Skip to content

feat(core): fuzzing hooks — config re-export, decrypt/parse split, key-injected VRC verify (#124)#125

Merged
stormer78 merged 1 commit into
mainfrom
fuzz-hooks
Jun 14, 2026
Merged

feat(core): fuzzing hooks — config re-export, decrypt/parse split, key-injected VRC verify (#124)#125
stormer78 merged 1 commit into
mainfrom
fuzz-hooks

Conversation

@stormer78

@stormer78 stormer78 commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Lands the self-contained openvtc-core seams the cargo-fuzz harnesses in #124
need, without the fuzz workspace itself. Per the review on #124.

What's here (issue #124 items 2–4)

Item 2 — pub validators. Mostly already true: MessageType: TryFrom<&str>,
CredentialKind::from_credential, and messaging::validate_did are already
pub (the issue's worry that validate_did "may be private" was unfounded).
Net change: re-export PublicConfig so the requested path
openvtc_core::config::PublicConfig works (it was only at config::public_config).

Item 3 — split decrypt from parse.

  • ProtectedConfig::parse(&[u8]) — the post-decrypt serde half of load.
  • SecuredConfig::parse(&[u8]) — parse-checks the stored wire blob (tagged or
    legacy) without unlocking.
    Both reachable with no OS keyring; load routes through them so behaviour is
    unchanged.

Item 4 — verify_vrc_proof without a live TDK. New
verify_vrc_proof_with_key(vrc, &public_key_bytes) verifies the proof against an
injected issuer key (no TDK / DID resolution), sharing the
issuer⇄verification-method binding guard with the TDK path via a new
check_vrc_issuer_binding helper. Uses dtg-credentials'
verify_proof_with_public_key (its affinidi-signing feature is default-on — no
dep change).

Tests

  • ProtectedConfig::parse / SecuredConfig::parse: accept valid, reject garbage/empty.
  • verify_vrc_proof_with_key: accepts the matching issuer key, rejects a
    different key, rejects unsigned (binding guard).

Not included (deliberately)

  • Item 5 (fuzz/ workspace + #[derive(Arbitrary)]) — the fuzz team's
    contribution per the issue; left to them. Happy to feature-gate Arbitrary if
    wanted.
  • Item 1's parsing feature--no-default-features reachability already
    holds (it's in the CI gate); gating out the network deps would be a large
    refactor (they're non-optional). The issue's "drops network deps" framing is
    noted on the issue.

Gate

cargo fmt; clippy --workspace --all-targets -D warnings (+ openvtc-core --no-default-features); cargo test --workspace — all green. No dependency
change (Cargo.lock untouched).

@stormer78
feat(core): fuzzing hooks — config re-export, decrypt/parse split, ke…
d8c70fa 
…y-injected VRC verify (#124)

Lands the self-contained openvtc-core seams the cargo-fuzz harnesses need
(issue #124), without the fuzz workspace itself.

- config: re-export `PublicConfig` at `openvtc_core::config::PublicConfig` (was
  only reachable via `config::public_config`). The validators the issue asks for
  are already `pub` (`MessageType: TryFrom<&str>`, `CredentialKind::from_credential`,
  `messaging::validate_did`) — no change needed there.
- config: split decrypt from parse. `ProtectedConfig::parse(&[u8])` is the
  post-decrypt serde half of `load`; `SecuredConfig::parse(&[u8])` parse-checks
  the stored wire blob (tagged or legacy) — both reachable with no OS keyring so
  the deserializers can be fuzzed directly. `load` now routes through them.
- messaging: add `verify_vrc_proof_with_key(vrc, &public_key_bytes)` — verifies a
  VRC's data-integrity proof against an injected issuer key (no live TDK / DID
  resolution), sharing the issuer⇄verification-method binding guard with the
  TDK-based `verify_vrc_proof` via a new `check_vrc_issuer_binding` helper. Uses
  dtg-credentials' `verify_proof_with_public_key` (its `affinidi-signing` feature
  is default-on; no dep change).

Tests: parse accept/reject for both configs; `verify_vrc_proof_with_key` accepts
the matching issuer key and rejects a different key + unsigned credentials.

Not included (the fuzz team's contribution, per #124 item 5): the `fuzz/`
workspace + `#[derive(Arbitrary)]`. Item 1's `--no-default-features` reachability
already holds (it's in the CI gate); a dedicated `parsing` feature gating the
network deps is out of scope (those deps are non-optional).

Gate: cargo fmt; clippy --workspace --all-targets -D warnings (+ openvtc-core
--no-default-features); cargo test --workspace — all green. No dep change.

Signed-off-by: Glenn Gore <glenn.g@affinidi.com>
@stormer78 stormer78 requested a review from a team as a code owner June 14, 2026 07:49
@stormer78 stormer78 mentioned this pull request Jun 14, 2026
Closed
@stormer78 stormer78 merged commit 7623466 into main Jun 14, 2026
10 of 13 checks passed
@stormer78 stormer78 deleted the fuzz-hooks branch June 14, 2026 07:50
@stormer78 stormer78 mentioned this pull request Jun 14, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@stormer78