-rw-r--r--src/_cffi_src/openssl/err.py1
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py11
-rw-r--r--tests/test_x509.py13
3 files changed, 24 insertions, 1 deletions
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index eebf19ba..73ce4e3c 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -230,6 +230,7 @@ static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
static const int RSA_R_PKCS_DECODING_ERROR;
+static const int RSA_F_RSA_SIGN;
"""
FUNCTIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 2d2ecc81..dd89623e 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1055,7 +1055,16 @@ class Backend(object):
res = self._lib.X509_REQ_sign(
x509_req, private_key._evp_pkey, evp_md
)
- assert res > 0
+ if res == 0:
+ errors = self._consume_errors()
+ assert errors[0][1:] in (
+ (
+ self._lib.ERR_LIB_RSA,
+ self._lib.RSA_F_RSA_SIGN,
+ self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
+ ),
+ )
+ raise ValueError("Digest too big for RSA key")
return _CertificateSigningRequest(self, x509_req)
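Review bot: The `assert errors[0][1:] in (...)` inside the new `if res == 0:` branch is used to classify the OpenSSL error, which an assert cannot do reliably. Under `python -O` the assert is stripped, so every `X509_REQ_sign` failure is reported as "Digest too big for RSA key"; with asserts enabled, any other failure surfaces as a bare AssertionError, or an IndexError if the consumed error list is empty. An explicit comparison with a separate fall-through error, as sketched below, keeps an unrelated signing failure from being mislabelled as a key-size problem. Separately, the removed check was `assert res > 0` while the new one tests only `res == 0`, so a negative return (if `X509_REQ_sign` can produce one) would now reach the `return`; `if res <= 0:` keeps the earlier strictness. The enclosing method starts outside the hunk.

```python
if res <= 0:
    errors = self._consume_errors()
    digest_too_big = (
        self._lib.ERR_LIB_RSA,
        self._lib.RSA_F_RSA_SIGN,
        self._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY,
    )
    if errors and errors[0][1:] == digest_too_big:
        raise ValueError("Digest too big for RSA key")
    # Any other failure must not be reported as a key-size problem.
    raise RuntimeError(
        "X509_REQ_sign failed: {0!r}".format(errors)
    )
# … unchanged: return _CertificateSigningRequest(self, x509_req) …
```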
diff --git a/tests/test_x509.py b/tests/test_x509.py
index cacf3c88..38432271 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1206,6 +1206,19 @@ class TestCertificateSigningRequestBuilder(object):
x509.OID_CODE_SIGNING,
])
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ def test_rsa_key_too_small(self, backend):
+ private_key = rsa.generate_private_key(65537, 512, backend)
+ builder = x509.CertificateSigningRequestBuilder()
+ builder = builder.subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ )
+
+ with pytest.raises(ValueError) as exc:
+ builder.sign(private_key, hashes.SHA512(), backend)
+
+ assert exc.value.message == "Digest too big for RSA key"
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)