TokenUtilFuzzer.java
// Copyright 2023 the cncf-fuzzing authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
///////////////////////////////////////////////////////////////////////////
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import javax.crypto.KeyGenerator;
import org.keycloak.jose.jwe.JWEConstants;
import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.alg.DirectAlgorithmProvider;
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
import org.keycloak.jose.jwe.enc.AesCbcHmacShaJWEEncryptionProvider;
import org.keycloak.jose.jwe.enc.AesGcmJWEEncryptionProvider;
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.util.TokenUtil;
/**
* This fuzzer targets the methods in TokenUtil class. It passes random string for choosing
* algorithm, key creation and method call.
*/
public class TokenUtilFuzzer {
// Set up a list of valid algorithm for the JWE object
private static String[] alg = {
JWEConstants.DIRECT,
JWEConstants.A128KW,
JWEConstants.RSA1_5,
JWEConstants.RSA_OAEP,
JWEConstants.RSA_OAEP_256
};
// Set up a list of valid encryption / compression
// algorithm for the JWE object
private static String[] enc = {
JWEConstants.A128CBC_HS256,
JWEConstants.A192CBC_HS384,
JWEConstants.A256CBC_HS512,
JWEConstants.A128GCM,
JWEConstants.A192GCM,
JWEConstants.A256GCM
};
public static void fuzzerTestOneInput(FuzzedDataProvider data) {
try {
// Create base object for method call
KeyGenerator generator = null;
Key aesKey = null;
Key hmacKey = null;
// Randomly choose which method to invoke
Integer choice = data.consumeInt(1, 11);
switch (choice) {
case 1:
// Call isOfflineToken method with random string
TokenUtil.isOfflineToken(data.consumeRemainingAsString());
break;
case 2:
// Call getRefreshToken method with random string
TokenUtil.getRefreshToken(data.consumeRemainingAsBytes());
break;
case 3:
// Generate AES key for method call
generator = KeyGenerator.getInstance("AES");
generator.init(128);
aesKey = generator.generateKey();
// Generate Hmac key for method call
generator = KeyGenerator.getInstance("HmacSHA256");
hmacKey = generator.generateKey();
// Call jweDirectEncode method with the created keys and random byte array
TokenUtil.jweDirectEncode(aesKey, hmacKey, data.consumeRemainingAsBytes());
break;
case 4:
// Generate AES key for method call
generator = KeyGenerator.getInstance("AES");
generator.init(128);
aesKey = generator.generateKey();
// Generate Hmac key for method call
generator = KeyGenerator.getInstance("HmacSHA256");
hmacKey = generator.generateKey();
// Call jweDirectVerifyAndDecode method with the created keys and random byte array
TokenUtil.jweDirectVerifyAndDecode(aesKey, hmacKey, data.consumeRemainingAsString());
break;
case 5:
// Generate AES key for method call
generator = KeyGenerator.getInstance("AES");
generator.init(128);
aesKey = generator.generateKey();
// Call jweKeyEncryptionVerifyAndDecode method with the created key and random string
TokenUtil.jweKeyEncryptionVerifyAndDecode(aesKey, data.consumeRemainingAsString());
break;
case 6:
// Generate AES key for method call
generator = KeyGenerator.getInstance("AES");
generator.init(128);
aesKey = generator.generateKey();
// Initialize the jweAlgorithmProvider object for method call
JWEAlgorithmProvider jweAlgorithmProvider = new DirectAlgorithmProvider();
// Randomly initialize a JWEEncryptionProvider object with randomly chosen encryption
// algorithm
JWEEncryptionProvider jweEncryptionProvider;
if (data.consumeBoolean()) {
jweEncryptionProvider =
new AesCbcHmacShaJWEEncryptionProvider(data.pickValue(TokenUtilFuzzer.enc));
} else {
jweEncryptionProvider =
new AesGcmJWEEncryptionProvider(data.pickValue(TokenUtilFuzzer.enc));
}
// Randomly choose which method to invoke
if (data.consumeBoolean()) {
// Choose random algorithm and initialize a key id with random string
String algAlgorithm = data.pickValue(TokenUtilFuzzer.alg);
String encAlgorithm = data.pickValue(TokenUtilFuzzer.enc);
String kid = data.consumeString(data.consumeInt(0, 10000));
// Call jweKeyEncryptionEncode method with created object and random byte array
TokenUtil.jweKeyEncryptionEncode(
aesKey,
data.consumeRemainingAsBytes(),
algAlgorithm,
encAlgorithm,
kid,
jweAlgorithmProvider,
jweEncryptionProvider);
} else {
// Call jweKeyEncryptionVerifyAndDecode method with created object and random byte array
TokenUtil.jweKeyEncryptionVerifyAndDecode(
aesKey,
data.consumeRemainingAsString(),
jweAlgorithmProvider,
jweEncryptionProvider);
}
break;
case 7:
TokenUtil.attachOIDCScope(data.consumeRemainingAsString());
break;
case 8:
TokenUtil.isOIDCRequest(data.consumeRemainingAsString());
break;
case 9:
TokenUtil.isOfflineTokenRequested(data.consumeRemainingAsString());
break;
case 10:
TokenUtil.hasScope(
data.consumeString(data.consumeInt(0, 10000)), data.consumeRemainingAsString());
break;
case 11:
TokenUtil.hasPrompt(
data.consumeString(data.consumeInt(0, 10000)), data.consumeRemainingAsString());
break;
}
} catch (JWSInputException | JWEException | NoSuchAlgorithmException e) {
// Known exception
}
}
}