elliptic-curve: make SecretKey::new failible (#1804)

This fixes an invariant violation where you could create a secret key
from an all-zero scalar and convert it to a non-zero scala.

Fixes: #1607

Author: baloo

elliptic-curve/src/secret_key.rs

@@ -11,7 +11,7 @@ mod pkcs8;
 use crate::{Curve, Error, FieldBytes, Result, ScalarPrimitive};
 use core::fmt::{self, Debug};
 use hybrid_array::typenum::Unsigned;
-use subtle::{Choice, ConstantTimeEq};
+use subtle::{Choice, ConstantTimeEq, CtOption};
 use zeroize::{Zeroize, ZeroizeOnDrop, Zeroizing};
 
 #[cfg(feature = "arithmetic")]
@@ -117,8 +117,12 @@ where
     }
 
     /// Create a new secret key from a scalar value.
-    pub fn new(scalar: ScalarPrimitive<C>) -> Self {
-        Self { inner: scalar }
+    ///
+    /// # Returns
+    ///
+    /// This will return a none if the scalar is all-zero.
+    pub fn new(scalar: ScalarPrimitive<C>) -> CtOption<Self> {
+        CtOption::new(Self { inner: scalar }, !scalar.is_zero())
     }
 
     /// Borrow the inner secret [`ScalarPrimitive`] value.