From 924a2b7b428d6f69b41fbde32d3224648e61cdf4 Mon Sep 17 00:00:00 2001
From: arckoor <33837362+arckoor@users.noreply.github.com>
Date: Sat, 18 Apr 2026 22:37:15 +0200
Subject: [PATCH] Fuzz EncodingKey and DecodingKey
---
 .github/workflows/ci.yml | 22 +++++++++++
 fuzz/.gitignore | 4 ++
 fuzz/Cargo.toml | 56 +++++++++++++++++++++++++++
 fuzz/fuzz_targets/decoding_key_ec.rs | 7 ++++
 fuzz/fuzz_targets/decoding_key_ed.rs | 7 ++++
 fuzz/fuzz_targets/decoding_key_rsa.rs | 7 ++++
 fuzz/fuzz_targets/encoding_key_ec.rs | 7 ++++
 fuzz/fuzz_targets/encoding_key_ed.rs | 7 ++++
 fuzz/fuzz_targets/encoding_key_rsa.rs | 7 ++++
 9 files changed, 124 insertions(+)
 create mode 100644 fuzz/.gitignore
 create mode 100644 fuzz/Cargo.toml
 create mode 100644 fuzz/fuzz_targets/decoding_key_ec.rs
 create mode 100644 fuzz/fuzz_targets/decoding_key_ed.rs
 create mode 100644 fuzz/fuzz_targets/decoding_key_rsa.rs
 create mode 100644 fuzz/fuzz_targets/encoding_key_ec.rs
 create mode 100644 fuzz/fuzz_targets/encoding_key_ed.rs
 create mode 100644 fuzz/fuzz_targets/encoding_key_rsa.rs
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 406f3459..42cbcb3f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -84,3 +84,25 @@ jobs: - name: Run tests no features run: wasm-pack test --node --no-default-features --features rust_crypto,getrandom/js
+
+ fuzz:
+ name: Run fuzzer
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ - fuzz_target: decoding_key_ec
+ - fuzz_target: decoding_key_ed
+ - fuzz_target: decoding_key_rsa
+ - fuzz_target: encoding_key_ec
+ - fuzz_target: encoding_key_ed
+ - fuzz_target: encoding_key_rsa
+ steps:
+ - uses: actions/checkout@v6
+ - name: Install Rust
+ uses: dtolnay/rust-toolchain@master
+ with:
+ toolchain: nightly
+ - name: Install cargo-fuzz
+ run: cargo install cargo-fuzz
+ - run: cargo fuzz run ${{ matrix.fuzz_target }} -- -max_total_time=300
diff --git a/fuzz/.gitignore b/fuzz/.gitignore
new file mode 100644
index 00000000..1a45eee7
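Review bot: A crash found by the new `fuzz` job in `.github/workflows/ci.yml` is lost when the runner is torn down, because cargo-fuzz writes the reproducer under `fuzz/artifacts/<target>/` and no step uploads it; an upload step guarded by `if: failure()` after the `cargo fuzz run` step would keep it. `fail-fast` is not set on the matrix, so with the GitHub default the first failing target cancels the other five; `fail-fast: false` under `strategy:` keeps them running. The job also pulls its tooling unpinned: `cargo install cargo-fuzz` resolves fresh dependency versions on every run (`cargo install --locked cargo-fuzz` uses the published lockfile), and `dtolnay/rust-toolchain@master` follows a moving branch rather than a fixed commit. The upload step is sketched below; its indentation is assumed, since the page has lost the original YAML layout.

```yaml
      # … unchanged: checkout, toolchain install, cargo-fuzz install …
      - run: cargo fuzz run ${{ matrix.fuzz_target }} -- -max_total_time=300
      - name: Upload crash reproducers
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: fuzz-artifacts-${{ matrix.fuzz_target }}
          path: fuzz/artifacts/${{ matrix.fuzz_target }}
          if-no-files-found: ignore
```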
--- /dev/null
+++ b/fuzz/.gitignore
@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
new file mode 100644
index 00000000..a0b09c50
--- /dev/null
+++ b/fuzz/Cargo.toml
@@ -0,0 +1,56 @@
+[package]
+name = "jsonwebtoken-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2024"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.jsonwebtoken]
+path = ".."
+
+[[bin]]
+name = "encoding_key_ec"
+path = "fuzz_targets/encoding_key_ec.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "encoding_key_ed"
+path = "fuzz_targets/encoding_key_ed.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "encoding_key_rsa"
+path = "fuzz_targets/encoding_key_rsa.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "decoding_key_ec"
+path = "fuzz_targets/decoding_key_ec.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "decoding_key_ed"
+path = "fuzz_targets/decoding_key_ed.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "decoding_key_rsa"
+path = "fuzz_targets/decoding_key_rsa.rs"
+test = false
+doc = false
+bench = false
diff --git a/fuzz/fuzz_targets/decoding_key_ec.rs b/fuzz/fuzz_targets/decoding_key_ec.rs
new file mode 100644
index 00000000..382042c5
--- /dev/null
+++ b/fuzz/fuzz_targets/decoding_key_ec.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = jsonwebtoken::DecodingKey::from_ec_pem(data);
+});
diff --git a/fuzz/fuzz_targets/decoding_key_ed.rs b/fuzz/fuzz_targets/decoding_key_ed.rs
new file mode 100644
index 00000000..137bdd03
--- /dev/null
+++ b/fuzz/fuzz_targets/decoding_key_ed.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = jsonwebtoken::DecodingKey::from_ed_pem(data);
+});
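Review bot: In `fuzz/Cargo.toml` the `[dependencies.jsonwebtoken]` table sets only `path = ".."`, so the targets build against whatever the crate's default features select, and the manifest does not say which crypto backend is being fuzzed. The CI test step in this same patch passes `--features rust_crypto`, which suggests the backend is chosen by feature; if key parsing differs per backend, only one path is covered. Naming the backend explicitly, e.g. `features = ["rust_crypto"]`, with a short comment on why it was chosen, would make the coverage claim checkable.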
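Review bot: In `fuzz/fuzz_targets/decoding_key_ec.rs` the result of `from_ec_pem` is discarded with `let _ =`, so the target can only catch a panic inside parsing; a key that is accepted but malformed is never used in a signature operation, where a later panic would surface. The same holds for the other five targets (`decoding_key_ed`, `decoding_key_rsa`, `encoding_key_ec`, `encoding_key_ed`, `encoding_key_rsa`). Because `fuzz/.gitignore` excludes `corpus` and CI gives each target 300 seconds, every run presumably starts from an empty corpus and random bytes are unlikely to get past the PEM framing; committing a small seed corpus of valid test keys per target would likely let the fuzzer reach the key-structure parsing behind it. A header comment such as `//! Fuzzes DecodingKey::from_ec_pem on arbitrary bytes; Err is expected, any panic is a finding.` would record the intent of each file.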
diff --git a/fuzz/fuzz_targets/decoding_key_rsa.rs b/fuzz/fuzz_targets/decoding_key_rsa.rs
new file mode 100644
index 00000000..cf3b1373
--- /dev/null
+++ b/fuzz/fuzz_targets/decoding_key_rsa.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = jsonwebtoken::DecodingKey::from_rsa_pem(data);
+});
diff --git a/fuzz/fuzz_targets/encoding_key_ec.rs b/fuzz/fuzz_targets/encoding_key_ec.rs
new file mode 100644
index 00000000..e238782f
--- /dev/null
+++ b/fuzz/fuzz_targets/encoding_key_ec.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = jsonwebtoken::EncodingKey::from_ec_pem(data);
+});
diff --git a/fuzz/fuzz_targets/encoding_key_ed.rs b/fuzz/fuzz_targets/encoding_key_ed.rs
new file mode 100644
index 00000000..aa94354e
--- /dev/null
+++ b/fuzz/fuzz_targets/encoding_key_ed.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = jsonwebtoken::EncodingKey::from_ed_pem(data);
+});
diff --git a/fuzz/fuzz_targets/encoding_key_rsa.rs b/fuzz/fuzz_targets/encoding_key_rsa.rs
new file mode 100644
index 00000000..dc3d3b9d
--- /dev/null
+++ b/fuzz/fuzz_targets/encoding_key_rsa.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ let _ = jsonwebtoken::EncodingKey::from_rsa_pem(data);
+});