-rw-r--r-- | cryptography/fernet.py | 2 | ||||
-rw-r--r-- | cryptography/hazmat/backends/openssl/backend.py | 5 | ||||
-rw-r--r-- | tests/hazmat/primitives/test_ec.py | 22 | ||||
-rw-r--r-- | tests/test_fernet.py | 72 |
4 files changed, 46 insertions, 55 deletions
diff --git a/cryptography/fernet.py b/cryptography/fernet.py
index cdb9bdca..a8e0330e 100644
--- a/cryptography/fernet.py
+++ b/cryptography/fernet.py
@@ -90,7 +90,7 @@ class Fernet(object):
 except (TypeError, binascii.Error):
 raise InvalidToken
- if six.indexbytes(data, 0) != 0x80:
+ if not data or six.indexbytes(data, 0) != 0x80:
 raise InvalidToken
 try:
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 567f1648..bb1a3f3d 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -984,6 +984,11 @@ class Backend(object):
 values.
 """
+ if x < 0 or y < 0:
+ raise ValueError(
+ "Invalid EC key. Both x and y must be non-negative."
+ )
+
 bn_x = self._int_to_bn(x)
 bn_y = self._int_to_bn(y)
diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
index 887520de..1b3bb9b3 100644
--- a/tests/hazmat/primitives/test_ec.py
+++ b/tests/hazmat/primitives/test_ec.py
@@ -274,6 +274,28 @@ class TestECDSAVectors(object):
 with pytest.raises(ValueError):
 numbers.private_key(backend)
+ numbers = ec.EllipticCurvePrivateNumbers(
+ 357646505660320080863666618182642070958081774038609089496899025506,
+ ec.EllipticCurvePublicNumbers(
+ -4725080841032702313157360200834589492768638177232556118553296,
+ 1120253292479243545483756778742719537373113335231773536789915,
+ ec.SECP256R1(),
+ )
+ )
+ with pytest.raises(ValueError):
+ numbers.private_key(backend)
+
+ numbers = ec.EllipticCurvePrivateNumbers(
+ 357646505660320080863666618182642070958081774038609089496899025506,
+ ec.EllipticCurvePublicNumbers(
+ 47250808410327023131573602008345894927686381772325561185532964,
+ -1120253292479243545483756778742719537373113335231773536789915,
+ ec.SECP256R1(),
+ )
+ )
+ with pytest.raises(ValueError):
+ numbers.private_key(backend)
+
 @pytest.mark.parametrize(
 "vector",
 load_vectors_from_file(
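Review bot: In cryptography/fernet.py the new `not data` guard carries no comment saying when the decoded token can be empty, so a later cleanup could mistake it for redundant. Without it, `six.indexbytes(data, 0)` on empty bytes raises IndexError rather than InvalidToken, so callers that only catch InvalidToken would see an unexpected exception type for attacker-supplied input. I would add `# A token that decodes to b"" must fail as InvalidToken, not IndexError` above the check. The rest of the decrypt path is outside this hunk, so whether other short inputs are mapped to InvalidToken the same way cannot be confirmed from here.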
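Review bot: In cryptography/hazmat/backends/openssl/backend.py the added check rejects negative `x` and `y` but sets no upper bound, and nothing in the hunk shows that the point is checked against the curve. The function starts and ends outside the hunk, so that validation may already happen after the two `_int_to_bn` calls; if it does not, out-of-range coordinates would still be converted and used. The visible tail of the docstring could also record the new behaviour, for example `Raises ValueError if either coordinate is negative.` A one-line comment such as `# Reject negative values before conversion to BIGNUM` above the check would explain why it sits ahead of `_int_to_bn`.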
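Review bot: In tests/hazmat/primitives/test_ec.py the two added cases only assert that some ValueError is raised, so they may pass without the new sign check in backend.py. The coordinates are far shorter than a 256-bit value and the negative `x` is not simply the negation of the positive one used in the second case, so these look like an arbitrary point that is presumably rejected for SECP256R1 anyway. To pin the new guard, capture the exception and check its message: `with pytest.raises(ValueError) as exc_info:` followed by `assert "non-negative" in str(exc_info.value)`. Alternatively, negate the coordinates of a known-valid key. The enclosing test method starts outside the hunk.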
diff --git a/tests/test_fernet.py b/tests/test_fernet.py
index 34760e3c..0b4e3e87 100644
--- a/tests/test_fernet.py
+++ b/tests/test_fernet.py
@@ -41,14 +41,19 @@ def json_parametrize(keys, filename):
 ])
+def test_default_backend():
+ f = Fernet(Fernet.generate_key())
+ assert f._backend is default_backend()
+
+
 @pytest.mark.cipher
+@pytest.mark.supported(
+ only_if=lambda backend: backend.cipher_supported(
+ algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
+ ),
+ skip_message="Does not support AES CBC",
+)
 class TestFernet(object):
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
- ),
- skip_message="Does not support AES CBC",
- )
 @json_parametrize(
 ("secret", "now", "iv", "src", "token"), "generate.json",
 )
@@ -61,12 +66,6 @@ class TestFernet(object):
 )
 assert actual_token == token.encode("ascii")
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
- ),
- skip_message="Does not support AES CBC",
- )
 @json_parametrize(
 ("secret", "now", "src", "ttl_sec", "token"), "verify.json",
 )
@@ -78,12 +77,6 @@ class TestFernet(object):
 payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
 assert payload == src.encode("ascii")
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
- ),
- skip_message="Does not support AES CBC",
- )
 @json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
 def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
 f = Fernet(secret.encode("ascii"), backend=backend)
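Review bot: The class-level `only_if` probe in the first hunk of tests/test_fernet.py builds the AES key and CBC IV from text literals (`"\x00" * 32`, `"\x00" * 16`), while the tests in this file pass bytes (`b"\x00" * 32`). This decorator now gates every test in TestFernet, so I would write it as `algorithms.AES(b"\x00" * 32), modes.CBC(b"\x00" * 16)` so the support check receives bytes on Python 3 too. The new module-level `test_default_backend` sits outside the class and so no longer carries the cipher marks; a short comment that this is intentional would help.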
@@ -92,34 +85,21 @@ class TestFernet(object):
 with pytest.raises(InvalidToken):
 f.decrypt(token.encode("ascii"), ttl=ttl_sec)
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
- ),
- skip_message="Does not support AES CBC",
- )
 def test_invalid_start_byte(self, backend):
- f = Fernet(Fernet.generate_key(), backend=backend)
+ f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
 with pytest.raises(InvalidToken):
 f.decrypt(base64.urlsafe_b64encode(b"\x81"))
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
- ),
- skip_message="Does not support AES CBC",
- )
 def test_timestamp_too_short(self, backend):
- f = Fernet(Fernet.generate_key(), backend=backend)
+ f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
 with pytest.raises(InvalidToken):
 f.decrypt(base64.urlsafe_b64encode(b"\x80abc"))
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
- ),
- skip_message="Does not support AES CBC",
- )
+ def test_non_base64_token(self, backend):
+ f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
+ with pytest.raises(InvalidToken):
+ f.decrypt(b"\x00")
+
 def test_unicode(self, backend):
 f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
 with pytest.raises(TypeError):
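Review bot: `test_non_base64_token` is the only test here that reaches the new `not data` guard in fernet.py, but its name and input do not say so. As far as I can tell, `b"\x00"` is silently dropped by the lenient base64 decoder and the token decodes to empty bytes, so this is really the empty-payload case. I would add a docstring stating that, plus an explicit empty-token case alongside it: `with pytest.raises(InvalidToken):` then `f.decrypt(b"")`. That would keep the regression covered if the decoder ever becomes strict about non-alphabet bytes.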
@@ -127,27 +107,11 @@ class TestFernet(object):
 with pytest.raises(TypeError):
 f.decrypt(six.u(""))
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
- ),
- skip_message="Does not support AES CBC",
- )
 @pytest.mark.parametrize("message", [b"", b"Abc!", b"\x00\xFF\x00\x80"])
 def test_roundtrips(self, message, backend):
 f = Fernet(Fernet.generate_key(), backend=backend)
 assert f.decrypt(f.encrypt(message)) == message
- def test_default_backend(self):
- f = Fernet(Fernet.generate_key())
- assert f._backend is default_backend()
-
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16)
- ),
- skip_message="Does not support AES CBC",
- )
 def test_bad_key(self, backend):
 with pytest.raises(ValueError):
 Fernet(base64.urlsafe_b64encode(b"abc"), backend=backend)
|