fix: reject identity elements in deserialization and key generation

UdjinM6 · claude · UdjinM6 · commit 42b707bba4c5 · 2026-03-02T21:59:29.000+03:00
Reject BLS identity elements (point at infinity for G1/G2) at the
deserialization boundary in SetBytes(). Also reject zero private keys
in MakeNewKey(), though these would not pass further validation.

Identity elements are mathematically valid curve points but have no
legitimate use in the protocol.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/bls/bls.cpp b/src/bls/bls.cpp
@@ -66,6 +66,9 @@ void CBLSSecretKey::MakeNewKey()
         GetStrongRandBytes({buf, sizeof(buf)});
         try {
             impl = bls::PrivateKey::FromBytes(bls::Bytes(reinterpret_cast<const uint8_t*>(buf), SerSize));
+            if (impl == bls::PrivateKey()) {
+                continue;
+            }
             break;
         } catch (...) {
         }
diff --git a/src/bls/bls.h b/src/bls/bls.h
@@ -111,6 +111,11 @@ class CBLSWrapper
         } else {
             try {
                 impl = ImplType::FromBytes(bls::Bytes(vecBytes.data(), vecBytes.size()), specificLegacyScheme);
+                if (impl == ImplType()) {
+                    Reset();
+                    cachedHash.SetNull();
+                    return;
+                }
                 fValid = true;
             } catch (...) {
                 Reset();
