x509 tests for boring (#6590)

.github/workflows/ci.yml

@@ -42,7 +42,7 @@ jobs:
           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.4.1"}}
           - {VERSION: "3.10", TOXENV: "py310"}
           # Latest commit on the main-with-bazel branch, as of November 8, 2021
-          - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--ignore=tests/hazmat/bindings/test_openssl.py --ignore=tests/hazmat/primitives/test_pkcs7.py --ignore=tests/x509/", OPENSSL: {TYPE: "boringssl", VERSION: "4fb158925f7753d80fb858cb0239dff893ef9f15"}}
+          - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--ignore=tests/hazmat/bindings/test_openssl.py --ignore=tests/hazmat/primitives/test_pkcs7.py", OPENSSL: {TYPE: "boringssl", VERSION: "4fb158925f7753d80fb858cb0239dff893ef9f15"}}
         RUST:
           - stable
     name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.TOXARGS }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}"

src/cryptography/hazmat/backends/openssl/backend.py

@@ -1128,8 +1128,9 @@ def _handle_key_loading_error(self):
             errors = binding._errors_with_text(errors)
             raise ValueError(
                 "Could not deserialize key data. The data may be in an "
-                "incorrect format or it may be encrypted with an unsupported "
-                "algorithm.",
+                "incorrect format, it may be encrypted with an unsupported "
+                "algorithm, or it may be an unsupported key type (e.g. EC "
+                "curves with explicit parameters).",
                 errors,
             )
 

src/cryptography/hazmat/backends/openssl/ec.py

@@ -41,8 +41,8 @@ def _ec_key_curve_sn(backend, ec_key):
     # The following check is to find EC keys with unnamed curves and raise
     # an error for now.
     if nid == backend._lib.NID_undef:
-        raise NotImplementedError(
-            "ECDSA keys with unnamed curves are unsupported at this time"
+        raise ValueError(
+            "ECDSA keys with explicit parameters are unsupported at this time"
         )
 
     # This is like the above check, but it also catches the case where you
@@ -52,8 +52,8 @@ def _ec_key_curve_sn(backend, ec_key):
         not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
         and backend._lib.EC_GROUP_get_asn1_flag(group) == 0
     ):
-        raise NotImplementedError(
-            "ECDSA keys with unnamed curves are unsupported at this time"
+        raise ValueError(
+            "ECDSA keys with explicit parameters are unsupported at this time"
         )
 
     curve_name = backend._lib.OBJ_nid2sn(nid)

tests/wycheproof/test_ecdh.py

@@ -65,9 +65,6 @@ def test_ecdh(backend, wycheproof):
             binascii.unhexlify(wycheproof.testcase["public"]), backend
         )
         assert isinstance(public_key, ec.EllipticCurvePublicKey)
-    except NotImplementedError:
-        assert wycheproof.has_flag("UnnamedCurve")
-        return
     except ValueError:
         assert wycheproof.invalid or wycheproof.acceptable
         return

tests/x509/test_x509.py

@@ -4603,7 +4603,10 @@ def test_load_ecdsa_no_named_curve(self, backend):
             x509.load_pem_x509_certificate,
             backend,
         )
-        with pytest.raises(NotImplementedError):
+        # This test can trigger three different value errors depending
+        # on OpenSSL/BoringSSL and versions. Match on the text to ensure
+        # we are getting the right error.
+        with pytest.raises(ValueError, match="explicit parameters"):
             cert.public_key()
 
 
@@ -5194,6 +5197,10 @@ def test_load_pem_cert(self, backend):
         assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448
 
 
+@pytest.mark.supported(
+    only_if=lambda backend: backend.dh_supported(),
+    skip_message="DH not supported",
+)
 class TestSignatureRejection(object):
     """Test if signing rejects DH keys properly."""