From 88c6fa8fe02b92bcb7fb492ebac21d4867e912e1 Mon Sep 17 00:00:00 2001
From: Leo Eichhorn <leo.eichhorn@dfinity.org>
Date: Tue, 4 Mar 2025 16:26:13 +0000
Subject: [PATCH] check

---
 rs/crypto/utils/canister_threshold_sig/src/lib.rs     | 5 +++++
 rs/execution_environment/src/execution_environment.rs | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/rs/crypto/utils/canister_threshold_sig/src/lib.rs b/rs/crypto/utils/canister_threshold_sig/src/lib.rs
index 3851ae497c2..2de78bdc61c 100644
--- a/rs/crypto/utils/canister_threshold_sig/src/lib.rs
+++ b/rs/crypto/utils/canister_threshold_sig/src/lib.rs
@@ -50,6 +50,11 @@ pub fn derive_vetkd_public_key(
     Ok(derived_key.serialize().to_vec())
 }
 
+/// Checks if the given bytes deserialize into a correct public key
+pub fn is_valid_transport_public_key(transport_public_key: &[u8; 48]) -> bool {
+    G2Affine::deserialize(transport_public_key).is_ok()
+}
+
 #[derive(Clone, Eq, PartialEq, Debug)]
 pub enum VetKdPublicKeyDeriveError {
     InvalidAlgorithmId,
diff --git a/rs/execution_environment/src/execution_environment.rs b/rs/execution_environment/src/execution_environment.rs
index 75e06e55f2f..609a30d6ec9 100644
--- a/rs/execution_environment/src/execution_environment.rs
+++ b/rs/execution_environment/src/execution_environment.rs
@@ -20,7 +20,7 @@ use ic_base_types::PrincipalId;
 use ic_config::execution_environment::Config as ExecutionConfig;
 use ic_config::flag_status::FlagStatus;
 use ic_crypto_utils_canister_threshold_sig::{
-    derive_threshold_public_key, derive_vetkd_public_key,
+    derive_threshold_public_key, derive_vetkd_public_key, is_valid_transport_public_key,
 };
 use ic_cycles_account_manager::{
     is_delayed_ingress_induction_cost, CyclesAccountManager, IngressInductionCost,
@@ -2859,6 +2859,12 @@ impl ExecutionEnvironment {
                 ),
             ));
         };
+        if !is_valid_transport_public_key(&args.encryption_public_key) {
+            return Err(UserError::new(
+                ErrorCode::CanisterRejectedMessage,
+                "The provided transport public key is invalid.",
+            ));
+        }
         self.sign_with_threshold(
             (*request).clone(),
             ThresholdArguments::VetKd(VetKdArguments {