;
+      }
+    }
+  }
+}
diff --git a/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java b/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java
@@ -135,6 +135,9 @@ public static PublicKey parsePkcs1RsaPublicKey(byte[] contents)
    */
   public static PublicKey constructTufPublicKey(byte[] contents, String scheme)
       throws NoSuchAlgorithmException, InvalidKeySpecException {
+    if (contents.length == 0) {
+      throw new InvalidKeySpecException("key contents was empty");
+    }
     switch (scheme) {
       case "ed25519":
         {