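---
# Golden Set: CVE-2024-0727
# OpenSSL PKCS12 Parsing Vulnerability
#
# Sprint: SPRINT_20260110_012_010_TEST
# Task: GTV-001 - OpenSSL Golden Sets
#
# This golden set defines the vulnerability targets for CVE-2024-0727,
# allowing binary-level verification that a patch eliminates the vulnerable
# code path.
#
# NOTE(review): status is "approved" and metadata.approvedFor is "production",
# but both witness sha256 values below are still placeholders. Until real
# digests are recorded, the witness inputs cannot be integrity-checked, so a
# "fixed" verdict has to rest on the static indicators alone.

id: "CVE-2024-0727"
version: "1.0.0"
created: "2026-01-11T12:00:00Z"
author: "stellaops-security"
status: "approved"

# Component identification
component:
  name: "openssl"
  ecosystem: "system"
  # Version ranges are quoted so that they stay strings.
  # NOTE(review): confirm each upper bound against the OpenSSL advisory listed
  # under vulnerability.references, in particular the 1.0.2 letter release.
  affectedVersions:
    - ">=1.0.2,<1.0.2zd"
    - ">=1.1.0,<1.1.1x"
    - ">=3.0.0,<3.0.13"
    - ">=3.1.0,<3.1.5"
    - ">=3.2.0,<3.2.1"

# Vulnerability details
vulnerability:
  cveId: "CVE-2024-0727"
  severity: "MEDIUM"
  cvssScore: 5.5
  description: |
    Issue summary: Processing a maliciously formatted PKCS12 file may lead
    OpenSSL to crash leading to a potential Denial of Service attack.
    The PKCS12 specification allows certain fields to be NULL, but OpenSSL
    does not correctly check for this case. A NULL value can lead to a
    memory access violation when processing PKCS12 files.
  references:
    - url: "https://www.openssl.org/news/secadv/20240125.txt"
      title: "OpenSSL Security Advisory"
    - url: "https://nvd.nist.gov/vuln/detail/CVE-2024-0727"
      title: "NVD Entry"

# Vulnerability targets - the code locations that must be analyzed
#
# NOTE(review): the OpenSSL advisory names PKCS12_parse(),
# PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(),
# PKCS12_unpack_authsafes() and PKCS12_newpass() as the affected APIs. Only
# PKCS12_parse appears below; confirm whether the other entry points need
# their own targets, otherwise a build that patches only PKCS12_parse could
# still be reported as fixed.
targets:
  - function: "PKCS12_parse"
    symbolPattern: "PKCS12_parse"
    description: "Main PKCS12 parsing function - vulnerable to NULL pointer dereference"
    criticalEdges:
      - from: "bb_entry"
        to: "bb_null_check"
        description: "Entry to NULL validation check"
      - from: "bb_process"
        to: "bb_mac_verify"
        description: "Processing to MAC verification"
    sinks:
      - "memcpy"
      - "X509_REQ_get_subject_name"
      - "PKCS12_verify_mac"
    expectedPatchBehavior: "add_null_check"

  - function: "PKCS12_item_decrypt_d2i"
    symbolPattern: "PKCS12_item_decrypt_d2i"
    description: "PKCS12 decryption - may receive NULL input"
    criticalEdges:
      - from: "bb_entry"
        to: "bb_decrypt"
        description: "Entry to decryption block"
    sinks:
      - "EVP_CIPHER_CTX_free"
      - "OPENSSL_cleanse"
    expectedPatchBehavior: "add_null_check"

  - function: "PKCS8_decrypt"
    symbolPattern: "PKCS8_decrypt"
    description: "PKCS8 key decryption - downstream of PKCS12_parse"
    criticalEdges:
      - from: "bb_entry"
        to: "bb_key_extract"
        description: "Entry to key extraction"
    sinks:
      - "EVP_DecryptInit_ex"
    expectedPatchBehavior: "propagate_null_check"

# Witness data - inputs that trigger the vulnerable path
witness:
  # NOTE(review): {input} is a template slot filled in by the harness, which
  # is not shown here. Confirm that it is substituted as a single argv element
  # and not through a shell, and that witness runs are isolated, since these
  # inputs are meant to crash the binary under test.
  command: "openssl pkcs12 -in {input} -passin pass:test"
  inputs:
    - name: "malformed_pkcs12.p12"
      description: "PKCS12 file with NULL MAC field"
      # Placeholder digest: replace with the real SHA-256 of the witness file
      # before relying on this entry.
      sha256: "0000000000000000000000000000000000000000000000000000000000000000"
      trigger: "null_mac_pointer"
    - name: "malformed_pkcs12_empty_cert.p12"
      description: "PKCS12 file with empty certificate bag"
      # Placeholder digest: replace with the real SHA-256 of the witness file
      # before relying on this entry.
      sha256: "0000000000000000000000000000000000000000000000000000000000000001"
      trigger: "empty_cert_bag"

# Verification criteria
verification:
  # What changes indicate the fix is applied
  #
  # Patterns are single-quoted so that backslashes reach the regex engine
  # unchanged, without YAML escape processing.
  # NOTE(review): what text these patterns are matched against (source,
  # decompiled output, ...) is not shown here; confirm with the matcher.
  fixIndicators:
    - type: "null_check_added"
      location: "PKCS12_parse"
      # Matches only the `== NULL` spelling with NULL on the right-hand side.
      # NOTE(review): checks written as `!ptr` or `NULL == ptr` would not
      # match; confirm that this is acceptable for the inputs being scanned.
      pattern: 'if\s*\(.*==\s*NULL\)'
    - type: "return_early"
      location: "PKCS12_item_decrypt_d2i"
      # The alternation is grouped. Ungrouped, `return.*0|NULL` parses as
      # (`return.*0`) OR (`NULL`), so any occurrence of NULL would count as
      # an early return and the fix could be reported when it is absent.
      pattern: 'return.*(0|NULL)'
    - type: "edge_removed"
      fromFunction: "PKCS12_parse"
      description: "Vulnerable edge to MAC processing removed"

  # Expected confidence levels
  expectedConfidence:
    fixed: 0.95
    partial: 0.70
    inconclusive: 0.50

# Metadata
metadata:
  reviewedBy: "security-team"
  reviewedAt: "2026-01-11T12:00:00Z"
  approvedFor: "production"
  tags:
    - "memory-safety"
    - "null-dereference"
    - "crypto"
    - "pkcs12"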