authorAlex Gaynor <alex.gaynor@gmail.com>2014-07-08 16:53:20 -0700
committerAlex Gaynor <alex.gaynor@gmail.com>2014-07-08 16:53:20 -0700
commitbe31fc67788d5b137ea1d3441b798302919177b8 (patch)
treeea6d03ad13664dd2fa99414ed569dd3e1fdf8e0a
parentab8d3eb82b9faaf1d3a2792cf4a10cc054b86165 (diff)
Factor out a function from key loading
-rw-r--r--cryptography/hazmat/backends/openssl/backend.py138
-rw-r--r--cryptography/hazmat/primitives/serialization.py4
2 files changed, 70 insertions, 72 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 4991177a..da52799c 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -763,7 +763,6 @@ class Backend(object):
def load_traditional_openssl_pem_private_key(self, data, password):
# OpenSSLs API for loading PKCS#8 certs can also load the traditional
# format so we just use that for both of them.
-
return self.load_pkcs8_pem_private_key(data, password)
def load_pkcs8_pem_private_key(self, data, password):
@@ -779,74 +778,7 @@ class Backend(object):
)
if evp_pkey == self._ffi.NULL:
- errors = self._consume_errors()
- if not errors:
- raise ValueError("Could not unserialize key data.")
-
- if (
- errors[0][1:] == (
- self._lib.ERR_LIB_PEM,
- self._lib.PEM_F_PEM_DO_HEADER,
- self._lib.PEM_R_BAD_PASSWORD_READ
- )
- ) or (
- errors[0][1:] == (
- self._lib.ERR_LIB_PEM,
- self._lib.PEM_F_PEM_READ_BIO_PRIVATEKEY,
- self._lib.PEM_R_BAD_PASSWORD_READ
- )
- ):
- assert not password
- raise TypeError(
- "Password was not given but private key is encrypted.")
-
- elif errors[0][1:] == (
- self._lib.ERR_LIB_EVP,
- self._lib.EVP_F_EVP_DECRYPTFINAL_EX,
- self._lib.EVP_R_BAD_DECRYPT
- ):
- raise ValueError(
- "Bad decrypt. Incorrect password?"
- )
-
- elif errors[0][1:] in (
- (
- self._lib.ERR_LIB_PEM,
- self._lib.PEM_F_PEM_GET_EVP_CIPHER_INFO,
- self._lib.PEM_R_UNSUPPORTED_ENCRYPTION
- ),
-
- (
- self._lib.ERR_LIB_EVP,
- self._lib.EVP_F_EVP_PBE_CIPHERINIT,
- self._lib.EVP_R_UNKNOWN_PBE_ALGORITHM
- )
- ):
- raise UnsupportedAlgorithm(
- "PEM data is encrypted with an unsupported cipher",
- _Reasons.UNSUPPORTED_CIPHER
- )
-
- elif any(
- error[1:] == (
- self._lib.ERR_LIB_EVP,
- self._lib.EVP_F_EVP_PKCS82PKEY,
- self._lib.EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM
- )
- for error in errors
- ):
- raise UnsupportedAlgorithm(
- "Unsupported public key algorithm.",
- _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
- )
-
- else:
- assert errors[0][1] in (
- self._lib.ERR_LIB_EVP,
- self._lib.ERR_LIB_PEM,
- self._lib.ERR_LIB_ASN1,
- )
- raise ValueError("Could not unserialize key data.")
+ self._handle_key_loading_error(password)
evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
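Review bot: The new `self._handle_key_loading_error(password)` is the only statement in the `if evp_pkey == self._ffi.NULL:` branch, so if the helper ever returns instead of raising, control falls through to `self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)` with a NULL pointer; that the helper always raises is its contract, but nothing at the call site says so. I would record it here, `# _handle_key_loading_error always raises; nothing below runs for a NULL evp_pkey.`, so a later edit to the helper does not silently break this path. The enclosing method load_pkcs8_pem_private_key starts before this hunk and its body continues past it.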
@@ -861,6 +793,74 @@ class Backend(object):
return self._evp_pkey_to_private_key(evp_pkey)
+ def _handle_key_loading_error(self, password):
+ errors = self._consume_errors()
+ if not errors:
+ raise ValueError("Could not unserialize key data.")
+
+ if (
+ errors[0][1:] == (
+ self._lib.ERR_LIB_PEM,
+ self._lib.PEM_F_PEM_DO_HEADER,
+ self._lib.PEM_R_BAD_PASSWORD_READ
+ )
+ ) or (
+ errors[0][1:] == (
+ self._lib.ERR_LIB_PEM,
+ self._lib.PEM_F_PEM_READ_BIO_PRIVATEKEY,
+ self._lib.PEM_R_BAD_PASSWORD_READ
+ )
+ ):
+ assert not password
+ raise TypeError(
+ "Password was not given but private key is encrypted.")
+
+ elif errors[0][1:] == (
+ self._lib.ERR_LIB_EVP,
+ self._lib.EVP_F_EVP_DECRYPTFINAL_EX,
+ self._lib.EVP_R_BAD_DECRYPT
+ ):
+ raise ValueError("Bad decrypt. Incorrect password?")
+
+ elif errors[0][1:] in (
+ (
+ self._lib.ERR_LIB_PEM,
+ self._lib.PEM_F_PEM_GET_EVP_CIPHER_INFO,
+ self._lib.PEM_R_UNSUPPORTED_ENCRYPTION
+ ),
+
+ (
+ self._lib.ERR_LIB_EVP,
+ self._lib.EVP_F_EVP_PBE_CIPHERINIT,
+ self._lib.EVP_R_UNKNOWN_PBE_ALGORITHM
+ )
+ ):
+ raise UnsupportedAlgorithm(
+ "PEM data is encrypted with an unsupported cipher",
+ _Reasons.UNSUPPORTED_CIPHER
+ )
+
+ elif any(
+ error[1:] == (
+ self._lib.ERR_LIB_EVP,
+ self._lib.EVP_F_EVP_PKCS82PKEY,
+ self._lib.EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM
+ )
+ for error in errors
+ ):
+ raise UnsupportedAlgorithm(
+ "Unsupported public key algorithm.",
+ _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+ )
+
+ else:
+ assert errors[0][1] in (
+ self._lib.ERR_LIB_EVP,
+ self._lib.ERR_LIB_PEM,
+ self._lib.ERR_LIB_ASN1,
+ )
+ raise ValueError("Could not unserialize key data.")
+
def elliptic_curve_supported(self, curve):
if self._lib.Cryptography_HAS_EC != 1:
return False
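Review bot: `_handle_key_loading_error` uses `assert` for two conditions that depend on OpenSSL's error queue rather than on program invariants (`assert not password` in the BAD_PASSWORD_READ branch and the trailing `assert errors[0][1] in (...)`), and asserts are stripped under `python -O`; in that mode a BAD_PASSWORD_READ reported while a password was supplied would surface as the misleading `TypeError("Password was not given but private key is encrypted.")`, and an unrecognised error library would fall through to the generic ValueError without any check. Consider replacing both asserts with explicit `if` checks that raise `ValueError("Could not unserialize key data.")`, the message the fallback branch already uses. The helper also has no docstring; I would add one stating that it drains the backend's error queue via `_consume_errors`, maps the first entry to ValueError, TypeError or UnsupportedAlgorithm, and never returns normally. `UnsupportedAlgorithm` and `_Reasons` are defined outside this hunk.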
diff --git a/cryptography/hazmat/primitives/serialization.py b/cryptography/hazmat/primitives/serialization.py
index ed73c4c4..55b8640e 100644
--- a/cryptography/hazmat/primitives/serialization.py
+++ b/cryptography/hazmat/primitives/serialization.py
@@ -21,6 +21,4 @@ def load_pem_traditional_openssl_private_key(data, password, backend):
def load_pem_pkcs8_private_key(data, password, backend):
- return backend.load_pkcs8_pem_private_key(
- data, password
- )
+ return backend.load_pkcs8_pem_private_key(data, password)