From f58d1ab6cf5d90ae06a593fca52ab388d75da068 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Thu, 1 May 2014 12:58:16 -0500
Subject: add check to ensure only invalid ASN1 gives InvalidSignature in DSA

---
 cryptography/hazmat/backends/openssl/backend.py | 3 +++
 tests/hazmat/primitives/test_dsa.py             | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 37d1c35e..37deb2ae 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -1363,6 +1363,9 @@ class _DSAVerificationContext(object):
         if res != 1:
             errors = self._backend._consume_errors()
             assert errors
+            if res == -1:
+                assert errors[0].lib == self._backend._lib.ERR_LIB_ASN1
+
             raise InvalidSignature
 
 
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
index c6642e07..4c3cd58a 100644
--- a/tests/hazmat/primitives/test_dsa.py
+++ b/tests/hazmat/primitives/test_dsa.py
@@ -765,6 +765,15 @@ class TestDSAVerification(object):
         else:
             verifier.verify()
 
+    def test_dsa_verify_invalid_asn1(self, backend):
+        parameters = dsa.DSAParameters.generate(1024, backend)
+        private_key = dsa.DSAPrivateKey.generate(parameters, backend)
+        public_key = private_key.public_key()
+        verifier = public_key.verifier(b'fakesig', hashes.SHA1(), backend)
+        verifier.update(b'fakesig')
+        with pytest.raises(InvalidSignature):
+            verifier.verify()
+
     def test_use_after_finalize(self, backend):
         parameters = dsa.DSAParameters.generate(1024, backend)
         private_key = dsa.DSAPrivateKey.generate(parameters, backend)
-- 
cgit v1.2.3