fix(security): resolve CVE-2026-26007 by migrating deprecated OpenSSL.crypto.verify and unblocking cryptography >= 46.0.5

[ascii-dev]

Description

The feature or problem addressed by this PR

This PR resolves the dependency deadlock preventing the mitigation of CVE-2026-26007 (elliptic curve subgroup validation vulnerability).

Currently, upgrading the cryptography package to a secure version is blocked by the upper bound constraint on pyopenssl < 24.3.0. That constraint exists because OpenSSL.crypto.verify was deprecated and subsequently removed in pyopenssl 24.3.0. We need a way to verify signatures without relying on the removed API so we can bump both packages and secure downstream users.

Closes #1017

What your changes do and why you chose this solution

To unblock the security patch, this PR refactors the signature verification layer in src/saml2/cert.py.

Technical Changes:

• Migrated Verification API: Replaced the removed OpenSSL.crypto.verify API with direct cryptography.hazmat.primitives.asymmetric implementations.
• Handles RSA keys via RSAPublicKey.verify() with PKCS1v15 padding.
• Handles EC keys via EllipticCurvePublicKey.verify() with ECDSA.
• Removed the < 24.3.0 upper bound on pyopenssl.
• Bumped cryptography >= 46.0.5 to explicitly enforce the CVE-2026-26007 mitigation.
• Updated types-pyopenssl to >= 24.0.0 to maintain type compatibility.
• Bumped the minimum supported Python version from 3.9 to 3.9.2 to align with the new upstream package constraints.

Why this solution:
The project's remaining reliance on pyopenssl for certificate creation and loading remains completely untouched and functional. Existing tests pass locally with xmlsec1 installed.

Checklist

• Checked that no other issues or pull requests exist for the same issue/change
• Added tests covering the new functionality
• Updated documentation OR the change is too minor to be documented
• Updated CHANGELOG.md OR changes are insignificant

[peppelinux]

@ascii-dev I got your contribution here:
https://github.com/italia/iam-proxy-italia/releases/tag/v3.2.0

thank you

@c00kiemon5ter ^

[ascii-dev]

@peppelinux Awesome to see this actively unblocking the v3.2.0 release for iam-proxy-italia! Glad it was helpful.

@c00kiemon5ter - let me know if there are any changes you'd like me to add to get this aligned for a merge.

[robin92]

I think this is a good change though I'd take care of

issue: cert_crypto.signature_hash_algorithm can return None which would cause a TypeError from _ec.ECDSA call.

and add some tests before merging this.

[robin92]

suggestion: If there weren't any fixes that you need, then I'd avoid bumping this.

[ascii-dev]

@robin92 cryptography (46.0.5) requires >=3.8 but explicitly excludes 3.9.0 and 3.9.1.

[jwjenkin]

should bump this to >=26.0.0 as well (#1023)

[voneiden]

If common name is missing from both certs the old code would return False: pyopenssl returns None if attribute is missing: https://github.com/pyca/pyopenssl/blob/f72218efff8a1e3e7ae4683793ad36d2f9610976/src/OpenSSL/crypto.py#L681

New code will not return in such case.

I don't know if that is a problem or not, just pointing out that there is a subtle difference in logic.

[nelsonharry]

We are currently developing a SAML-based SSO implementation using pysaml2. However, we are blocked due to CVE-2026-26007 in the cryptography dependency, which is causing our security/compliance checks to fail.

Thanks for all efforts in raising this PR, this change would unblock our adoption and ongoing development. Would appreciate it if this could be reviewed and merged at the earliest.

The community is ready to help move this forward. This would also help a broader community currently impacted by this CVE.