3 files changed, 29 insertions, 8 deletions

diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index a5f21787..c6bcbaaa 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -357,14 +357,7 @@ class Backend(object):
             return bn_ptr[0]
 
     def generate_rsa_private_key(self, public_exponent, key_size):
-        if public_exponent < 3:
-            raise ValueError("public_exponent must be >= 3.")
-
-        if public_exponent & 1 == 0:
-            raise ValueError("public_exponent must be odd.")
-
-        if key_size < 512:
-            raise ValueError("key_size must be at least 512-bits.")
+        rsa._verify_rsa_parameters(public_exponent, key_size)
 
         ctx = self._lib.RSA_new()
         assert ctx != self._ffi.NULL
diff --git a/cryptography/hazmat/primitives/asymmetric/rsa.py b/cryptography/hazmat/primitives/asymmetric/rsa.py
index a9f57838..9e11c58a 100644
--- a/cryptography/hazmat/primitives/asymmetric/rsa.py
+++ b/cryptography/hazmat/primitives/asymmetric/rsa.py
@@ -21,6 +21,17 @@ from cryptography.hazmat.backends.interfaces import RSABackend
 from cryptography.hazmat.primitives import interfaces
 
 
+def _verify_rsa_parameters(public_exponent, key_size):
+    if public_exponent < 3:
+        raise ValueError("public_exponent must be >= 3.")
+
+    if public_exponent & 1 == 0:
+        raise ValueError("public_exponent must be odd.")
+
+    if key_size < 512:
+        raise ValueError("key_size must be at least 512-bits.")
+
+
 @utils.register_interface(interfaces.RSAPublicKey)
 class RSAPublicKey(object):
     def __init__(self, public_exponent, modulus):
@@ -187,6 +198,7 @@ class RSAPrivateKey(object):
                 _Reasons.BACKEND_MISSING_INTERFACE
             )
 
+        _verify_rsa_parameters(public_exponent, key_size)
         return backend.generate_rsa_private_key(public_exponent, key_size)
 
     def signer(self, padding, algorithm, backend):
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 0ccf7286..bfcdf14a 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -277,6 +277,22 @@ class TestOpenSSLRSA(object):
         assert backend.generate_rsa_parameters_supported(3, 1024) is True
         assert backend.generate_rsa_parameters_supported(3, 511) is False
 
+    def test_generate_bad_public_exponent(self):
+        with pytest.raises(ValueError):
+            backend.generate_rsa_private_key(public_exponent=1, key_size=2048)
+
+        with pytest.raises(ValueError):
+            backend.generate_rsa_private_key(public_exponent=4, key_size=2048)
+
+    def test_cant_generate_insecure_tiny_key(self):
+        with pytest.raises(ValueError):
+            backend.generate_rsa_private_key(public_exponent=65537,
+                                             key_size=511)
+
+        with pytest.raises(ValueError):
+            backend.generate_rsa_private_key(public_exponent=65537,
+                                             key_size=256)
+
     @pytest.mark.skipif(
         backend._lib.OPENSSL_VERSION_NUMBER >= 0x1000100f,
         reason="Requires an older OpenSSL. Must be < 1.0.1"