disallow MD5 in CertificateBuilder and CertificateSigningRequestBuilder (#3738)

* disallow MD5 in CertificateBuilder and CertificateSigningRequestBuilder * only error on ECDSA and DSA lots of duplication in tests here, bleh * remove changelog entry, also handle this for CRLBuilder * pep8
author: Paul Kehrer <paul.l.kehrer@gmail.com> 2017-06-30 19:49:53 -0500
committer: Alex Gaynor <alex.gaynor@gmail.com> 2017-06-30 17:49:53 -0700
commit: 784e3bc30d7c08952a2b994c57fc98bcc3f805c5 (patch)
tree: a2a232e436999d0a1e152d5a5a1891fda77007fa /src
parent: 51f049ab3c6eaddd2afc5b089d54ac7b8244fa1e (diff)
download: cryptography-784e3bc30d7c08952a2b994c57fc98bcc3f805c5.tar.gz
cryptography-784e3bc30d7c08952a2b994c57fc98bcc3f805c5.tar.bz2
cryptography-784e3bc30d7c08952a2b994c57fc98bcc3f805c5.zip
1 files changed, 24 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 18238e1c..cf0300e0 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -662,6 +662,14 @@ class Backend(object):
         if not isinstance(algorithm, hashes.HashAlgorithm):
             raise TypeError('Algorithm must be a registered hash algorithm.')
 
+        if (
+            isinstance(algorithm, hashes.MD5) and not
+            isinstance(private_key, rsa.RSAPrivateKey)
+        ):
+            raise ValueError(
+                "MD5 is not a supported hash algorithm for EC/DSA CSRs"
+            )
+
         # Resolve the signature algorithm.
         evp_md = self._lib.EVP_get_digestbyname(
             algorithm.name.encode('ascii')
@@ -731,6 +739,14 @@ class Backend(object):
         if not isinstance(algorithm, hashes.HashAlgorithm):
             raise TypeError('Algorithm must be a registered hash algorithm.')
 
+        if (
+            isinstance(algorithm, hashes.MD5) and not
+            isinstance(private_key, rsa.RSAPrivateKey)
+        ):
+            raise ValueError(
+                "MD5 is not a supported hash algorithm for EC/DSA certificates"
+            )
+
         # Resolve the signature algorithm.
         evp_md = self._lib.EVP_get_digestbyname(
             algorithm.name.encode('ascii')
@@ -828,6 +844,14 @@ class Backend(object):
         if not isinstance(algorithm, hashes.HashAlgorithm):
             raise TypeError('Algorithm must be a registered hash algorithm.')
 
+        if (
+            isinstance(algorithm, hashes.MD5) and not
+            isinstance(private_key, rsa.RSAPrivateKey)
+        ):
+            raise ValueError(
+                "MD5 is not a supported hash algorithm for EC/DSA CRLs"
+            )
+
         evp_md = self._lib.EVP_get_digestbyname(
             algorithm.name.encode('ascii')
         )
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2017-06-30 19:49:53 -0500
committer	Alex Gaynor <alex.gaynor@gmail.com>	2017-06-30 17:49:53 -0700
commit	784e3bc30d7c08952a2b994c57fc98bcc3f805c5 (patch)
tree	a2a232e436999d0a1e152d5a5a1891fda77007fa /src
parent	51f049ab3c6eaddd2afc5b089d54ac7b8244fa1e (diff)
download	cryptography-784e3bc30d7c08952a2b994c57fc98bcc3f805c5.tar.gz cryptography-784e3bc30d7c08952a2b994c57fc98bcc3f805c5.tar.bz2 cryptography-784e3bc30d7c08952a2b994c57fc98bcc3f805c5.zip