From 4e4a9ba524efe4963961c62c6da915a834ca185c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 25 Jul 2015 18:49:35 +0100 Subject: handle RSA key too small and consume errors on CSR signature failure --- src/_cffi_src/openssl/err.py | 1 + src/cryptography/hazmat/backends/openssl/backend.py | 11 ++++++++++- tests/test_x509.py | 13 +++++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py index eebf19ba..73ce4e3c 100644 --- a/src/_cffi_src/openssl/err.py +++ b/src/_cffi_src/openssl/err.py @@ -230,6 +230,7 @@ static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY; static const int RSA_R_BLOCK_TYPE_IS_NOT_01; static const int RSA_R_BLOCK_TYPE_IS_NOT_02; static const int RSA_R_PKCS_DECODING_ERROR; +static const int RSA_F_RSA_SIGN; """ FUNCTIONS = """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 2d2ecc81..dd89623e 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1055,7 +1055,16 @@ class Backend(object): res = self._lib.X509_REQ_sign( x509_req, private_key._evp_pkey, evp_md ) - assert res > 0 + if res == 0: + errors = self._consume_errors() + assert errors[0][1:] in ( + ( + self._lib.ERR_LIB_RSA, + self._lib.RSA_F_RSA_SIGN, + self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY + ), + ) + raise ValueError("Digest too big for RSA key") return _CertificateSigningRequest(self, x509_req) diff --git a/tests/test_x509.py b/tests/test_x509.py index cacf3c88..38432271 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1206,6 +1206,19 @@ class TestCertificateSigningRequestBuilder(object): x509.OID_CODE_SIGNING, ]) + @pytest.mark.requires_backend_interface(interface=RSABackend) + def test_rsa_key_too_small(self, backend): + private_key = rsa.generate_private_key(65537, 512, backend) + builder = x509.CertificateSigningRequestBuilder() + builder = builder.subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ) + + with pytest.raises(ValueError) as exc: + builder.sign(private_key, hashes.SHA512(), backend) + + assert exc.value.message == "Digest too big for RSA key" + @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) -- cgit v1.2.3 From 28fae4e437a8487e6d5414ce5e3f7904f412995d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 25 Jul 2015 19:07:21 +0100 Subject: == instead of in --- src/cryptography/hazmat/backends/openssl/backend.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index dd89623e..8b332c53 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1057,12 +1057,12 @@ class Backend(object): ) if res == 0: errors = self._consume_errors() - assert errors[0][1:] in ( + assert errors[0][1:] == ( ( self._lib.ERR_LIB_RSA, self._lib.RSA_F_RSA_SIGN, self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY - ), + ) ) raise ValueError("Digest too big for RSA key") -- cgit v1.2.3 From 195a1ecb96d7ac7fc0d9ce39340e747531e5ad96 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 25 Jul 2015 19:12:19 +0100 Subject: extra parens --- src/cryptography/hazmat/backends/openssl/backend.py | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 8b332c53..76252404 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1058,11 +1058,9 @@ class Backend(object): if res == 0: errors = self._consume_errors() assert errors[0][1:] == ( - ( - self._lib.ERR_LIB_RSA, - self._lib.RSA_F_RSA_SIGN, - self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY - ) + self._lib.ERR_LIB_RSA, + self._lib.RSA_F_RSA_SIGN, + self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY ) raise ValueError("Digest too big for RSA key") -- cgit v1.2.3 From 6a71f8d9972032c5f034ba47bcf3439c9ffd3494 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 25 Jul 2015 19:15:59 +0100 Subject: py3 fixin' --- tests/test_x509.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_x509.py b/tests/test_x509.py index 38432271..98cf49be 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1217,7 +1217,7 @@ class TestCertificateSigningRequestBuilder(object): with pytest.raises(ValueError) as exc: builder.sign(private_key, hashes.SHA512(), backend) - assert exc.value.message == "Digest too big for RSA key" + assert str(exc.value) == "Digest too big for RSA key" @pytest.mark.requires_backend_interface(interface=DSABackend) -- cgit v1.2.3 From af57f7d2ce0b77a3e58a40d85b772ddd949f8e89 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 25 Jul 2015 20:04:11 +0100 Subject: openssl error codes are clearly not considered part of the api contract --- src/cryptography/hazmat/backends/openssl/backend.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 76252404..db4f963a 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1057,11 +1057,8 @@ class Backend(object): ) if res == 0: errors = self._consume_errors() - assert errors[0][1:] == ( - self._lib.ERR_LIB_RSA, - self._lib.RSA_F_RSA_SIGN, - self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY - ) + assert errors[0][1] == self._lib.ERR_LIB_RSA + assert errors[0][3] == self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY raise ValueError("Digest too big for RSA key") return _CertificateSigningRequest(self, x509_req) -- cgit v1.2.3