Explicit check the key for ECAlgorithm (#713)

estin · pre-commit-ci[bot] · web-flow · commit aabeb061348c · 2021-12-12T17:49:19.000+06:00
* Explicit check the key for ECAlgorithm * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
diff --git a/jwt/algorithms.py b/jwt/algorithms.py
@@ -417,6 +417,12 @@ def prepare_key(self, key):
             except ValueError:
                 key = load_pem_private_key(key, password=None)
 
+            # Explicit check the key to prevent confusing errors from cryptography
+            if not isinstance(key, (EllipticCurvePrivateKey, EllipticCurvePublicKey)):
+                raise InvalidKeyError(
+                    "Expecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for ECDSA algorithms"
+                )
+
             return key
 
         def sign(self, msg, key):
diff --git a/tests/test_algorithms.py b/tests/test_algorithms.py
@@ -494,6 +494,18 @@ def test_ec_verify_should_return_false_if_signature_wrong_length(self):
         result = algo.verify(message, pub_key, sig)
         assert not result
 
+    @crypto_required
+    def test_ec_should_throw_exception_on_wrong_key(self):
+        algo = ECAlgorithm(ECAlgorithm.SHA256)
+
+        with pytest.raises(InvalidKeyError):
+            with open(key_path("testkey_rsa.priv")) as keyfile:
+                algo.prepare_key(keyfile.read())
+
+        with pytest.raises(InvalidKeyError):
+            with open(key_path("testkey2_rsa.pub.pem")) as pem_key:
+                algo.prepare_key(pem_key.read())
+
     @crypto_required
     def test_rsa_pss_sign_then_verify_should_return_true(self):
         algo = RSAPSSAlgorithm(RSAPSSAlgorithm.SHA256)
