fix: enforce ECDSA curve validation per RFC 7518 Section 3.4

ECAlgorithm now validates that a key's elliptic curve matches the
algorithm being used (e.g. ES256 requires P-256, ES384 requires P-384).
Previously, any EC key could be used with any ECDSA algorithm, allowing
weaker curves like P-192 to be used for ES256 verification.

- Add optional expected_curve parameter to ECAlgorithm.__init__
- Add _validate_curve method called during prepare_key
- Update get_default_algorithms to pass correct curves
- Fix test_encode_decode_ecdsa_related_algorithms to use correct keys

Author: jpadilla

jwt/algorithms.py

@@ -171,12 +171,12 @@ def get_default_algorithms() -> dict[str, Algorithm]:
                 "RS256": RSAAlgorithm(RSAAlgorithm.SHA256),
                 "RS384": RSAAlgorithm(RSAAlgorithm.SHA384),
                 "RS512": RSAAlgorithm(RSAAlgorithm.SHA512),
-                "ES256": ECAlgorithm(ECAlgorithm.SHA256),
-                "ES256K": ECAlgorithm(ECAlgorithm.SHA256),
-                "ES384": ECAlgorithm(ECAlgorithm.SHA384),
-                "ES521": ECAlgorithm(ECAlgorithm.SHA512),
+                "ES256": ECAlgorithm(ECAlgorithm.SHA256, SECP256R1),
+                "ES256K": ECAlgorithm(ECAlgorithm.SHA256, SECP256K1),
+                "ES384": ECAlgorithm(ECAlgorithm.SHA384, SECP384R1),
+                "ES521": ECAlgorithm(ECAlgorithm.SHA512, SECP521R1),
                 "ES512": ECAlgorithm(
-                    ECAlgorithm.SHA512
+                    ECAlgorithm.SHA512, SECP521R1
                 ),  # Backward compat for #219 fix
                 "PS256": RSAPSSAlgorithm(RSAPSSAlgorithm.SHA256),
                 "PS384": RSAPSSAlgorithm(RSAPSSAlgorithm.SHA384),
@@ -576,11 +576,28 @@ class ECAlgorithm(Algorithm):
 
         _crypto_key_types = ALLOWED_EC_KEY_TYPES
 
-        def __init__(self, hash_alg: type[hashes.HashAlgorithm]) -> None:
+        def __init__(
+            self,
+            hash_alg: type[hashes.HashAlgorithm],
+            expected_curve: type[EllipticCurve] | None = None,
+        ) -> None:
             self.hash_alg = hash_alg
+            self.expected_curve = expected_curve
+
+        def _validate_curve(self, key: AllowedECKeys) -> None:
+            """Validate that the key's curve matches the expected curve."""
+            if self.expected_curve is None:
+                return
+
+            if not isinstance(key.curve, self.expected_curve):
+                raise InvalidKeyError(
+                    f"The key's curve '{key.curve.name}' does not match the expected "
+                    f"curve '{self.expected_curve.name}' for this algorithm"
+                )
 
         def prepare_key(self, key: AllowedECKeys | str | bytes) -> AllowedECKeys:
             if isinstance(key, self._crypto_key_types):
+                self._validate_curve(key)
                 return key
 
             if not isinstance(key, (bytes, str)):
@@ -599,11 +616,15 @@ def prepare_key(self, key: AllowedECKeys | str | bytes) -> AllowedECKeys:
 
                 # Explicit check the key to prevent confusing errors from cryptography
                 self.check_crypto_key_type(public_key)
-                return cast(EllipticCurvePublicKey, public_key)
+                ec_public_key = cast(EllipticCurvePublicKey, public_key)
+                self._validate_curve(ec_public_key)
+                return ec_public_key
             except ValueError:
                 private_key = load_pem_private_key(key_bytes, password=None)
                 self.check_crypto_key_type(private_key)
-                return cast(EllipticCurvePrivateKey, private_key)
+                ec_private_key = cast(EllipticCurvePrivateKey, private_key)
+                self._validate_curve(ec_private_key)
+                return ec_private_key
 
         def sign(self, msg: bytes, key: EllipticCurvePrivateKey) -> bytes:
             der_sig = key.sign(msg, ECDSA(self.hash_alg()))

tests/test_algorithms.py

@@ -1162,3 +1162,228 @@ def test_rsa_prepare_key_raises_invalid_key_error_on_invalid_pem(self):
 
         # Check that the exception message is correct
         assert "Could not parse the provided public key." in str(excinfo.value)
+
+
+@crypto_required
+class TestECCurveValidation:
+    """Tests for ECDSA curve validation per RFC 7518 Section 3.4."""
+
+    def test_ec_curve_validation_rejects_wrong_curve_for_es256(self):
+        """ES256 should reject keys that are not P-256."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA256, SECP256R1)
+
+        # P-384 key should be rejected
+        with open(key_path("jwk_ec_key_P-384.json")) as keyfile:
+            p384_key = ECAlgorithm.from_jwk(keyfile.read())
+
+        with pytest.raises(InvalidKeyError) as excinfo:
+            algo.prepare_key(p384_key)
+        assert "secp384r1" in str(excinfo.value)
+        assert "secp256r1" in str(excinfo.value)
+
+    def test_ec_curve_validation_rejects_wrong_curve_for_es384(self):
+        """ES384 should reject keys that are not P-384."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP384R1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA384, SECP384R1)
+
+        # P-256 key should be rejected
+        with open(key_path("jwk_ec_key_P-256.json")) as keyfile:
+            p256_key = ECAlgorithm.from_jwk(keyfile.read())
+
+        with pytest.raises(InvalidKeyError) as excinfo:
+            algo.prepare_key(p256_key)
+        assert "secp256r1" in str(excinfo.value)
+        assert "secp384r1" in str(excinfo.value)
+
+    def test_ec_curve_validation_rejects_wrong_curve_for_es512(self):
+        """ES512 should reject keys that are not P-521."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP521R1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA512, SECP521R1)
+
+        # P-256 key should be rejected
+        with open(key_path("jwk_ec_key_P-256.json")) as keyfile:
+            p256_key = ECAlgorithm.from_jwk(keyfile.read())
+
+        with pytest.raises(InvalidKeyError) as excinfo:
+            algo.prepare_key(p256_key)
+        assert "secp256r1" in str(excinfo.value)
+        assert "secp521r1" in str(excinfo.value)
+
+    def test_ec_curve_validation_rejects_wrong_curve_for_es256k(self):
+        """ES256K should reject keys that are not secp256k1."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP256K1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA256, SECP256K1)
+
+        # P-256 key should be rejected
+        with open(key_path("jwk_ec_key_P-256.json")) as keyfile:
+            p256_key = ECAlgorithm.from_jwk(keyfile.read())
+
+        with pytest.raises(InvalidKeyError) as excinfo:
+            algo.prepare_key(p256_key)
+        assert "secp256r1" in str(excinfo.value)
+        assert "secp256k1" in str(excinfo.value)
+
+    def test_ec_curve_validation_accepts_correct_curve_for_es256(self):
+        """ES256 should accept P-256 keys."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA256, SECP256R1)
+
+        with open(key_path("jwk_ec_key_P-256.json")) as keyfile:
+            key = algo.from_jwk(keyfile.read())
+            prepared = algo.prepare_key(key)
+            assert prepared is key
+
+    def test_ec_curve_validation_accepts_correct_curve_for_es384(self):
+        """ES384 should accept P-384 keys."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP384R1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA384, SECP384R1)
+
+        with open(key_path("jwk_ec_key_P-384.json")) as keyfile:
+            key = algo.from_jwk(keyfile.read())
+            prepared = algo.prepare_key(key)
+            assert prepared is key
+
+    def test_ec_curve_validation_accepts_correct_curve_for_es512(self):
+        """ES512 should accept P-521 keys."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP521R1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA512, SECP521R1)
+
+        with open(key_path("jwk_ec_key_P-521.json")) as keyfile:
+            key = algo.from_jwk(keyfile.read())
+            prepared = algo.prepare_key(key)
+            assert prepared is key
+
+    def test_ec_curve_validation_accepts_correct_curve_for_es256k(self):
+        """ES256K should accept secp256k1 keys."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP256K1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA256, SECP256K1)
+
+        with open(key_path("jwk_ec_key_secp256k1.json")) as keyfile:
+            key = algo.from_jwk(keyfile.read())
+            prepared = algo.prepare_key(key)
+            assert prepared is key
+
+    def test_ec_curve_validation_rejects_p192_for_es256(self):
+        """ES256 should reject P-192 keys (weaker than P-256)."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA256, SECP256R1)
+
+        with open(key_path("testkey_ec_secp192r1.priv")) as keyfile:
+            with pytest.raises(InvalidKeyError) as excinfo:
+                algo.prepare_key(keyfile.read())
+            assert "secp192r1" in str(excinfo.value)
+            assert "secp256r1" in str(excinfo.value)
+
+    def test_ec_algorithm_without_expected_curve_accepts_any_curve(self):
+        """ECAlgorithm without expected_curve should accept any curve (backwards compat)."""
+        algo = ECAlgorithm(ECAlgorithm.SHA256)
+
+        # Should accept P-256
+        with open(key_path("jwk_ec_key_P-256.json")) as keyfile:
+            p256_key = algo.from_jwk(keyfile.read())
+            algo.prepare_key(p256_key)
+
+        # Should accept P-384
+        with open(key_path("jwk_ec_key_P-384.json")) as keyfile:
+            p384_key = algo.from_jwk(keyfile.read())
+            algo.prepare_key(p384_key)
+
+        # Should accept P-521
+        with open(key_path("jwk_ec_key_P-521.json")) as keyfile:
+            p521_key = algo.from_jwk(keyfile.read())
+            algo.prepare_key(p521_key)
+
+        # Should accept secp256k1
+        with open(key_path("jwk_ec_key_secp256k1.json")) as keyfile:
+            secp256k1_key = algo.from_jwk(keyfile.read())
+            algo.prepare_key(secp256k1_key)
+
+    def test_default_algorithms_have_correct_expected_curve(self):
+        """Default algorithms returned by get_default_algorithms should have expected_curve set."""
+        from cryptography.hazmat.primitives.asymmetric.ec import (
+            SECP256K1,
+            SECP256R1,
+            SECP384R1,
+            SECP521R1,
+        )
+
+        from jwt.algorithms import get_default_algorithms
+
+        algorithms = get_default_algorithms()
+
+        es256 = algorithms["ES256"]
+        assert isinstance(es256, ECAlgorithm)
+        assert es256.expected_curve == SECP256R1
+
+        es256k = algorithms["ES256K"]
+        assert isinstance(es256k, ECAlgorithm)
+        assert es256k.expected_curve == SECP256K1
+
+        es384 = algorithms["ES384"]
+        assert isinstance(es384, ECAlgorithm)
+        assert es384.expected_curve == SECP384R1
+
+        es521 = algorithms["ES521"]
+        assert isinstance(es521, ECAlgorithm)
+        assert es521.expected_curve == SECP521R1
+
+        es512 = algorithms["ES512"]
+        assert isinstance(es512, ECAlgorithm)
+        assert es512.expected_curve == SECP521R1
+
+    def test_ec_curve_validation_with_pem_key(self):
+        """Curve validation should work with PEM-formatted keys."""
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1
+
+        algo = ECAlgorithm(ECAlgorithm.SHA256, SECP256R1)
+
+        # P-256 PEM key should be accepted
+        with open(key_path("testkey_ec.priv")) as keyfile:
+            algo.prepare_key(keyfile.read())
+
+        # P-192 PEM key should be rejected
+        with open(key_path("testkey_ec_secp192r1.priv")) as keyfile:
+            with pytest.raises(InvalidKeyError):
+                algo.prepare_key(keyfile.read())
+
+    def test_jwt_encode_decode_rejects_wrong_curve(self):
+        """Integration test: jwt.encode/decode should reject wrong curve keys."""
+        import jwt
+
+        # Use P-384 key with ES256 algorithm (expects P-256)
+        with open(key_path("jwk_ec_key_P-384.json")) as keyfile:
+            p384_key = ECAlgorithm.from_jwk(keyfile.read())
+
+        # Encoding should fail
+        with pytest.raises(InvalidKeyError):
+            jwt.encode({"hello": "world"}, p384_key, algorithm="ES256")
+
+        # Create a valid token with P-256 key
+        with open(key_path("jwk_ec_key_P-256.json")) as keyfile:
+            p256_key = ECAlgorithm.from_jwk(keyfile.read())
+
+        token = jwt.encode({"hello": "world"}, p256_key, algorithm="ES256")
+
+        # Decoding with wrong curve key should fail
+        with open(key_path("jwk_ec_pub_P-384.json")) as keyfile:
+            p384_pub_key = ECAlgorithm.from_jwk(keyfile.read())
+
+        with pytest.raises(InvalidKeyError):
+            jwt.decode(token, p384_pub_key, algorithms=["ES256"])
+
+        # Decoding with correct curve key should succeed
+        with open(key_path("jwk_ec_pub_P-256.json")) as keyfile:
+            p256_pub_key = ECAlgorithm.from_jwk(keyfile.read())
+
+        decoded = jwt.decode(token, p256_pub_key, algorithms=["ES256"])
+        assert decoded == {"hello": "world"}

tests/test_api_jws.py

@@ -646,32 +646,27 @@ def test_rsa_related_algorithms(self, jws):
             assert "PS512" not in jws_algorithms
 
     @pytest.mark.parametrize(
-        "algo",
+        "algo,priv_key_file,pub_key_file",
         [
-            "ES256",
-            "ES256K",
-            "ES384",
-            "ES512",
+            ("ES256", "jwk_ec_key_P-256.json", "jwk_ec_pub_P-256.json"),
+            ("ES256K", "jwk_ec_key_secp256k1.json", "jwk_ec_pub_secp256k1.json"),
+            ("ES384", "jwk_ec_key_P-384.json", "jwk_ec_pub_P-384.json"),
+            ("ES512", "jwk_ec_key_P-521.json", "jwk_ec_pub_P-521.json"),
         ],
     )
     @crypto_required
-    def test_encode_decode_ecdsa_related_algorithms(self, jws, payload, algo):
-        # PEM-formatted EC key
-        with open(key_path("testkey_ec.priv"), "rb") as ec_priv_file:
-            priv_eckey = load_pem_private_key(ec_priv_file.read(), password=None)
-            jws_message = jws.encode(payload, priv_eckey, algorithm=algo)
-
-        with open(key_path("testkey_ec.pub"), "rb") as ec_pub_file:
-            pub_eckey = load_pem_public_key(ec_pub_file.read())
-            jws.decode(jws_message, pub_eckey, algorithms=[algo])
+    def test_encode_decode_ecdsa_related_algorithms(
+        self, jws, payload, algo, priv_key_file, pub_key_file
+    ):
+        from jwt.algorithms import ECAlgorithm
 
-        # string-formatted key
-        with open(key_path("testkey_ec.priv")) as ec_priv_file:
-            priv_eckey = ec_priv_file.read()  # type: ignore[assignment]
+        # Load keys from JWK files (each algorithm requires its specific curve)
+        with open(key_path(priv_key_file)) as priv_file:
+            priv_eckey = ECAlgorithm.from_jwk(priv_file.read())
             jws_message = jws.encode(payload, priv_eckey, algorithm=algo)
 
-        with open(key_path("testkey_ec.pub")) as ec_pub_file:
-            pub_eckey = ec_pub_file.read()  # type: ignore[assignment]
+        with open(key_path(pub_key_file)) as pub_file:
+            pub_eckey = ECAlgorithm.from_jwk(pub_file.read())
             jws.decode(jws_message, pub_eckey, algorithms=[algo])
 
     def test_ecdsa_related_algorithms(self, jws):