Simplify emitting errors on key parsing (#10417)

pyca · Feb 19, 2024 · a20d495 · a20d495
1 parent 9f9c5ea
commit a20d495
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 60 deletions.
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -299,52 +299,6 @@ def _key2ossl(self, key: PKCS12PrivateKeyTypes) -> typing.Any:
         self.openssl_assert(evp_pkey != self._ffi.NULL)
         return self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
 
-    def _handle_key_loading_error(
-        self, errors: list[rust_openssl.OpenSSLError]
-    ) -> typing.NoReturn:
-        if not errors:
-            raise ValueError(
-                "Could not deserialize key data. The data may be in an "
-                "incorrect format or it may be encrypted with an unsupported "
-                "algorithm."
-            )
-
-        elif (
-            errors[0]._lib_reason_match(
-                self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT
-            )
-            or errors[0]._lib_reason_match(
-                self._lib.ERR_LIB_PKCS12,
-                self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
-            )
-            or (
-                self._lib.Cryptography_HAS_PROVIDERS
-                and errors[0]._lib_reason_match(
-                    self._lib.ERR_LIB_PROV,
-                    self._lib.PROV_R_BAD_DECRYPT,
-                )
-            )
-        ):
-            raise ValueError("Bad decrypt. Incorrect password?")
-
-        elif any(
-            error._lib_reason_match(
-                self._lib.ERR_LIB_EVP,
-                self._lib.EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM,
-            )
-            for error in errors
-        ):
-            raise ValueError("Unsupported public key algorithm.")
-
-        else:
-            raise ValueError(
-                "Could not deserialize key data. The data may be in an "
-                "incorrect format, it may be encrypted with an unsupported "
-                "algorithm, or it may be an unsupported key type (e.g. EC "
-                "curves with explicit parameters).",
-                errors,
-            )
-
     def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool:
         if self._fips_enabled and not isinstance(
             curve, self._fips_ecdh_curves

diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi
@@ -65,4 +65,3 @@ class OpenSSLError:
     def reason(self) -> int: ...
     @property
     def reason_text(self) -> bytes: ...
-    def _lib_reason_match(self, lib: int, reason: int) -> bool: ...
diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs
@@ -5,6 +5,7 @@
 use crate::backend::hashes::Hash;
 use crate::error::{CryptographyError, CryptographyResult};
 use crate::{error, types};
+use pyo3::ToPyObject;
 
 pub(crate) fn py_int_to_bn(
     py: pyo3::Python<'_>,
@@ -431,10 +432,10 @@ pub(crate) fn handle_key_load_result<T>(
         (Err(e), _, _) => {
             let errors = error::list_from_openssl_error(py, e);
             Err(CryptographyError::from(
-                types::BACKEND_HANDLE_KEY_LOADING_ERROR
-                    .get(py)?
-                    .call1((errors,))
-                    .unwrap_err(),
+                pyo3::exceptions::PyValueError::new_err((
+                    "Could not deserialize key data. The data may be in an incorrect format, the provided password may be incorrect, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).",
+                    errors.to_object(py),
+                ))
             ))
         }
     }

diff --git a/src/rust/src/error.rs b/src/rust/src/error.rs
@@ -174,10 +174,6 @@ impl OpenSSLError {
         self.e.reason().unwrap_or("").as_bytes()
     }
 
-    fn _lib_reason_match(&self, lib: i32, reason: i32) -> bool {
-        self.e.library_code() == lib && self.e.reason_code() == reason
-    }
-
     fn __repr__(&self) -> pyo3::PyResult<String> {
         Ok(format!(
             "<OpenSSLError(code={}, lib={}, reason={}, reason_text={})>",

diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs
@@ -380,11 +380,6 @@ pub static CALCULATE_MAX_PSS_SALT_LENGTH: LazyPyImport = LazyPyImport::new(
     &["calculate_max_pss_salt_length"],
 );
 
-pub static BACKEND_HANDLE_KEY_LOADING_ERROR: LazyPyImport = LazyPyImport::new(
-    "cryptography.hazmat.backends.openssl.backend",
-    &["backend", "_handle_key_loading_error"],
-);
-
 pub static RSA_PRIVATE_KEY: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.primitives.asymmetric.rsa",
     &["RSAPrivateKey"],