cryptnox-sdk-arduino/fuzz__der_8cpp_source.html

/*

 * SPDX-License-Identifier: LGPL-3.0-or-later

 * Copyright (c) 2026 Cryptnox SA

 */


/*

 * fuzz_der.cpp — libFuzzer harness for the two DER parser paths in

 *                CW_SecureChannel (SEC-015).

 *

 * Targets:

 *   derWalkMfCert()                   file-static DER X.509 cert walker

 *   CW_SecureChannel::parseDerSigToRaw()  private-static DER sig parser

 *

 * Build (Linux / macOS, clang required):

 *   cd cryptnox-sdk-cpp/fuzz

 *   mkdir build && cd build

 *   cmake .. -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++

 *   make

 *

 * Run:

 *   ./fuzz_der corpus/ -max_len=512 -jobs=4

 *

 * Corpus seeds:

 *   Place valid DER ECDSA signatures and manufacturer certificate blobs

 *   inside corpus/.  See corpus/README.md for instructions.

 *

 * Input format (first byte selects target):

 *   0x00 + <bytes>  → parseDerSigToRaw only

 *   0x01 + <bytes>  → derWalkMfCert only

 *   anything else   → both parsers receive the same payload

 */


/* Must be defined before including CW_SecureChannel.h so the friend

 * declaration for DerFuzzTarget is compiled in.                        */

#define CW_FUZZ_BUILD 1


#include <stdint.h>

#include <stddef.h>

#include <string.h>


/* ── SDK headers ────────────────────────────────────────────────────── */

#include "../CW_CryptoProvider.h"

#include "../CW_NfcTransport.h"

#include "../CW_Logger.h"

#include "../CW_Platform.h"

#include "../CW_SecureChannel.h"


/* ── Minimal concrete stubs for the three abstract interfaces ──────────

 * Required so CW_SecureChannel.cpp compiles; these methods are never

 * reached from the DER-parser call paths exercised by this harness.    */


class StubNfc final : public CW_NfcTransport {

public:

    bool begin() override { return false; }

    bool inListPassiveTarget() override { return false; }


    bool sendAPDU(const uint8_t*, uint8_t,

                  uint8_t*, uint8_t&) override { return false; }


    void resetReader() override {}

    bool printFirmwareVersion() override { return false; }

};


class StubLogger final : public CW_Logger {

public:

    bool begin(unsigned long) override { return true; }

    void print(const __FlashStringHelper*) override {}

    void print(const char*) override {}

    void print(char) override {}

    void print(uint8_t, int) override {}

    void print(uint16_t, int) override {}

    void print(uint32_t, int) override {}

    void print(int, int) override {}

    void println() override {}

    void println(const __FlashStringHelper*) override {}

    void println(const char*) override {}

    void println(char) override {}

    void println(uint8_t, int) override {}

    void println(uint16_t, int) override {}

    void println(uint32_t, int) override {}

    void println(int, int) override {}

};


class StubCrypto final : public CW_CryptoProvider {

public:

    bool sha256(const uint8_t*, size_t, uint8_t*) override { return false; }

    bool sha512(const uint8_t*, size_t, uint8_t*) override { return false; }


    uint16_t aesCbcEncrypt(const uint8_t*, uint16_t, uint8_t*,

                           const uint8_t*, uint8_t,

                           uint8_t*, bool) override { return 0U; }


    uint16_t aesCbcDecrypt(uint8_t*, uint16_t, uint8_t*,

                           const uint8_t*, uint8_t,

                           uint8_t*, bool) override { return 0U; }


    bool ecdh(const uint8_t*, const uint8_t*, uint8_t*,

              CW_Curve) override { return false; }


    bool makeKey(uint8_t*, uint8_t*,

                 CW_Curve) override { return false; }


    bool random(uint8_t*, unsigned) override { return false; }


    bool ecdsaVerify(const uint8_t*, const uint8_t*, size_t,

                     const uint8_t*, CW_Curve) override { return false; }


};


class StubPlatform final : public CW_Platform {

public:

    void sleep_ms(uint32_t) override {}

};


/* ── CW_Utils::fill_secure_random stub ─────────────────────────────────

 * The real implementation is ESP32-specific (esp32_random.cpp).

 * The DER parsers never call this; the stub exists only for the linker. */


bool CW_Utils::fill_secure_random(uint8_t* dest, size_t len) {

    if ((dest != NULL) && (len > 0U)) {

        memset(dest, 0xA5U, len);

    }

    return true;

}


/* ── Pull in the production code under test ─────────────────────────── */

#include "../CW_Utils.cpp"

#include "../CW_SecureChannel.cpp"


/* ── DerFuzzTarget: bridge from friend to private parseDerSigToRaw ──── */


struct DerFuzzTarget {


    static bool parseDerSigToRaw(const uint8_t* der,

                                 uint8_t derLen,

                                 uint8_t* raw64) {

        return CW_SecureChannel::parseDerSigToRaw(der, derLen, raw64);

    }


};


/* ── libFuzzer entry point ─────────────────────────────────────────── */


extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    if (size < 1U) {

        return 0;

    }


    const uint8_t  selector    = data[0];

    const uint8_t* payload     = data + 1U;

    const size_t   payloadSize = size - 1U;


    /* ── Target A: parseDerSigToRaw ─────────────────────────────────── */

    if ((selector == 0x00U) || (selector > 0x01U)) {

        uint8_t raw64[64U] = { 0U };

        uint8_t derLen = (payloadSize <= 255U)

                             ? static_cast<uint8_t>(payloadSize)

                             : 255U;

        (void)DerFuzzTarget::parseDerSigToRaw(payload, derLen, raw64);

    }


    /* ── Target B: derWalkMfCert ────────────────────────────────────── */

    if ((selector == 0x01U) || (selector > 0x01U)) {

        uint16_t       tbsMsgStart = 0U;

        uint16_t       tbsMsgLen   = 0U;

        const uint8_t* pubKey65Ptr = NULL;

        const uint8_t* sigPtr      = NULL;

        uint8_t        sigLen      = 0U;

        uint16_t bufLen = (payloadSize <= 0xFFFFU)

                              ? static_cast<uint16_t>(payloadSize)

                              : 0xFFFFU;

        (void)derWalkMfCert(payload, bufLen,

                            tbsMsgStart, tbsMsgLen,

                            pubKey65Ptr, sigPtr, sigLen);

    }


    return 0;

}


CW_CryptoProvider.h
Abstract cryptographic primitives interface.

CW_Logger.h
Abstract logging interface.

CW_NfcTransport.h
Abstract NFC transport interface.

CW_Platform.h
Abstract platform interface for timing primitives.

CW_SecureChannel.cpp
Implementation of the Cryptnox secure channel protocol.

derWalkMfCert
static bool derWalkMfCert(const uint8_t *buf, uint16_t bufLen, uint16_t &tbsMsgStart, uint16_t &tbsMsgLen, const uint8_t *&pubKey65Ptr, const uint8_t *&sigPtr, uint8_t &sigLen)
Definition CW_SecureChannel.cpp:791

CW_SecureChannel.h
Cryptnox secure channel protocol over NFC.

CW_Utils.cpp
Implementation of the platform-independent utility helpers.

CW_CryptoProvider
Abstract interface for cryptographic operations used by CW_SecureChannel.
Definition CW_CryptoProvider.h:45

CW_Logger
Abstract interface for serial/debug output.
Definition CW_Logger.h:48

CW_NfcTransport
Abstract interface for NFC transport operations.
Definition CW_NfcTransport.h:40

CW_Platform
Abstract interface for platform-specific operations used by the SDK.
Definition CW_Platform.h:39

CW_SecureChannel::parseDerSigToRaw
static bool parseDerSigToRaw(const uint8_t *der, uint8_t derLen, uint8_t *raw64)
Definition CW_SecureChannel.cpp:1018

CW_Utils::fill_secure_random
static bool fill_secure_random(uint8_t *dest, size_t len)
Fill len bytes at dest with cryptographically random data.
Definition fuzz_der.cpp:109

StubCrypto
Definition fuzz_der.cpp:82

StubCrypto::sha512
bool sha512(const uint8_t *, size_t, uint8_t *) override
Compute SHA-512 over a contiguous data buffer.
Definition fuzz_der.cpp:85

StubCrypto::random
bool random(uint8_t *, unsigned) override
Fill a buffer with cryptographically random bytes.
Definition fuzz_der.cpp:96

StubCrypto::makeKey
bool makeKey(uint8_t *, uint8_t *, CW_Curve) override
Generate a new EC key pair.
Definition fuzz_der.cpp:94

StubCrypto::aesCbcEncrypt
uint16_t aesCbcEncrypt(const uint8_t *, uint16_t, uint8_t *, const uint8_t *, uint8_t, uint8_t *, bool) override
AES-CBC encrypt.
Definition fuzz_der.cpp:86

StubCrypto::ecdsaVerify
bool ecdsaVerify(const uint8_t *, const uint8_t *, size_t, const uint8_t *, CW_Curve) override
Verify an ECDSA signature (raw r||s, 64 bytes) against a message hash.
Definition fuzz_der.cpp:97

StubCrypto::aesCbcDecrypt
uint16_t aesCbcDecrypt(uint8_t *, uint16_t, uint8_t *, const uint8_t *, uint8_t, uint8_t *, bool) override
AES-CBC decrypt.
Definition fuzz_der.cpp:89

StubCrypto::ecdh
bool ecdh(const uint8_t *, const uint8_t *, uint8_t *, CW_Curve) override
ECDH shared secret computation.
Definition fuzz_der.cpp:92

StubCrypto::sha256
bool sha256(const uint8_t *, size_t, uint8_t *) override
Compute SHA-256 over a contiguous data buffer.
Definition fuzz_der.cpp:84

StubLogger
Definition fuzz_der.cpp:62

StubLogger::print
void print(uint32_t, int) override
Definition fuzz_der.cpp:70

StubLogger::print
void print(int, int) override
Definition fuzz_der.cpp:71

StubLogger::println
void println(const char *) override
Definition fuzz_der.cpp:74

StubLogger::print
void print(uint8_t, int) override
Definition fuzz_der.cpp:68

StubLogger::println
void println(uint8_t, int) override
Definition fuzz_der.cpp:76

StubLogger::println
void println(char) override
Definition fuzz_der.cpp:75

StubLogger::print
void print(const __FlashStringHelper *) override
Definition fuzz_der.cpp:65

StubLogger::println
void println() override
Definition fuzz_der.cpp:72

StubLogger::println
void println(uint16_t, int) override
Definition fuzz_der.cpp:77

StubLogger::begin
bool begin(unsigned long) override
Initialize the logging interface.
Definition fuzz_der.cpp:64

StubLogger::print
void print(char) override
Definition fuzz_der.cpp:67

StubLogger::print
void print(const char *) override
Definition fuzz_der.cpp:66

StubLogger::println
void println(const __FlashStringHelper *) override
Definition fuzz_der.cpp:73

StubLogger::print
void print(uint16_t, int) override
Definition fuzz_der.cpp:69

StubLogger::println
void println(uint32_t, int) override
Definition fuzz_der.cpp:78

StubLogger::println
void println(int, int) override
Definition fuzz_der.cpp:79

StubNfc
Definition fuzz_der.cpp:52

StubNfc::sendAPDU
bool sendAPDU(const uint8_t *, uint8_t, uint8_t *, uint8_t &) override
Send an APDU command to the card and receive the response.
Definition fuzz_der.cpp:56

StubNfc::inListPassiveTarget
bool inListPassiveTarget() override
Detect the presence of a passive ISO-DEP NFC target.
Definition fuzz_der.cpp:55

StubNfc::begin
bool begin() override
Initialize the NFC transport hardware.
Definition fuzz_der.cpp:54

StubNfc::printFirmwareVersion
bool printFirmwareVersion() override
Print NFC module firmware version information to the logger.
Definition fuzz_der.cpp:59

StubNfc::resetReader
void resetReader() override
Reset the NFC reader/field for the next card detection cycle.
Definition fuzz_der.cpp:58

StubPlatform
Definition fuzz_der.cpp:101

StubPlatform::sleep_ms
void sleep_ms(uint32_t) override
Block for at least ms milliseconds.
Definition fuzz_der.cpp:103

__FlashStringHelper
Definition platform_compat.h:41

LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition fuzz_der.cpp:130

CW_Curve
CW_Curve
Portable curve identifier used throughout the SDK.
Definition CW_Defs.h:151

DerFuzzTarget
Definition fuzz_der.cpp:121

DerFuzzTarget::parseDerSigToRaw
static bool parseDerSigToRaw(const uint8_t *der, uint8_t derLen, uint8_t *raw64)
Definition fuzz_der.cpp:122