From 4f23d146452b299940690b4491c1dfabc3c5cdc8 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Mon, 25 Apr 2022 17:49:00 -0500
Subject: [PATCH] improvements, bionic will still fail
---
 src/_cffi_src/openssl/evp.py | 4 ++--
 src/cryptography/hazmat/backends/openssl/backend.py | 1 +
 tests/hazmat/primitives/test_rsa.py | 8 ++++++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
index a9fc9897550f..f4d9fb953cd5 100644
--- a/src/_cffi_src/openssl/evp.py
+++ b/src/_cffi_src/openssl/evp.py
@@ -295,8 +295,8 @@ static const long Cryptography_HAS_EVP_PKEY_DH = 1;
 #endif
-// OpenSSL 1.1.0 doesn't define this value. But its presence isn't
-// unsafe so we don't need to remove it if unsupported.
+// This can be removed when we drop OpenSSL 1.1.0 support
+// OPENSSL_LESS_THAN_111
 #if !defined(EVP_PKEY_RSA_PSS)
 #define EVP_PKEY_RSA_PSS 912
 #endif
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 35a6edd6577a..eabaaf823519 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -648,6 +648,7 @@ def _evp_pkey_to_private_key(self, evp_pkey) -> PRIVATE_KEY_TYPES:
 key_type == self._lib.EVP_PKEY_RSA_PSS
 and not self._lib.CRYPTOGRAPHY_IS_LIBRESSL
 and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL
+ and not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
 ):
 # At the moment the way we handle RSA PSS keys is to strip the
 # PSS constraints from them and treat them as normal RSA keys
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
index f6df9f6aaa05..ab480763ed1d 100644
--- a/tests/hazmat/primitives/test_rsa.py
+++ b/tests/hazmat/primitives/test_rsa.py
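Review bot: The replacement comment above `#define EVP_PKEY_RSA_PSS 912` records when the fallback can be deleted but drops what it is: a hand-written value for a constant that, per the removed comment, OpenSSL 1.1.0 does not define. Because backend.py in this same patch now has to refuse RSA-PSS keys on that version, the comment should keep that link, for example `// OpenSSL 1.1.0 does not define EVP_PKEY_RSA_PSS; having the constant here does not mean the library supports it.` The surrounding block starts before the hunk, so anything already said above it is not visible here.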
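Review bot: The RSA-PSS capability check in `_evp_pkey_to_private_key` is now a three-flag conjunction, and the two `only_if` lambdas in tests/hazmat/primitives/test_rsa.py repeat it by hand, once negated. The next backend exclusion therefore has to be made in three places, and a missed one would let a test run against a code path the backend no longer takes. A single backend predicate used by both the branch and the test decorators would keep them in step. The added line would also benefit from a why-comment such as `# OpenSSL < 1.1.1: EVP_PKEY_RSA_PSS is only our fallback define, not real support`. The branch that excluded keys fall through to is outside the hunk, so the exception a caller gets on OpenSSL 1.1.0 cannot be confirmed from here.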
@@ -261,6 +261,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example):
 only_if=lambda backend: (
 not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
 and not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
+ and not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
 ),
 skip_message="Does not support RSA PSS loading",
 )
@@ -295,11 +296,14 @@ def test_load_pss_keys_strips_constraints(self, path, backend):
 only_if=lambda backend: (
 backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
 or backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
+ or backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
 ),
- skip_message="Test requires LibreSSL or BoringSSL",
+ skip_message="Test requires a backend without RSA-PSS key support",
 )
 def test_load_pss_unsupported(self, backend):
- with pytest.raises(UnsupportedAlgorithm):
+ # Key loading errors unfortunately have multiple paths so
+ # we need to allow ValueError and UnsupportedAlgorithm
+ with pytest.raises((UnsupportedAlgorithm, ValueError)):
 load_vectors_from_file(
 filename=os.path.join(
 "asymmetric", "PKCS8", "rsa_pss_2048.pem"
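Review bot: Accepting `ValueError` in `pytest.raises((UnsupportedAlgorithm, ValueError))` lets `test_load_pss_unsupported` pass on any load failure, including a damaged or mis-parsed vector. The test then no longer shows that the key was refused because it is RSA-PSS. If, as the commit suggests, the `ValueError` path belongs to OpenSSL older than 1.1.1, the expectation could be chosen per backend, e.g. `expected = ValueError if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 else UnsupportedAlgorithm`, then `with pytest.raises(expected):`. Which backend raises which is not visible in the hunk and needs confirming. Callers on that version also cannot tell an unsupported key type from a corrupt key, so normalising the exception in the backend may be the better fix. The test body continues past the end of the hunk.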