WIP

key packet fuzzing tests: Use OpenPGPKey/OpenPGPCertificate API
Replace consumeAsBytes(XXX) with consumeRemainingAsBytes()
2025-09-13 20:29:39 +02:00 · 2025-07-23 10:40:45 +02:00 · 2025-07-14 22:09:51 +02:00 · 2025-07-14 21:52:04 +02:00 · 2025-07-14 21:33:51 +02:00 · 2025-07-14 20:34:33 +02:00
5 changed files with 15 additions and 22 deletions
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt
@ -45,6 +45,9 @@ class KeyRingBuilder : KeyRingBuilderInterface<KeyRingBuilder> {
    }

    override fun addUserId(userId: CharSequence): KeyRingBuilder = apply {
+        require(!userId.contains("\n") && !userId.contains("\r")) {
+            "User-ID cannot contain newlines and/or carriage returns."
+        }
        userIds[userId.toString()] = null
    }

--- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt
@ -569,10 +569,11 @@ class SecretKeyRingEditor(
    }

    private fun sanitizeUserId(userId: CharSequence): CharSequence =
-        // I'm not sure, what kind of sanitization is needed.
-        // Newlines are allowed, they just need to be escaped when emitted in an ASCII armor header
-        // Trailing/Leading whitespace is also fine.
-        userId.toString()
+        userId.toString().also {
+            require(!it.contains("\n") && !it.contains("\r")) {
+                "UserId cannot contain newlines and/or carriage returns."
+            }
+        }

    private fun callbackFromRevocationAttributes(attributes: RevocationAttributes?) =
        object : RevocationSignatureSubpackets.Callback {
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt
@ -247,8 +247,7 @@ class ArmorUtils {
                .add(OpenPgpFingerprint.of(publicKey).prettyPrint())
            // Primary / First User ID
            (primary ?: first)?.let {
-                headerMap.getOrPut(HEADER_COMMENT) { mutableSetOf() }
-                    .add(it.replace("\n", "\\n").replace("\r", "\\r"))
+                headerMap.getOrPut(HEADER_COMMENT) { mutableSetOf() }.add(it)
            }
            // X-1 further identities
            when (userIds.size) {
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/Passphrase.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/Passphrase.kt
@ -11,9 +11,14 @@ import org.bouncycastle.util.Arrays
 *
 * @param chars may be null for empty passwords.
 */
-class Passphrase(private val chars: CharArray?) {
+class Passphrase(chars: CharArray?) {
    private val lock = Any()
    private var valid = true
+    private val chars: CharArray?
+
+    init {
+        this.chars = chars;//trimWhitespace(chars)
+    }

    /**
     * Return a copy of the underlying char array. A return value of null represents an empty
@ -62,11 +67,6 @@ class Passphrase(private val chars: CharArray?) {

    override fun hashCode(): Int = getChars()?.let { String(it) }.hashCode()

-    /**
-     * Return a copy of this [Passphrase], but with whitespace characters trimmed off.
-     *
-     * @return copy with trimmed whitespace
-     */
    fun withTrimmedWhitespace(): Passphrase = Passphrase(trimWhitespace(chars))

    companion object {
--- a/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
+++ b/pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java
@ -100,14 +100,4 @@ public class GenerateKeyTest {
        assertThrows(SOPGPException.UnsupportedProfile.class, () ->
                sop.generateKey().profile("invalid"));
    }
-
-    @Test
-    public void generateKeyWithNewlinesInUserId() throws IOException {
-        byte[] keyBytes = sop.generateKey()
-                .userId("Foo\n\nBar")
-                .generate()
-                .getBytes();
-
-        assertTrue(new String(keyBytes).contains("Foo\\n\\nBar"));
-    }
 }
Author	SHA1	Message	Date
Paul Schaub	880b0720db	WIP	2025-07-23 10:40:45 +02:00
Paul Schaub	8f41fb0f27	key packet fuzzing tests: Use OpenPGPKey/OpenPGPCertificate API	2025-07-14 22:09:51 +02:00
Paul Schaub	5939b747b0	Replace consumeAsBytes(XXX) with consumeRemainingAsBytes()	2025-07-14 21:52:04 +02:00
Paul Schaub	adf9fc4639	Fix IndexOutOfBounds, but keep decryption with only SK working	2025-07-14 21:33:51 +02:00
Paul Schaub	9df5060bab	gitignore all .cifuzz-corpus directories	2025-07-14 20:34:33 +02:00
Paul Schaub	fef620d18b	Move jazzerVersion to version.gradle	2025-07-12 11:35:34 +02:00
Paul Schaub	42e6bb483f	More fuzzing tests and vectors	2025-07-12 11:29:07 +02:00
Paul Schaub	1560980c7e	Even more fuzzing	2025-07-09 14:09:47 +02:00
Paul Schaub	cefdfa8eac	More fuzzing	2025-07-09 11:24:18 +02:00
Paul Schaub	ae9c702b29	Add more test vectors	2025-07-08 15:03:59 +02:00
Paul Schaub	4c2e60bb92	Add fuzzing data to REUSE.toml	2025-07-08 14:34:55 +02:00
Paul Schaub	599c689c2e	Fuzzer tests	2025-07-08 14:34:35 +02:00
Paul Schaub	556766e0bf	Fuzz different methods	2025-07-04 17:37:26 +02:00
Paul Schaub	343fc6cf65	Add pgpainless-sop/.cifuzz-corpus/* to .gitignore	2025-07-04 17:37:04 +02:00
Paul Schaub	fa0d515c35	SOP armor: catch IOException during inspection of data	2025-07-04 17:35:27 +02:00
Paul Schaub	453b190f58	OpenPGPInputStream: Expose inspectBuffer method	2025-07-04 17:34:44 +02:00