add fuzzing tests

wolfv · wolfv · commit 8cb93467362f · 2025-12-06T09:12:57.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -68,9 +68,41 @@ jobs:
 
       - uses: dtolnay/rust-toolchain@1.89.0
 
-      - name: Build conformance binary
-        run: cargo build --release --package sigstore-conformance
+      - name: Build binaries
+        run: cargo build --release --package sigstore-conformance --example verify_bundle
 
       - uses: sigstore/sigstore-conformance@main
         with:
           entrypoint: ./target/release/conformance
+
+      - name: Upload verify_bundle binary
+        uses: actions/upload-artifact@v4
+        with:
+          name: verify_bundle
+          path: target/release/examples/verify_bundle
+
+  mutation-tests:
+    name: Mutation Fuzzing
+    runs-on: ubuntu-latest
+    needs: conformance
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Download verify_bundle binary
+        uses: actions/download-artifact@v4
+        with:
+          name: verify_bundle
+          path: target/release/examples
+
+      - name: Make binary executable
+        run: chmod +x target/release/examples/verify_bundle
+
+      - name: Clone sigstore-conformance test data
+        run: git clone --depth 1 https://github.com/sigstore/sigstore-conformance.git
+
+      - name: Run mutation fuzzer
+        run: python3 tests/mutation_fuzzer.py --verifier-type rust
diff --git a/crates/sigstore-bundle/src/validation.rs b/crates/sigstore-bundle/src/validation.rs
@@ -53,6 +53,9 @@ fn validate_v0_1(bundle: &Bundle, options: &ValidationOptions) -> Result<()> {
         ));
     }
 
+    // Validate inclusion proofs if present (v0.1 may have both promise and proof)
+    validate_inclusion_proofs(bundle)?;
+
     // Common validation
     validate_common(bundle, options)
 }
diff --git a/crates/sigstore-verify/src/verify.rs b/crates/sigstore-verify/src/verify.rs
@@ -364,6 +364,20 @@ impl Verifier {
                 }
             }
         }
+
+        // For MessageSignature bundles, verify the messageDigest matches the artifact
+        if let SignatureContent::MessageSignature(msg_sig) = &bundle.content {
+            if let Some(ref digest) = msg_sig.message_digest {
+                let artifact_hash = compute_artifact_digest(&artifact);
+
+                // Compare the digest in the bundle with the computed artifact hash
+                if digest.digest.as_bytes() != artifact_hash.as_bytes() {
+                    return Err(Error::Verification(
+                        "message digest in bundle does not match artifact hash".to_string(),
+                    ));
+                }
+            }
+        }
         // Note: For hashedrekord (MessageSignature), the signature verification
         // is performed in step (8) by verify_hashedrekord_entries, which properly
         // handles prehashed signatures.
diff --git a/tests/mutation_fuzzer.py b/tests/mutation_fuzzer.py

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,9 @@ fn validate_v0_1(bundle: &Bundle, options: &ValidationOptions) -> Result<()> {`
`53`	`53`	`));`
`54`	`54`	`}`
`55`	`55`
	`56`	`+ // Validate inclusion proofs if present (v0.1 may have both promise and proof)`
	`57`	`+ validate_inclusion_proofs(bundle)?;`
	`58`	`+`
`56`	`59`	`// Common validation`
`57`	`60`	`validate_common(bundle, options)`
`58`	`61`	`}`