Open
Description
When the local environment has a version of pyca/cryptography >= 35.0.0
then ASN.1 parser errors cause the process to fail.
Code Version
Version 2.0.0
(versions higher than this currently don't even check the metadata signature - see issue #264)
Expected Behavior
Certificate provided fails some country-specific encoding when being parsed and currently errors out. It should continue.
Current Behavior
Certificate provided should be accepted and used
Possible Solution
Unsure. I suspect that a fix similar to what was done with the tooling in this thread is followed:
panzi/verify-ehc#21
Steps to Reproduce
- take latest v9 Haka certificate and Metadata - https://wiki.eduuni.fi/display/CSCHAKA/Haka+metadata
- and use in a batch XRD file
Output from version 2.0.0
with pyca/cryptography > 35.0.0
INFO:pyff.fetch:successfully fetched https://haka.funet.fi/metadata/haka-metadata-v9.xml
ERROR:xmlsec:error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["BasicConstraints::ca"] }
ERROR:pyff.samlmd:Error parsing https://haka.funet.fi/metadata/haka-metadata-v9.xml: No valid ds:Signature elements found
Output from 2.0.0
with pyca/cryptography 3.4.8
(the last version before the big version number jump to 35.0.0)
INFO:pyff.fetch:successfully fetched https://haka.funet.fi/metadata/haka-metadata-v9.xml
No error, metadata read successfully and entityIDs processed.
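The `EncodedDefault` error at `BasicConstraints::ca` in the log above means the certificate explicitly encodes `cA = FALSE`, a DEFAULT value that DER requires to be omitted. As an added example (not part of the original issue or of pyFF), this stdlib-only Python check looks for that encoding in DER bytes; the function names and the sample byte strings are constructed for illustration.

```python
# Added triage helper, not pyFF or pyca/cryptography code.
BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")  # DER TLV of OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def basic_constraints_encodes_default(der):
    """True if BasicConstraints explicitly encodes cA=FALSE (invalid DER),
    False if the extension is well-formed, None if it is absent.
    Heuristic: locates the extension by searching for the OID bytes."""
    idx = der.find(BASIC_CONSTRAINTS_OID)
    if idx < 0:
        return None
    tag, value, pos = read_tlv(der, idx + len(BASIC_CONSTRAINTS_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, seq, _ = read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected BasicConstraints SEQUENCE")
    if not seq:
        return False  # cA omitted, so it takes its default: valid DER
    tag, first, _ = read_tlv(seq, 0)
    return tag == 0x01 and first == b"\x00"

# Constructed Extension fragments (not taken from the Haka certificate).
EXT_CA_FALSE_ENCODED = bytes.fromhex("300c0603551d13040530030101" "00")
EXT_CA_OMITTED = bytes.fromhex("30090603551d1304023000")
EXT_CA_TRUE_CRITICAL = bytes.fromhex("300f0603551d130101ff040530030101ff")

if __name__ == "__main__":
    for name, ext in [("cA=FALSE encoded", EXT_CA_FALSE_ENCODED),
                      ("cA omitted", EXT_CA_OMITTED),
                      ("cA=TRUE, critical", EXT_CA_TRUE_CRITICAL)]:
        print(name, "->", basic_constraints_encodes_default(ext))
```

To check a real signing certificate, pass the base64-decoded contents of its `ds:X509Certificate` element to `basic_constraints_encodes_default`.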