Add fuzz tests for bundle, tlog and verify packages (#272)

Signed-off-by: Adam Korczynski <adam@adalogics.com>

pkg/bundle/fuzz_test.go

@@ -0,0 +1,59 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package bundle
+
+import (
+ "testing"
+)
+
+/*
+FuzzBundle creates a randomized bundle and
+invokes three of its methods
+*/
+//nolint:errcheck
+func FuzzBundle(f *testing.F) {
+ f.Fuzz(func(t *testing.T, bundleData []byte,
+ call1,
+ call2,
+ call3 int,
+ expectVersion string) {
+ var bundle Bundle
+ err := bundle.UnmarshalJSON(bundleData)
+ if err != nil {
+ t.Skip()
+ }
+ calls := []int{call1, call2, call3}
+ for _, call := range calls {
+ switch call % 8 {
+ case 0:
+ bundle.VerificationContent()
+ case 1:
+ bundle.HasInclusionPromise()
+ case 2:
+ bundle.HasInclusionProof()
+ case 3:
+ bundle.TlogEntries()
+ case 4:
+ bundle.SignatureContent()
+ case 5:
+ bundle.Envelope()
+ case 6:
+ bundle.Timestamps()
+ case 7:
+ bundle.MinVersion(expectVersion)
+ }
+ }
+ })
+}

pkg/tlog/fuzz_test.go

@@ -0,0 +1,69 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tlog
+
+import (
+ "testing"
+
+ commonV1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+ v1 "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1"
+)
+
+/*
+FuzzParseEntry creates a randomized
+TransparencyLogEntry and parses it
+*/
+func FuzzParseEntry(f *testing.F) {
+ f.Fuzz(func(_ *testing.T, proofTreeSize,
+ proofLogIndex,
+ tlEntryIntegratedTime,
+ tlEntryIndex int64,
+ proofRootHash,
+ proofHash1,
+ proofHash2,
+ proofHash3,
+ promiseSETimestamp,
+ tlEntryCanonicalizedBody,
+ logIdKeyId []byte,
+ kindVersion,
+ kindKind,
+ checkpointEnvelope string) {
+ //nolint:errcheck
+ ParseEntry(&v1.TransparencyLogEntry{
+ LogIndex: tlEntryIndex,
+ LogId: &commonV1.LogId{
+ KeyId: logIdKeyId,
+ },
+ KindVersion: &v1.KindVersion{
+ Kind: kindKind,
+ Version: kindVersion,
+ },
+ IntegratedTime: tlEntryIntegratedTime,
+ InclusionPromise: &v1.InclusionPromise{
+ SignedEntryTimestamp: promiseSETimestamp,
+ },
+ InclusionProof: &v1.InclusionProof{
+ LogIndex: proofLogIndex,
+ RootHash: proofRootHash,
+ TreeSize: proofTreeSize,
+ Hashes: [][]byte{proofHash1, proofHash2, proofHash3},
+ Checkpoint: &v1.Checkpoint{
+ Envelope: checkpointEnvelope,
+ },
+ },
+ CanonicalizedBody: tlEntryCanonicalizedBody,
+ })
+ })
+}

pkg/verify/fuzz_test.go

@@ -0,0 +1,236 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package verify_test
+
+import (
+ "bytes"
+ "testing"
+
+ protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
+ "github.com/sigstore/sigstore-go/pkg/bundle"
+ "github.com/sigstore/sigstore-go/pkg/root"
+ "github.com/sigstore/sigstore-go/pkg/testing/ca"
+ "github.com/sigstore/sigstore-go/pkg/verify"
+ "google.golang.org/protobuf/encoding/protojson"
+)
+
+var FuzzSkipArtifactAndIdentitiesPolicy = verify.NewPolicy(verify.WithoutArtifactUnsafe(), verify.WithoutIdentitiesUnsafe())
+
+/*
+Tests VerifyTimestampAuthority with an entity that contains
+a randomized email and statement
+*/
+func FuzzVerifyTimestampAuthorityWithoutThreshold(f *testing.F) {
+ f.Fuzz(func(t *testing.T, email string, statement []byte) {
+ virtualSigstore, err := ca.NewVirtualSigstore()
+ if err != nil {
+ t.Fatal(err)
+ }
+ entity, err := virtualSigstore.Attest(email,
+ "issuer",
+ statement)
+ if err != nil {
+ t.Skip()
+ }
+ //nolint:errcheck
+ verify.VerifyTimestampAuthority(entity, virtualSigstore)
+ })
+}
+
+/*
+Tests VerifyTimestampAuthorityWithThreshold with an entity
+that contains a randomized email, statement and a randomized
+threshold
+*/
+func FuzzVerifyTimestampAuthorityWithThreshold(f *testing.F) {
+ f.Fuzz(func(t *testing.T, email string,
+ statement []byte,
+ threshold int) {
+ virtualSigstore, err := ca.NewVirtualSigstore()
+ if err != nil {
+ t.Fatal(err)
+ }
+ entity, err := virtualSigstore.Attest(email,
+ "issuer",
+ statement)
+ if err != nil {
+ t.Skip()
+ }
+ //nolint:errcheck
+ verify.VerifyTimestampAuthorityWithThreshold(entity,
+ virtualSigstore,
+ threshold)
+ })
+}
+
+/*
+Tests VerifyArtifactTransparencyLog with an entity
+that contains a randomized email and statement and
+a randomized log threshold and integrated time
+*/
+func FuzzVerifyArtifactTransparencyLog(f *testing.F) {
+ f.Fuzz(func(t *testing.T, email string,
+ statement []byte,
+ logThreshold int,
+ trustIntegratedTime bool) {
+ virtualSigstore, err := ca.NewVirtualSigstore()
+ if err != nil {
+ t.Fatal(err)
+ }
+ entity, err := virtualSigstore.Attest(email,
+ "issuer",
+ statement)
+ if err != nil {
+ t.Skip()
+ }
+ //nolint:errcheck
+ verify.VerifyArtifactTransparencyLog(entity,
+ virtualSigstore,
+ logThreshold,
+ trustIntegratedTime,
+ false)
+ })
+}
+
+/*
+Tests Verify with an entity that contains a randomized
+email and statement and a randomized root
+*/
+func FuzzSignedEntityVerifier(f *testing.F) {
+ f.Fuzz(func(t *testing.T, trustedrootJSON,
+ bundleBytes []byte) {
+ trustedRoot, err := root.NewTrustedRootFromJSON(trustedrootJSON)
+ if err != nil || trustedRoot == nil {
+ t.Skip()
+ }
+ var b protobundle.Bundle
+ err = protojson.Unmarshal(bundleBytes, &b)
+ if err != nil {
+ t.Skip()
+ }
+ entity, err := bundle.NewBundle(&b)
+ if err != nil {
+ t.Skip()
+ }
+ v, err := verify.NewSignedEntityVerifier(trustedRoot,
+ verify.WithTransparencyLog(1),
+ verify.WithObserverTimestamps(1))
+ if err != nil {
+ t.Fatal(err)
+ }
+ //nolint:errcheck
+ v.Verify(entity, FuzzSkipArtifactAndIdentitiesPolicy)
+ })
+}
+
+/*
+Tests VerifySignature with a sigContent and verificationsContent
+from an entity that contains a randomized email and statement.
+*/
+func FuzzVerifySignatureWithoutArtifactOrDigest(f *testing.F) {
+ f.Fuzz(func(t *testing.T, email string, statement []byte) {
+ virtualSigstore, err := ca.NewVirtualSigstore()
+ if err != nil {
+ t.Fatal(err)
+ }
+ entity, err := virtualSigstore.Attest(email, "issuer", statement)
+ if err != nil {
+ t.Skip()
+ }
+ sigContent, err := entity.SignatureContent()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ verificationContent, err := entity.VerificationContent()
+ if err != nil {
+ t.Fatal(err)
+ }
+ //nolint:errcheck
+ verify.VerifySignature(sigContent, verificationContent, virtualSigstore)
+ })
+}
+
+/*
+Tests VerifySignatureWithArtifact with a sigContent and
+verificationsContent from an entity that contains a randomized
+email and statement. The fuzzer also creates an artifact from
+random bytes
+*/
+func FuzzVerifySignatureWithArtifactWithoutDigest(f *testing.F) {
+ f.Fuzz(func(t *testing.T, email string,
+ statement,
+ artifactBytes []byte) {
+ virtualSigstore, err := ca.NewVirtualSigstore()
+ if err != nil {
+ t.Fatal(err)
+ }
+ entity, err := virtualSigstore.Attest(email, "issuer", statement)
+ if err != nil {
+ t.Skip()
+ }
+ sigContent, err := entity.SignatureContent()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ verificationContent, err := entity.VerificationContent()
+ if err != nil {
+ t.Fatal(err)
+ }
+ artifact := bytes.NewReader(artifactBytes)
+ //nolint:errcheck
+ verify.VerifySignatureWithArtifact(sigContent,
+ verificationContent,
+ virtualSigstore,
+ artifact)
+ })
+}
+
+/*
+Tests VerifySignatureWithArtifactDigest with a sigContent and
+verificationsContent from an entity that contains a randomized
+email and statement. The fuzzer also passes a digest from
+random bytes and a random string for the algorithm
+*/
+func FuzzVerifySignatureWithArtifactDigest(f *testing.F) {
+ f.Fuzz(func(t *testing.T, email,
+ artifactDigestAlgorithm string,
+ statement, artifactDigest []byte) {
+ virtualSigstore, err := ca.NewVirtualSigstore()
+ if err != nil {
+ t.Fatal(err)
+ }
+ entity, err := virtualSigstore.Attest(email, "issuer", statement)
+ if err != nil {
+ t.Skip()
+ }
+ sigContent, err := entity.SignatureContent()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ verificationContent, err := entity.VerificationContent()
+ if err != nil {
+ t.Fatal(err)
+ }
+ //nolint:errcheck
+ verify.VerifySignatureWithArtifactDigest(sigContent,
+ verificationContent,
+ virtualSigstore,
+ artifactDigest,
+ artifactDigestAlgorithm)
+ })
+}