From 20c5cbee300dd8f7c655bcea00911c7cad941a6f Mon Sep 17 00:00:00 2001
From: Adam Korczynski
Date: Tue, 20 Aug 2024 22:16:42 +0100
Subject: [PATCH] add oss-fuzz build script
Signed-off-by: Adam Korczynski
---
test/fuzz/dictionaries/intoto_json.dict | 51 +++++++++++++++++++++++++
test/fuzz/oss_fuzz_build.sh | 34 +++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 test/fuzz/dictionaries/intoto_json.dict
create mode 100755 test/fuzz/oss_fuzz_build.sh
diff --git a/test/fuzz/dictionaries/intoto_json.dict b/test/fuzz/dictionaries/intoto_json.dict
new file mode 100644
index 00000000..c26e6976
--- /dev/null
+++ b/test/fuzz/dictionaries/intoto_json.dict
@@ -0,0 +1,51 @@
+"https://in-toto.io/Statement/v0.1"
+"_type"
+"predicateType"
+"subject"
+"sha256"
+"sha512"
+"https://slsa.dev/provenance/v0.2"
+# Below is from https://github.com/rc0r/afl-fuzz/blob/master/dictionaries/json.dict
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"
diff --git a/test/fuzz/oss_fuzz_build.sh b/test/fuzz/oss_fuzz_build.sh
new file mode 100755
index 00000000..ff3f9644
--- /dev/null
+++ b/test/fuzz/oss_fuzz_build.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -eu
+# Copyright 2024 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+go get github.com/AdamKorcz/go-118-fuzz-build/testing
+
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/bundle FuzzBundle FuzzBundle
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/tlog FuzzParseEntry FuzzParseEntry
+mkdir pkg/verify/fuzz && mv pkg/verify/fuzz_test.go pkg/verify/fuzz/
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/verify/fuzz FuzzVerifyTimestampAuthorityWithoutThreshold FuzzVerifyTimestampAuthorityWithoutThreshold
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/verify/fuzz FuzzVerifyTimestampAuthorityWithThreshold FuzzVerifyTimestampAuthorityWithThreshold
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/verify/fuzz FuzzVerifyArtifactTransparencyLog FuzzVerifyArtifactTransparencyLog
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/verify/fuzz FuzzSignedEntityVerifier FuzzSignedEntityVerifier
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/verify/fuzz FuzzVerifySignatureWithoutArtifactOrDigest FuzzVerifySignatureWithoutArtifactOrDigest
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/verify/fuzz FuzzVerifySignatureWithArtifactWithoutDigest FuzzVerifySignatureWithArtifactWithoutDigest
+compile_native_go_fuzzer github.com/sigstore/sigstore-go/pkg/verify/fuzz FuzzVerifySignatureWithArtifactDigest FuzzVerifySignatureWithArtifactDigest
+
+zip -j $OUT/FuzzSignedEntityVerifier_seed_corpus.zip examples/trusted-root-public-good.json
+
+for fuzzer in FuzzVerifyTimestampAuthorityWithoutThreshold FuzzVerifyTimestampAuthorityWithThreshold FuzzVerifyArtifactTransparencyLog FuzzVerifySignatureWithoutArtifactOrDigest FuzzVerifySignatureWithArtifactWithoutDigest FuzzVerifySignatureWithArtifactDigest; do
+ cp test/fuzz/dictionaries/intoto_json.dict $OUT/$fuzzer.dict
+ zip -j $OUT/"$fuzzer"_seed_corpus.zip examples/sigstore-go-signing/intoto.txt
+done
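Review bot: The `go get github.com/AdamKorcz/go-118-fuzz-build/testing` line carries no version suffix, so the fuzz build of a signature-verification library pulls whatever version of that third-party module resolves at build time. Pinning it, e.g. `go get github.com/AdamKorcz/go-118-fuzz-build/testing@<pinned-commit>` (placeholder, to be filled with a reviewed revision), would keep the build reproducible and make upgrades an explicit, reviewable change. As a smaller point of style, `$OUT` is expanded unquoted in the `zip -j` and `cp` lines; `cp test/fuzz/dictionaries/intoto_json.dict "$OUT/$fuzzer.dict"` and `zip -j "$OUT/${fuzzer}_seed_corpus.zip" examples/sigstore-go-signing/intoto.txt` avoid word splitting if the output path ever contains spaces. A one-line comment above `mkdir pkg/verify/fuzz && mv …` saying why the test file is moved into its own package would also help, since the script gives no reason for rearranging the checkout.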