EC check key on cofactor > 1 (#14287)

reaperhulk · alex · web-flow · commit 0eebb9dbb634 · 2026-02-10T18:32:06.000Z
* Refactor EC public key construction to share more code (#14285) * Run an EC check key if cofactor > 1 This only applies to the binary curves (ed25519 is cofactor 8 and ed448 is cofactor 4 but we use a different code path for eddsa) * deprecate SECT curves * add a test * more tests * code review * simplify * update with CVE and credit --------- Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,21 @@
 Changelog
 =========
 
+.. _v46-0-5:
+
+46.0.5 - 2026-02-10
+~~~~~~~~~~~~~~~~~~~
+
+* An attacker could create a malicious public key that reveals portions of your
+  private key when using certain uncommon elliptic curves (binary curves).
+  This version now includes additional security checks to prevent this attack.
+  This issue only affects binary elliptic curves, which are rarely used in
+  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
+  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
+  **CVE-2026-26007**
+* Support for ``SECT*`` binary elliptic curves is deprecated and will be
+  removed in the next release.
+
 .. v46-0-4:
 
 46.0.4 - 2026-01-27
diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py
@@ -445,3 +445,26 @@ def get_curve_for_oid(oid: ObjectIdentifier) -> type[EllipticCurve]:
             "The provided object identifier has no matching elliptic "
             "curve class"
         )
+
+
+_SECT_CURVES: tuple[type[EllipticCurve], ...] = (
+    SECT163K1,
+    SECT163R2,
+    SECT233K1,
+    SECT233R1,
+    SECT283K1,
+    SECT283R1,
+    SECT409K1,
+    SECT409R1,
+    SECT571K1,
+    SECT571R1,
+)
+
+for _curve_cls in _SECT_CURVES:
+    utils.deprecated(
+        _curve_cls,
+        __name__,
+        f"{_curve_cls.__name__} will be removed in the next release.",
+        utils.DeprecatedIn46,
+        name=_curve_cls.__name__,
+    )
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
@@ -26,6 +26,7 @@ class CryptographyDeprecationWarning(UserWarning):
 DeprecatedIn41 = CryptographyDeprecationWarning
 DeprecatedIn42 = CryptographyDeprecationWarning
 DeprecatedIn43 = CryptographyDeprecationWarning
+DeprecatedIn46 = CryptographyDeprecationWarning
 
 
 # If you're wondering why we don't use `Buffer`, it's because `Buffer` would
diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
@@ -135,12 +135,10 @@ pub(crate) fn public_key_from_pkey(
 ) -> CryptographyResult<ECPublicKey> {
     let ec = pkey.ec_key()?;
     let curve = py_curve_from_curve(py, ec.group())?;
-    check_key_infinity(&ec)?;
-    Ok(ECPublicKey {
-        pkey: pkey.to_owned(),
-        curve: curve.into(),
-    })
+
+    ECPublicKey::new(pkey.to_owned(), curve.into())
 }
+
 #[pyo3::pyfunction]
 #[pyo3(signature = (curve, backend=None))]
 fn generate_private_key(
@@ -198,10 +196,7 @@ fn from_public_bytes(
     let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
     let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
 
-    Ok(ECPublicKey {
-        pkey,
-        curve: py_curve.into(),
-    })
+    ECPublicKey::new(pkey, py_curve.into())
 }
 
 #[pyo3::pymethods]
@@ -367,6 +362,29 @@ impl ECPrivateKey {
     }
 }
 
+impl ECPublicKey {
+    fn new(
+        pkey: openssl::pkey::PKey<openssl::pkey::Public>,
+        curve: pyo3::Py<pyo3::PyAny>,
+    ) -> CryptographyResult<ECPublicKey> {
+        let ec = pkey.ec_key()?;
+        check_key_infinity(&ec)?;
+        let mut bn_ctx = openssl::bn::BigNumContext::new()?;
+        let mut cofactor = openssl::bn::BigNum::new()?;
+        ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
+        let one = openssl::bn::BigNum::from_u32(1)?;
+        if cofactor != one {
+            ec.check_key().map_err(|_| {
+                pyo3::exceptions::PyValueError::new_err(
+                    "Invalid EC key (key out of range, infinity, etc.)",
+                )
+            })?;
+        }
+
+        Ok(ECPublicKey { pkey, curve })
+    }
+}
+
 #[pyo3::pymethods]
 impl ECPublicKey {
     #[getter]
@@ -606,10 +624,7 @@ impl EllipticCurvePublicNumbers {
 
         let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
 
-        Ok(ECPublicKey {
-            pkey,
-            curve: self.curve.clone_ref(py),
-        })
+        ECPublicKey::new(pkey, self.curve.clone_ref(py))
     }
 
     fn __eq__(
diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
@@ -1542,3 +1542,40 @@ def test_exchange_non_matching_curve(self, backend):
 
         with pytest.raises(ValueError):
             key.exchange(ec.ECDH(), public_key)
+
+
+def test_invalid_sect_public_keys(backend):
+    _skip_curve_unsupported(backend, ec.SECT571K1())
+    public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
+    with pytest.raises(ValueError):
+        public_numbers.public_key()
+
+    point = binascii.unhexlify(
+        b"0400000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000010000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000001"
+    )
+    with pytest.raises(ValueError):
+        ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
+
+    der = binascii.unhexlify(
+        b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000100000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"00001"
+    )
+    with pytest.raises(ValueError):
+        serialization.load_der_public_key(der)
+
+    pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
+    MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+    AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
+    -----END PUBLIC KEY-----""").encode()
+    with pytest.raises(ValueError):
+        serialization.load_pem_public_key(pem)
