
     1  //
     2  // Copyright 2023 The Sigstore Authors.
     3  //
     4  // Licensed under the Apache License, Version 2.0 (the "License");
     5  // you may not use this file except in compliance with the License.
     6  // You may obtain a copy of the License at
     7  //
     8  //     http://www.apache.org/licenses/LICENSE-2.0
     9  //
    10  // Unless required by applicable law or agreed to in writing, software
    11  // distributed under the License is distributed on an "AS IS" BASIS,
    12  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  // See the License for the specific language governing permissions and
    14  // limitations under the License.
    15  
    16  package fuzz
    17  
    18  import (
    19  	"archive/tar"
    20  	"archive/zip"
    21  	"bytes"
    22  	"context"
    23  	"crypto"
    24  	"crypto/rsa"
    25  	"crypto/x509"
    26  	"encoding/pem"
    27  	"errors"
    28  	"os"
    29  	"time"
    30  
    31  	fuzz "github.com/AdamKorcz/go-fuzz-headers-1"
    32  
    33  	"github.com/sassoftware/relic/lib/zipslicer"
    34  	"github.com/sassoftware/relic/v7/lib/certloader"
    35  	"github.com/sassoftware/relic/v7/lib/signjar"
    36  )
    37  
// CertPrivateKey is the RSA private key that init parses from RSAKey; the
// fuzz harness signs generated jars with it.
var CertPrivateKey *rsa.PrivateKey

// Certificate is the leaf certificate that init parses from RSACert; it is
// presented alongside CertPrivateKey when signing generated jars.
var Certificate *x509.Certificate
    42  
// RSACert is the PEM-encoded X.509 certificate that init parses into
// Certificate; the fuzz harness signs generated jars with it. It was copy
// pasted from rekor/pkg/pki/x509/e2e.go and is test material only.
const RSACert = `-----BEGIN CERTIFICATE-----
MIIDOjCCAiKgAwIBAgIUEP925shVBKERFCsymdSqESLZFyMwDQYJKoZIhvcNAQEL
BQAwHzEdMBsGCSqGSIb3DQEJARYOdGVzdEByZWtvci5kZXYwHhcNMjEwNDIxMjAy
ODAzWhcNMjEwNTIxMjAyODAzWjAfMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHJla29y
LmRldjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN8KiP08rFIik4GN
W8/sHSXxDopeDBLEQEihsyXXWesfYW/q59lFaCZrsTetlyNEzKDJ+JrpIHwoGOo4
EwefFfvy2nkgPFs9aeIDsYZNZnIGxeB8sUfsZUYGHx+Ikm18vhM//GYzNjjuvHyq
+CWRAOS12ZISa99iah/lIhcP8IEj1gPGldAH0QFx3XpCePAdQocSU6ziVkj054/x
NJXy1bKySrVw7gvE9LxZlVO9urSOnzg7BBOla0mob8NRDVB8yN+LG365q4IMDzuI
jAEL6sLtoJ9pcemo1rIfNOhSLYlzfg7oszJ8eCjASNCCcp6EKVjhW7LRoldC8oGZ
EOrKM78CAwEAAaNuMGwwHQYDVR0OBBYEFGjs8EHKT3x1itwwptJLuQQg/hQcMB8G
A1UdIwQYMBaAFGjs8EHKT3x1itwwptJLuQQg/hQcMA8GA1UdEwEB/wQFMAMBAf8w
GQYDVR0RBBIwEIEOdGVzdEByZWtvci5kZXYwDQYJKoZIhvcNAQELBQADggEBAAHE
bYuePN3XpM7pHoCz6g4uTHu0VrezqJyK1ohysgWJmSJzzazUeISXk0xWnHPk1Zxi
kzoEuysI8b0P7yodMA8e16zbIOL6QbGe3lNXYqRIg+bl+4OPFGVMX8xHNZmeh0kD
vX1JVS+y9uyo4/z/pm0JhaSCn85ft/Y5uXMQYn1wFR5DAcJH+iWjNX4fipGxGRE9
Cy0DjFnYJ3SRY4HPQ0oUSQmyhrwe2DiYzeqtbL2KJBXPcFQKWhkf/fupdYFljvcH
d9NNfRb0p2oFGG/J0ROg9pEcP1/aZP5k8P2pRdt3y7h1MAtmg2bgEdugZgXwAUmM
BmU8k2FeTuqV15piPCE=
-----END CERTIFICATE-----`
    64  
// RSAKey is the PEM-encoded PKCS#8 private key that init parses into
// CertPrivateKey; it is paired with RSACert when signing generated jars.
// It was copy pasted from rekor/pkg/pki/x509/e2e.go. Being published in
// source, it is test material only and protects nothing.
const RSAKey = `-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfCoj9PKxSIpOB
jVvP7B0l8Q6KXgwSxEBIobMl11nrH2Fv6ufZRWgma7E3rZcjRMygyfia6SB8KBjq
OBMHnxX78tp5IDxbPWniA7GGTWZyBsXgfLFH7GVGBh8fiJJtfL4TP/xmMzY47rx8
qvglkQDktdmSEmvfYmof5SIXD/CBI9YDxpXQB9EBcd16QnjwHUKHElOs4lZI9OeP
8TSV8tWyskq1cO4LxPS8WZVTvbq0jp84OwQTpWtJqG/DUQ1QfMjfixt+uauCDA87
iIwBC+rC7aCfaXHpqNayHzToUi2Jc34O6LMyfHgowEjQgnKehClY4Vuy0aJXQvKB
mRDqyjO/AgMBAAECggEBAIHOAs3Gis8+WjRSjXVjh882DG1QsJwXZQYgPT+vpiAl
YjKdNpOHRkbd9ARgXY5kEuccxDd7p7E6MM3XFpQf7M51ltpZfWboRgAIgD+WOiHw
eSbdytr95C6tj11twTJBH+naGk1sTokxv7aaVdKfIjL49oeBexBFmVe4pW9gkmrE
1z1y1a0RohqbZ0kprYPWjz5UhsNqbCzgkdDqS7IrcOwVg6zvKYFjHnqIHqaJXVif
FgIfoNt7tz+12FTHI+6OkKoN3YCJueaxneBhITXm6RLOpQWa9qhdUPbkJ9vQNfph
Qqke4faaxKY9UDma+GpEHR016AWufZp92pd9wQkDn0kCgYEA7w/ZizAkefHoZhZ8
Isn/fYu4fdtUaVgrnGUVZobiGxWrHRU9ikbAwR7UwbgRSfppGiJdAMq1lyH2irmb
4OHU64rjuYSlIqUWHLQHWmqUbLUvlDojH/vdmH/Zn0AbrLZaimC5UCjK3Eb7sAMq
G0tGeDX2JraQvx7KrbC6peTaaaMCgYEA7tgZBiRCQJ7+mNu+gX9x6OXtjsDCh516
vToRLkxWc7LAbC9LKsuEHl4e3vy1PY/nyuv12Ng2dBq4WDXozAmVgz0ok7rRlIFp
w8Yj8o/9KuGZkD/7tw/pLsVc9Q3Wf0ACrnAAh7+3dAvn3yg+WHwXzqWIbrseDPt9
ILCfUoNDpzUCgYAKFCX8y0PObFd67lm/cbq2xUw66iNN6ay1BEH5t5gSwkAbksis
ar03pyAbJrJ75vXFZ0t6fBFZ1NG7GYYr3fmHEKz3JlN7+W/MN/7TXgjx6FWgLy9J
6ul1w3YeU6qXBn0ctmU5ru6WiNuVmRyOWAcZjFTbXvkNRbQPzJKh6dsXdwKBgA1D
FIihxMf/zBVCxl48bF/JPJqbm3GaTfFp4wBWHsrH1yVqrtrOeCSTh1VMZOfpMK60
0W7b+pIR1cCYJbgGpDWoVLN3QSHk2bGUM/TJB/60jilTVC/DA2ikbtfwj8N7E2sK
Lw1amN4ptxNOEcAqC8xepqe3XiDMahNBm2cigMQtAoGBAKwrXvss2BKz+/6poJQU
A0c7jhMN8M9Y5S2Ockw07lrQeAgfu4q+/8ztm0NeHJbk01IJvJY5Nt7bSgwgNVlo
j7vR2BMAc9U73Ju9aeTl/L6GqmZyA+Ojhl5gA5DPZYqNiqi93ydgRaI6n4+o3dI7
5wnr40AmbuKCDvMOvN7nMybL
-----END PRIVATE KEY-----`
    94  
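// init parses the RSAKey and RSACert fixtures into CertPrivateKey and
// Certificate (copy pasted from rekor/pkg/pki/x509/e2e.go). Both inputs are
// compile-time constants, so any failure is a programming error; each stage
// panics with a message that says which step did not succeed instead of
// dereferencing a nil PEM block.
func init() {
	keyBlock, _ := pem.Decode([]byte(RSAKey))
	if keyBlock == nil {
		panic("fuzz: RSAKey does not contain a PEM block")
	}
	priv, err := x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
	if err != nil {
		panic(err)
	}
	cpk, ok := priv.(*rsa.PrivateKey)
	if !ok {
		panic("unsuccessful conversion")
	}
	CertPrivateKey = cpk

	certBlock, _ := pem.Decode([]byte(RSACert))
	if certBlock == nil {
		panic("fuzz: RSACert does not contain a PEM block")
	}
	Certificate, err = x509.ParseCertificate(certBlock.Bytes)
	if err != nil {
		panic(err)
	}
}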
   114  
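// createJarArtifactFiles derives the entries of a jar from the fuzzer input:
// the tar files ff produces, plus a "META-INF/MANIFEST.MF" entry whose
// contents are also drawn from ff.
//
// A non-nil error is returned when ff cannot supply data, when any generated
// file has an empty body, or when the manifest bytes do not parse; the files
// produced so far accompany it. When ff yields one file or none, that short
// list is returned with a nil error and no manifest is added, so callers
// must check len(files) themselves.
func createJarArtifactFiles(ff *fuzz.ConsumeFuzzer) ([]*fuzz.TarFile, error) {
	files, err := ff.TarFiles()
	if err != nil {
		return files, err
	}
	// NOTE(review): the two-entry threshold is inherited; presumably a jar
	// with a single entry is too trivial to be worth building — confirm.
	if len(files) <= 1 {
		return files, nil
	}
	for _, file := range files {
		if len(file.Body) == 0 {
			return files, errors.New("Created an empty file")
		}
	}

	// add "META-INF/MANIFEST.MF"
	mfContents, err := ff.GetBytes()
	if err != nil {
		return files, err
	}

	// Parse the manifest before the jar is assembled and signed: it is the
	// cheapest of the checks, so a malformed manifest fails fast.
	if _, err := signjar.ParseManifest(mfContents); err != nil {
		return files, err
	}

	files = append(files, &fuzz.TarFile{
		Hdr: &tar.Header{
			Name: "META-INF/MANIFEST.MF",
			Size: int64(len(mfContents)),
			Mode: 0o600,
			// Fixed timestamp: the generated jar depends only on the input.
			ModTime: time.Unix(123, 456),
		},
		Body: mfContents,
	})
	return files, nil
}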
   155  
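// tarfilesToJar packs artifactFiles into a zip archive, signs it with
// CertPrivateKey and Certificate through relic's signjar, and returns the
// bytes of the signed jar.
//
// The archive is staged in a temporary file because the signing patch is
// applied to a file on disk; that file is removed before the function
// returns on every path. Any failure while writing, digesting, signing or
// re-reading the jar is returned, with a nil byte slice.
func tarfilesToJar(artifactFiles []*fuzz.TarFile) ([]byte, error) {
	// A per-call temporary file (created 0600) replaces the fixed name
	// "artifactFile" in the working directory: concurrent fuzz workers no
	// longer race on one path, and a pre-existing file or symlink at a
	// predictable location cannot be written through.
	f, err := os.CreateTemp("", "rekor-fuzz-jar-*")
	if err != nil {
		return nil, err
	}
	name := f.Name()
	defer func() {
		// Close before Remove (Windows refuses to unlink an open file); the
		// results are irrelevant during cleanup.
		f.Close()
		os.Remove(name)
	}()

	zw := zip.NewWriter(f)
	for _, zipFile := range artifactFiles {
		jw, err := zw.Create(zipFile.Hdr.Name)
		if err != nil {
			zw.Close()
			return nil, err
		}
		// A failed body write was previously skipped silently, leaving a
		// truncated entry behind; report it instead.
		if _, err := jw.Write(zipFile.Body); err != nil {
			zw.Close()
			return nil, err
		}
	}
	// Close writes the central directory; without it the archive is invalid,
	// so its error is not ignored.
	if err := zw.Close(); err != nil {
		return nil, err
	}
	if err := f.Sync(); err != nil {
		return nil, err
	}

	var buf bytes.Buffer
	if err := zipslicer.ZipToTar(f, &buf); err != nil {
		return nil, err
	}

	jd, err := signjar.DigestJarStream(&buf, crypto.SHA256)
	if err != nil {
		return nil, err
	}
	c := certloader.Certificate{
		PrivateKey: CertPrivateKey,
		Leaf:       Certificate,
	}

	patch, _, err := jd.Sign(context.Background(), &c, "rekor", false, true, false)
	if err != nil {
		return nil, err
	}

	if err := patch.Apply(f, name); err != nil {
		return nil, err
	}
	// The patch lands on disk; close our handle before reading the final
	// file back. The deferred Close then fails harmlessly.
	f.Close()

	artifactBytes, err := os.ReadFile(name)
	if err != nil {
		return nil, err
	}
	return artifactBytes, nil
}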
   213  
