authorAlex Stapleton <alexs@prol.etari.at>2014-05-27 12:33:30 +0100
committerAlex Stapleton <alexs@prol.etari.at>2014-05-27 12:33:30 +0100
commitfd3572923816d3bf89b5a57671ce21ee9959f222 (patch)
treeea22588cb5eed062c9868888d80344613af4732c
parent0323a0e474b3606b0d2f68f0cb24bc69be35eeb4 (diff)
parent1b760f1fed81f90506f776b70d2a0eb129ff27b7 (diff)
Merge pull request #1080 from reaperhulk/generate-rsa-parameters
add generate_rsa_parameters_supported to RSABackend
-rw-r--r--cryptography/hazmat/backends/interfaces.py7
-rw-r--r--cryptography/hazmat/backends/multibackend.py8
-rw-r--r--cryptography/hazmat/backends/openssl/backend.py4
-rw-r--r--docs/hazmat/backends/interfaces.rst9
-rw-r--r--tests/hazmat/backends/test_multibackend.py10
-rw-r--r--tests/hazmat/backends/test_openssl.py6
-rw-r--r--tests/hazmat/primitives/test_rsa.py2
7 files changed, 45 insertions, 1 deletions
diff --git a/cryptography/hazmat/backends/interfaces.py b/cryptography/hazmat/backends/interfaces.py
index 11b13788..97a7a4fd 100644
--- a/cryptography/hazmat/backends/interfaces.py
+++ b/cryptography/hazmat/backends/interfaces.py
@@ -135,6 +135,13 @@ class RSABackend(object):
Returns True if the backend supports the given padding options.
"""
+ @abc.abstractmethod
+ def generate_rsa_parameters_supported(self, public_exponent, key_size):
+ """
+ Returns True if the backend supports the given parameters for key
+ generation.
+ """
+
@six.add_metaclass(abc.ABCMeta)
class DSABackend(object):
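Review bot: The docstring on the new abstract `generate_rsa_parameters_supported` in RSABackend leaves the contract open. It does not say that `public_exponent` and `key_size` are integers, that `key_size` is the modulus length in bits, or that unsupported values should yield `False` rather than an exception. Every backend has to implement this method, so I would spell it out, for example `Returns True if the backend can generate an RSA key with the given integer public_exponent and key_size (modulus length in bits), otherwise False.` The RSABackend class body begins outside this hunk.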
diff --git a/cryptography/hazmat/backends/multibackend.py b/cryptography/hazmat/backends/multibackend.py
index 21630ba8..b4cb6889 100644
--- a/cryptography/hazmat/backends/multibackend.py
+++ b/cryptography/hazmat/backends/multibackend.py
@@ -132,6 +132,14 @@ class MultiBackend(object):
raise UnsupportedAlgorithm("RSA is not supported by the backend.",
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
+ def generate_rsa_parameters_supported(self, public_exponent, key_size):
+ for b in self._filtered_backends(RSABackend):
+ return b.generate_rsa_parameters_supported(
+ public_exponent, key_size
+ )
+ raise UnsupportedAlgorithm("RSA is not supported by the backend.",
+ _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM)
+
def create_rsa_signature_ctx(self, private_key, padding, algorithm):
for b in self._filtered_backends(RSABackend):
return b.create_rsa_signature_ctx(private_key, padding, algorithm)
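Review bot: `generate_rsa_parameters_supported` in MultiBackend returns the first RSA backend's answer, so a `False` from that backend is final even if a later registered backend would accept the same parameters. With no RSA backend registered it raises `UnsupportedAlgorithm` instead of returning `False`. The tests in this commit pin the raising behaviour, so it looks intended, but a caller using this as a boolean guard before key generation needs to know both facts. A short comment above the loop would do: `# Only the first RSABackend is asked; raises UnsupportedAlgorithm if none is registered.` The MultiBackend class starts and ends outside the hunk.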
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index e5d6eaa1..8d76160d 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -378,6 +378,10 @@ class Backend(object):
return self._rsa_cdata_to_private_key(ctx)
+ def generate_rsa_parameters_supported(self, public_exponent, key_size):
+ return (public_exponent >= 3 and public_exponent & 1 != 0 and
+ key_size >= 512)
+
def _new_evp_pkey(self):
evp_pkey = self._lib.EVP_PKEY_new()
assert evp_pkey != self._ffi.NULL
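Review bot: The `key_size >= 512` and `public_exponent >= 3` bounds in `generate_rsa_parameters_supported` describe what this backend will accept, not what is safe to deploy; 512-bit RSA moduli have been publicly factored. A reader may take `True` as an endorsement, so I would add a comment such as `# Capability check only: these bounds are what the backend accepts, not a recommended minimum key size or exponent.` Separately, `public_exponent & 1 != 0` is correct in Python because `&` binds tighter than `!=`, but `(public_exponent & 1) != 0` reads unambiguously for anyone used to C precedence. Whether key generation itself consults this check is not visible in the hunk.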
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index e98b9a59..78a35cd9 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -274,6 +274,15 @@ A specific ``backend`` may provide one or more of these interfaces.
:returns: ``True`` if the specified ``padding`` is supported by this
backend, otherwise ``False``.
+ .. method:: generate_rsa_parameters_supported(public_exponent, key_size)
+
+ Check if the specified parameters are supported for key generation by
+ the backend.
+
+ :param int public_exponent: The public exponent.
+
+ :param int key_size: The bit length of the generated modulus.
+
.. method:: decrypt_rsa(private_key, ciphertext, padding)
:param private_key: An instance of an
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index 63d7dd23..3fa364e2 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -104,6 +104,9 @@ class DummyRSABackend(object):
def rsa_padding_supported(self, padding):
pass
+ def generate_rsa_parameters_supported(self, public_exponent, key_size):
+ pass
+
def decrypt_rsa(self, private_key, ciphertext, padding):
pass
@@ -227,6 +230,8 @@ class TestMultiBackend(object):
backend.rsa_padding_supported(padding.PKCS1v15())
+ backend.generate_rsa_parameters_supported(65537, 1024)
+
backend.encrypt_rsa("public_key", "encryptme", padding.PKCS1v15())
backend.decrypt_rsa("private_key", "encrypted", padding.PKCS1v15())
@@ -262,6 +267,11 @@ class TestMultiBackend(object):
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
+ backend.generate_rsa_parameters_supported(65537, 1024)
+
+ with raises_unsupported_algorithm(
+ _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
+ ):
backend.encrypt_rsa("public_key", "encryptme", padding.PKCS1v15())
with raises_unsupported_algorithm(
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index f9896233..0ccf7286 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -271,6 +271,12 @@ class TestOpenSSLRandomEngine(object):
class TestOpenSSLRSA(object):
+ def test_generate_rsa_parameters_supported(self):
+ assert backend.generate_rsa_parameters_supported(1, 1024) is False
+ assert backend.generate_rsa_parameters_supported(4, 1024) is False
+ assert backend.generate_rsa_parameters_supported(3, 1024) is True
+ assert backend.generate_rsa_parameters_supported(3, 511) is False
+
@pytest.mark.skipif(
backend._lib.OPENSSL_VERSION_NUMBER >= 0x1000100f,
reason="Requires an older OpenSSL. Must be < 1.0.1"
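Review bot: `test_generate_rsa_parameters_supported` checks `key_size` 511 and 1024 but never the boundary value 512, so a regression to `key_size > 512` in the backend would still pass. Adding `assert backend.generate_rsa_parameters_supported(3, 512) is True` pins the lower bound exactly. A case for a common exponent, `assert backend.generate_rsa_parameters_supported(65537, 2048) is True`, would also confirm that realistic parameters are accepted rather than only the minimal ones.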
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
index fcb72e00..ea72f916 100644
--- a/tests/hazmat/primitives/test_rsa.py
+++ b/tests/hazmat/primitives/test_rsa.py
@@ -99,7 +99,7 @@ class TestRSA(object):
assert skey.key_size == key_size
assert skey.public_exponent == public_exponent
- def test_generate_bad_rsa_key(self, backend):
+ def test_generate_bad_public_exponent(self, backend):
with pytest.raises(ValueError):
rsa.RSAPrivateKey.generate(public_exponent=1,
key_size=2048,