Merge pull request #1346 from reaperhulk/fix-pkcs8-ec-load
Process curve name when loading EC keys. Fixes #1336
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index c28d233..389ef0b 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -1075,12 +1075,12 @@
)
@contextmanager
- def _bn_ctx_manager(self):
+ def _tmp_bn_ctx(self):
bn_ctx = self._lib.BN_CTX_new()
assert bn_ctx != self._ffi.NULL
bn_ctx = self._ffi.gc(bn_ctx, self._lib.BN_CTX_free)
+ self._lib.BN_CTX_start(bn_ctx)
try:
- self._lib.BN_CTX_start(bn_ctx)
yield bn_ctx
finally:
self._lib.BN_CTX_end(bn_ctx)
@@ -1124,7 +1124,7 @@
assert set_func and get_func
- with self._bn_ctx_manager() as bn_ctx:
+ with self._tmp_bn_ctx() as bn_ctx:
check_x = self._lib.BN_CTX_get(bn_ctx)
check_y = self._lib.BN_CTX_get(bn_ctx)
diff --git a/cryptography/hazmat/backends/openssl/ec.py b/cryptography/hazmat/backends/openssl/ec.py
index 51fc8f4..611dba2 100644
--- a/cryptography/hazmat/backends/openssl/ec.py
+++ b/cryptography/hazmat/backends/openssl/ec.py
@@ -38,7 +38,7 @@
group = _lib.EC_KEY_get0_group(ec_key_cdata)
- with backend._bn_ctx_manager() as bn_ctx:
+ with backend._tmp_bn_ctx() as bn_ctx:
order = _lib.BN_CTX_get(bn_ctx)
assert order != _ffi.NULL
diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst
index 18b89c4..b86fab6 100644
--- a/docs/hazmat/primitives/asymmetric/serialization.rst
+++ b/docs/hazmat/primitives/asymmetric/serialization.rst
@@ -107,8 +107,8 @@
:returns: A new instance of a public key.
- :raises ValueError: If the PEM data could not be decrypted or if its
- structure could not be decoded successfully.
+ :raises ValueError: If the PEM data's structure could not be decoded
+ successfully.
:raises UnsupportedAlgorithm: If the serialized key is of a type that
is not supported by the backend.
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index ca6e9ab..78da965 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -109,9 +109,11 @@
assert b.lib.SSL_OP_ALL > 0
ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
+ current_options = b.lib.SSL_CTX_get_options(ctx)
resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL)
- assert resp == b.lib.SSL_OP_ALL
- assert b.lib.SSL_OP_ALL == b.lib.SSL_CTX_get_options(ctx)
+ expected_options = current_options | b.lib.SSL_OP_ALL
+ assert resp == expected_options
+ assert b.lib.SSL_CTX_get_options(ctx) == expected_options
def test_ssl_options(self):
# Test that we're properly handling 32-bit unsigned on all platforms.
@@ -121,9 +123,11 @@
ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
ssl = b.lib.SSL_new(ctx)
ssl = b.ffi.gc(ssl, b.lib.SSL_free)
+ current_options = b.lib.SSL_get_options(ssl)
resp = b.lib.SSL_set_options(ssl, b.lib.SSL_OP_ALL)
- assert resp == b.lib.SSL_OP_ALL
- assert b.lib.SSL_OP_ALL == b.lib.SSL_get_options(ssl)
+ expected_options = current_options | b.lib.SSL_OP_ALL
+ assert resp == expected_options
+ assert b.lib.SSL_get_options(ssl) == expected_options
def test_ssl_mode(self):
# Test that we're properly handling 32-bit unsigned on all platforms.
@@ -133,9 +137,11 @@
ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
ssl = b.lib.SSL_new(ctx)
ssl = b.ffi.gc(ssl, b.lib.SSL_free)
+ current_options = b.lib.SSL_get_mode(ssl)
resp = b.lib.SSL_set_mode(ssl, b.lib.SSL_OP_ALL)
- assert resp == b.lib.SSL_OP_ALL
- assert b.lib.SSL_OP_ALL == b.lib.SSL_get_mode(ssl)
+ expected_options = current_options | b.lib.SSL_OP_ALL
+ assert resp == expected_options
+ assert b.lib.SSL_get_mode(ssl) == expected_options
def test_windows_static_dynamic_libraries(self):
assert "ssleay32mt" in _get_windows_libraries("static")