2 files changed, 21 insertions, 20 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index 56b7893e..33d5b498 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -43,7 +43,13 @@ def _ec_key_curve_sn(backend, ec_key):
     assert group != backend._ffi.NULL
 
     nid = backend._lib.EC_GROUP_get_curve_name(group)
-    assert nid != backend._lib.NID_undef
+    # The following check is to find EC keys with unnamed curves and raise
+    # an error for now.
+    if nid == backend._lib.NID_undef:
+        raise NotImplementedError(
+            "ECDSA certificates with unnamed curves are unsupported "
+            "at this time"
+        )
 
     curve_name = backend._lib.OBJ_nid2sn(nid)
     assert curve_name != backend._ffi.NULL
@@ -52,6 +58,18 @@ def _ec_key_curve_sn(backend, ec_key):
     return sn
 
 
+def _mark_asn1_named_ec_curve(backend, ec_cdata):
+    """
+    Set the named curve flag on the EC_KEY. This causes OpenSSL to
+    serialize EC keys along with their curve OID which makes
+    deserialization easier.
+    """
+
+    backend._lib.EC_KEY_set_asn1_flag(
+        ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
+    )
+
+
 def _sn_to_elliptic_curve(backend, sn):
     try:
         return ec._CURVE_TYPES[sn]()
@@ -132,6 +150,7 @@ class _ECDSAVerificationContext(object):
 class _EllipticCurvePrivateKey(object):
     def __init__(self, backend, ec_key_cdata):
         self._backend = backend
+        _mark_asn1_named_ec_curve(backend, ec_key_cdata)
         self._ec_key = ec_key_cdata
 
         sn = _ec_key_curve_sn(backend, ec_key_cdata)
@@ -184,6 +203,7 @@ class _EllipticCurvePrivateKey(object):
 class _EllipticCurvePublicKey(object):
     def __init__(self, backend, ec_key_cdata):
         self._backend = backend
+        _mark_asn1_named_ec_curve(backend, ec_key_cdata)
         self._ec_key = ec_key_cdata
 
         sn = _ec_key_curve_sn(backend, ec_key_cdata)
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 0828f3cc..66c99c9f 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -63,25 +63,6 @@ class _Certificate(object):
         pkey = self._backend._lib.X509_get_pubkey(self._x509)
         assert pkey != self._backend._ffi.NULL
         pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
-        # The following check is to find ECDSA certificates with unnamed
-        # curves and raise an error for now.
-        if (
-            self._backend._lib.Cryptography_HAS_EC == 1 and
-            pkey.type == self._backend._lib.EVP_PKEY_EC
-        ):
-            ec_cdata = self._backend._lib.EVP_PKEY_get1_EC_KEY(pkey)
-            assert ec_cdata != self._backend._ffi.NULL
-            ec_cdata = self._backend._ffi.gc(
-                ec_cdata, self._backend._lib.EC_KEY_free
-            )
-            group = self._backend._lib.EC_KEY_get0_group(ec_cdata)
-            assert group != self._backend._ffi.NULL
-            nid = self._backend._lib.EC_GROUP_get_curve_name(group)
-            if nid == self._backend._lib.NID_undef:
-                raise NotImplementedError(
-                    "ECDSA certificates with unnamed curves are unsupported "
-                    "at this time"
-                )
 
         return self._backend._evp_pkey_to_public_key(pkey)