Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 19f5a49d413bd9c7b81f29511f4c983bb9408968^! / .
commit19f5a49d413bd9c7b81f29511f4c983bb9408968[log] [tgz]
authorIan Cordasco <graffatcolmingov@gmail.com>Sat Aug 01 11:06:17 2015 -0500
committerIan Cordasco <graffatcolmingov@gmail.com>Sat Aug 01 11:06:17 2015 -0500
tree77bd0470e4bd740e20cf41a9b6e402cea2e95853
parentc5e1c254ba4bc9bb94e8ddcc66f4dc8eb62ce218 [diff]
Add check for an RSA Key being too small

- Remove outdated/unnecessary/illegitimate TODOs
- Fix up test for an RSA key that is too small

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 3beb716..eae31cd 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py

@@ -1081,7 +1081,11 @@
         res = self._lib.X509_sign(
             x509_cert, private_key._evp_pkey, evp_md
         )
-        assert res > 0
+        if res == 0:
+            errors = self._consume_errors()
+            assert errors[0][1] == self._lib.ERR_LIB_RSA
+            assert errors[0][3] == self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+            raise ValueError("Digest too big for RSA key")
 
         return _Certificate(self, x509_cert)
 

diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 11ce6cf..5760aae 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py

@@ -1680,7 +1680,6 @@
         """
         Sets the certificate activation time.
         """
-        # TODO: require UTC datetime?
         if not isinstance(time, datetime.datetime):
             raise TypeError('Expecting datetime object.')
         if self._not_valid_before is not None:
@@ -1698,7 +1697,6 @@
         """
         Sets the certificate expiration time.
         """
-        # TODO: require UTC datetime?
         if not isinstance(time, datetime.datetime):
             raise TypeError('Expecting datetime object.')
         if self._not_valid_after is not None:

diff --git a/tests/test_x509.py b/tests/test_x509.py
index c3381d5..341818a 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py

@@ -1082,8 +1082,7 @@
 
     @pytest.mark.requires_backend_interface(interface=RSABackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
-    def test_build_cert_with_sha512_and_rsa512(self, backend):
-        # TODO(sigmavirus24): Give this a better name
+    def test_build_cert_with_rsa_key_too_small(self, backend):
         issuer_private_key = RSA_KEY_512.private_key(backend)
         subject_private_key = RSA_KEY_512.private_key(backend)
 
@@ -1117,16 +1116,8 @@
             not_valid_after
         )
 
-        cert = builder.sign(backend, issuer_private_key, hashes.SHA512())
-
-        assert cert.version is x509.Version.v3
-        assert cert.not_valid_before == not_valid_before
-        assert cert.not_valid_after == not_valid_after
-        basic_constraints = cert.extensions.get_extension_for_oid(
-            x509.OID_BASIC_CONSTRAINTS
-        )
-        assert basic_constraints.value.ca is False
-        assert basic_constraints.value.path_length is None
+        with pytest.raises(ValueError):
+            builder.sign(backend, issuer_private_key, hashes.SHA512())
 
 
 @pytest.mark.requires_backend_interface(interface=X509Backend)