cleanups and fixes

alex · alex · commit 4134f4b3aeb7 · 2025-01-31T09:30:19.000-08:00
diff --git a/src/rust/cryptography-crypto/src/pbkdf1.rs b/src/rust/cryptography-crypto/src/pbkdf1.rs
@@ -12,6 +12,7 @@ pub fn openssl_kdf(
 ) -> Result<Vec<u8>, openssl::error::ErrorStack> {
     let mut key = Vec::with_capacity(length);
 
+    while key.len() < length {
         let mut h = openssl::hash::Hasher::new(hash_alg)?;
 
         if !key.is_empty() {
diff --git a/src/rust/cryptography-key-parsing/src/pkcs8.rs b/src/rust/cryptography-key-parsing/src/pkcs8.rs
@@ -126,9 +126,9 @@ pub fn parse_encrypted_private_key(
 
     let plaintext = match epki.encryption_algorithm.params {
         AlgorithmParameters::Pbes1WithShaAnd3KeyTripleDesCbc(params) => {
-            // XXX:
-            // - handle invalid utf8
-            let password = std::str::from_utf8(password).unwrap();
+            let Ok(password) = std::str::from_utf8(password) else {
+                return Err(KeyParsingError::IncorrectPassword);
+            };
             let key = cryptography_crypto::pkcs12::kdf(
                 password,
                 &params.salt,
@@ -191,8 +191,10 @@ pub fn parse_encrypted_private_key(
                     openssl::pkcs5::pbkdf2_hmac(
                         password,
                         pbkdf2_params.salt,
-                        // XXX
-                        pbkdf2_params.iteration_count.try_into().expect("XXX"),
+                        pbkdf2_params
+                            .iteration_count
+                            .try_into()
+                            .map_err(|_| KeyParsingError::InvalidKey)?,
                         md,
                         &mut key,
                     )
diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs
@@ -129,7 +129,14 @@ fn load_pem_private_key<'p>(
             let key = cryptography_crypto::pbkdf1::openssl_kdf(
                 openssl::hash::MessageDigest::md5(),
                 password,
-                &iv,
+                iv.get(..8)
+                    .ok_or_else(|| {
+                        pyo3::exceptions::PyValueError::new_err(
+                            "DEK-Info IV must be at least 8 bytes",
+                        )
+                    })?
+                    .try_into()
+                    .unwrap(),
                 cipher.key_len(),
             )
             .map_err(|_| {
