95 lines
2.2 KiB
Markdown
# Fuzzing lib/hx509

This directory contains a fuzzer for JWS/JWT parsing (`jose.c`).

## fuzz_jose

Fuzzes `hx509_jws_verify()` and `hx509_jwt_verify()` with various key types.

Note: This fuzzer primarily exercises the parsing paths (base64url decoding,
JSON header/payload parsing, signature format handling). Signature verification
itself will reject most mutations early, so this is less effective than fuzzing
pure codecs like the JSON parser.
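The parsing layer the note refers to can be illustrated with a small harness. The following C is an added example written for this page, not Heimdal's `fuzz_jose.c`: it splits a compact JWS into its three base64url segments, decodes each, and exposes the result both as a libFuzzer `LLVMFuzzerTestOneInput()` and as a standalone `main()` that reads corpus files or stdin, the same two modes the Running section below describes. The names `jws_parse_compact()`, `b64url_decode()`, `B64URL` and the build macro `JOSE_LIBFUZZER` are assumptions of this example, and no hx509 API is called.

```c
/* Added example, not Heimdal's lib/hx509 fuzz_jose.c: a dual-mode harness
 * (standalone main reading files/stdin, or LLVMFuzzerTestOneInput under
 * libFuzzer) for the pure parsing layer of a compact JWS: segment splitting and
 * base64url decoding. It never calls hx509_jws_verify()/hx509_jwt_verify();
 * jws_parse_compact() is a hypothetical stand-in. -DJOSE_LIBFUZZER (a name
 * chosen here) together with -fsanitize=fuzzer selects libFuzzer's own main(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* base64url alphabet (RFC 7515 Appendix C): unpadded, '-' and '_' for 62/63. */
static const char B64URL[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
static int b64url_val(int c)
{
    const char *p = c ? strchr(B64URL, c) : NULL;   /* c == 0 would match the NUL */
    return p ? (int)(p - B64URL) : -1;
}

/* Decode unpadded base64url. Returns the decoded length, or -1 on an invalid
 * character, an impossible input length (4n+1) or insufficient output space. */
long b64url_decode(const char *in, size_t len, uint8_t *out, size_t outcap)
{
    uint32_t acc = 0; int bits = 0; size_t o = 0;
    if (len % 4 == 1) return -1;
    for (size_t i = 0; i < len; i++) {
        int v = b64url_val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outcap) return -1;
            out[o++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (long)o;
}

typedef struct { size_t hdr_len, payload_len, sig_len; } jws_parts;
/* Structural check of "header.payload.signature"; input is not NUL-terminated
 * (fuzzer input never is). Returns 0 when all three parts decode, otherwise a
 * negative code saying which check failed. */
int jws_parse_compact(const uint8_t *data, size_t len, jws_parts *p)
{
    const char *s = (const char *)data, *d1, *d2;
    int rc = 0;
    memset(p, 0, sizeof *p);
    d1 = memchr(s, '.', len);
    if (d1 == NULL) return -1;                                /* no separator at all */
    d2 = memchr(d1 + 1, '.', len - (size_t)(d1 + 1 - s));
    if (d2 == NULL) return -2;                                /* only two segments */
    if (memchr(d2 + 1, '.', len - (size_t)(d2 + 1 - s)) != NULL)
        return -3;                          /* four or more segments: not compact JWS */
    const char *start[3]  = { s, d1 + 1, d2 + 1 };
    size_t      seglen[3] = { (size_t)(d1 - s), (size_t)(d2 - d1 - 1),
                              len - (size_t)(d2 + 1 - s) };
    size_t     *dst[3]    = { &p->hdr_len, &p->payload_len, &p->sig_len };
    uint8_t    *buf = malloc(len + 1);      /* decoded output is never longer than input */
    if (buf == NULL) return -99;
    for (int i = 0; i < 3; i++) {
        long n = b64url_decode(start[i], seglen[i], buf, len);
        if (n < 0) { rc = -4 - i; break; }  /* -4 header, -5 payload, -6 signature */
        *dst[i] = (size_t)n;
    }
    /* RFC 7515: the protected header is mandatory; an empty signature is legal
     * (alg "none"), the same edge case the seed corpus carries. */
    if (rc == 0 && p->hdr_len == 0) rc = -7;
    free(buf);
    return rc;
}

/* libFuzzer entry point: a crash or ASan report on any input is the finding. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    jws_parts p;
    (void)jws_parse_compact(data, size, &p);
    return 0;
}

#ifndef JOSE_LIBFUZZER
/* Standalone mode: each argument is a corpus file, no arguments means stdin.
 * Stripping echo's trailing newline is this harness's own choice. */
int main(int argc, char **argv)
{
    static uint8_t buf[65536];              /* same bound as -max_len=65536 below */
    for (int i = 1; i < (argc > 1 ? argc : 2); i++) {   /* argc == 1: one pass over stdin */
        const char *name = argc > 1 ? argv[i] : "stdin";
        FILE *f = argc > 1 ? fopen(name, "rb") : stdin;
        if (f == NULL) { perror(name); continue; }
        size_t n = fread(buf, 1, sizeof buf, f);
        if (f != stdin) fclose(f);
        while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r')) n--;
        jws_parts p;
        int rc = jws_parse_compact(buf, n, &p);
        printf("%s: rc=%d hdr=%zu payload=%zu sig=%zu\n", name, rc, p.hdr_len, p.payload_len, p.sig_len);
    }
    return 0;
}
#endif
```

With libFuzzer the file is built as `clang -g -O1 -fsanitize=fuzzer,address -DJOSE_LIBFUZZER harness.c`; without the define, `cc -g -fsanitize=address harness.c` gives the standalone binary, which prints the parse code and decoded segment lengths for each input. The distinct negative codes double as a sanity check on a seed corpus: each "malformed" seed should fail at its own stage rather than all of them tripping the first check.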
### Building

#### Standalone (for testing)

```bash
cd build
make -C lib/hx509 fuzz_jose
```

#### With libFuzzer + AddressSanitizer (recommended)

```bash
cd build
CC=clang CXX=clang++ \
CFLAGS="-fsanitize=fuzzer-no-link,address -g -O1" \
LDFLAGS="-fsanitize=fuzzer,address" \
../configure --enable-maintainer-mode --enable-developer

make -C lib/hx509 fuzz_jose
```

#### With AFL++

```bash
cd build
CC=afl-clang-fast CXX=afl-clang-fast++ \
../configure --enable-maintainer-mode --enable-developer

make -C lib/hx509 fuzz_jose
```

### Running

#### Standalone mode (reads from files or stdin)

```bash
# Test with corpus files
./lib/hx509/fuzz_jose ../lib/hx509/fuzz_jose_corpus/*.txt

# Test single input
echo 'eyJhbGciOiJSUzI1NiJ9.e30.AA' | ./lib/hx509/fuzz_jose
```

#### libFuzzer mode

```bash
# Basic fuzzing
./lib/hx509/fuzz_jose ../lib/hx509/fuzz_jose_corpus/

# With options
./lib/hx509/fuzz_jose ../lib/hx509/fuzz_jose_corpus/ \
    -max_len=65536 \
    -timeout=10 \
    -jobs=4 \
    -workers=4
```

#### AFL++ mode

```bash
afl-fuzz -i ../lib/hx509/fuzz_jose_corpus -o findings -- ./lib/hx509/fuzz_jose @@
```

### Seed Corpus

The `fuzz_jose_corpus/` directory contains seed inputs covering:

- Valid RFC test vectors (RS256, ES256, EdDSA from RFC 7515/8037)
- Various algorithms (RS384, RS512, ES384, ES512, HS256, unknown)
- Edge cases (empty parts, minimal tokens, algorithm "none")
- Malformed inputs (bad base64, wrong signature lengths)
- Long headers, nested JSON, Unicode payloads

### What it tests

1. **JWS verification** with RSA, EC, and Ed25519 public keys
2. **JWT verification** including claims parsing
3. **Base64URL decoding** of header, payload, and signature
4. **JSON parsing** of header and claims
5. **ECDSA signature format** conversion (JWS r||s to DER)
6. **Key type matching** against declared algorithm
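Item 5 above is the one step in the list that is pure byte manipulation, so it can be shown in full. The following C is an added example written for this page, not hx509's implementation: it converts the fixed-width `r||s` signature that JWS carries for ES256/ES384/ES512 (RFC 7518 section 3.4) into the DER `SEQUENCE { INTEGER r, INTEGER s }` that ASN.1-based ECDSA verifiers expect, rejecting any signature whose length does not match the declared curve. `ecdsa_jws_to_der()`, `ecdsa_coord_size()` and the two `*_example()` inputs are names and constructed values chosen for this example.

```c
/* Added example, not hx509 code: the r||s -> DER conversion a JWS verifier
 * performs before handing an ES256/ES384/ES512 signature to an ASN.1-based
 * ECDSA implementation (RFC 7518 section 3.4). ecdsa_jws_to_der() and
 * ecdsa_coord_size() are hypothetical names chosen here. The length check is
 * the branch that "wrong signature length" corpus entries exercise. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Coordinate size in bytes for the JWS ECDSA algorithm names, 0 if unknown. */
size_t ecdsa_coord_size(const char *alg)
{
    if (strcmp(alg, "ES256") == 0) return 32;   /* P-256 */
    if (strcmp(alg, "ES384") == 0) return 48;   /* P-384 */
    if (strcmp(alg, "ES512") == 0) return 66;   /* P-521: 521 bits round up to 66 bytes */
    return 0;
}

/* Append one DER INTEGER holding the unsigned big-endian value in[0..len).
 * Leading zero bytes are dropped (DER minimal encoding) and a 0x00 is
 * prepended when the top bit is set so the value stays positive. Returns the
 * number of bytes written; len <= 66 keeps every INTEGER length in short form. */
static size_t der_put_uint(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t i = 0;
    while (i + 1 < len && in[i] == 0) i++;       /* keep at least one byte */
    size_t pad = (in[i] & 0x80) ? 1 : 0;
    size_t n = len - i + pad;
    out[0] = 0x02;
    out[1] = (uint8_t)n;
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, in + i, len - i);
    return 2 + n;
}

/* Convert a JWS ECDSA signature (r||s, each exactly coord bytes) into
 * SEQUENCE { INTEGER r, INTEGER s }. Returns the DER length, or -1 when the
 * signature length does not match the curve or out is too small. */
long ecdsa_jws_to_der(const uint8_t *sig, size_t siglen, size_t coord,
                      uint8_t *out, size_t outcap)
{
    uint8_t body[2 * (2 + 1 + 66)];      /* worst case: two padded 66-byte INTEGERs */
    size_t blen, hdr;

    if (coord == 0 || coord > 66 || siglen != 2 * coord)
        return -1;                       /* wrong length: reject before building anything */
    blen  = der_put_uint(sig, coord, body);
    blen += der_put_uint(sig + coord, coord, body + blen);
    hdr = blen < 128 ? 2 : 3;            /* P-521 bodies exceed 127 bytes: long-form length */
    if (outcap < hdr + blen)
        return -1;
    out[0] = 0x30;
    if (hdr == 2) {
        out[1] = (uint8_t)blen;
    } else {
        out[1] = 0x81;                   /* one length byte follows */
        out[2] = (uint8_t)blen;
    }
    memcpy(out + hdr, body, blen);
    return (long)(hdr + blen);
}

/* Constructed ES256 input (not a real signature): r = 1, s = 2^255. r shrinks
 * to one byte, s needs a 0x00 pad. Returns 40 when the DER starts
 * 30 26 02 01 01 02 21 00 80, -1 otherwise. */
long es256_example(void)
{
    static const uint8_t expect[9] = { 0x30, 0x26, 0x02, 0x01, 0x01, 0x02, 0x21, 0x00, 0x80 };
    uint8_t sig[64] = { 0 }, der[160];
    sig[31] = 0x01;
    sig[32] = 0x80;
    long n = ecdsa_jws_to_der(sig, sizeof sig, ecdsa_coord_size("ES256"), der, sizeof der);
    return (n == 40 && memcmp(der, expect, sizeof expect) == 0) ? n : -1;
}

/* Constructed ES512 input: r = s = 2^528 - 1 (66 bytes of 0xFF). Both INTEGERs
 * take a pad byte, the body is 138 bytes, so the SEQUENCE uses a long-form
 * length: 30 81 8A 02 43 00 FF ... Returns 141 on that encoding, -1 otherwise. */
long es512_example(void)
{
    static const uint8_t expect[6] = { 0x30, 0x81, 0x8A, 0x02, 0x43, 0x00 };
    uint8_t sig[132], der[160];
    memset(sig, 0xFF, sizeof sig);
    long n = ecdsa_jws_to_der(sig, sizeof sig, ecdsa_coord_size("ES512"), der, sizeof der);
    return (n == 141 && memcmp(der, expect, sizeof expect) == 0 && der[6] == 0xFF) ? n : -1;
}
```

Two details matter for a verifier that does this conversion: the raw length must be checked against the curve before any encoding (a 63- or 65-byte ES256 signature is malformed, not merely invalid), and the minimal-INTEGER rules mean the DER length varies with the signature value, so output buffers have to be sized for the padded worst case rather than for `2 * coord + 6`.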