authorAlex Gaynor <alex.gaynor@gmail.com>2015-07-25 15:29:20 -0400
committerAlex Gaynor <alex.gaynor@gmail.com>2015-07-25 15:29:20 -0400
commit86b4849256a579b3bb40cfa0f31e6b0b24d8d058 (patch)
tree28a69c2ed47540306dc61244a816e36f7bca4984
parent268b0ed4b9518604ca28b40a30488ff989932017 (diff)
parentaf57f7d2ce0b77a3e58a40d85b772ddd949f8e89 (diff)
Merge pull request #2175 from reaperhulk/csr-better-err-msg
handle RSA key too small and consume errors on CSR signature failure
-rw-r--r--src/_cffi_src/openssl/err.py1
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py6
-rw-r--r--tests/test_x509.py13
3 files changed, 19 insertions, 1 deletions
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index eebf19ba..73ce4e3c 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -230,6 +230,7 @@ static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
static const int RSA_R_PKCS_DECODING_ERROR;
+static const int RSA_F_RSA_SIGN;
"""
FUNCTIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 2d2ecc81..db4f963a 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1055,7 +1055,11 @@ class Backend(object):
res = self._lib.X509_REQ_sign(
x509_req, private_key._evp_pkey, evp_md
)
- assert res > 0
+ if res == 0:
+ errors = self._consume_errors()
+ assert errors[0][1] == self._lib.ERR_LIB_RSA
+ assert errors[0][3] == self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+ raise ValueError("Digest too big for RSA key")
return _CertificateSigningRequest(self, x509_req)
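Review bot: The two `assert` statements inside the new `if res == 0:` branch classify the OpenSSL error, so any signing failure other than the RSA digest-size case surfaces as a bare AssertionError (or an IndexError if the consumed queue is empty), and under `python -O` they are stripped and every failure is reported as "Digest too big for RSA key". Compare the first consumed entry with an ordinary `if` and raise a separate error that carries `errors` for anything unrecognised, so callers and logs see the real cause. The guard also narrowed from the removed `assert res > 0` to `res == 0`; if X509_REQ_sign can ever return a negative value, the method would now hand back a request that was never signed, and `if res <= 0:` keeps the old coverage. The `RSA_F_RSA_SIGN` binding added in err.py is not referenced in this hunk, and the enclosing method starts above it.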
diff --git a/tests/test_x509.py b/tests/test_x509.py
index cacf3c88..98cf49be 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1206,6 +1206,19 @@ class TestCertificateSigningRequestBuilder(object):
x509.OID_CODE_SIGNING,
])
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_rsa_key_too_small(self, backend):
+ private_key = rsa.generate_private_key(65537, 512, backend)
+ builder = x509.CertificateSigningRequestBuilder()
+ builder = builder.subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ )
+
+ with pytest.raises(ValueError) as exc:
+ builder.sign(private_key, hashes.SHA512(), backend)
+
+ assert str(exc.value) == "Digest too big for RSA key"
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)