Replace assertions with real error checks

2 files changed, 16 insertions, 2 deletions

diff --git a/cryptography/fernet.py b/cryptography/fernet.py
index c0c5631f..c5474af4 100644
--- a/cryptography/fernet.py
+++ b/cryptography/fernet.py
@@ -38,7 +38,10 @@ class Fernet(object):
             backend = default_backend()
 
         key = base64.urlsafe_b64decode(key)
-        assert len(key) == 32
+        if len(key) != 32:
+            raise ValueError(
+                "Fernet key must be 32 url-safe base64-encoded bytes"
+            )
 
         self._signing_key = key[:16]
         self._encryption_key = key[16:]
@@ -88,7 +91,9 @@ class Fernet(object):
         except (TypeError, binascii.Error):
             raise InvalidToken
 
-        assert six.indexbytes(data, 0) == 0x80
+        if six.indexbytes(data, 0) != 0x80:
+            raise InvalidToken
+
         timestamp = struct.unpack(">Q", data[1:9])[0]
         iv = data[9:25]
         ciphertext = data[25:-32]
diff --git a/tests/test_fernet.py b/tests/test_fernet.py
index 48df867c..77661180 100644
--- a/tests/test_fernet.py
+++ b/tests/test_fernet.py
@@ -69,6 +69,11 @@ class TestFernet(object):
         with pytest.raises(InvalidToken):
             f.decrypt(token.encode("ascii"), ttl=ttl_sec)
 
+    def test_invalid_start_byte(self, backend):
+        f = Fernet(Fernet.generate_key(), backend=backend)
+        with pytest.raises(InvalidToken):
+            f.decrypt(base64.urlsafe_b64encode(b"\x81"))
+
     def test_unicode(self, backend):
         f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
         with pytest.raises(TypeError):
@@ -84,3 +89,7 @@ class TestFernet(object):
     def test_default_backend(self):
         f = Fernet(Fernet.generate_key())
         assert f._backend is default_backend()
+
+    def test_bad_key(self, backend):
+        with pytest.raises(ValueError):
+            Fernet(base64.urlsafe_b64encode(b"abc"), backend=backend)