remove binary curve support

CHANGELOG.rst

@@ -10,6 +10,9 @@ Changelog
 
 * Support for Python 3.8 is deprecated and will be removed in the next
   ``cryptography`` release.
+* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
+  (``SECT*`` classes) has been removed. These curves are rarely used and
+  have additional security considerations that make them undesirable.
 * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
   OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
   continue to be supported.

docs/hazmat/primitives/asymmetric/ec.rst

@@ -395,87 +395,6 @@ All named curves are instances of :class:`EllipticCurve`.
     Brainpool curve specified in :rfc:`5639`. These curves are discouraged
     for new systems.
 
-.. class:: SECT571K1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect571k1``. Also called NIST K-571. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT409K1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect409k1``. Also called NIST K-409. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT283K1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect283k1``. Also called NIST K-283. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT233K1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect233k1``. Also called NIST K-233. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT163K1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect163k1``. Also called NIST K-163. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT571R1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect571r1``. Also called NIST B-571. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT409R1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect409r1``. Also called NIST B-409. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT283R1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect283r1``. Also called NIST B-283. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT233R1
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect233r1``. Also called NIST B-233. These binary curves are
-    discouraged for new systems.
-
-
-.. class:: SECT163R2
-
-    .. versionadded:: 0.5
-
-    SECG curve ``sect163r2``. Also called NIST B-163. These binary curves are
-    discouraged for new systems.
-
-
-
 
 Key Interfaces
 ~~~~~~~~~~~~~~
@@ -832,66 +751,6 @@ Elliptic Curve Object Identifiers
 
         Corresponds to the dotted string ``"1.3.36.3.3.2.8.1.1.13"``.
 
-    .. attribute:: SECT163K1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.1"``.
-
-    .. attribute:: SECT163R2
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.15"``.
-
-    .. attribute:: SECT233K1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.26"``.
-
-    .. attribute:: SECT233R1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.27"``.
-
-    .. attribute:: SECT283K1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.16"``.
-
-    .. attribute:: SECT283R1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.17"``.
-
-    .. attribute:: SECT409K1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.36"``.
-
-    .. attribute:: SECT409R1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.37"``.
-
-    .. attribute:: SECT571K1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.38"``.
-
-    .. attribute:: SECT571R1
-
-        .. versionadded:: 2.5
-
-        Corresponds to the dotted string ``"1.3.132.0.39"``.
-
 .. function:: get_curve_for_oid(oid)
 
     .. versionadded:: 2.6

src/cryptography/hazmat/primitives/asymmetric/ec.py

@@ -25,16 +25,6 @@ class EllipticCurveOID:
     BRAINPOOLP256R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.7")
     BRAINPOOLP384R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.11")
     BRAINPOOLP512R1 = ObjectIdentifier("1.3.36.3.3.2.8.1.1.13")
-    SECT163K1 = ObjectIdentifier("1.3.132.0.1")
-    SECT163R2 = ObjectIdentifier("1.3.132.0.15")
-    SECT233K1 = ObjectIdentifier("1.3.132.0.26")
-    SECT233R1 = ObjectIdentifier("1.3.132.0.27")
-    SECT283K1 = ObjectIdentifier("1.3.132.0.16")
-    SECT283R1 = ObjectIdentifier("1.3.132.0.17")
-    SECT409K1 = ObjectIdentifier("1.3.132.0.36")
-    SECT409R1 = ObjectIdentifier("1.3.132.0.37")
-    SECT571K1 = ObjectIdentifier("1.3.132.0.38")
-    SECT571R1 = ObjectIdentifier("1.3.132.0.39")
 
 
 class EllipticCurve(metaclass=abc.ABCMeta):
@@ -227,66 +217,6 @@ def __deepcopy__(self, memo: dict) -> EllipticCurvePublicKey:
 EllipticCurvePublicNumbers = rust_openssl.ec.EllipticCurvePublicNumbers
 
 
-class SECT571R1(EllipticCurve):
-    name = "sect571r1"
-    key_size = 570
-    group_order = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47  # noqa: E501
-
-
-class SECT409R1(EllipticCurve):
-    name = "sect409r1"
-    key_size = 409
-    group_order = 0x10000000000000000000000000000000000000000000000000001E2AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173  # noqa: E501
-
-
-class SECT283R1(EllipticCurve):
-    name = "sect283r1"
-    key_size = 282
-    group_order = 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307  # noqa: E501
-
-
-class SECT233R1(EllipticCurve):
-    name = "sect233r1"
-    key_size = 233
-    group_order = 0x1000000000000000000000000000013E974E72F8A6922031D2603CFE0D7
-
-
-class SECT163R2(EllipticCurve):
-    name = "sect163r2"
-    key_size = 163
-    group_order = 0x40000000000000000000292FE77E70C12A4234C33
-
-
-class SECT571K1(EllipticCurve):
-    name = "sect571k1"
-    key_size = 570
-    group_order = 0x20000000000000000000000000000000000000000000000000000000000000000000000131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001  # noqa: E501
-
-
-class SECT409K1(EllipticCurve):
-    name = "sect409k1"
-    key_size = 407
-    group_order = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F83B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF  # noqa: E501
-
-
-class SECT283K1(EllipticCurve):
-    name = "sect283k1"
-    key_size = 281
-    group_order = 0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61  # noqa: E501
-
-
-class SECT233K1(EllipticCurve):
-    name = "sect233k1"
-    key_size = 232
-    group_order = 0x8000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF
-
-
-class SECT163K1(EllipticCurve):
-    name = "sect163k1"
-    key_size = 163
-    group_order = 0x4000000000000000000020108A2E0CC0D99F8A5EF
-
-
 class SECP521R1(EllipticCurve):
     name = "secp521r1"
     key_size = 521
@@ -356,16 +286,6 @@ class BrainpoolP512R1(EllipticCurve):
     "secp384r1": SECP384R1(),
     "secp521r1": SECP521R1(),
     "secp256k1": SECP256K1(),
-    "sect163k1": SECT163K1(),
-    "sect233k1": SECT233K1(),
-    "sect283k1": SECT283K1(),
-    "sect409k1": SECT409K1(),
-    "sect571k1": SECT571K1(),
-    "sect163r2": SECT163R2(),
-    "sect233r1": SECT233R1(),
-    "sect283r1": SECT283R1(),
-    "sect409r1": SECT409R1(),
-    "sect571r1": SECT571R1(),
     "brainpoolP256r1": BrainpoolP256R1(),
     "brainpoolP384r1": BrainpoolP384R1(),
     "brainpoolP512r1": BrainpoolP512R1(),
@@ -436,16 +356,6 @@ class ECDH:
     EllipticCurveOID.BRAINPOOLP256R1: BrainpoolP256R1,
     EllipticCurveOID.BRAINPOOLP384R1: BrainpoolP384R1,
     EllipticCurveOID.BRAINPOOLP512R1: BrainpoolP512R1,
-    EllipticCurveOID.SECT163K1: SECT163K1,
-    EllipticCurveOID.SECT163R2: SECT163R2,
-    EllipticCurveOID.SECT233K1: SECT233K1,
-    EllipticCurveOID.SECT233R1: SECT233R1,
-    EllipticCurveOID.SECT283K1: SECT283K1,
-    EllipticCurveOID.SECT283R1: SECT283R1,
-    EllipticCurveOID.SECT409K1: SECT409K1,
-    EllipticCurveOID.SECT409R1: SECT409R1,
-    EllipticCurveOID.SECT571K1: SECT571K1,
-    EllipticCurveOID.SECT571R1: SECT571R1,
 }
 
 

src/rust/cryptography-key-parsing/src/ec.rs

@@ -29,16 +29,6 @@ pub(crate) fn group_to_curve_oid(
         openssl::nid::Nid::SECP384R1 => Some(cryptography_x509::oid::EC_SECP384R1),
         openssl::nid::Nid::SECP521R1 => Some(cryptography_x509::oid::EC_SECP521R1),
         openssl::nid::Nid::SECP256K1 => Some(cryptography_x509::oid::EC_SECP256K1),
-        openssl::nid::Nid::SECT233R1 => Some(cryptography_x509::oid::EC_SECT233R1),
-        openssl::nid::Nid::SECT283R1 => Some(cryptography_x509::oid::EC_SECT283R1),
-        openssl::nid::Nid::SECT409R1 => Some(cryptography_x509::oid::EC_SECT409R1),
-        openssl::nid::Nid::SECT571R1 => Some(cryptography_x509::oid::EC_SECT571R1),
-        openssl::nid::Nid::SECT163R2 => Some(cryptography_x509::oid::EC_SECT163R2),
-        openssl::nid::Nid::SECT163K1 => Some(cryptography_x509::oid::EC_SECT163K1),
-        openssl::nid::Nid::SECT233K1 => Some(cryptography_x509::oid::EC_SECT233K1),
-        openssl::nid::Nid::SECT283K1 => Some(cryptography_x509::oid::EC_SECT283K1),
-        openssl::nid::Nid::SECT409K1 => Some(cryptography_x509::oid::EC_SECT409K1),
-        openssl::nid::Nid::SECT571K1 => Some(cryptography_x509::oid::EC_SECT571K1),
         #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
         openssl::nid::Nid::BRAINPOOL_P256R1 => Some(cryptography_x509::oid::EC_BRAINPOOLP256R1),
         #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
@@ -63,19 +53,6 @@ pub(crate) fn ec_params_to_group(
 
                 &cryptography_x509::oid::EC_SECP256K1 => openssl::nid::Nid::SECP256K1,
 
-                &cryptography_x509::oid::EC_SECT233R1 => openssl::nid::Nid::SECT233R1,
-                &cryptography_x509::oid::EC_SECT283R1 => openssl::nid::Nid::SECT283R1,
-                &cryptography_x509::oid::EC_SECT409R1 => openssl::nid::Nid::SECT409R1,
-                &cryptography_x509::oid::EC_SECT571R1 => openssl::nid::Nid::SECT571R1,
-
-                &cryptography_x509::oid::EC_SECT163R2 => openssl::nid::Nid::SECT163R2,
-
-                &cryptography_x509::oid::EC_SECT163K1 => openssl::nid::Nid::SECT163K1,
-                &cryptography_x509::oid::EC_SECT233K1 => openssl::nid::Nid::SECT233K1,
-                &cryptography_x509::oid::EC_SECT283K1 => openssl::nid::Nid::SECT283K1,
-                &cryptography_x509::oid::EC_SECT409K1 => openssl::nid::Nid::SECT409K1,
-                &cryptography_x509::oid::EC_SECT571K1 => openssl::nid::Nid::SECT571K1,
-
                 #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
                 &cryptography_x509::oid::EC_BRAINPOOLP256R1 => openssl::nid::Nid::BRAINPOOL_P256R1,
                 #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]

src/rust/cryptography-x509/src/oid.rs

@@ -58,19 +58,6 @@ pub const EC_SECP521R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 35);
 
 pub const EC_SECP256K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 10);
 
-pub const EC_SECT233R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 27);
-pub const EC_SECT283R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 17);
-pub const EC_SECT409R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 37);
-pub const EC_SECT571R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 39);
-
-pub const EC_SECT163R2: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 15);
-
-pub const EC_SECT163K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 1);
-pub const EC_SECT233K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 26);
-pub const EC_SECT283K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 16);
-pub const EC_SECT409K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 36);
-pub const EC_SECT571K1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 132, 0, 38);
-
 pub const EC_BRAINPOOLP256R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 36, 3, 3, 2, 8, 1, 1, 7);
 pub const EC_BRAINPOOLP384R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 36, 3, 3, 2, 8, 1, 1, 11);
 pub const EC_BRAINPOOLP512R1: asn1::ObjectIdentifier = asn1::oid!(1, 3, 36, 3, 3, 2, 8, 1, 1, 13);

src/rust/src/backend/ec.rs

@@ -47,19 +47,6 @@ fn curve_from_py_curve(
 
         "secp256k1" => openssl::nid::Nid::SECP256K1,
 
-        "sect233r1" => openssl::nid::Nid::SECT233R1,
-        "sect283r1" => openssl::nid::Nid::SECT283R1,
-        "sect409r1" => openssl::nid::Nid::SECT409R1,
-        "sect571r1" => openssl::nid::Nid::SECT571R1,
-
-        "sect163r2" => openssl::nid::Nid::SECT163R2,
-
-        "sect163k1" => openssl::nid::Nid::SECT163K1,
-        "sect233k1" => openssl::nid::Nid::SECT233K1,
-        "sect283k1" => openssl::nid::Nid::SECT283K1,
-        "sect409k1" => openssl::nid::Nid::SECT409K1,
-        "sect571k1" => openssl::nid::Nid::SECT571K1,
-
         #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
         "brainpoolP256r1" => openssl::nid::Nid::BRAINPOOL_P256R1,
         #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
@@ -249,9 +236,11 @@ impl ECPrivateKey {
 
         let len = deriver.len()?;
         Ok(pyo3::types::PyBytes::new_with(py, len, |b| {
-            let n = py.detach(|| deriver.derive(b)).map_err(|_| {
-                pyo3::exceptions::PyValueError::new_err("Error computing shared key.")
-            })?;
+            // Previously it was possible to have derive return an error
+            // if a public key was in a subgroup. Now that we only
+            // support cofactor 1 curves this should be unreachable
+            // so we unwrap.
+            let n = py.detach(|| deriver.derive(b)).unwrap();
             assert_eq!(n, b.len());
             Ok(())
         })?)
@@ -389,7 +378,13 @@ impl ECPublicKey {
     ) -> CryptographyResult<ECPublicKey> {
         let ec = pkey.ec_key()?;
         check_key_infinity(&ec)?;
-
+        let mut bn_ctx = openssl::bn::BigNumContext::new()?;
+        let mut cofactor = openssl::bn::BigNum::new()?;
+        ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
+        let one = openssl::bn::BigNum::from_u32(1)?;
+        // We only support curves with a cofactor of 1.
+        // Any change here requires more careful key checking
+        assert_eq!(cofactor, one, "cofactor must be 1");
         Ok(ECPublicKey { pkey, curve })
     }
 }