From 4e4a9ba524efe4963961c62c6da915a834ca185c Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 25 Jul 2015 18:49:35 +0100
Subject: handle RSA key too small and consume errors on CSR signature failure

---
 src/_cffi_src/openssl/err.py                        |  1 +
 src/cryptography/hazmat/backends/openssl/backend.py | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index eebf19ba..73ce4e3c 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -230,6 +230,7 @@ static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
 static const int RSA_R_PKCS_DECODING_ERROR;
+static const int RSA_F_RSA_SIGN;
 """
 
 FUNCTIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 2d2ecc81..dd89623e 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1055,7 +1055,16 @@ class Backend(object):
         res = self._lib.X509_REQ_sign(
             x509_req, private_key._evp_pkey, evp_md
         )
-        assert res > 0
+        if res == 0:
+            errors = self._consume_errors()
+            assert errors[0][1:] in (
+                (
+                    self._lib.ERR_LIB_RSA,
+                    self._lib.RSA_F_RSA_SIGN,
+                    self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+                ),
+            )
+            raise ValueError("Digest too big for RSA key")
 
         return _CertificateSigningRequest(self, x509_req)
 
-- 
cgit v1.2.3


From 28fae4e437a8487e6d5414ce5e3f7904f412995d Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 25 Jul 2015 19:07:21 +0100
Subject: == instead of in

---
 src/cryptography/hazmat/backends/openssl/backend.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index dd89623e..8b332c53 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1057,12 +1057,12 @@ class Backend(object):
         )
         if res == 0:
             errors = self._consume_errors()
-            assert errors[0][1:] in (
+            assert errors[0][1:] == (
                 (
                     self._lib.ERR_LIB_RSA,
                     self._lib.RSA_F_RSA_SIGN,
                     self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
-                ),
+                )
             )
             raise ValueError("Digest too big for RSA key")
 
-- 
cgit v1.2.3


From 195a1ecb96d7ac7fc0d9ce39340e747531e5ad96 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 25 Jul 2015 19:12:19 +0100
Subject: extra parens

---
 src/cryptography/hazmat/backends/openssl/backend.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 8b332c53..76252404 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1058,11 +1058,9 @@ class Backend(object):
         if res == 0:
             errors = self._consume_errors()
             assert errors[0][1:] == (
-                (
-                    self._lib.ERR_LIB_RSA,
-                    self._lib.RSA_F_RSA_SIGN,
-                    self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
-                )
+                self._lib.ERR_LIB_RSA,
+                self._lib.RSA_F_RSA_SIGN,
+                self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
             )
             raise ValueError("Digest too big for RSA key")
 
-- 
cgit v1.2.3


From af57f7d2ce0b77a3e58a40d85b772ddd949f8e89 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 25 Jul 2015 20:04:11 +0100
Subject: openssl error codes are clearly not considered part of the api
 contract

---
 src/cryptography/hazmat/backends/openssl/backend.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 76252404..db4f963a 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1057,11 +1057,8 @@ class Backend(object):
         )
         if res == 0:
             errors = self._consume_errors()
-            assert errors[0][1:] == (
-                self._lib.ERR_LIB_RSA,
-                self._lib.RSA_F_RSA_SIGN,
-                self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
-            )
+            assert errors[0][1] == self._lib.ERR_LIB_RSA
+            assert errors[0][3] == self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
             raise ValueError("Digest too big for RSA key")
 
         return _CertificateSigningRequest(self, x509_req)
-- 
cgit v1.2.3