From 9d345312d5ff22cd40d2359dc1765170badf42ea Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 26 Dec 2015 18:09:52 -0600
Subject: Support EC and DSA signing of CRLs in the OpenSSL backend

---
 src/cryptography/hazmat/backends/openssl/backend.py | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 38fe0772..e8b0322e 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1453,16 +1453,17 @@ class Backend(object):
         if not isinstance(algorithm, hashes.HashAlgorithm):
             raise TypeError('Algorithm must be a registered hash algorithm.')
 
-        if isinstance(private_key, _DSAPrivateKey):
-            raise NotImplementedError(
-                "CRL signatures aren't implemented for DSA"
-                " keys at this time."
-            )
-        if isinstance(private_key, _EllipticCurvePrivateKey):
-            raise NotImplementedError(
-                "CRL signatures aren't implemented for EC"
-                " keys at this time."
-            )
+        if self._lib.OPENSSL_VERSION_NUMBER <= 0x10001000:
+            if isinstance(private_key, _DSAPrivateKey):
+                raise NotImplementedError(
+                    "CRL signatures aren't implemented for DSA"
+                    " keys on OpenSSL versions less than 1.0.1."
+                )
+            if isinstance(private_key, _EllipticCurvePrivateKey):
+                raise NotImplementedError(
+                    "CRL signatures aren't implemented for EC"
+                    " keys on OpenSSL versions less than 1.0.1."
+                )
 
         evp_md = self._lib.EVP_get_digestbyname(
             algorithm.name.encode('ascii')
-- 
cgit v1.2.3