Merge pull request #406 from arthurscchan/fix-empty-content

Fix: Fix possible Null Pointer Exception

sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java

@@ -74,7 +74,9 @@ public static PublicKey parsePublicKey(byte[] keyBytes)
       throw new InvalidKeySpecException("Invalid key, could not parse PEM section");
     }
     // special handling for PKCS1 (rsa) public key
-    if ((section == null) || (section.getContent() == null)) {
+    // TODO: The length checking is not necessary after https://github.com/bcgit/bc-java/issues/1370
+    // has been merged. Remove it when bc-java is updated with the merge.
+    if ((section == null) || (section.getContent() == null) || (section.getContent().length == 0)) {
       throw new InvalidKeySpecException("Invalid key, empty PEM section");
     }
     if (section.getType().equals("RSA PUBLIC KEY")) {

sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java

@@ -19,6 +19,7 @@
 
 import com.google.common.io.Resources;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.PublicKey;
@@ -208,6 +209,16 @@ void parsePkixPublicKey_ecdsa() throws NoSuchAlgorithmException, InvalidKeySpecE
     Assertions.assertNotNull(Keys.parsePkixPublicKey(Base64.decode(base64Key), "EC"));
   }
 
+  @Test
+  void parsePublicKey_failOnNullSection()
+      throws IOException, NoSuchAlgorithmException, NoSuchProviderException {
+    // This unit test is used to test the fix for a bug discovered by oss-fuzz
+    // The bug happens when a malformed byte array is passed to the method
+    // https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57247
+    byte[] byteArray = "-----BEGIN A-----\nBBBBB-----END A".getBytes(StandardCharsets.UTF_8);
+    Assertions.assertThrows(InvalidKeySpecException.class, () -> Keys.parsePublicKey(byteArray));
+  }
+
   @Test
   void testGetJavaVersion() {
     assertEquals(1, Keys.getJavaVersion("1.6.0_23"));