improvements, bionic will still fail

pyca · Apr 25, 2022 · 2f8c78d · 2f8c78d
1 parent b07b6b0
commit 2f8c78d
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
@@ -295,8 +295,8 @@
 static const long Cryptography_HAS_EVP_PKEY_DH = 1;
 #endif
 
-// OpenSSL 1.1.0 doesn't define this value. But its presence isn't
-// unsafe so we don't need to remove it if unsupported.
+// This can be removed when we drop OpenSSL 1.1.0 support
+// OPENSSL_LESS_THAN_111
 #if !defined(EVP_PKEY_RSA_PSS)
 #define EVP_PKEY_RSA_PSS 912
 #endif

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -648,6 +648,7 @@ def _evp_pkey_to_private_key(self, evp_pkey) -> PRIVATE_KEY_TYPES:
             key_type == self._lib.EVP_PKEY_RSA_PSS
             and not self._lib.CRYPTOGRAPHY_IS_LIBRESSL
             and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL
+            and not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
         ):
             # At the moment the way we handle RSA PSS keys is to strip the
             # PSS constraints from them and treat them as normal RSA keys

diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
@@ -261,6 +261,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example):
         only_if=lambda backend: (
             not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
             and not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
+            and not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
         ),
         skip_message="Does not support RSA PSS loading",
     )
@@ -289,17 +290,21 @@ def test_load_pss_keys_strips_constraints(self, path, backend):
         # These keys have constraints that prohibit PKCS1v15 signing,
         # but for now we load them without the constraint and test that
         # it's truly removed by performing a disallowed signature.
+        assert isinstance(key, rsa.RSAPrivateKey)
         key.sign(b"whatever", padding.PKCS1v15(), hashes.SHA224())
 
     @pytest.mark.supported(
         only_if=lambda backend: (
             backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
             or backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
+            or backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
         ),
-        skip_message="Test requires LibreSSL or BoringSSL",
+        skip_message="Test requires a backend without RSA-PSS key support",
     )
     def test_load_pss_unsupported(self, backend):
-        with pytest.raises(UnsupportedAlgorithm):
+        # Key loading errors unfortunately have multiple paths so
+        # we need to allow ValueError and UnsupportedAlgorithm
+        with pytest.raises((UnsupportedAlgorithm, ValueError)):
             load_vectors_from_file(
                 filename=os.path.join(
                     "asymmetric", "PKCS8", "rsa_pss_2048.pem"