authorPeter Dettman <peter.dettman@bouncycastle.org>2014-07-25 15:20:54 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2014-07-25 15:20:54 +0700
commitb4c8b367d2f2404c9622fcfcca5a0ddeacf9baa2 (patch)
tree1e9870660312ebdc0644e9194166ad61cf14e0bd /crypto/src
parentAdd GetCipherType method and refactor (diff)
Check point against cofactor after decompression
Diffstat (limited to 'crypto/src')
-rw-r--r--crypto/src/math/ec/ECCurve.cs3
-rw-r--r--crypto/src/math/ec/ECPoint.cs12
2 files changed, 10 insertions, 5 deletions
diff --git a/crypto/src/math/ec/ECCurve.cs b/crypto/src/math/ec/ECCurve.cs
index 889da292f..eaa3e0c3d 100644
--- a/crypto/src/math/ec/ECCurve.cs
+++ b/crypto/src/math/ec/ECCurve.cs
@@ -387,6 +387,9 @@ namespace Org.BouncyCastle.Math.EC
                     BigInteger X = new BigInteger(1, encoded, 1, expectedLength);
 
                     p = DecompressPoint(yTilde, X);
+                    if (!p.SatisfiesCofactor())
+                        throw new ArgumentException("Invalid point");
+
                     break;
                 }
 
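Review bot: The check added after `DecompressPoint(yTilde, X)` is a no-op whenever the curve has no cofactor configured, because `SatisfiesCofactor()` (added to ECPoint.cs in this same commit) returns true for `h == null`; a curve constructed without its cofactor will still accept a decompressed point whose order divides the real cofactor. A call-site comment would make that visible, e.g. `// Rejects points whose order divides the cofactor; skipped when Curve.Cofactor is null or one`. The branches for the other point encodings lie outside this hunk, so whether they receive an equivalent check cannot be confirmed from here and should be verified. Consider also `throw new ArgumentException("Invalid point", "encoded");` so the caller can tell which argument was rejected.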
diff --git a/crypto/src/math/ec/ECPoint.cs b/crypto/src/math/ec/ECPoint.cs
index dbeaf31aa..3e206e65f 100644
--- a/crypto/src/math/ec/ECPoint.cs
+++ b/crypto/src/math/ec/ECPoint.cs
@@ -67,6 +67,12 @@ namespace Org.BouncyCastle.Math.EC
             this.m_withCompression = withCompression;
         }
 
+        protected internal bool SatisfiesCofactor()
+        {
+            BigInteger h = Curve.Cofactor;
+            return h == null || h.Equals(BigInteger.One) || !ECAlgorithms.ReferenceMultiply(this, h).IsInfinity;
+        }
+
         protected abstract bool SatisfiesCurveEquation();
 
         public ECPoint GetDetachedPoint()
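Review bot: `SatisfiesCofactor()` has no doc comment, and its name suggests a stronger guarantee than the body gives: `!ECAlgorithms.ReferenceMultiply(this, h).IsInfinity` only rejects points whose order divides the cofactor, it does not show the point lies in the prime-order subgroup. I would add `/// <summary>Returns false only when h * this is the point at infinity, i.e. the point's order divides the curve cofactor; returns true without checking when the cofactor is null or one.</summary>` and note there that full subgroup membership needs a separate check against the group order. The method also dereferences `Curve` without a null guard; the call site in the validity check appears to be inside a guarded block that starts outside these hunks, but new callers would need to ensure the same.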
@@ -304,12 +310,8 @@ namespace Org.BouncyCastle.Math.EC
                 if (!SatisfiesCurveEquation())
                     return false;
 
-                BigInteger h = curve.Cofactor;
-                if (h != null && !h.Equals(BigInteger.One)
-                    && ECAlgorithms.ReferenceMultiply(this, h).IsInfinity)
-                {
+                if (!SatisfiesCofactor())
                     return false;
-                }
             }
 
             return true;