add check to ensure only invalid ASN1 gives InvalidSignature in DSA

2 files changed, 12 insertions, 0 deletions

diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 37d1c35e..37deb2ae 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -1363,6 +1363,9 @@ class _DSAVerificationContext(object):
         if res != 1:
             errors = self._backend._consume_errors()
             assert errors
+            if res == -1:
+                assert errors[0].lib == self._backend._lib.ERR_LIB_ASN1
+
             raise InvalidSignature
 
 
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
index c6642e07..4c3cd58a 100644
--- a/tests/hazmat/primitives/test_dsa.py
+++ b/tests/hazmat/primitives/test_dsa.py
@@ -765,6 +765,15 @@ class TestDSAVerification(object):
         else:
             verifier.verify()
 
+    def test_dsa_verify_invalid_asn1(self, backend):
+        parameters = dsa.DSAParameters.generate(1024, backend)
+        private_key = dsa.DSAPrivateKey.generate(parameters, backend)
+        public_key = private_key.public_key()
+        verifier = public_key.verifier(b'fakesig', hashes.SHA1(), backend)
+        verifier.update(b'fakesig')
+        with pytest.raises(InvalidSignature):
+            verifier.verify()
+
     def test_use_after_finalize(self, backend):
         parameters = dsa.DSAParameters.generate(1024, backend)
         private_key = dsa.DSAPrivateKey.generate(parameters, backend)