hub / github.com/unkeyed/unkey / FuzzAlgorithmConfusion

Function FuzzAlgorithmConfusion

pkg/jwt/claims_fuzz_test.go:117–152

FuzzAlgorithmConfusion tests that tokens with wrong algorithms are rejected.

(f *testing.F)

Source from the content-addressed store, hash-verified

// FuzzAlgorithmConfusion tests that tokens with wrong algorithms are rejected.
func FuzzAlgorithmConfusion(f *testing.F) {
	fuzz.Seed(f)

	secret := []byte("test-secret-key-at-least-32-bytes-long")
	hs256Verifier, _ := NewHS256Verifier[RegisteredClaims](secret)

	privateKeyPEM, publicKeyPEM := generateFuzzKeyPair(f)
	rs256Verifier, _ := NewRS256Verifier[RegisteredClaims](publicKeyPEM)

	hs256Signer, _ := NewHS256Signer[RegisteredClaims](secret)
	rs256Signer, _ := NewRS256Signer[RegisteredClaims](privateKeyPEM)

	f.Fuzz(func(t *testing.T, data []byte) {
		c := fuzz.New(t, data)

		claims := RegisteredClaims{
			Issuer:    c.String(),
			ExpiresAt: time.Now().Add(time.Hour).Unix(),
		}

		// Create tokens with both algorithms
		hs256Token, err := hs256Signer.Sign(claims)
		require.NoError(t, err)

		rs256Token, err := rs256Signer.Sign(claims)
		require.NoError(t, err)

		// HS256 token should not verify with RS256 verifier
		_, err = rs256Verifier.Verify(hs256Token)
		require.Error(t, err, "HS256 token should not verify with RS256 verifier")

		// RS256 token should not verify with HS256 verifier
		_, err = hs256Verifier.Verify(rs256Token)
		require.Error(t, err, "RS256 token should not verify with HS256 verifier")
	})
}

Callers

nothing calls this directly

Calls 9

Seed · Function · 0.92
New · Function · 0.92
generateFuzzKeyPair · Function · 0.85
Now · Method · 0.65
Sign · Method · 0.65
Verify · Method · 0.65
String · Method · 0.45
Add · Method · 0.45
Error · Method · 0.45

Tested by

no test coverage detected