fixes #12257 -- raise the correct error on an unsupported curve (#12271)

Author: alex

src/rust/src/backend/ec.rs

@@ -45,7 +45,8 @@ fn curve_from_py_curve(
     }
 
     let py_curve_name = py_curve.getattr(pyo3::intern!(py, "name"))?;
-    let nid = match &*py_curve_name.extract::<pyo3::pybacked::PyBackedStr>()? {
+    let curve_name = &*py_curve_name.extract::<pyo3::pybacked::PyBackedStr>()?;
+    let nid = match curve_name {
         "secp192r1" => openssl::nid::Nid::X9_62_PRIME192V1,
         "secp224r1" => openssl::nid::Nid::SECP224R1,
         "secp256r1" => openssl::nid::Nid::X9_62_PRIME256V1,
@@ -84,7 +85,12 @@ fn curve_from_py_curve(
         }
     };
 
-    Ok(openssl::ec::EcGroup::from_curve_name(nid)?)
+    Ok(openssl::ec::EcGroup::from_curve_name(nid).map_err(|_| {
+        exceptions::UnsupportedAlgorithm::new_err((
+            format!("Curve {curve_name} is not supported"),
+            exceptions::Reasons::UNSUPPORTED_ELLIPTIC_CURVE,
+        ))
+    })?)
 }
 
 fn py_curve_from_curve<'p>(

tests/hazmat/primitives/test_ec.py

@@ -331,6 +331,21 @@ def test_generate_unknown_curve(self, backend):
             is False
         )
 
+    @pytest.mark.skip_fips(
+        reason="Some FIPS curves aren't supported but work anyways"
+    )
+    @pytest.mark.parametrize("curve", ec._CURVE_TYPES.values())
+    def test_generate_unsupported_curve(
+        self, backend, curve: ec.EllipticCurve
+    ):
+        if backend.elliptic_curve_supported(curve):
+            return
+
+        with raises_unsupported_algorithm(
+            exceptions._Reasons.UNSUPPORTED_ELLIPTIC_CURVE
+        ):
+            ec.generate_private_key(curve)
+
     def test_unknown_signature_algoritm(self, backend):
         _skip_curve_unsupported(backend, ec.SECP192R1())