4 files changed, 120 insertions, 5 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 6bf3787a..86fa704b 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -901,10 +901,16 @@ class _RSASignatureContext(object):
         if res != 1:
             errors = self._backend._consume_errors()
             assert errors[0].lib == self._backend._lib.ERR_LIB_RSA
-            assert (errors[0].reason ==
-                    self._backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE)
-            raise ValueError("Salt length too long for key size. Try using "
-                             "MAX_LENGTH instead.")
+            reason = None
+            if (errors[0].reason ==
+                    self._backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE):
+                reason = ("Salt length too long for key size. Try using "
+                          "MAX_LENGTH instead.")
+            elif (errors[0].reason ==
+                    self._backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY):
+                reason = "Digest too large for key size. Use a larger key."
+            assert reason is not None
+            raise ValueError(reason)
 
         return self._backend._ffi.buffer(buf)[:]
 
@@ -919,7 +925,14 @@ class _RSASignatureContext(object):
         )
         self._hash_ctx.finalize()
         self._hash_ctx = None
-        assert res == 1
+        if res == 0:
+            errors = self._backend._consume_errors()
+            assert errors[0].lib == self._backend._lib.ERR_LIB_RSA
+            assert (errors[0].reason ==
+                    self._backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY)
+            raise ValueError("Digest too large for key size. Use a larger "
+                             "key.")
+
         return self._backend._ffi.buffer(sig_buf)[:sig_len[0]]
 
     def _finalize_pss(self, evp_pkey, pkey_size, evp_md):
diff --git a/cryptography/hazmat/bindings/openssl/binding.py b/cryptography/hazmat/bindings/openssl/binding.py
index acf9d42c..cc40a108 100644
--- a/cryptography/hazmat/bindings/openssl/binding.py
+++ b/cryptography/hazmat/bindings/openssl/binding.py
@@ -49,6 +49,7 @@ class Binding(object):
         "bignum",
         "bio",
         "cmac",
+        "cms",
         "conf",
         "crypto",
         "dh",
diff --git a/cryptography/hazmat/bindings/openssl/cms.py b/cryptography/hazmat/bindings/openssl/cms.py
new file mode 100644
index 00000000..a3760f2c
--- /dev/null
+++ b/cryptography/hazmat/bindings/openssl/cms.py
@@ -0,0 +1,100 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#if !defined(OPENSSL_NO_CMS) && OPENSSL_VERSION_NUMBER >= 0x0090808fL
+// The next define should really be in the OpenSSL header, but it is missing.
+// Failing to include this on Windows causes compilation failures.
+#if defined(OPENSSL_SYS_WINDOWS)
+#include <windows.h>
+#endif
+#include <openssl/cms.h>
+#endif
+"""
+
+TYPES = """
+static const long Cryptography_HAS_CMS;
+
+typedef ... CMS_ContentInfo;
+typedef ... CMS_SignerInfo;
+typedef ... CMS_CertificateChoices;
+typedef ... CMS_RevocationInfoChoice;
+typedef ... CMS_RecipientInfo;
+typedef ... CMS_ReceiptRequest;
+typedef ... CMS_Receipt;
+"""
+
+FUNCTIONS = """
+"""
+
+MACROS = """
+BIO *BIO_new_CMS(BIO *, CMS_ContentInfo *);
+int i2d_CMS_bio_stream(BIO *, CMS_ContentInfo *, BIO *, int);
+int PEM_write_bio_CMS_stream(BIO *, CMS_ContentInfo *, BIO *, int);
+int CMS_final(CMS_ContentInfo *, BIO *, BIO *, unsigned int);
+CMS_ContentInfo *CMS_sign(X509 *, EVP_PKEY *, Cryptography_STACK_OF_X509 *,
+                          BIO *, unsigned int);
+int CMS_verify(CMS_ContentInfo *, Cryptography_STACK_OF_X509 *, X509_STORE *,
+               BIO *, BIO *, unsigned int);
+CMS_ContentInfo *CMS_encrypt(Cryptography_STACK_OF_X509 *, BIO *,
+                             const EVP_CIPHER *, unsigned int);
+int CMS_decrypt(CMS_ContentInfo *, EVP_PKEY *, X509 *, BIO *, BIO *,
+                unsigned int);
+CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *, X509 *, EVP_PKEY *,
+                                const EVP_MD *, unsigned int);
+"""
+
+CUSTOMIZATIONS = """
+#if !defined(OPENSSL_NO_CMS) && OPENSSL_VERSION_NUMBER >= 0x0090808fL
+static const long Cryptography_HAS_CMS = 1;
+#else
+static const long Cryptography_HAS_CMS = 0;
+typedef void CMS_ContentInfo;
+typedef void CMS_SignerInfo;
+typedef void CMS_CertificateChoices;
+typedef void CMS_RevocationInfoChoice;
+typedef void CMS_RecipientInfo;
+typedef void CMS_ReceiptRequest;
+typedef void CMS_Receipt;
+BIO *(*BIO_new_CMS)(BIO *, CMS_ContentInfo *) = NULL;
+int (*i2d_CMS_bio_stream)(BIO *, CMS_ContentInfo *, BIO *, int) = NULL;
+int (*PEM_write_bio_CMS_stream)(BIO *, CMS_ContentInfo *, BIO *, int) = NULL;
+int (*CMS_final)(CMS_ContentInfo *, BIO *, BIO *, unsigned int) = NULL;
+CMS_ContentInfo *(*CMS_sign)(X509 *, EVP_PKEY *, Cryptography_STACK_OF_X509 *,
+                             BIO *, unsigned int) = NULL;
+int (*CMS_verify)(CMS_ContentInfo *, Cryptography_STACK_OF_X509 *,
+                  X509_STORE *, BIO *, BIO *, unsigned int) = NULL;
+CMS_ContentInfo *(*CMS_encrypt)(Cryptography_STACK_OF_X509 *, BIO *,
+                                const EVP_CIPHER *, unsigned int) = NULL;
+int (*CMS_decrypt)(CMS_ContentInfo *, EVP_PKEY *, X509 *, BIO *, BIO *,
+                   unsigned int) = NULL;
+CMS_SignerInfo *(*CMS_add1_signer)(CMS_ContentInfo *, X509 *, EVP_PKEY *,
+                                   const EVP_MD *, unsigned int) = NULL;
+#endif
+"""
+
+CONDITIONAL_NAMES = {
+    "Cryptography_HAS_CMS": [
+        "BIO_new_CMS",
+        "i2d_CMS_bio_stream",
+        "PEM_write_bio_CMS_stream",
+        "CMS_final",
+        "CMS_sign",
+        "CMS_verify",
+        "CMS_encrypt",
+        "CMS_decrypt",
+        "CMS_add1_signer",
+    ]
+}
diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index 551d8217..f51393aa 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -215,6 +215,7 @@ static const int PEM_R_UNSUPPORTED_CIPHER;
 static const int PEM_R_UNSUPPORTED_ENCRYPTION;
 
 static const int RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
+static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
 """
 
 FUNCTIONS = """