author | Ian Cordasco <graffatcolmingov@gmail.com> | 2015-08-01 11:06:17 -0500 |
---|---|---|
committer | Ian Cordasco <graffatcolmingov@gmail.com> | 2015-08-01 11:06:17 -0500 |
commit | 19f5a49d413bd9c7b81f29511f4c983bb9408968 (patch) | |
tree | 77bd0470e4bd740e20cf41a9b6e402cea2e95853 | |
parent | c5e1c254ba4bc9bb94e8ddcc66f4dc8eb62ce218 (diff) | |
Add check for an RSA Key being too small
- Remove outdated/unnecessary/illegitimate TODOs
- Fix up test for an RSA key that is too small
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 6 | ||||
-rw-r--r-- | src/cryptography/x509.py | 2 | ||||
-rw-r--r-- | tests/test_x509.py | 15 |
3 files changed, 8 insertions, 15 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 3beb716d..eae31cd1 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1081,7 +1081,11 @@ class Backend(object):
         res = self._lib.X509_sign(
             x509_cert, private_key._evp_pkey, evp_md
         )
-        assert res > 0
+        if res == 0:
+            errors = self._consume_errors()
+            assert errors[0][1] == self._lib.ERR_LIB_RSA
+            assert errors[0][3] == self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+            raise ValueError("Digest too big for RSA key")
         return _Certificate(self, x509_cert)
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 11ce6cf0..5760aae7 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -1680,7 +1680,6 @@ class CertificateBuilder(object):
         """
         Sets the certificate activation time.
         """
-        # TODO: require UTC datetime?
         if not isinstance(time, datetime.datetime):
             raise TypeError('Expecting datetime object.')
         if self._not_valid_before is not None:
@@ -1698,7 +1697,6 @@ class CertificateBuilder(object):
         """
         Sets the certificate expiration time.
         """
-        # TODO: require UTC datetime?
         if not isinstance(time, datetime.datetime):
             raise TypeError('Expecting datetime object.')
         if self._not_valid_after is not None:
diff --git a/tests/test_x509.py b/tests/test_x509.py
index c3381d5f..341818af 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1082,8 +1082,7 @@ class TestCertificateBuilder(object):
     @pytest.mark.requires_backend_interface(interface=RSABackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
-    def test_build_cert_with_sha512_and_rsa512(self, backend):
-        # TODO(sigmavirus24): Give this a better name
+    def test_build_cert_with_rsa_key_too_small(self, backend):
         issuer_private_key = RSA_KEY_512.private_key(backend)
         subject_private_key = RSA_KEY_512.private_key(backend)
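Review bot: The two `assert` statements on the error queue inside the new `if res == 0:` branch in backend.py are the wrong tool for classifying a runtime failure: under `python -O` they are stripped, so every `X509_sign` failure — not only an undersized RSA key — would surface as `ValueError("Digest too big for RSA key")`, and if `_consume_errors()` returns an empty list `errors[0]` raises `IndexError` before either assert runs. Replace them with an explicit condition that raises the `ValueError` only for the `ERR_LIB_RSA` / `RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY` pair and otherwise raises an error that reports the unexpected OpenSSL failure, as below (substitute the backend's own internal-error type if it has one; `RuntimeError` is a placeholder). The enclosing method starts before the hunk, and the trailing context lines counted by the hunk header are not visible here.
```python
        if res == 0:
            errors = self._consume_errors()
            # Only the key-too-small case is a caller error; any other
            # X509_sign failure must not be mislabelled, and asserts would be
            # stripped under -O.
            if (
                errors
                and errors[0][1] == self._lib.ERR_LIB_RSA
                and errors[0][3] == self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
            ):
                raise ValueError("Digest too big for RSA key")
            raise RuntimeError(
                "Unexpected error from X509_sign: {0!r}".format(errors)
            )
        return _Certificate(self, x509_cert)
```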
@@ -1117,16 +1116,8 @@ class TestCertificateBuilder(object):
             not_valid_after
         )
-        cert = builder.sign(backend, issuer_private_key, hashes.SHA512())
-
-        assert cert.version is x509.Version.v3
-        assert cert.not_valid_before == not_valid_before
-        assert cert.not_valid_after == not_valid_after
-        basic_constraints = cert.extensions.get_extension_for_oid(
-            x509.OID_BASIC_CONSTRAINTS
-        )
-        assert basic_constraints.value.ca is False
-        assert basic_constraints.value.path_length is None
+        with pytest.raises(ValueError):
+            builder.sign(backend, issuer_private_key, hashes.SHA512())
     @pytest.mark.requires_backend_interface(interface=X509Backend) |
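Review bot: The bare `pytest.raises(ValueError)` around `builder.sign` accepts any `ValueError`, so this test would keep passing if the failure came from some other validation path in `sign` rather than the 512-bit-key / SHA-512 mismatch the test is now named for. Capture the exception and pin the message the backend raises: `with pytest.raises(ValueError) as exc_info:` followed by the existing `builder.sign(...)` line, then `assert "Digest too big for RSA key" in str(exc_info.value)`. The builder construction that precedes the `not_valid_after` context line lies outside the hunk.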