deprecate old from_encoded_point (#4640)

5 files changed, 34 insertions, 13 deletions

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 7780c6ba..1801e04e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -31,7 +31,9 @@ Changelog
 * Added
   :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`,
   which immediately checks if the point is on the curve and supports compressed
-  points.
+  points. Deprecated the previous method
+  :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
+
 
 .. _v2-4-2:
 
diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst
index 728c5159..168cdfd8 100644
--- a/docs/hazmat/primitives/asymmetric/ec.rst
+++ b/docs/hazmat/primitives/asymmetric/ec.rst
@@ -206,6 +206,11 @@ Elliptic Curve Signature Algorithms
 
         .. versionadded:: 1.1
 
+        .. note::
+
+            This has been deprecated in favor of
+            :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point`
+
         Decodes a byte string as described in `SEC 1 v2.0`_ section 2.3.3 and
         returns an :class:`EllipticCurvePublicNumbers`. This method only
         supports uncompressed points.
diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py
index 6b1de7c5..125235f8 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/ec.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py
@@ -5,6 +5,7 @@
 from __future__ import absolute_import, division, print_function
 
 import abc
+import warnings
 
 import six
 
@@ -366,6 +367,14 @@ class EllipticCurvePublicNumbers(object):
         if not isinstance(curve, EllipticCurve):
             raise TypeError("curve must be an EllipticCurve instance")
 
+        warnings.warn(
+            "Support for unsafe construction of public numbers from "
+            "encoded data will be removed in a future version. "
+            "Please use EllipticCurvePublicKey.from_encoded_point",
+            utils.DeprecatedIn25,
+            stacklevel=2,
+        )
+
         if data.startswith(b'\x04'):
             # key_size is in bits. Convert to bytes and round up
             byte_length = (curve.key_size + 7) // 8
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
index 65a4ee71..cbbae3a7 100644
--- a/src/cryptography/utils.py
+++ b/src/cryptography/utils.py
@@ -23,6 +23,7 @@ class CryptographyDeprecationWarning(UserWarning):
 PersistentlyDeprecated = CryptographyDeprecationWarning
 DeprecatedIn21 = CryptographyDeprecationWarning
 DeprecatedIn23 = CryptographyDeprecationWarning
+DeprecatedIn25 = CryptographyDeprecationWarning
 
 
 def _check_bytes(name, value):
diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
index 9a8ddf60..7cf9a09a 100644
--- a/tests/hazmat/primitives/test_ec.py
+++ b/tests/hazmat/primitives/test_ec.py
@@ -188,9 +188,10 @@ def test_from_encoded_point():
         "04233ea3b0027127084cd2cd336a13aeef69c598d8af61369a36454a17c6c22ae"
         "c3ea2c10a84153862be4ec82940f0543f9ba866af9751a6ee79d38460b35f442e"
     )
-    pn = ec.EllipticCurvePublicNumbers.from_encoded_point(
-        ec.SECP256R1(), data
-    )
+    with pytest.warns(CryptographyDeprecationWarning):
+        pn = ec.EllipticCurvePublicNumbers.from_encoded_point(
+            ec.SECP256R1(), data
+        )
     assert pn.x == int(
         '233ea3b0027127084cd2cd336a13aeef69c598d8af61369a36454a17c6c22aec',
         16
@@ -207,9 +208,10 @@ def test_from_encoded_point_invalid_length():
         "c3ea2c10a84153862be4ec82940f0543f9ba866af9751a6ee79d38460"
     )
     with pytest.raises(ValueError):
-        ec.EllipticCurvePublicNumbers.from_encoded_point(
-            ec.SECP384R1(), bad_data
-        )
+        with pytest.warns(CryptographyDeprecationWarning):
+            ec.EllipticCurvePublicNumbers.from_encoded_point(
+                ec.SECP384R1(), bad_data
+            )
 
 
 def test_from_encoded_point_unsupported_point_no_backend():
@@ -218,16 +220,18 @@ def test_from_encoded_point_unsupported_point_no_backend():
         "02233ea3b0027127084cd2cd336a13aeef69c598d8af61369a36454a17c6c22a"
     )
     with pytest.raises(ValueError):
-        ec.EllipticCurvePublicNumbers.from_encoded_point(
-            ec.SECP256R1(), unsupported_type
-        )
+        with pytest.warns(CryptographyDeprecationWarning):
+            ec.EllipticCurvePublicNumbers.from_encoded_point(
+                ec.SECP256R1(), unsupported_type
+            )
 
 
 def test_from_encoded_point_not_a_curve():
     with pytest.raises(TypeError):
-        ec.EllipticCurvePublicNumbers.from_encoded_point(
-            "notacurve", b"\x04data"
-        )
+        with pytest.warns(CryptographyDeprecationWarning):
+            ec.EllipticCurvePublicNumbers.from_encoded_point(
+                "notacurve", b"\x04data"
+            )
 
 
 def test_ec_public_numbers_repr():