Merge pull request #840 from reaperhulk/pkcs1-key-size-checks

some checks for PKCS1 keys being too small for the payload to be signed
author: Alex Gaynor <alex.gaynor@gmail.com> 2014-04-19 20:31:29 -0700
committer: Alex Gaynor <alex.gaynor@gmail.com> 2014-04-19 20:31:29 -0700
commit: 75db7f4902ffd756f06c14e4328ebeda6a527800 (patch)
tree: 2f589a4bffbe05facab0e821d3b07675ba904167 /cryptography
parent: e6610ba910e3c7dc0ca55700c27f77c3029c83d3 (diff)
parent: 07827ebe994121262ab0d25936c443d81be7f9c4 (diff)
download: cryptography-75db7f4902ffd756f06c14e4328ebeda6a527800.tar.gz
cryptography-75db7f4902ffd756f06c14e4328ebeda6a527800.tar.bz2
cryptography-75db7f4902ffd756f06c14e4328ebeda6a527800.zip
2 files changed, 19 insertions, 5 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 021ce8c4..9ac062c2 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -897,10 +897,16 @@ class _RSASignatureContext(object):
         if res != 1:
             errors = self._backend._consume_errors()
             assert errors[0].lib == self._backend._lib.ERR_LIB_RSA
-            assert (errors[0].reason ==
-                    self._backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE)
-            raise ValueError("Salt length too long for key size. Try using "
-                             "MAX_LENGTH instead.")
+            reason = None
+            if (errors[0].reason ==
+                    self._backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE):
+                reason = ("Salt length too long for key size. Try using "
+                          "MAX_LENGTH instead.")
+            elif (errors[0].reason ==
+                    self._backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY):
+                reason = "Digest too large for key size. Use a larger key."
+            assert reason is not None
+            raise ValueError(reason)
 
         return self._backend._ffi.buffer(buf)[:]
 
@@ -915,7 +921,14 @@ class _RSASignatureContext(object):
         )
         self._hash_ctx.finalize()
         self._hash_ctx = None
-        assert res == 1
+        if res == 0:
+            errors = self._backend._consume_errors()
+            assert errors[0].lib == self._backend._lib.ERR_LIB_RSA
+            assert (errors[0].reason ==
+                    self._backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY)
+            raise ValueError("Digest too large for key size. Use a larger "
+                             "key.")
+
         return self._backend._ffi.buffer(sig_buf)[:sig_len[0]]
 
     def _finalize_pss(self, evp_pkey, pkey_size, evp_md):
diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index 551d8217..f51393aa 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -215,6 +215,7 @@ static const int PEM_R_UNSUPPORTED_CIPHER;
 static const int PEM_R_UNSUPPORTED_ENCRYPTION;
 
 static const int RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
+static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
 """
 
 FUNCTIONS = """
author	Alex Gaynor <alex.gaynor@gmail.com>	2014-04-19 20:31:29 -0700
committer	Alex Gaynor <alex.gaynor@gmail.com>	2014-04-19 20:31:29 -0700
commit	75db7f4902ffd756f06c14e4328ebeda6a527800 (patch)
tree	2f589a4bffbe05facab0e821d3b07675ba904167 /cryptography
parent	e6610ba910e3c7dc0ca55700c27f77c3029c83d3 (diff)
parent	07827ebe994121262ab0d25936c443d81be7f9c4 (diff)
download	cryptography-75db7f4902ffd756f06c14e4328ebeda6a527800.tar.gz cryptography-75db7f4902ffd756f06c14e4328ebeda6a527800.tar.bz2 cryptography-75db7f4902ffd756f06c14e4328ebeda6a527800.zip