diff options
| -rw-r--r-- | .travis.yml | 16 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/ec.py | 2 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/ec.py | 18 |
3 files changed, 25 insertions, 11 deletions
diff --git a/.travis.yml b/.travis.yml index 472ba032..1a9919a9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -48,15 +48,15 @@ matrix: - python: 3.7 env: TOXENV=py37 OPENSSL=1.0.1u - python: 2.7 - env: TOXENV=py27 OPENSSL=1.1.0k + env: TOXENV=py27 OPENSSL=1.1.0l - python: 3.5 - env: TOXENV=py35 OPENSSL=1.1.0k + env: TOXENV=py35 OPENSSL=1.1.0l - python: 2.7 - env: TOXENV=py27 OPENSSL=1.1.1c + env: TOXENV=py27 OPENSSL=1.1.1d - python: 3.7 - env: TOXENV=py37 OPENSSL=1.1.1c + env: TOXENV=py37 OPENSSL=1.1.1d - python: 3.7 - env: TOXENV=py37 OPENSSL=1.1.1c OPENSSL_CONFIG_FLAGS=no-engine + env: TOXENV=py37 OPENSSL=1.1.1d OPENSSL_CONFIG_FLAGS=no-engine - python: 3.7 env: TOXENV=py37 LIBRESSL=2.6.5 - python: 3.7 @@ -110,7 +110,7 @@ matrix: env: TOXENV=py37 DOCKER=pyca/cryptography-runner-alpine:latest - python: 3.6 - env: TOXENV=docs OPENSSL=1.1.1b + env: TOXENV=docs OPENSSL=1.1.1d addons: apt: packages: @@ -133,9 +133,9 @@ matrix: - python: 2.7 # BOTO_CONFIG works around this boto issue on travis: # https://github.com/boto/boto/issues/3717 - env: DOWNSTREAM=dynamodb-encryption-sdk OPENSSL=1.1.0k BOTO_CONFIG=/dev/null + env: DOWNSTREAM=dynamodb-encryption-sdk OPENSSL=1.1.0l BOTO_CONFIG=/dev/null - python: 2.7 - env: DOWNSTREAM=certbot OPENSSL=1.1.0k + env: DOWNSTREAM=certbot OPENSSL=1.1.0l - python: 2.7 env: DOWNSTREAM=certbot-josepy - python: 2.7 diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 258afa21..52f60014 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -105,6 +105,8 @@ int EC_POINT_mul(const EC_GROUP *, EC_POINT *, const BIGNUM *, int EC_METHOD_get_field_type(const EC_METHOD *); const char *EC_curve_nid2nist(int); + +int EC_GROUP_get_asn1_flag(const EC_GROUP *); """ CUSTOMIZATIONS = """ diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py index 2ca48091..3d8681b4 100644 --- a/src/cryptography/hazmat/backends/openssl/ec.py +++ b/src/cryptography/hazmat/backends/openssl/ec.py @@ -34,7 +34,19 @@ def _ec_key_curve_sn(backend, ec_key): # an error for now. if nid == backend._lib.NID_undef: raise NotImplementedError( - "ECDSA certificates with unnamed curves are unsupported " + "ECDSA keys with unnamed curves are unsupported " + "at this time" + ) + + # This is like the above check, but it also catches the case where you + # explicitly encoded a curve with the same parameters as a named curve. + # Don't do that. + if ( + backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and + backend._lib.EC_GROUP_get_asn1_flag(group) == 0 + ): + raise NotImplementedError( + "ECDSA keys with unnamed curves are unsupported " "at this time" ) @@ -127,12 +139,12 @@ class _ECDSAVerificationContext(object): class _EllipticCurvePrivateKey(object): def __init__(self, backend, ec_key_cdata, evp_pkey): self._backend = backend - _mark_asn1_named_ec_curve(backend, ec_key_cdata) self._ec_key = ec_key_cdata self._evp_pkey = evp_pkey sn = _ec_key_curve_sn(backend, ec_key_cdata) self._curve = _sn_to_elliptic_curve(backend, sn) + _mark_asn1_named_ec_curve(backend, ec_key_cdata) curve = utils.read_only_property("_curve") @@ -229,12 +241,12 @@ class _EllipticCurvePrivateKey(object): class _EllipticCurvePublicKey(object): def __init__(self, backend, ec_key_cdata, evp_pkey): self._backend = backend - _mark_asn1_named_ec_curve(backend, ec_key_cdata) self._ec_key = ec_key_cdata self._evp_pkey = evp_pkey sn = _ec_key_curve_sn(backend, ec_key_cdata) self._curve = _sn_to_elliptic_curve(backend, sn) + _mark_asn1_named_ec_curve(backend, ec_key_cdata) curve = utils.read_only_property("_curve") |