Test failures with pyopenssl 24.3.0 #975
Closed
Description
Code Version
7.5.0
Expected Behavior
Tests should succeed with any dependency version that is within the version bounds pysaml2 declares.
Current Behavior
The following tests fail in combination with pyopenssl==24.3.0.
FAILED tests/test_50_server.py::TestServer1::test_encrypted_response_6 - saml2.cert.CertificateError: Invalid certificate for encryption!
FAILED tests/test_50_server.py::TestServer1NonAsciiAva::test_encrypted_response_6 - saml2.cert.CertificateError: Invalid certificate for encryption!
FAILED tests/test_81_certificates.py::TestGenerateCertificates::test_validate_cert_chains - AssertionError: False is not true
FAILED tests/test_81_certificates.py::TestGenerateCertificates::test_validate_with_root_cert - AssertionError: False is not true
Full tracebacks
pysaml2> ____________________ TestServer1.test_encrypted_response_6 _____________________
pysaml2>
pysaml2> self =
pysaml2>
pysaml2> def test_encrypted_response_6(self):
pysaml2> _server = Server("idp_conf_verify_cert")
pysaml2>
pysaml2> cert_str_advice, cert_key_str_advice = generate_cert()
pysaml2>
pysaml2> cert_str_assertion, cert_key_str_assertion = generate_cert()
pysaml2>
pysaml2> > _resp = _server.create_authn_response(
pysaml2> self.ava,
pysaml2> "id12", # in_response_to
pysaml2> "http://lingon.catalogix.se:8087/", # consumer_url
pysaml2> "urn:mace:example.com:saml:roland:sp", # sp_entity_id
pysaml2> name_id=self.name_id,
pysaml2> sign_response=False,
pysaml2> sign_assertion=False,
pysaml2> encrypt_assertion=True,
pysaml2> encrypt_assertion_self_contained=True,
pysaml2> pefim=True,
pysaml2> encrypt_cert_advice=cert_str_advice,
pysaml2> encrypt_cert_assertion=cert_str_assertion,
pysaml2> )
pysaml2>
pysaml2> tests/test_50_server.py:911:
pysaml2> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
pysaml2> /nix/store/ad02k9isi75v6rjmmsxxcy6279z91pf0-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/server.py:833: in create_authn_response
pysaml2> args = self.gather_authn_response_args(
pysaml2> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
pysaml2>
pysaml2> self =
pysaml2> sp_entity_id = 'urn:mace:example.com:saml:roland:sp', name_id_policy = None
pysaml2> userid = None
pysaml2> kwargs = {'encrypt_assertion': True, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': '-----BEGIN CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjI1MTkzNjMxWhcNMzQxMjIzMTkzNjMxWjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAz69frF07UZCHkhbgi1H3FGpxFxYbwTrD1iWWhtTWJ9RP3wJOMoI/lAs0\nJORpKeWe5AV9JpuLCKzCW7bH7JJqG20acxQEB9dT/PumY8a/L0WK6iO1VF59iK30\nCnV0nK7griNVkA1xSaDHYX8xp0ZEycGclH5BLx0sXXsi8W00nSsBthaQ7Qb26pQz\nEGtxZBBHAejBFkOl6x/kilQkC5t7XYnhbtn5n+TCDdmQiY56Cx/o5ogaxqPUFEwe\nLJfdVjuXYjGIZseUgtHcN1UY8R24xehwEJS5JkfPles4upHA6VfyPmgIzl5tm4hU\n9y5QigSdrFcxxEBbVlb7fyY8r7ow/wIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAByb\nQY95zOmbLRUNT9c1CJl/pHr4jGTG6Jpv3dpE2gFJ3c9xwzr6aFloGpSOeCtAhuue\nAhIcl8WqJFwC9p2mc9q+4gpmLylfjIvaHSYk1DlDZsw9VW3pcICLINqCdM19PsLw\np08h1/FyeMA4tt/x51Y35KKOGZUbJyft+wYMm8ec\n-----END CERTIFICATE-----\n', 'encrypt_cert_assertion': '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjI1MTkzNjMxWhcNMzQxMjIzMTkzNjMxWjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA/M4X5DkGHFB4zEBmAdQ6ve70ISfDh4GEWTmhRrp32APEfTWiV3tYzACS\nRN8axHIULYHxKcJorAtPf8NdPeYJIB20PoIwkC/9P7RRdJIDssSQSDS2tv0cPoXQ\nY4/q8X9olgXY241eMb+jUUqA+rPhZdt8GkbNXJPp5AoCi4jEHdxP9Ij/32Zm2PwN\n+mjb4nDOpzHBXpLe4JssWKxNkHpH97vvw9hEHUwqViDmE6mhgEVOvAz1SrtDvlTj\nIBZ0ywTr9m1qpBFdtjTKpaPhgHSU8KSqFG9Ly20000jDQVSj2tj+quaExx4/8C65\nanj5DHRSRtBAlRdcERQXv//iUbHvGwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBALqh\n5E3GKePM//lgIO5DLln/S/LpoLwQBFZQh+WPxxKrAfOgJW1Fabie1qKSftMQj9Um\nnSk8oDN/pFlhIcWOUs2CZBL+aso8Frd2kXtkoYoSGzFvhE95i2cMAZ57MW+vTXri\nv/1nozv0svcCrEKcSCcNrvy51rFUh8RsfcrW5Xf0\n-----END CERTIFICATE-----\n', ...}
pysaml2> args = {'best_effort': False, 'encrypt_assertion': True, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': '-----BEGIN CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjI1MTkzNjMxWhcNMzQxMjIzMTkzNjMxWjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAz69frF07UZCHkhbgi1H3FGpxFxYbwTrD1iWWhtTWJ9RP3wJOMoI/lAs0\nJORpKeWe5AV9JpuLCKzCW7bH7JJqG20acxQEB9dT/PumY8a/L0WK6iO1VF59iK30\nCnV0nK7griNVkA1xSaDHYX8xp0ZEycGclH5BLx0sXXsi8W00nSsBthaQ7Qb26pQz\nEGtxZBBHAejBFkOl6x/kilQkC5t7XYnhbtn5n+TCDdmQiY56Cx/o5ogaxqPUFEwe\nLJfdVjuXYjGIZseUgtHcN1UY8R24xehwEJS5JkfPles4upHA6VfyPmgIzl5tm4hU\n9y5QigSdrFcxxEBbVlb7fyY8r7ow/wIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAByb\nQY95zOmbLRUNT9c1CJl/pHr4jGTG6Jpv3dpE2gFJ3c9xwzr6aFloGpSOeCtAhuue\nAhIcl8WqJFwC9p2mc9q+4gpmLylfjIvaHSYk1DlDZsw9VW3pcICLINqCdM19PsLw\np08h1/FyeMA4tt/x51Y35KKOGZUbJyft+wYMm8ec\n-----END CERTIFICATE-----\n', ...}
pysaml2> param_defaults = {'best_effort': False, 'encrypt_assertion': False, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': None, ...}
pysaml2> param = 'encrypt_cert_assertion', val_default = None
pysaml2> val_kw = '-----BEGIN CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjI1MTkzNjMxWhcNMzQxMjIzMTkzNjMxWjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEA/M4X5DkGHFB4zEBmAdQ6ve70ISfDh4GEWTmhRrp32APEfTWiV3tYzACS\nRN8axHIULYHxKcJorAtPf8NdPeYJIB20PoIwkC/9P7RRdJIDssSQSDS2tv0cPoXQ\nY4/q8X9olgXY241eMb+jUUqA+rPhZdt8GkbNXJPp5AoCi4jEHdxP9Ij/32Zm2PwN\n+mjb4nDOpzHBXpLe4JssWKxNkHpH97vvw9hEHUwqViDmE6mhgEVOvAz1SrtDvlTj\nIBZ0ywTr9m1qpBFdtjTKpaPhgHSU8KSqFG9Ly20000jDQVSj2tj+quaExx4/8C65\nanj5DHRSRtBAlRdcERQXv//iUbHvGwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBALqh\n5E3GKePM//lgIO5DLln/S/LpoLwQBFZQh+WPxxKrAfOgJW1Fabie1qKSftMQj9Um\nnSk8oDN/pFlhIcWOUs2CZBL+aso8Frd2kXtkoYoSGzFvhE95i2cMAZ57MW+vTXri\nv/1nozv0svcCrEKcSCcNrvy51rFUh8RsfcrW5Xf0\n-----END CERTIFICATE-----\n'
pysaml2> val_config = None, arg = 'encrypted_advice_attributes'
pysaml2>
pysaml2> def gather_authn_response_args(self, sp_entity_id, name_id_policy, userid, **kwargs):
pysaml2> kwargs["policy"] = kwargs.get("release_policy")
pysaml2>
pysaml2> # collect args and return them
pysaml2> args = {}
pysaml2>
pysaml2> # XXX will be passed to _authn_response
pysaml2> param_defaults = {
pysaml2> "policy": None,
pysaml2> "best_effort": False,
pysaml2> "sign_assertion": False,
pysaml2> "sign_response": False,
pysaml2> "encrypt_assertion": False,
pysaml2> "encrypt_assertion_self_contained": True,
pysaml2> "encrypted_advice_attributes": False,
pysaml2> "encrypt_cert_advice": None,
pysaml2> "encrypt_cert_assertion": None,
pysaml2> # need to be named sign_alg and digest_alg
pysaml2> }
pysaml2> for param, val_default in param_defaults.items():
pysaml2> val_kw = kwargs.get(param)
pysaml2> val_config = self.config.getattr(param, "idp")
pysaml2> args[param] = val_kw if val_kw is not None else val_config if val_config is not None else val_default
pysaml2>
pysaml2> for arg, attr, eca, pefim in [
pysaml2> ("encrypted_advice_attributes", "verify_encrypt_cert_advice", "encrypt_cert_advice", kwargs["pefim"]),
pysaml2> ("encrypt_assertion", "verify_encrypt_cert_assertion", "encrypt_cert_assertion", False),
pysaml2> ]:
pysaml2>
pysaml2> if args[arg] or pefim:
pysaml2> _enc_cert = self.config.getattr(attr, "idp")
pysaml2>
pysaml2> if _enc_cert is not None:
pysaml2> if kwargs[eca] is None:
pysaml2> raise CertificateError(
pysaml2> "No SPCertEncType certificate for encryption " "contained in authentication " "request."
pysaml2> )
pysaml2> if not _enc_cert(kwargs[eca]):
pysaml2> > raise CertificateError("Invalid certificate for encryption!")
pysaml2> E saml2.cert.CertificateError: Invalid certificate for encryption!
pysaml2>
pysaml2> /nix/store/ad02k9isi75v6rjmmsxxcy6279z91pf0-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/server.py:737: CertificateError
pysaml2> _______________ TestServer1NonAsciiAva.test_encrypted_response_6 _______________
pysaml2>
pysaml2> self =
pysaml2>
pysaml2> def test_encrypted_response_6(self):
pysaml2> _server = Server("idp_conf_verify_cert")
pysaml2>
pysaml2> cert_str_advice, cert_key_str_advice = generate_cert()
pysaml2>
pysaml2> cert_str_assertion, cert_key_str_assertion = generate_cert()
pysaml2>
pysaml2> > _resp = _server.create_authn_response(
pysaml2> self.ava,
pysaml2> "id12", # in_response_to
pysaml2> "http://lingon.catalogix.se:8087/", # consumer_url
pysaml2> "urn:mace:example.com:saml:roland:sp", # sp_entity_id
pysaml2> name_id=self.name_id,
pysaml2> sign_response=False,
pysaml2> sign_assertion=False,
pysaml2> encrypt_assertion=True,
pysaml2> encrypt_assertion_self_contained=True,
pysaml2> pefim=True,
pysaml2> encrypt_cert_advice=cert_str_advice,
pysaml2> encrypt_cert_assertion=cert_str_assertion,
pysaml2> )
pysaml2>
pysaml2> tests/test_50_server.py:1987:
pysaml2> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
pysaml2> /nix/store/ad02k9isi75v6rjmmsxxcy6279z91pf0-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/server.py:833: in create_authn_response
pysaml2> args = self.gather_authn_response_args(
pysaml2> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
pysaml2>
pysaml2> self =
pysaml2> sp_entity_id = 'urn:mace:example.com:saml:roland:sp', name_id_policy = None
pysaml2> userid = None
pysaml2> kwargs = {'encrypt_assertion': True, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': '-----BEGIN CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjI1MTkzNjM0WhcNMzQxMjIzMTkzNjM0WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAsaGJlp9GSAfh6yVXlk/rW8oFILMK+cnyqZm+5GrC4RIa6jM+ZXWV1eiy\n3MG8zatiaDNEBHLcg3sIrXpNKMMbCFMbVwuLVg9xe47BLVuxohgJg6gGWCKTui4S\nljbBrIMU8xHBO/XjFWvvwf93YuNdvGB7G2ES9Uj1MH1U/qTCKpFJl+tLooKP0KqV\nJKNr42dtOh0dCpaLcg6AWHhCukGqItAxYEBJMBoGkGskOXlbJcmIyrb6LNXSBb5l\nLdusUBnwOhxjUqXnhf13S2IMcirXY9HVTLOIltErob6Ho7tKAlAtUUXFLKt9LyTN\nOKrrWytw8n10FYV/+p0RBHk+tfZkvwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAKiA\n89PM+CH8tZJvMds7Dvcb53ca36oqcE2Er2BRzgut/aZQ8gatOWs+GHuLPeZV8/yu\ncNnM4dGgOS289bDszi/eN+G0CYh4z71IHkYpn1DKNG3nYAdcBw4nq/1qqUKCa4eg\nQzDor5Q7/WLj3cAPR+/C5A/5sAKCm4QziyUCxvdk\n-----END CERTIFICATE-----\n', 'encrypt_cert_assertion': '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjI1MTkzNjM1WhcNMzQxMjIzMTkzNjM1WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAxpQ+QVI/6q0kIBtCceqdNkqaJ5RgOMn7nmf40hDgKBP231d0hmb2NgV7\nFig8pyaYI42MFfe7bma0X/FCMWhha157+cbPhQU+vmt096JMNBZPyWc6ILng9RRQ\nke+kM6vWc9zNb4hFrAe8B2WBhRwwgfreY1WX4Rp0xSCGepvyqQImS0V2bESH2u1A\n3dtaiKWVyT7ucs531wLDiRfOXWPhkwgk+2qS1qY7wJb6W8AV0UaA0FXZ0zJOXkUW\nw1+hBOTWp2lW8GdKE23UgVxCqSnUjVOSQ8yKIXrurHjL90FFhJyQSKkMLxX3zNba\nLfxfwt+Q9KOZAjdo2KvxIow0bbZHswIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAJuP\nzFNartqAJQ/iy6H1ABpfN6Neu5g0GXIF+TfikSM5w/3RKzHXhyPBK0ZdcducHqGL\nU+k2rpvUea9mmOpS6vHp73xyh1R6eaJh5IBL3qWKQOtStAHFP/LPnE+YaHbfkhnx\n/QnxhycvvpoXeOz76KNbUUBNtyRibFVBiR98B6La\n-----END CERTIFICATE-----\n', ...}
pysaml2> args = {'best_effort': False, 'encrypt_assertion': True, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': '-----BEGIN CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjI1MTkzNjM0WhcNMzQxMjIzMTkzNjM0WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAsaGJlp9GSAfh6yVXlk/rW8oFILMK+cnyqZm+5GrC4RIa6jM+ZXWV1eiy\n3MG8zatiaDNEBHLcg3sIrXpNKMMbCFMbVwuLVg9xe47BLVuxohgJg6gGWCKTui4S\nljbBrIMU8xHBO/XjFWvvwf93YuNdvGB7G2ES9Uj1MH1U/qTCKpFJl+tLooKP0KqV\nJKNr42dtOh0dCpaLcg6AWHhCukGqItAxYEBJMBoGkGskOXlbJcmIyrb6LNXSBb5l\nLdusUBnwOhxjUqXnhf13S2IMcirXY9HVTLOIltErob6Ho7tKAlAtUUXFLKt9LyTN\nOKrrWytw8n10FYV/+p0RBHk+tfZkvwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAKiA\n89PM+CH8tZJvMds7Dvcb53ca36oqcE2Er2BRzgut/aZQ8gatOWs+GHuLPeZV8/yu\ncNnM4dGgOS289bDszi/eN+G0CYh4z71IHkYpn1DKNG3nYAdcBw4nq/1qqUKCa4eg\nQzDor5Q7/WLj3cAPR+/C5A/5sAKCm4QziyUCxvdk\n-----END CERTIFICATE-----\n', ...}
pysaml2> param_defaults = {'best_effort': False, 'encrypt_assertion': False, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': None, ...}
pysaml2> param = 'encrypt_cert_assertion', val_default = None
pysaml2> val_kw = '-----BEGIN CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjI1MTkzNjM1WhcNMzQxMjIzMTkzNjM1WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAxpQ+QVI/6q0kIBtCceqdNkqaJ5RgOMn7nmf40hDgKBP231d0hmb2NgV7\nFig8pyaYI42MFfe7bma0X/FCMWhha157+cbPhQU+vmt096JMNBZPyWc6ILng9RRQ\nke+kM6vWc9zNb4hFrAe8B2WBhRwwgfreY1WX4Rp0xSCGepvyqQImS0V2bESH2u1A\n3dtaiKWVyT7ucs531wLDiRfOXWPhkwgk+2qS1qY7wJb6W8AV0UaA0FXZ0zJOXkUW\nw1+hBOTWp2lW8GdKE23UgVxCqSnUjVOSQ8yKIXrurHjL90FFhJyQSKkMLxX3zNba\nLfxfwt+Q9KOZAjdo2KvxIow0bbZHswIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAJuP\nzFNartqAJQ/iy6H1ABpfN6Neu5g0GXIF+TfikSM5w/3RKzHXhyPBK0ZdcducHqGL\nU+k2rpvUea9mmOpS6vHp73xyh1R6eaJh5IBL3qWKQOtStAHFP/LPnE+YaHbfkhnx\n/QnxhycvvpoXeOz76KNbUUBNtyRibFVBiR98B6La\n-----END CERTIFICATE-----\n'
pysaml2> val_config = None, arg = 'encrypted_advice_attributes'
pysaml2>
pysaml2> def gather_authn_response_args(self, sp_entity_id, name_id_policy, userid, **kwargs):
pysaml2> kwargs["policy"] = kwargs.get("release_policy")
pysaml2>
pysaml2> # collect args and return them
pysaml2> args = {}
pysaml2>
pysaml2> # XXX will be passed to _authn_response
pysaml2> param_defaults = {
pysaml2> "policy": None,
pysaml2> "best_effort": False,
pysaml2> "sign_assertion": False,
pysaml2> "sign_response": False,
pysaml2> "encrypt_assertion": False,
pysaml2> "encrypt_assertion_self_contained": True,
pysaml2> "encrypted_advice_attributes": False,
pysaml2> "encrypt_cert_advice": None,
pysaml2> "encrypt_cert_assertion": None,
pysaml2> # need to be named sign_alg and digest_alg
pysaml2> }
pysaml2> for param, val_default in param_defaults.items():
pysaml2> val_kw = kwargs.get(param)
pysaml2> val_config = self.config.getattr(param, "idp")
pysaml2> args[param] = val_kw if val_kw is not None else val_config if val_config is not None else val_default
pysaml2>
pysaml2> for arg, attr, eca, pefim in [
pysaml2> ("encrypted_advice_attributes", "verify_encrypt_cert_advice", "encrypt_cert_advice", kwargs["pefim"]),
pysaml2> ("encrypt_assertion", "verify_encrypt_cert_assertion", "encrypt_cert_assertion", False),
pysaml2> ]:
pysaml2>
pysaml2> if args[arg] or pefim:
pysaml2> _enc_cert = self.config.getattr(attr, "idp")
pysaml2>
pysaml2> if _enc_cert is not None:
pysaml2> if kwargs[eca] is None:
pysaml2> raise CertificateError(
pysaml2> "No SPCertEncType certificate for encryption " "contained in authentication " "request."
pysaml2> )
pysaml2> if not _enc_cert(kwargs[eca]):
pysaml2> > raise CertificateError("Invalid certificate for encryption!")
pysaml2> E saml2.cert.CertificateError: Invalid certificate for encryption!
pysaml2>
pysaml2> /nix/store/ad02k9isi75v6rjmmsxxcy6279z91pf0-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/server.py:737: CertificateError
pysaml2> ______________ TestGenerateCertificates.test_validate_cert_chains ______________
pysaml2>
pysaml2> self =
pysaml2>
pysaml2> def test_validate_cert_chains(self):
pysaml2>
pysaml2> cert_info_ca = {
pysaml2> "cn": "qwerty",
pysaml2> "country_code": "qw",
pysaml2> "state": "qwerty",
pysaml2> "city": "qwerty",
pysaml2> "organization": "qwerty",
pysaml2> "organization_unit": "qwerty",
pysaml2> }
pysaml2>
pysaml2> cert_intermediate_1_info = {
pysaml2> "cn": "intermediate_1",
pysaml2> "country_code": "as",
pysaml2> "state": "asdfgh",
pysaml2> "city": "asdfgh",
pysaml2> "organization": "asdfgh",
pysaml2> "organization_unit": "asdfg",
pysaml2> }
pysaml2>
pysaml2> cert_intermediate_2_info = {
pysaml2> "cn": "intermediate_2",
pysaml2> "country_code": "as",
pysaml2> "state": "asdfgh",
pysaml2> "city": "asdfgh",
pysaml2> "organization": "asdfgh",
pysaml2> "organization_unit": "asdfg",
pysaml2> }
pysaml2>
pysaml2> cert_client_cert_info = {
pysaml2> "cn": "intermediate_1",
pysaml2> "country_code": "as",
pysaml2> "state": "asdfgh",
pysaml2> "city": "asdfgh",
pysaml2> "organization": "asdfgh",
pysaml2> "organization_unit": "asdfg",
pysaml2> }
pysaml2>
pysaml2> osw = OpenSSLWrapper()
pysaml2>
pysaml2> ca_cert_str, ca_key_str = osw.create_certificate(cert_info_ca, request=False)
pysaml2>
pysaml2> req_cert_str, intermediate_1_key_str = osw.create_certificate(cert_intermediate_1_info, request=True)
pysaml2> intermediate_cert_1_str = osw.create_cert_signed_certificate(ca_cert_str, ca_key_str, req_cert_str)
pysaml2>
pysaml2> req_cert_str, intermediate_2_key_str = osw.create_certificate(cert_intermediate_2_info, request=True)
pysaml2> intermediate_cert_2_str = osw.create_cert_signed_certificate(
pysaml2> intermediate_cert_1_str, intermediate_1_key_str, req_cert_str
pysaml2> )
pysaml2>
pysaml2> req_cert_str, client_key_str = osw.create_certificate(cert_client_cert_info, request=True)
pysaml2> client_cert_str = osw.create_cert_signed_certificate(
pysaml2> intermediate_cert_2_str, intermediate_2_key_str, req_cert_str
pysaml2> )
pysaml2>
pysaml2> cert_chain = [intermediate_cert_2_str, intermediate_cert_1_str, ca_cert_str]
pysaml2>
pysaml2> valid, mess = osw.verify_chain(cert_chain, client_cert_str)
pysaml2> > self.assertTrue(valid)
pysaml2> E AssertionError: False is not true
pysaml2>
pysaml2> tests/test_81_certificates.py:131: AssertionError
pysaml2> ____________ TestGenerateCertificates.test_validate_with_root_cert _____________
pysaml2>
pysaml2> self =
pysaml2>
pysaml2> def test_validate_with_root_cert(self):
pysaml2>
pysaml2> cert_info_ca = {
pysaml2> "cn": "qwerty",
pysaml2> "country_code": "qw",
pysaml2> "state": "qwerty",
pysaml2> "city": "qwerty",
pysaml2> "organization": "qwerty",
pysaml2> "organization_unit": "qwerty",
pysaml2> }
pysaml2>
pysaml2> cert_info = {
pysaml2> "cn": "asdfgh",
pysaml2> "country_code": "as",
pysaml2> "state": "asdfgh",
pysaml2> "city": "asdfgh",
pysaml2> "organization": "asdfgh",
pysaml2> "organization_unit": "asdfg",
pysaml2> }
pysaml2>
pysaml2> osw = OpenSSLWrapper()
pysaml2>
pysaml2> ca_cert, ca_key = osw.create_certificate(
pysaml2> cert_info_ca,
pysaml2> request=False,
pysaml2> write_to_file=True,
pysaml2> cert_dir=f"{os.path.dirname(os.path.abspath(__file__))}/pki",
pysaml2> )
pysaml2>
pysaml2> req_cert_str, req_key_str = osw.create_certificate(cert_info, request=True)
pysaml2>
pysaml2> ca_cert_str = osw.read_str_from_file(ca_cert)
pysaml2> ca_key_str = osw.read_str_from_file(ca_key)
pysaml2>
pysaml2> cert_str = osw.create_cert_signed_certificate(ca_cert_str, ca_key_str, req_cert_str)
pysaml2>
pysaml2> valid, mess = osw.verify(ca_cert_str, cert_str)
pysaml2> > self.assertTrue(valid)
pysaml2> E AssertionError: False is not true
pysaml2>
pysaml2> tests/test_81_certificates.py:50: AssertionError
Possible Solution
Steps to Reproduce
- Install pyopenssl==24.3.0
- Run the test suite