/src/open62541_15/tests/fuzz/fuzz_certificate_parse.cc

Source
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include <open62541/config.h>

#ifdef UA_ENABLE_ENCRYPTION

#include "custom_memory_manager.h"

#include <open62541/plugin/certificategroup.h>
#include <open62541/types.h>

/*
 * Fuzz X.509 certificate parsing utilities.
 * Tests parsing of DER-encoded certificates with various utility functions.
 * This targets the certificate validation code that processes untrusted
 * certificates from the network (OPN path).
 *
 * Byte 0: operation selector
 * Last 4 bytes: memory limit
 * Remaining: certificate data (DER format)
 */
extern "C" int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if(size <= 5)
        return 0;

    if(!UA_memoryManager_setLimitFromLast4Bytes(data, size))
        return 0;
    size -= 4;

    uint8_t op = data[0];
    data++;
    size--;

    UA_ByteString cert;
    cert.data = (UA_Byte*)(void*)data;
    cert.length = size;

    switch(op % 6) {
    case 0: {
        /* Parse subject name from certificate */
        UA_String subjectName = UA_STRING_NULL;
        UA_CertificateUtils_getSubjectName(&cert, &subjectName);
        UA_String_clear(&subjectName);
        break;
    }
    case 1: {
        /* Parse expiration date */
        UA_DateTime expiryDate = 0;
        UA_CertificateUtils_getExpirationDate(&cert, &expiryDate);
        break;
    }
    case 2: {
        /* Parse thumbprint */
        UA_String thumbprint = UA_STRING_NULL;
        UA_CertificateUtils_getThumbprint(&cert, &thumbprint);
        UA_String_clear(&thumbprint);
        break;
    }
    case 3: {
        /* Parse key size */
        size_t keySize = 0;
        UA_CertificateUtils_getKeySize(&cert, &keySize);
        break;
    }
    case 4: {
        /* Check if certificate is a CA certificate */
        UA_CertificateUtils_checkCA(&cert);
        break;
    }
    case 5: {
        /* Verify application URI */
        UA_String uri = UA_STRING((char*)"urn:test:app");
        UA_CertificateUtils_verifyApplicationUri(&cert, &uri);
        break;
    }
    }

    return 0;
}

#else /* UA_ENABLE_ENCRYPTION */

#include <stdint.h>
#include <stddef.h>

extern "C" int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)data;
    (void)size;
    return 0;
}

#endif


Line	Count	Source
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5		#include <open62541/config.h>
6
7		#ifdef UA_ENABLE_ENCRYPTION
8
9		#include "custom_memory_manager.h"
10
11		#include <open62541/plugin/certificategroup.h>
12		#include <open62541/types.h>
13
14		/*
15		* Fuzz X.509 certificate parsing utilities.
16		* Tests parsing of DER-encoded certificates with various utility functions.
17		* This targets the certificate validation code that processes untrusted
18		* certificates from the network (OPN path).
19		*
20		* Byte 0: operation selector
21		* Last 4 bytes: memory limit
22		* Remaining: certificate data (DER format)
23		*/
24		extern "C" int
25	384	LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
26	384	if(size <= 5)
27	8	return 0;
28
29	376	if(!UA_memoryManager_setLimitFromLast4Bytes(data, size))
30	0	return 0;
31	376	size -= 4;
32
33	376	uint8_t op = data[0];
34	376	data++;
35	376	size--;
36
37	376	UA_ByteString cert;
38	376	cert.data = (UA_Byte)(void)data;
39	376	cert.length = size;
40
41	376	switch(op % 6) {
42	267	case 0: {
43		/* Parse subject name from certificate */
44	267	UA_String subjectName = UA_STRING_NULL;
45	267	UA_CertificateUtils_getSubjectName(&cert, &subjectName);
46	267	UA_String_clear(&subjectName);
47	267	break;
48	0	}
49	26	case 1: {
50		/* Parse expiration date */
51	26	UA_DateTime expiryDate = 0;
52	26	UA_CertificateUtils_getExpirationDate(&cert, &expiryDate);
53	26	break;
54	0	}
55	7	case 2: {
56		/* Parse thumbprint */
57	7	UA_String thumbprint = UA_STRING_NULL;
58	7	UA_CertificateUtils_getThumbprint(&cert, &thumbprint);
59	7	UA_String_clear(&thumbprint);
60	7	break;
61	0	}
62	29	case 3: {
63		/* Parse key size */
64	29	size_t keySize = 0;
65	29	UA_CertificateUtils_getKeySize(&cert, &keySize);
66	29	break;
67	0	}
68	24	case 4: {
69		/* Check if certificate is a CA certificate */
70	24	UA_CertificateUtils_checkCA(&cert);
71	24	break;
72	0	}
73	23	case 5: {
74		/* Verify application URI */
75	23	UA_String uri = UA_STRING((char*)"urn:test:app");
76	23	UA_CertificateUtils_verifyApplicationUri(&cert, &uri);
77	23	break;
78	0	}
79	376	}
80
81	376	return 0;
82	376	}
83
84		#else /* UA_ENABLE_ENCRYPTION */
85
86		#include <stdint.h>
87		#include <stddef.h>
88
89		extern "C" int
90		LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
91		(void)data;
92		(void)size;
93		return 0;
94		}
95
96		#endif
97

Coverage Report

Created: 2026-06-09 06:15