authorEvgeniy Tatarkin <tatarkin.evg@gmail.com>2021-12-12 14:49:19 +0300
committerGitHub <noreply@github.com>2021-12-12 17:49:19 +0600
commitaabeb061348cedaafa1ae2e67371525a30b6b93a (patch)
tree02520d6aad9e13df46b259e4f5745ea2416b36be
parent43d38a0c7070961a166a21b94f968e104de947e2 (diff)
downloadpyjwt-aabeb061348cedaafa1ae2e67371525a30b6b93a.tar.gz
Explicit check the key for ECAlgorithm (#713)
* Explicit check the key for ECAlgorithm * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
-rw-r--r--jwt/algorithms.py6
-rw-r--r--tests/test_algorithms.py12
2 files changed, 18 insertions, 0 deletions
diff --git a/jwt/algorithms.py b/jwt/algorithms.py
index 1f8865a..739df80 100644
--- a/jwt/algorithms.py
+++ b/jwt/algorithms.py
@@ -417,6 +417,12 @@ if has_crypto:
except ValueError:
key = load_pem_private_key(key, password=None)
+ # Explicit check the key to prevent confusing errors from cryptography
+ if not isinstance(key, (EllipticCurvePrivateKey, EllipticCurvePublicKey)):
+ raise InvalidKeyError(
+ "Expecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. Wrong key provided for ECDSA algorithms"
+ )
+
return key
def sign(self, msg, key):
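Review bot: The fallback `load_pem_private_key(key, password=None)` in the `except ValueError:` branch just above the new check is not itself guarded, so input that parses as neither a public nor a private key presumably still leaves prepare_key as a raw cryptography exception rather than `InvalidKeyError`. Callers that treat `InvalidKeyError` as the single signal for a rejected key would then handle a wrong-type key and an unparseable key differently. Consider wrapping the fallback as `try: key = load_pem_private_key(key, password=None)` followed by `except ValueError as exc: raise InvalidKeyError("Could not parse the provided key.") from exc`. Separately, the isinstance test confirms the key family only; the visible lines do not check that the key's curve matches the algorithm variant. prepare_key starts outside the hunk, so an outer handler may already cover the first point.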
diff --git a/tests/test_algorithms.py b/tests/test_algorithms.py
index b6a73fc..f4ab75b 100644
--- a/tests/test_algorithms.py
+++ b/tests/test_algorithms.py
@@ -495,6 +495,18 @@ class TestAlgorithms:
assert not result
@crypto_required
+ def test_ec_should_throw_exception_on_wrong_key(self):
+ algo = ECAlgorithm(ECAlgorithm.SHA256)
+
+ with pytest.raises(InvalidKeyError):
+ with open(key_path("testkey_rsa.priv")) as keyfile:
+ algo.prepare_key(keyfile.read())
+
+ with pytest.raises(InvalidKeyError):
+ with open(key_path("testkey2_rsa.pub.pem")) as pem_key:
+ algo.prepare_key(pem_key.read())
+
+ @crypto_required
def test_rsa_pss_sign_then_verify_should_return_true(self):
algo = RSAPSSAlgorithm(RSAPSSAlgorithm.SHA256)
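Review bot: Both `pytest.raises(InvalidKeyError)` blocks in test_ec_should_throw_exception_on_wrong_key accept any InvalidKeyError, so the test would still pass if the exception came from a different path in prepare_key than the new type check. Pinning the message, e.g. `with pytest.raises(InvalidKeyError, match="Wrong key provided for ECDSA"):`, ties the test to the check this commit adds. Reading the key file before entering the `raises` block would also narrow the guarded region to the `algo.prepare_key(...)` call.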