make signature and verification contexts error better re: prehashed (#3658)

* make signature and verification contexts error better re: prehashed * code review feedback
author: Paul Kehrer <paul.l.kehrer@gmail.com> 2017-06-02 07:51:09 -1000
committer: Alex Gaynor <alex.gaynor@gmail.com> 2017-06-02 13:51:09 -0400
commit: 26fcc5c24d7ef7e905181ba044447ed15746c73b (patch)
tree: 00d9d9d22f28434f57dab94fa03bd357558d6db0 /src/cryptography
parent: a7e9a22886418b43ecdebd4ea3b5acba5425e822 (diff)
download: cryptography-26fcc5c24d7ef7e905181ba044447ed15746c73b.tar.gz
cryptography-26fcc5c24d7ef7e905181ba044447ed15746c73b.tar.bz2
cryptography-26fcc5c24d7ef7e905181ba044447ed15746c73b.zip
4 files changed, 17 insertions, 3 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index e2ed3dfd..c2223250 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -7,7 +7,7 @@ from __future__ import absolute_import, division, print_function
 from cryptography import utils
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.backends.openssl.utils import (
-    _calculate_digest_and_algorithm
+    _calculate_digest_and_algorithm, _check_not_prehashed
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
@@ -121,6 +121,7 @@ class _DSAPrivateKey(object):
     key_size = utils.read_only_property("_key_size")
 
     def signer(self, signature_algorithm):
+        _check_not_prehashed(signature_algorithm)
         return _DSASignatureContext(self._backend, self, signature_algorithm)
 
     def private_numbers(self):
@@ -210,6 +211,7 @@ class _DSAPublicKey(object):
         if not isinstance(signature, bytes):
             raise TypeError("signature must be bytes.")
 
+        _check_not_prehashed(signature_algorithm)
         return _DSAVerificationContext(
             self._backend, self, signature, signature_algorithm
         )
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index 3a81f919..b70735dc 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -9,7 +9,7 @@ from cryptography.exceptions import (
     InvalidSignature, UnsupportedAlgorithm, _Reasons
 )
 from cryptography.hazmat.backends.openssl.utils import (
-    _calculate_digest_and_algorithm
+    _calculate_digest_and_algorithm, _check_not_prehashed
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
@@ -141,6 +141,7 @@ class _EllipticCurvePrivateKey(object):
 
     def signer(self, signature_algorithm):
         _check_signature_algorithm(signature_algorithm)
+        _check_not_prehashed(signature_algorithm.algorithm)
         return _ECDSASignatureContext(
             self._backend, self, signature_algorithm.algorithm
         )
@@ -244,6 +245,7 @@ class _EllipticCurvePublicKey(object):
             raise TypeError("signature must be bytes.")
 
         _check_signature_algorithm(signature_algorithm)
+        _check_not_prehashed(signature_algorithm.algorithm)
         return _ECDSAVerificationContext(
             self._backend, self, signature, signature_algorithm.algorithm
         )
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 0a375721..fdde4589 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -11,7 +11,7 @@ from cryptography.exceptions import (
     InvalidSignature, UnsupportedAlgorithm, _Reasons
 )
 from cryptography.hazmat.backends.openssl.utils import (
-    _calculate_digest_and_algorithm
+    _calculate_digest_and_algorithm, _check_not_prehashed
 )
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import (
@@ -378,6 +378,7 @@ class _RSAPrivateKey(object):
     key_size = utils.read_only_property("_key_size")
 
     def signer(self, padding, algorithm):
+        _check_not_prehashed(algorithm)
         return _RSASignatureContext(self._backend, self, padding, algorithm)
 
     def decrypt(self, ciphertext, padding):
@@ -474,6 +475,7 @@ class _RSAPublicKey(object):
         if not isinstance(signature, bytes):
             raise TypeError("signature must be bytes.")
 
+        _check_not_prehashed(algorithm)
         return _RSAVerificationContext(
             self._backend, self, signature, padding, algorithm
         )
diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py
index e8b4a307..f71a62a5 100644
--- a/src/cryptography/hazmat/backends/openssl/utils.py
+++ b/src/cryptography/hazmat/backends/openssl/utils.py
@@ -23,3 +23,11 @@ def _calculate_digest_and_algorithm(backend, data, algorithm):
         )
 
     return (data, algorithm)
+
+
+def _check_not_prehashed(signature_algorithm):
+    if isinstance(signature_algorithm, Prehashed):
+        raise TypeError(
+            "Prehashed is only supported in the sign and verify methods. "
+            "It cannot be used with signer or verifier."
+        )
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2017-06-02 07:51:09 -1000
committer	Alex Gaynor <alex.gaynor@gmail.com>	2017-06-02 13:51:09 -0400
commit	26fcc5c24d7ef7e905181ba044447ed15746c73b (patch)
tree	00d9d9d22f28434f57dab94fa03bd357558d6db0 /src/cryptography
parent	a7e9a22886418b43ecdebd4ea3b5acba5425e822 (diff)
download	cryptography-26fcc5c24d7ef7e905181ba044447ed15746c73b.tar.gz cryptography-26fcc5c24d7ef7e905181ba044447ed15746c73b.tar.bz2 cryptography-26fcc5c24d7ef7e905181ba044447ed15746c73b.zip