diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2014-05-31 20:57:47 -0700 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2014-05-31 20:57:47 -0700 |
| commit | ae2e9afc2735a74ed989210ee7da2e48494e5986 (patch) | |
| tree | e055fc1cb4ad34d087b3caf44eb65b2bcb66f9f4 | |
| parent | 3f7b3d34a594a93dd7f8a3eac658f094b6aae582 (diff) | |
| parent | 1b4e751292d694d411d806116eca1a2a325b3c5c (diff) | |
| download | cryptography-ae2e9afc2735a74ed989210ee7da2e48494e5986.tar.gz cryptography-ae2e9afc2735a74ed989210ee7da2e48494e5986.tar.bz2 cryptography-ae2e9afc2735a74ed989210ee7da2e48494e5986.zip | |
Merge pull request #1082 from reaperhulk/move-a-test
add RSA key generation restrictions to primitive layer
| -rw-r--r-- | cryptography/hazmat/backends/openssl/backend.py | 9 | ||||
| -rw-r--r-- | cryptography/hazmat/primitives/asymmetric/rsa.py | 12 | ||||
| -rw-r--r-- | tests/hazmat/backends/test_openssl.py | 16 |
3 files changed, 29 insertions, 8 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index a5f21787..c6bcbaaa 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -357,14 +357,7 @@ class Backend(object): return bn_ptr[0] def generate_rsa_private_key(self, public_exponent, key_size): - if public_exponent < 3: - raise ValueError("public_exponent must be >= 3.") - - if public_exponent & 1 == 0: - raise ValueError("public_exponent must be odd.") - - if key_size < 512: - raise ValueError("key_size must be at least 512-bits.") + rsa._verify_rsa_parameters(public_exponent, key_size) ctx = self._lib.RSA_new() assert ctx != self._ffi.NULL diff --git a/cryptography/hazmat/primitives/asymmetric/rsa.py b/cryptography/hazmat/primitives/asymmetric/rsa.py index a9f57838..9e11c58a 100644 --- a/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -21,6 +21,17 @@ from cryptography.hazmat.backends.interfaces import RSABackend from cryptography.hazmat.primitives import interfaces +def _verify_rsa_parameters(public_exponent, key_size): + if public_exponent < 3: + raise ValueError("public_exponent must be >= 3.") + + if public_exponent & 1 == 0: + raise ValueError("public_exponent must be odd.") + + if key_size < 512: + raise ValueError("key_size must be at least 512-bits.") + + @utils.register_interface(interfaces.RSAPublicKey) class RSAPublicKey(object): def __init__(self, public_exponent, modulus): @@ -187,6 +198,7 @@ class RSAPrivateKey(object): _Reasons.BACKEND_MISSING_INTERFACE ) + _verify_rsa_parameters(public_exponent, key_size) return backend.generate_rsa_private_key(public_exponent, key_size) def signer(self, padding, algorithm, backend): diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 0ccf7286..bfcdf14a 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -277,6 +277,22 @@ class TestOpenSSLRSA(object): assert backend.generate_rsa_parameters_supported(3, 1024) is True assert backend.generate_rsa_parameters_supported(3, 511) is False + def test_generate_bad_public_exponent(self): + with pytest.raises(ValueError): + backend.generate_rsa_private_key(public_exponent=1, key_size=2048) + + with pytest.raises(ValueError): + backend.generate_rsa_private_key(public_exponent=4, key_size=2048) + + def test_cant_generate_insecure_tiny_key(self): + with pytest.raises(ValueError): + backend.generate_rsa_private_key(public_exponent=65537, + key_size=511) + + with pytest.raises(ValueError): + backend.generate_rsa_private_key(public_exponent=65537, + key_size=256) + @pytest.mark.skipif( backend._lib.OPENSSL_VERSION_NUMBER >= 0x1000100f, reason="Requires an older OpenSSL. Must be < 1.0.1" |