check

dfinity · Mar 4, 2025 · 88c6fa8 · 88c6fa8
1 parent d37c766
commit 88c6fa8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/rs/crypto/utils/canister_threshold_sig/src/lib.rs b/rs/crypto/utils/canister_threshold_sig/src/lib.rs
@@ -50,6 +50,11 @@ pub fn derive_vetkd_public_key(
     Ok(derived_key.serialize().to_vec())
 }
 
+/// Checks if the given bytes deserialize into a correct public key
+pub fn is_valid_transport_public_key(transport_public_key: &[u8; 48]) -> bool {
+    G2Affine::deserialize(transport_public_key).is_ok()
+}
+
 #[derive(Clone, Eq, PartialEq, Debug)]
 pub enum VetKdPublicKeyDeriveError {
     InvalidAlgorithmId,

diff --git a/rs/execution_environment/src/execution_environment.rs b/rs/execution_environment/src/execution_environment.rs
@@ -20,7 +20,7 @@ use ic_base_types::PrincipalId;
 use ic_config::execution_environment::Config as ExecutionConfig;
 use ic_config::flag_status::FlagStatus;
 use ic_crypto_utils_canister_threshold_sig::{
-    derive_threshold_public_key, derive_vetkd_public_key,
+    derive_threshold_public_key, derive_vetkd_public_key, is_valid_transport_public_key,
 };
 use ic_cycles_account_manager::{
     is_delayed_ingress_induction_cost, CyclesAccountManager, IngressInductionCost,
@@ -2859,6 +2859,12 @@ impl ExecutionEnvironment {
                 ),
             ));
         };
+        if !is_valid_transport_public_key(&args.encryption_public_key) {
+            return Err(UserError::new(
+                ErrorCode::CanisterRejectedMessage,
+                "The provided transport public key is invalid.",
+            ));
+        }
         self.sign_with_threshold(
             (*request).clone(),
             ThresholdArguments::VetKd(VetKdArguments {