istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tests/fuzz/pki_fuzzer.go (about) 1 // Copyright Istio Authors 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package fuzz 16 17 import ( 18 "crypto/x509/pkix" 19 "os" 20 21 fuzz "github.com/AdaLogics/go-fuzz-headers" 22 23 "istio.io/istio/security/pkg/pki/util" 24 ) 25 26 // FuzzVerifyCertificate implements a fuzzer 27 // that tests util.VerifyCertificate 28 func FuzzVerifyCertificate(data []byte) int { 29 f := fuzz.NewConsumer(data) 30 privPem, err := f.GetBytes() 31 if err != nil { 32 return 0 33 } 34 certChainPem, err := f.GetBytes() 35 if err != nil { 36 return 0 37 } 38 rootCertPem, err := f.GetBytes() 39 if err != nil { 40 return 0 41 } 42 expectedFields := &util.VerifyFields{} 43 err = f.GenerateStruct(expectedFields) 44 if err != nil { 45 return 0 46 } 47 util.VerifyCertificate(privPem, certChainPem, rootCertPem, expectedFields) 48 return 1 49 } 50 51 // FindRootCertFromCertificateChainBytesFuzz implements a fuzzer 52 // that tests util.FindRootCertFromCertificateChainBytes 53 func FuzzFindRootCertFromCertificateChainBytes(data []byte) int { 54 _, _ = util.FindRootCertFromCertificateChainBytes(data) 55 return 1 56 } 57 58 func FuzzExtractIDs(data []byte) int { 59 f := fuzz.NewConsumer(data) 60 noOfExts, err := f.GetInt() 61 if err != nil { 62 return 0 63 } 64 noOfExtensions := noOfExts % 30 65 if noOfExtensions == 0 { 66 return 0 67 } 68 extensions := make([]pkix.Extension, 0) 69 for i := 0; i < noOfExtensions; i++ { 70 newExtension := pkix.Extension{} 71 err = f.GenerateStruct(&newExtension) 72 if err != nil { 73 return 0 74 } 75 extensions = append(extensions, newExtension) 76 } 77 _, _ = util.ExtractIDs(extensions) 78 return 1 79 } 80 81 // FuzzPemCertBytestoString implements a fuzzer 82 // that tests PemCertBytestoString 83 func FuzzPemCertBytestoString(data []byte) int { 84 _ = util.PemCertBytestoString(data) 85 return 1 86 } 87 88 // FuzzParsePemEncodedCertificateChain implements 89 // a fuzzer that tests ParsePemEncodedCertificateChain 90 func FuzzParsePemEncodedCertificateChain(data []byte) int { 91 _, _, _ = util.ParsePemEncodedCertificateChain(data) 92 return 1 93 } 94 95 // FuzzUpdateVerifiedKeyCertBundleFromFile implements a 96 // fuzzer that tests UpdateVerifiedKeyCertBundleFromFile 97 func FuzzUpdateVerifiedKeyCertBundleFromFile(data []byte) int { 98 f := fuzz.NewConsumer(data) 99 certFile, err := os.Create("certfile") 100 if err != nil { 101 return 0 102 } 103 defer certFile.Close() 104 defer os.Remove("certfile") 105 106 certFileBytes, err := f.GetBytes() 107 if err != nil { 108 return 0 109 } 110 _, err = certFile.Write(certFileBytes) 111 if err != nil { 112 return 0 113 } 114 115 privKeyFile, err := os.Create("privKeyFile") 116 if err != nil { 117 return 0 118 } 119 defer privKeyFile.Close() 120 defer os.Remove("privKeyFile") 121 122 privKeyFileBytes, err := f.GetBytes() 123 if err != nil { 124 return 0 125 } 126 _, err = privKeyFile.Write(privKeyFileBytes) 127 if err != nil { 128 return 0 129 } 130 131 certChainFile, err := os.Create("certChainFile") 132 if err != nil { 133 return 0 134 } 135 defer certChainFile.Close() 136 defer os.Remove("certChainFile") 137 138 certChainBytes, err := f.GetBytes() 139 if err != nil { 140 return 0 141 } 142 _, err = certChainFile.Write(certChainBytes) 143 if err != nil { 144 return 0 145 } 146 147 rootCertFile, err := os.Create("rootCertFile") 148 if err != nil { 149 return 0 150 } 151 defer rootCertFile.Close() 152 defer os.Remove("rootCertFile") 153 154 rootCertFileBytes, err := f.GetBytes() 155 if err != nil { 156 return 0 157 } 158 _, err = rootCertFile.Write(rootCertFileBytes) 159 if err != nil { 160 return 0 161 } 162 bundle, err := util.NewVerifiedKeyCertBundleFromFile("certfile", "privKeyFile", []string{"certChainFile"}, "rootCertFile") 163 if err != nil { 164 return 0 165 } 166 _, err = bundle.CertOptions() 167 if err == nil { 168 panic("Ran successfully") 169 } 170 171 newCertFile, err := os.Create("newCertfile") 172 if err != nil { 173 return 0 174 } 175 defer newCertFile.Close() 176 defer os.Remove("newCertFile") 177 178 newCertFileBytes, err := f.GetBytes() 179 if err != nil { 180 return 0 181 } 182 _, err = newCertFile.Write(newCertFileBytes) 183 if err != nil { 184 return 0 185 } 186 187 newPrivKeyFile, err := os.Create("newPrivKeyFile") 188 if err != nil { 189 return 0 190 } 191 defer newPrivKeyFile.Close() 192 defer os.Remove("newPrivKeyFile") 193 194 newPrivKeyFileBytes, err := f.GetBytes() 195 if err != nil { 196 return 0 197 } 198 _, err = newPrivKeyFile.Write(newPrivKeyFileBytes) 199 if err != nil { 200 return 0 201 } 202 203 newCertChainFile, err := os.Create("newCertChainFile") 204 if err != nil { 205 return 0 206 } 207 defer newCertChainFile.Close() 208 defer os.Remove("newCertChainFile") 209 210 newCertChainBytes, err := f.GetBytes() 211 if err != nil { 212 return 0 213 } 214 _, err = newCertChainFile.Write(newCertChainBytes) 215 if err != nil { 216 return 0 217 } 218 219 newRootCertFile, err := os.Create("newRootCertFile") 220 if err != nil { 221 return 0 222 } 223 defer newRootCertFile.Close() 224 defer os.Remove("newRootCertFile") 225 226 newRootCertFileBytes, err := f.GetBytes() 227 if err != nil { 228 return 0 229 } 230 _, err = newRootCertFile.Write(newRootCertFileBytes) 231 if err != nil { 232 return 0 233 } 234 235 bundle.UpdateVerifiedKeyCertBundleFromFile("newCertfile", "newPrivKeyFile", []string{"newCertChainFile"}, "newRootCertFile") 236 return 1 237 }