commit 94a0713e3aa1b2ec4f98fe1eb690ef2160d70fdf
author Paul Kehrer <paul.l.kehrer@gmail.com> Sun Nov 30 09:51:10 2014 -1000
committer Paul Kehrer <paul.l.kehrer@gmail.com> Sun Nov 30 09:51:10 2014 -1000
tree 377d423482faa4d32d9b6f3cacca162155d0a463
parent b3a3e5c78650f0bbcaa5386e2185381156032d56

error if signature has trailing bytes

src/cryptography/hazmat/primitives/asymmetric/utils.py

diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
index 0140e6c..a1a4029 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -17,6 +17,10 @@
 
 def decode_rfc6979_signature(signature):
     data = decoder.decode(signature, asn1Spec=_DSSSigValue())
+    if data[1]:
+        raise ValueError(
+            "The signature contains bytes after the end of the ASN.1 sequence."
+        )
     r = int(data[0].getComponentByName('r'))
     s = int(data[0].getComponentByName('s'))
     return (r, s)

tests/hazmat/primitives/test_asym_utils.py

diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
index f2f8850..f8a67b6 100644
--- a/tests/hazmat/primitives/test_asym_utils.py
+++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -4,6 +4,8 @@
 
 from __future__ import absolute_import, division, print_function
 
+import pytest
+
 from cryptography.hazmat.primitives.asymmetric.utils import (
     decode_rfc6979_signature, encode_rfc6979_signature
 )
@@ -32,3 +34,8 @@
     sig4 = encode_rfc6979_signature(-1, 0)
     assert sig4 == b"0\x06\x02\x01\xFF\x02\x01\x00"
     assert decode_rfc6979_signature(sig4) == (-1, 0)
+
+
+def test_decode_rfc6979_trailing_bytes():
+    with pytest.raises(ValueError):
+        decode_rfc6979_signature(b"0\x06\x02\x01\x01\x02\x01\x01\x00\x00\x00")