add oss-fuzz build script, seeds and dictionaries

Signed-off-by: Adam Korczynski <[email protected]>

Author: AdamKorcz

test/fuzz/dictionaries/FuzzEvaluatePolicyAgainstJSON.dict

@@ -0,0 +1,45 @@
+"{\"authorityMatches\":{\"keyatt\":{\"signatures\":null,\"attestations\":{\"vuln-key\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}]}},\"keysignature\":{\"signatures\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}],\"attestations\":null},\"keylessatt\":{\"signatures\":null,\"attestations\":{\"custom-keyless\":[{\"subject\":\"PLACEHOLDER\",\"issuer\":\"PLACEHOLDER\"}]}}}}"
+# Below is from https://github.com/rc0r/afl-fuzz/blob/master/dictionaries/json.dict
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"

test/fuzz/dictionaries/FuzzImportKeyPairLoadPrivateKey.dict

@@ -0,0 +1,14 @@
+"-----BEGIN RSA PRIVATE KEY-----"
+"-----END RSA PRIVATE KEY-----"
+"-----BEGIN PRIVATE KEY-----"
+"-----END PRIVATE KEY-----"
+"-----BEGIN PUBLIC KEY-----"
+"-----END PUBLIC KEY-----"
+"-----BEGIN PGP PRIVATE KEY BLOCK-----"
+"Version: BCPG C# v1.6.1.0"
+"-----END PGP PRIVATE KEY BLOCK-----"
+"-----BEGIN EC PRIVATE KEY-----"
+"-----END EC PRIVATE KEY-----"
+"-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----"
+"-----END ENCRYPTED COSIGN PRIVATE KEY-----"
+

test/fuzz/oss_fuzz_build.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+go get github.com/AdamKorcz/go-118-fuzz-build/testing
+
+mv ./pkg/cosign/keys_test.go ./pkg/cosign/keys_test_keep_in_fuzz_scope.go
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/attestation FuzzGenerateStatement FuzzGenerateStatement
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/cue FuzzValidateJSON FuzzValidateJSON_cue
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign/rego FuzzValidateJSON FuzzValidateJSON_rego
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign FuzzImportKeyPairLoadPrivateKey FuzzImportKeyPairLoadPrivateKey
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/cosign FuzzSigVerify FuzzSigVerify
+compile_native_go_fuzzer github.com/sigstore/cosign/v2/pkg/policy FuzzEvaluatePolicyAgainstJSON FuzzEvaluatePolicyAgainstJSON
+
+zip -j $OUT/FuzzEvaluatePolicyAgainstJSON_seed_corpus.zip test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed*
+zip -j $OUT/FuzzEvaluatePolicyAgainstJSON_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
+zip -j $OUT/FuzzValidateJSON_cue_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
+zip -j $OUT/FuzzValidateJSON_rego_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
+zip -j $OUT/FuzzGenerateStatement_seed_corpus.zip $SRC/go-fuzz-corpus/json/corpus/*
+cp $SRC/afl-fuzz/dictionaries/json.dict $OUT/FuzzValidateJSON_cue.dict
+cp $SRC/afl-fuzz/dictionaries/json.dict $OUT/FuzzValidateJSON_rego.dict
+cp $SRC/afl-fuzz/dictionaries/json.dict $OUT/FuzzGenerateStatement.dict
+cp test/fuzz/dictionaries/FuzzImportKeyPairLoadPrivateKey.dict $OUT/

test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed1

@@ -0,0 +1,18 @@
+package sigstore
+isCompliant[response] {
+    attestationsKeylessATT := input.authorityMatches.keylessatt.attestations
+    result = (count(attestationsKeylessATT) == 1)
+    attestationsKeyATT := input.authorityMatches.keyatt.attestations
+    result = (count(attestationsKeyATT) == 1)
+    keySignature := input.authorityMatches.keysignature.signatures
+    result = (count(keySignature) == 1)
+
+    errorMsg = ""
+    warnMsg = "Throw warning error even if succeeded"
+
+    response := {
+        "result" : result,
+        "error" : errorMsg,
+        "warning" : warnMsg
+    }
+}

test/fuzz/seeds/FuzzEvaluatePolicyAgainstJSON_seed2

@@ -0,0 +1,18 @@
+package sigstore
+import "struct"
+import "list"
+authorityMatches: {
+  keyatt: {
+      attestations: struct.MaxFields(1) & struct.MinFields(1)
+  },
+  keysignature: {
+      signatures: list.MaxItems(1) & list.MinItems(1)
+  }, 
+  if( len(authorityMatches.keylessatt.attestations) < 2) {
+      keylessattMinAttestations: 2
+      keylessattMinAttestations: "Error"
+  },
+  keylesssignature: {
+      signatures: list.MaxItems(1) & list.MinItems(1)
+  }
+}