catch PyAsn1Error when decoding rfc6979 signature

2 files changed, 11 insertions, 1 deletions

diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
index 36b9080d..08bb40c7 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -5,6 +5,7 @@
 from __future__ import absolute_import, division, print_function
 
 from pyasn1.codec.der import decoder, encoder
+from pyasn1.error import PyAsn1Error
 from pyasn1.type import namedtype, univ
 
 
@@ -16,7 +17,11 @@ class _DSSSigValue(univ.Sequence):
 
 
 def decode_rfc6979_signature(signature):
-    data, remaining = decoder.decode(signature, asn1Spec=_DSSSigValue())
+    try:
+        data, remaining = decoder.decode(signature, asn1Spec=_DSSSigValue())
+    except PyAsn1Error:
+        raise ValueError("Invalid signature data. Unable to decode ASN.1")
+
     if remaining:
         raise ValueError(
             "The signature contains bytes after the end of the ASN.1 sequence."
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
index f8a67b68..640b5b3d 100644
--- a/tests/hazmat/primitives/test_asym_utils.py
+++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -39,3 +39,8 @@ def test_rfc6979_signature():
 def test_decode_rfc6979_trailing_bytes():
     with pytest.raises(ValueError):
         decode_rfc6979_signature(b"0\x06\x02\x01\x01\x02\x01\x01\x00\x00\x00")
+
+
+def test_decode_rfc6979_invalid_asn1():
+    with pytest.raises(ValueError):
+        decode_rfc6979_signature(b"0\x07\x02\x01\x01\x02\x02\x01")