Merge pull request #2175 from reaperhulk/csr-better-err-msg

handle RSA key too small and consume errors on CSR signature failure

2 files changed, 6 insertions, 1 deletions

diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index eebf19ba..73ce4e3c 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -230,6 +230,7 @@ static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
 static const int RSA_R_PKCS_DECODING_ERROR;
+static const int RSA_F_RSA_SIGN;
 """
 
 FUNCTIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 2d2ecc81..db4f963a 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1055,7 +1055,11 @@ class Backend(object):
         res = self._lib.X509_REQ_sign(
             x509_req, private_key._evp_pkey, evp_md
         )
-        assert res > 0
+        if res == 0:
+            errors = self._consume_errors()
+            assert errors[0][1] == self._lib.ERR_LIB_RSA
+            assert errors[0][3] == self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+            raise ValueError("Digest too big for RSA key")
 
         return _CertificateSigningRequest(self, x509_req)