diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fd06014c4caf..61ac2fa62714 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,7 +42,7 @@ jobs: - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.4.1"}} - {VERSION: "3.10", TOXENV: "py310"} # Latest commit on the main-with-bazel branch, as of November 8, 2021 - - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--ignore=tests/hazmat/bindings/test_openssl.py --ignore=tests/hazmat/primitives/test_pkcs7.py --ignore=tests/x509/", OPENSSL: {TYPE: "boringssl", VERSION: "4fb158925f7753d80fb858cb0239dff893ef9f15"}} + - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--ignore=tests/hazmat/bindings/test_openssl.py --ignore=tests/hazmat/primitives/test_pkcs7.py", OPENSSL: {TYPE: "boringssl", VERSION: "4fb158925f7753d80fb858cb0239dff893ef9f15"}} RUST: - stable name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.TOXARGS }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 00e2c05a61b4..a293cdb38656 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1128,8 +1128,9 @@ def _handle_key_loading_error(self): errors = binding._errors_with_text(errors) raise ValueError( "Could not deserialize key data. The data may be in an " - "incorrect format or it may be encrypted with an unsupported " - "algorithm.", + "incorrect format, it may be encrypted with an unsupported " + "algorithm, or it may be an unsupported key type (e.g. EC " + "curves with explicit parameters).", errors, ) diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py index 0199b5ea72e4..7c06d7a0b8b5 100644 --- a/src/cryptography/hazmat/backends/openssl/ec.py +++ b/src/cryptography/hazmat/backends/openssl/ec.py @@ -41,8 +41,8 @@ def _ec_key_curve_sn(backend, ec_key): # The following check is to find EC keys with unnamed curves and raise # an error for now. if nid == backend._lib.NID_undef: - raise NotImplementedError( - "ECDSA keys with unnamed curves are unsupported at this time" + raise ValueError( + "ECDSA keys with explicit parameters are unsupported at this time" ) # This is like the above check, but it also catches the case where you @@ -52,8 +52,8 @@ def _ec_key_curve_sn(backend, ec_key): not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL and backend._lib.EC_GROUP_get_asn1_flag(group) == 0 ): - raise NotImplementedError( - "ECDSA keys with unnamed curves are unsupported at this time" + raise ValueError( + "ECDSA keys with explicit parameters are unsupported at this time" ) curve_name = backend._lib.OBJ_nid2sn(nid) diff --git a/tests/wycheproof/test_ecdh.py b/tests/wycheproof/test_ecdh.py index 02bf1182b0f6..672863fe7610 100644 --- a/tests/wycheproof/test_ecdh.py +++ b/tests/wycheproof/test_ecdh.py @@ -65,9 +65,6 @@ def test_ecdh(backend, wycheproof): binascii.unhexlify(wycheproof.testcase["public"]), backend ) assert isinstance(public_key, ec.EllipticCurvePublicKey) - except NotImplementedError: - assert wycheproof.has_flag("UnnamedCurve") - return except ValueError: assert wycheproof.invalid or wycheproof.acceptable return diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index e6acf45c361a..1c7ce3e1d4af 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -4603,7 +4603,10 @@ def test_load_ecdsa_no_named_curve(self, backend): x509.load_pem_x509_certificate, backend, ) - with pytest.raises(NotImplementedError): + # This test can trigger three different value errors depending + # on OpenSSL/BoringSSL and versions. Match on the text to ensure + # we are getting the right error. + with pytest.raises(ValueError, match="explicit parameters"): cert.public_key() @@ -5194,6 +5197,10 @@ def test_load_pem_cert(self, backend): assert cert.signature_algorithm_oid == SignatureAlgorithmOID.ED448 +@pytest.mark.supported( + only_if=lambda backend: backend.dh_supported(), + skip_message="DH not supported", +) class TestSignatureRejection(object): """Test if signing rejects DH keys properly."""