key packet fuzzing tests: Use OpenPGPKey/OpenPGPCertificate API

.gitignore

@@ -34,4 +34,4 @@ push_html.sh
 
 node_modules
 
-pgpainless-sop/.cifuzz-corpus/*
+*/.cifuzz-corpus/*

pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt

@@ -347,12 +347,7 @@ class OpenPgpMessageInputStream(
             "Symmetrically Encrypted Data Packet at depth ${layerMetadata.depth} encountered.")
         syntaxVerifier.next(InputSymbol.ENCRYPTED_DATA)
         val encDataList = packetInputStream!!.readEncryptedDataList()
-        if (encDataList.isEmpty) {
+        if (!encDataList.isIntegrityProtected && !encDataList.isEmpty && !encDataList.get(0).isAEAD) {
-            LOGGER.debug(
-                "Missing encrypted session key packet.")
-            return false
-        }
-        if (!encDataList.isIntegrityProtected && !encDataList.get(0).isAEAD) {
             LOGGER.warn("Symmetrically Encrypted Data Packet is not integrity-protected.")
             if (!options.isIgnoreMDCErrors()) {
                 throw MessageNotIntegrityProtectedException()

pgpainless-sop/build.gradle

@@ -19,7 +19,7 @@ dependencies {
     testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
 
     // Jazzer for Fuzzing
-    testImplementation "com.code-intelligence:jazzer-junit:0.24.0"
+    testImplementation "com.code-intelligence:jazzer-junit:$jazzerVersion"
 
     // Logging
     testImplementation "ch.qos.logback:logback-classic:$logbackVersion"

pgpainless-sop/src/test/java/org/pgpainless/sop/fuzzing/AsciiArmorFuzzTest.java

@@ -22,7 +22,7 @@ public class AsciiArmorFuzzTest {
             maxDuration = "60s"
     )
     public void armorAndDearmorData(FuzzedDataProvider data) throws IOException {
-        byte[] bytes = data.consumeBytes(1024);
+        byte[] bytes = data.consumeRemainingAsBytes();
 
         byte[] armored = sop.armor().data(bytes).getBytes();
         if (Arrays.areEqual(bytes, armored)) {

pgpainless-sop/src/test/java/org/pgpainless/sop/fuzzing/EncryptedMessageFuzzingTest.java

@@ -10,6 +10,7 @@ import org.bouncycastle.util.encoders.Hex;
 import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
+import org.pgpainless.exception.MissingDecryptionMethodException;
 import org.pgpainless.exception.ModificationDetectionException;
 import org.pgpainless.sop.SOPImpl;
 import sop.SOP;
@@ -75,7 +76,7 @@ public class EncryptedMessageFuzzingTest {
             maxDuration = "60s"
     )
     public void decryptFuzzedMessage(FuzzedDataProvider provider) {
-        byte[] ciphertext = provider.consumeBytes(8192);
+        byte[] ciphertext = provider.consumeRemainingAsBytes();
         if (ciphertext.length == 0) {
             return;
         }

pgpainless-sop/src/test/java/org/pgpainless/sop/fuzzing/ParseCertFuzzTest.java

@@ -22,7 +22,7 @@ public class ParseCertFuzzTest {
 
     @FuzzTest(maxDuration = "30s")
     public void parseOpenPGPCert(FuzzedDataProvider data) throws IOException {
-        byte[] certEncoding = data.consumeBytes(8192);
+        byte[] certEncoding = data.consumeRemainingAsBytes();
         if (certEncoding.length == 0) {
             return;
         }

pgpainless-sop/src/test/java/org/pgpainless/sop/fuzzing/PublicKeyPacketFuzzTest.java

@@ -6,33 +6,24 @@ package org.pgpainless.sop.fuzzing;
 
 import com.code_intelligence.jazzer.api.FuzzedDataProvider;
 import com.code_intelligence.jazzer.junit.FuzzTest;
-import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.UnsupportedPacketVersionException;
-import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.api.OpenPGPKeyReader;
-import org.bouncycastle.openpgp.PGPPublicKeyRing;
-import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 
 public class PublicKeyPacketFuzzTest {
 
-    @FuzzTest(maxDuration = "30m")
+    private final OpenPGPKeyReader reader = new OpenPGPKeyReader();
-    public void parsePublicKeyPacket(FuzzedDataProvider provider)
+
-    {
+    @FuzzTest(maxDuration = "60s")
-        byte[] encoding = provider.consumeBytes(8192);
+    public void parsePublicKeyPacket(FuzzedDataProvider provider) {
+        byte[] encoding = provider.consumeRemainingAsBytes();
         if (encoding.length == 0) {
             return;
         }
 
-        ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
-        BCPGInputStream pIn = new BCPGInputStream(bIn);
-        PGPObjectFactory objFac = new BcPGPObjectFactory(pIn);
         try {
-            Object next = objFac.nextObject();
+            reader.parseCertificate(encoding);
-            if (next == null) return;
-
-            PGPPublicKeyRing pubKey = (PGPPublicKeyRing) next;
         } catch (IOException e) {
             // ignore
         } catch (UnsupportedPacketVersionException e) {

pgpainless-sop/src/test/java/org/pgpainless/sop/fuzzing/SecretKeyPacketFuzzTest.java

@@ -6,33 +6,25 @@ package org.pgpainless.sop.fuzzing;
 
 import com.code_intelligence.jazzer.api.FuzzedDataProvider;
 import com.code_intelligence.jazzer.junit.FuzzTest;
-import org.bouncycastle.bcpg.BCPGInputStream;
 import org.bouncycastle.bcpg.UnsupportedPacketVersionException;
-import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.api.OpenPGPKeyReader;
-import org.bouncycastle.openpgp.PGPSecretKeyRing;
-import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 
 public class SecretKeyPacketFuzzTest {
 
-    @FuzzTest(maxDuration = "30m")
+    private final OpenPGPKeyReader reader = new OpenPGPKeyReader();
+
+    @FuzzTest(maxDuration = "6ßs")
     public void parseSecretKeyPacket(FuzzedDataProvider provider)
     {
-        byte[] encoding = provider.consumeBytes(8192);
+        byte[] encoding = provider.consumeRemainingAsBytes();
         if (encoding.length == 0) {
             return;
         }
 
-        ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
-        BCPGInputStream pIn = new BCPGInputStream(bIn);
-        PGPObjectFactory objFac = new BcPGPObjectFactory(pIn);
         try {
-            Object next = objFac.nextObject();
+            reader.parseKey(encoding);
-            if (next == null) return;
-
-            PGPSecretKeyRing secKey = (PGPSecretKeyRing) next;
         } catch (IOException e) {
             // ignore
         } catch (UnsupportedPacketVersionException e) {

pgpainless-sop/src/test/java/org/pgpainless/sop/fuzzing/SignatureFuzzTest.java

@@ -273,7 +273,7 @@ public class SignatureFuzzTest {
             maxDuration = "60s"
     )
     public void verifyFuzzedSig(FuzzedDataProvider provider) throws IOException {
-        byte[] sig = provider.consumeBytes(1024);
+        byte[] sig = provider.consumeRemainingAsBytes();
         if (sig.length == 0) {
             return;
         }

version.gradle

@@ -10,6 +10,7 @@ allprojects {
         bouncyCastleVersion = '1.82-SNAPSHOT'
         bouncyPgVersion = bouncyCastleVersion
         junitVersion = '5.8.2'
+        jazzerVersion = '0.24.0'
         logbackVersion = '1.5.13'
         mockitoVersion = '4.5.1'
         slf4jVersion = '1.7.36'