support explicit curves mapping to named curves

We now support loading EC keys with explicit encodings of named
curves.  This requires that the explicit curve encoding match
exactly (but allows the omission of the seed parameter to maintain
compatibility with the -no_seed OpenSSL flag). This is only supported
for secp256r1, secp384r1, secp521r1, and secp256k1 at this time.

This is not arbitrary explicit curve support; we still have no plans to
implement that.

Author: reaperhulk

CHANGELOG.rst

@@ -73,6 +73,8 @@ Changelog
   ``ecdsa_deterministic`` in :meth:`~cryptography.x509.CertificateBuilder.sign`,
   :meth:`~cryptography.x509.CertificateRevocationListBuilder.sign`
   and :meth:`~cryptography.x509.CertificateSigningRequestBuilder.sign`.
+* Added support for loading elliptic curve keys that contain explicit encodings
+  of the curves ``secp256r1``, ``secp384r1``, ``secp521r1``, and ``secp256k1``.
 
 .. _v44-0-3:
 

src/rust/cryptography-key-parsing/src/ec.rs

@@ -3,6 +3,7 @@
 // for complete details.
 
 use cryptography_x509::common::EcParameters;
+use cryptography_x509::ec_constants;
 
 use crate::{KeyParsingError, KeyParsingResult};
 
@@ -57,9 +58,34 @@ pub(crate) fn ec_params_to_group(
             Ok(openssl::ec::EcGroup::from_curve_name(curve_nid)
                 .map_err(|_| KeyParsingError::UnsupportedEllipticCurve(curve_oid.clone()))?)
         }
-        EcParameters::ImplicitCurve(_) | EcParameters::SpecifiedCurve(_) => {
-            Err(KeyParsingError::ExplicitCurveUnsupported)
+        EcParameters::SpecifiedCurve(params) => {
+            // We do not support arbitrary explicit curves. Instead we map values
+            // to named curves. This currently supports only P256, P384,
+            // P521, and SECP256K1. No binary curves are supported. Everything must
+            // match, except the seed may be omitted on NIST curves since OpenSSL
+            // has supported a -no_seed option for over 20 years and I don't want to
+            // figure out whether anyone uses that or not. No one should be using
+            // explicit curve encoding anyway. Curves were meant to be named!
+            let curve_nid = match params {
+                &ec_constants::P256_DOMAIN | &ec_constants::P256_DOMAIN_NO_SEED => {
+                    openssl::nid::Nid::X9_62_PRIME256V1
+                }
+                &ec_constants::P384_DOMAIN | &ec_constants::P384_DOMAIN_NO_SEED => {
+                    openssl::nid::Nid::SECP384R1
+                }
+                &ec_constants::P521_DOMAIN | &ec_constants::P521_DOMAIN_NO_SEED => {
+                    openssl::nid::Nid::SECP521R1
+                }
+                &ec_constants::SECP256K1_DOMAIN => openssl::nid::Nid::SECP256K1,
+                _ => return Err(KeyParsingError::ExplicitCurveUnsupported),
+            };
+            Ok(
+                openssl::ec::EcGroup::from_curve_name(curve_nid).map_err(|_| {
+                    KeyParsingError::UnsupportedEllipticCurve(cryptography_x509::oid::EC_SECP256R1)
+                })?,
+            )
         }
+        EcParameters::ImplicitCurve(_) => Err(KeyParsingError::ExplicitCurveUnsupported),
     }
 }
 

src/rust/cryptography-x509/src/common.rs

@@ -447,7 +447,59 @@ pub const PSS_SHA512_MASK_GEN_ALG: MaskGenAlgorithm<'_> = MaskGenAlgorithm {
 pub enum EcParameters<'a> {
     NamedCurve(asn1::ObjectIdentifier),
     ImplicitCurve(asn1::Null),
-    SpecifiedCurve(asn1::Sequence<'a>),
+    SpecifiedCurve(SpecifiedECDomain<'a>),
+}
+
+// From RFC 3279 Section 2.3.5 and RFC 5480 Appendix A
+// SpecifiedECDomain ::= SEQUENCE {
+//   version           ECPVer,
+//   fieldID           FieldID,
+//   curve             Curve,
+//   base              ECPoint,
+//   order             INTEGER,
+//   cofactor          INTEGER OPTIONAL
+// }
+#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, Clone, Eq, PartialEq, Debug)]
+pub struct SpecifiedECDomain<'a> {
+    pub version: u8,
+    pub field_id: FieldID<'a>,
+    pub curve: Curve<'a>,
+    pub base: &'a [u8], // ECPoint can be compressed or uncompressed
+    pub order: asn1::BigUint<'a>,
+    pub cofactor: Option<u8>,
+}
+
+// From RFC 3279 Section 2.3.5
+// FieldID ::= SEQUENCE {
+//   fieldType   FIELD-TYPE.&id({SupportedFieldTypes}),
+//   parameters  FIELD-TYPE.&Type({SupportedFieldTypes}{@fieldType})
+// }
+#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, Clone, PartialEq, Eq, Debug)]
+pub struct FieldID<'a> {
+    pub field_type: asn1::DefinedByMarker<asn1::ObjectIdentifier>,
+    #[defined_by(field_type)]
+    pub parameters: FieldParameters<'a>,
+}
+
+#[derive(asn1::Asn1DefinedByRead, asn1::Asn1DefinedByWrite, Hash, Clone, PartialEq, Eq, Debug)]
+pub enum FieldParameters<'a> {
+    #[defined_by(oid::PRIME_FIELD_OID)]
+    PrimeField(asn1::BigUint<'a>),
+    #[defined_by(oid::CHARACTERISTIC_TWO_FIELD_OID)]
+    CharacteristicTwo(asn1::Tlv<'a>),
+}
+
+// From RFC 3279 Section 2.3.5
+// Curve ::= SEQUENCE {
+//   a         FieldElement,
+//   b         FieldElement,
+//   seed      BIT STRING OPTIONAL
+// }
+#[derive(asn1::Asn1Read, asn1::Asn1Write, Hash, Clone, PartialEq, Eq, Debug)]
+pub struct Curve<'a> {
+    pub a: &'a [u8], // FieldElement
+    pub b: &'a [u8], // FieldElement
+    pub seed: Option<asn1::BitString<'a>>,
 }
 
 // From RFC 4055 section 3.1:

src/rust/cryptography-x509/src/ec_constants.rs

@@ -0,0 +1,142 @@
+// This file is dual licensed under the terms of the Apache License, Version
+// 2.0, and the BSD License. See the LICENSE file in the root of this repository
+// for complete details.
+
+use crate::common::{Curve, FieldID, FieldParameters, SpecifiedECDomain};
+
+const P256_FIELD: FieldID<'static> = FieldID {
+    field_type: asn1::DefinedByMarker::marker(),
+    parameters: FieldParameters::PrimeField(asn1::BigUint::new(b"\x00\xff\xff\xff\xff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff").unwrap()),
+};
+const P256_CURVE_A: &[u8; 32] = b"\xff\xff\xff\xff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc";
+const P256_CURVE_B: &[u8; 32] = b"\x5a\xc6\x35\xd8\xaa\x3a\x93\xe7\xb3\xeb\xbd\x55\x76\x98\x86\xbc\x65\x1d\x06\xb0\xcc\x53\xb0\xf6\x3b\xce\x3c\x3e\x27\xd2\x60\x4b";
+const P256_SEED: asn1::BitString<'static> = asn1::BitString::new(
+    b"\xc4\x9d\x36\x08\x86\xe7\x04\x93\x6a\x66\x78\xe1\x13\x9d\x26\xb7\x81\x9f\x7e\x90",
+    0,
+)
+.unwrap();
+const P256_UNCOMPRESSED_BASE: &[u8; 65] = b"\x04\x6b\x17\xd1\xf2\xe1\x2c\x42\x47\xf8\xbc\xe6\xe5\x63\xa4\x40\xf2\x77\x03\x7d\x81\x2d\xeb\x33\xa0\xf4\xa1\x39\x45\xd8\x98\xc2\x96\x4f\xe3\x42\xe2\xfe\x1a\x7f\x9b\x8e\xe7\xeb\x4a\x7c\x0f\x9e\x16\x2b\xce\x33\x57\x6b\x31\x5e\xce\xcb\xb6\x40\x68\x37\xbf\x51\xf5";
+const P256_ORDER: asn1::BigUint<'static> = asn1::BigUint::new(b"\x00\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xbc\xe6\xfa\xad\xa7\x17\x9e\x84\xf3\xb9\xca\xc2\xfc\x63\x25\x51").unwrap();
+
+pub const P256_DOMAIN: SpecifiedECDomain<'static> = SpecifiedECDomain {
+    version: 1,
+    field_id: P256_FIELD,
+    curve: Curve {
+        a: P256_CURVE_A,
+        b: P256_CURVE_B,
+        seed: Some(P256_SEED),
+    },
+    base: P256_UNCOMPRESSED_BASE,
+    order: P256_ORDER,
+    cofactor: Some(1),
+};
+
+pub const P256_DOMAIN_NO_SEED: SpecifiedECDomain<'static> = SpecifiedECDomain {
+    version: 1,
+    field_id: P256_FIELD,
+    curve: Curve {
+        a: P256_CURVE_A,
+        b: P256_CURVE_B,
+        seed: None,
+    },
+    base: P256_UNCOMPRESSED_BASE,
+    order: P256_ORDER,
+    cofactor: Some(1),
+};
+
+const P384_FIELD: FieldID<'static> = FieldID {
+    field_type: asn1::DefinedByMarker::marker(),
+    parameters: FieldParameters::PrimeField(asn1::BigUint::new(b"\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff").unwrap()),
+};
+const P384_CURVE_A: &[u8; 48] = b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfc";
+const P384_CURVE_B: &[u8; 48] = b"\xb3\x31\x2f\xa7\xe2\x3e\xe7\xe4\x98\x8e\x05\x6b\xe3\xf8\x2d\x19\x18\x1d\x9c\x6e\xfe\x81\x41\x12\x03\x14\x08\x8f\x50\x13\x87\x5a\xc6\x56\x39\x8d\x8a\x2e\xd1\x9d\x2a\x85\xc8\xed\xd3\xec\x2a\xef";
+const P384_SEED: asn1::BitString<'static> = asn1::BitString::new(
+    b"\xa3\x35\x92\x6a\xa3\x19\xa2\x7a\x1d\x00\x89\x6a\x67\x73\xa4\x82\x7a\xcd\xac\x73",
+    0,
+)
+.unwrap();
+const P384_UNCOMPRESSED_BASE: &[u8; 97] = b"\x04\xaa\x87\xca\x22\xbe\x8b\x05\x37\x8e\xb1\xc7\x1e\xf3\x20\xad\x74\x6e\x1d\x3b\x62\x8b\xa7\x9b\x98\x59\xf7\x41\xe0\x82\x54\x2a\x38\x55\x02\xf2\x5d\xbf\x55\x29\x6c\x3a\x54\x5e\x38\x72\x76\x0a\xb7\x36\x17\xde\x4a\x96\x26\x2c\x6f\x5d\x9e\x98\xbf\x92\x92\xdc\x29\xf8\xf4\x1d\xbd\x28\x9a\x14\x7c\xe9\xda\x31\x13\xb5\xf0\xb8\xc0\x0a\x60\xb1\xce\x1d\x7e\x81\x9d\x7a\x43\x1d\x7c\x90\xea\x0e\x5f";
+const P384_ORDER: asn1::BigUint<'static> = asn1::BigUint::new(b"\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xc7\x63\x4d\x81\xf4\x37\x2d\xdf\x58\x1a\x0d\xb2\x48\xb0\xa7\x7a\xec\xec\x19\x6a\xcc\xc5\x29\x73").unwrap();
+
+pub const P384_DOMAIN: SpecifiedECDomain<'static> = SpecifiedECDomain {
+    version: 1,
+    field_id: P384_FIELD,
+    curve: Curve {
+        a: P384_CURVE_A,
+        b: P384_CURVE_B,
+        seed: Some(P384_SEED),
+    },
+    base: P384_UNCOMPRESSED_BASE,
+    order: P384_ORDER,
+    cofactor: Some(1),
+};
+
+pub const P384_DOMAIN_NO_SEED: SpecifiedECDomain<'static> = SpecifiedECDomain {
+    version: 1,
+    field_id: P384_FIELD,
+    curve: Curve {
+        a: P384_CURVE_A,
+        b: P384_CURVE_B,
+        seed: None,
+    },
+    base: P384_UNCOMPRESSED_BASE,
+    order: P384_ORDER,
+    cofactor: Some(1),
+};
+
+const P521_FIELD: FieldID<'static> = FieldID {
+    field_type: asn1::DefinedByMarker::marker(),
+    parameters: FieldParameters::PrimeField(asn1::BigUint::new(b"\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff").unwrap()),
+};
+const P521_CURVE_A: &[u8; 66] = b"\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfc";
+const P521_CURVE_B: &[u8; 66] = b"\x00\x51\x95\x3e\xb9\x61\x8e\x1c\x9a\x1f\x92\x9a\x21\xa0\xb6\x85\x40\xee\xa2\xda\x72\x5b\x99\xb3\x15\xf3\xb8\xb4\x89\x91\x8e\xf1\x09\xe1\x56\x19\x39\x51\xec\x7e\x93\x7b\x16\x52\xc0\xbd\x3b\xb1\xbf\x07\x35\x73\xdf\x88\x3d\x2c\x34\xf1\xef\x45\x1f\xd4\x6b\x50\x3f\x00";
+const P521_SEED: asn1::BitString<'static> = asn1::BitString::new(
+    b"\xd0\x9e\x88\x00\x29\x1c\xb8\x53\x96\xcc\x67\x17\x39\x32\x84\xaa\xa0\xda\x64\xba",
+    0,
+)
+.unwrap();
+const P521_UNCOMPRESSED_BASE: &[u8; 133] = b"\x04\x00\xc6\x85\x8e\x06\xb7\x04\x04\xe9\xcd\x9e\x3e\xcb\x66\x23\x95\xb4\x42\x9c\x64\x81\x39\x05\x3f\xb5\x21\xf8\x28\xaf\x60\x6b\x4d\x3d\xba\xa1\x4b\x5e\x77\xef\xe7\x59\x28\xfe\x1d\xc1\x27\xa2\xff\xa8\xde\x33\x48\xb3\xc1\x85\x6a\x42\x9b\xf9\x7e\x7e\x31\xc2\xe5\xbd\x66\x01\x18\x39\x29\x6a\x78\x9a\x3b\xc0\x04\x5c\x8a\x5f\xb4\x2c\x7d\x1b\xd9\x98\xf5\x44\x49\x57\x9b\x44\x68\x17\xaf\xbd\x17\x27\x3e\x66\x2c\x97\xee\x72\x99\x5e\xf4\x26\x40\xc5\x50\xb9\x01\x3f\xad\x07\x61\x35\x3c\x70\x86\xa2\x72\xc2\x40\x88\xbe\x94\x76\x9f\xd1\x66\x50";
+const P521_ORDER: asn1::BigUint<'static> = asn1::BigUint::new(b"\x01\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfa\x51\x86\x87\x83\xbf\x2f\x96\x6b\x7f\xcc\x01\x48\xf7\x09\xa5\xd0\x3b\xb5\xc9\xb8\x89\x9c\x47\xae\xbb\x6f\xb7\x1e\x91\x38\x64\x09").unwrap();
+
+pub const P521_DOMAIN: SpecifiedECDomain<'static> = SpecifiedECDomain {
+    version: 1,
+    field_id: P521_FIELD,
+    curve: Curve {
+        a: P521_CURVE_A,
+        b: P521_CURVE_B,
+        seed: Some(P521_SEED),
+    },
+    base: P521_UNCOMPRESSED_BASE,
+    order: P521_ORDER,
+    cofactor: Some(1),
+};
+
+pub const P521_DOMAIN_NO_SEED: SpecifiedECDomain<'static> = SpecifiedECDomain {
+    version: 1,
+    field_id: P521_FIELD,
+    curve: Curve {
+        a: P521_CURVE_A,
+        b: P521_CURVE_B,
+        seed: None,
+    },
+    base: P521_UNCOMPRESSED_BASE,
+    order: P521_ORDER,
+    cofactor: Some(1),
+};
+
+// There is no seed for this curve so we don't need to create two domains like the previous curves
+pub const SECP256K1_DOMAIN: SpecifiedECDomain<'static> = SpecifiedECDomain {
+    version: 1,
+    field_id: FieldID {
+        field_type: asn1::DefinedByMarker::marker(),
+        parameters: FieldParameters::PrimeField(asn1::BigUint::new(b"\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xfc\x2f").unwrap()),
+    },
+    curve: Curve {
+        a: b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
+        b: b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07",
+        seed: None,
+    },
+    base: b"\x04\x79\xbe\x66\x7e\xf9\xdc\xbb\xac\x55\xa0\x62\x95\xce\x87\x0b\x07\x02\x9b\xfc\xdb\x2d\xce\x28\xd9\x59\xf2\x81\x5b\x16\xf8\x17\x98\x48\x3a\xda\x77\x26\xa3\xc4\x65\x5d\xa4\xfb\xfc\x0e\x11\x08\xa8\xfd\x17\xb4\x48\xa6\x85\x54\x19\x9c\x47\xd0\x8f\xfb\x10\xd4\xb8",
+    order: asn1::BigUint::new(b"\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xba\xae\xdc\xe6\xaf\x48\xa0\x3b\xbf\xd2\x5e\x8c\xd0\x36\x41\x41").unwrap(),
+    cofactor: Some(1),
+};

src/rust/cryptography-x509/src/lib.rs

@@ -10,6 +10,7 @@ pub mod certificate;
 pub mod common;
 pub mod crl;
 pub mod csr;
+pub mod ec_constants;
 pub mod extensions;
 pub mod name;
 pub mod ocsp_req;

src/rust/cryptography-x509/src/oid.rs

@@ -172,3 +172,6 @@ pub const HMAC_WITH_SHA224_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 1
 pub const HMAC_WITH_SHA256_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 2, 9);
 pub const HMAC_WITH_SHA384_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 2, 10);
 pub const HMAC_WITH_SHA512_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 113549, 2, 11);
+
+pub const PRIME_FIELD_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 1, 1);
+pub const CHARACTERISTIC_TWO_FIELD_OID: asn1::ObjectIdentifier = asn1::oid!(1, 2, 840, 10045, 1, 2);

src/rust/src/error.rs

@@ -64,7 +64,7 @@ impl From<cryptography_key_parsing::KeyParsingError> for CryptographyError {
             }
             cryptography_key_parsing::KeyParsingError::ExplicitCurveUnsupported => {
                 CryptographyError::Py(pyo3::exceptions::PyValueError::new_err(
-                    "ECDSA keys with explicit parameters are unsupported at this time",
+                    "ECDSA keys with explicit parameters are only supported when they map to secp256r1, secp384r1, secp521r1, or secp256k1. No custom curves are supported.",
                 ))
             }
             cryptography_key_parsing::KeyParsingError::UnsupportedKeyType(oid) => {

tests/hazmat/primitives/test_ec.py

@@ -1071,7 +1071,8 @@ def test_public_bytes_from_derived_public_key(self, backend):
         parsed_public = serialization.load_pem_public_key(pem, backend)
         assert parsed_public
 
-    def test_load_private_key_explicit_parameters(self):
+    def test_load_private_key_unsupported_explicit_parameters(self):
+        # This vector is P256 except the prime field value is wrong
         with pytest.raises(ValueError, match="explicit parameters"):
             load_vectors_from_file(
                 os.path.join(
@@ -1084,6 +1085,7 @@ def test_load_private_key_explicit_parameters(self):
             )
 
         with pytest.raises(ValueError, match="explicit parameters"):
+            # This vector encodes SECT233R1 explicitly
             load_vectors_from_file(
                 os.path.join(
                     "asymmetric",
@@ -1096,6 +1098,54 @@ def test_load_private_key_explicit_parameters(self):
                 mode="rb",
             )
 
+    @pytest.mark.parametrize(
+        ("curve", "file"),
+        [
+            # secp256k1 has no seed value
+            (ec.SECP256K1, "secp256k1-explicit-no-seed.pem"),
+            (ec.SECP256R1, "secp256r1-explicit-seed.pem"),
+            (ec.SECP256R1, "secp256r1-explicit-no-seed.pem"),
+            (ec.SECP384R1, "secp384r1-explicit-seed.pem"),
+            (ec.SECP384R1, "secp384r1-explicit-no-seed.pem"),
+            (ec.SECP521R1, "secp521r1-explicit-seed.pem"),
+            (ec.SECP521R1, "secp521r1-explicit-no-seed.pem"),
+        ],
+    )
+    def test_load_private_key_explicit_parameters(self, curve, file, backend):
+        _skip_curve_unsupported(backend, curve())
+        key = load_vectors_from_file(
+            os.path.join("asymmetric", "EC", file),
+            lambda pemfile: serialization.load_pem_private_key(
+                pemfile.read(), password=None
+            ),
+            mode="rb",
+        )
+        assert isinstance(key, ec.EllipticCurvePrivateKey)
+        assert isinstance(key.curve, curve)
+
+    @pytest.mark.parametrize(
+        ("curve", "file"),
+        [
+            # secp256k1 has no seed value
+            (ec.SECP256K1, "secp256k1-pub-explicit-no-seed.pem"),
+            (ec.SECP256R1, "secp256r1-pub-explicit-seed.pem"),
+            (ec.SECP256R1, "secp256r1-pub-explicit-no-seed.pem"),
+            (ec.SECP384R1, "secp384r1-pub-explicit-seed.pem"),
+            (ec.SECP384R1, "secp384r1-pub-explicit-no-seed.pem"),
+            (ec.SECP521R1, "secp521r1-pub-explicit-seed.pem"),
+            (ec.SECP521R1, "secp521r1-pub-explicit-no-seed.pem"),
+        ],
+    )
+    def test_load_public_key_explicit_parameters(self, curve, file, backend):
+        _skip_curve_unsupported(backend, curve())
+        key = load_vectors_from_file(
+            os.path.join("asymmetric", "EC", file),
+            lambda pemfile: serialization.load_pem_public_key(pemfile.read()),
+            mode="rb",
+        )
+        assert isinstance(key, ec.EllipticCurvePublicKey)
+        assert isinstance(key.curve, curve)
+
     def test_load_private_key_unsupported_curve(self):
         with pytest.raises((ValueError, exceptions.UnsupportedAlgorithm)):
             load_vectors_from_file(

tests/x509/test_x509.py

@@ -5899,11 +5899,11 @@ def test_load_ecdsa_no_named_curve(self, backend):
             os.path.join("x509", "custom", "ec_no_named_curve.pem"),
             x509.load_pem_x509_certificate,
         )
-        # This test can trigger three different value errors depending
-        # on OpenSSL/BoringSSL and versions. Match on the text to ensure
-        # we are getting the right error.
-        with pytest.raises(ValueError, match="explicit parameters"):
-            cert.public_key()
+        # We map explicit parameters to known curves and this cert
+        # contains explicit params for P256, so it should load.
+        pk = cert.public_key()
+        assert isinstance(pk, ec.EllipticCurvePublicKey)
+        assert isinstance(pk.curve, ec.SECP256R1)
 
     def test_verify_directly_issued_by_ec(self):
         issuer_private_key = ec.generate_private_key(ec.SECP256R1())