Ensure early exeption on non-bytes signature

Signature must be in bytes. If the check is skipped, verify() can
explode later in cffi call in _verify_pkey_ctx() for example.

2 files changed, 6 insertions, 0 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index f84857ff..f1bb6d9b 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -29,6 +29,9 @@ def _truncate_digest_for_dsa(dsa_cdata, digest, backend):
 @utils.register_interface(AsymmetricVerificationContext)
 class _DSAVerificationContext(object):
     def __init__(self, backend, public_key, signature, algorithm):
+        if not isinstance(signature, bytes):
+            raise TypeError("signature must be bytes.")
+
         self._backend = backend
         self._public_key = public_key
         self._signature = signature
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 822c7304..8e32eb02 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -337,6 +337,9 @@ class _RSASignatureContext(object):
 @utils.register_interface(AsymmetricVerificationContext)
 class _RSAVerificationContext(object):
     def __init__(self, backend, public_key, signature, padding, algorithm):
+        if not isinstance(signature, bytes):
+            raise TypeError("signature must be bytes.")
+
         self._backend = backend
         self._public_key = public_key
         self._signature = signature