Steps to reproduce the behavior:
python3Packages.pysaml2 (in my instance, as a dependency of matrix-synapse)
=================================== FAILURES =================================== ____________________ TestServer1.test_encrypted_response_6 _____________________ self = <test_50_server.TestServer1 object at 0x7ffff32f8f20> def test_encrypted_response_6(self): _server = Server("idp_conf_verify_cert") cert_str_advice, cert_key_str_advice = generate_cert() cert_str_assertion, cert_key_str_assertion = generate_cert() > _resp = _server.create_authn_response( self.ava, "id12", # in_response_to "http://lingon.catalogix.se:8087/", # consumer_url "urn:mace:example.com:saml:roland:sp", # sp_entity_id name_id=self.name_id, sign_response=False, sign_assertion=False, encrypt_assertion=True, encrypt_assertion_self_contained=True, pefim=True, encrypt_cert_advice=cert_str_advice, encrypt_cert_assertion=cert_str_assertion, ) tests/test_50_server.py:911: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/server.py:833: in create_authn_response args = self.gather_authn_response_args( _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = <saml2.server.Server object at 0x7ffff321b7d0> sp_entity_id = 'urn:mace:example.com:saml:roland:sp', name_id_policy = None userid = None kwargs = {'encrypt_assertion': True, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjIxMjM1MjA5WhcNMzQxMjE5MjM1MjA5WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAouk69c/UpGkEdXEDGq9N5zzX5xp8AyPfILU1c1JZVqV+YAps+5NikrUf\nc/LiYL2Z9Xwm4fWf7Sldte1d9F088R0CTCJbRUCRucBejJWf0RY/USgKQpswuf51\nMGxe8wGhYBpGaW5wquFmCmKrX3OccOi/RsqP52E+4m01cu1qXwSiLjUvBqLk+aZw\nxRUXn5XiH/7obKIXuOkbCN9if9BkpDQ/QtyOrMddMQggzf1SfPySIEl922GBTlp0\nJj9RrUx83Ze38eHPqNfpYoCDKJjtjvMJS5Is2//XmIH/M7B/Vr4uzT+eVlrcrtK1\nO+j7PRCzbt65A41JYENxkt9vSNqDgwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAFve\ntVUxDk+bOqTJ/XHXSCrSfNfO1eoeZLuhSm41BNuzvCPdecAvmt2l8IECNcYvQX71\nyuq+X+WySWAK7kcU9r0qdS8TKwubvfrlgKD6s/Db+83Mm+vVuk3lQWHr5bYE11/7\ni4ClfrrxkO2aFAmc9NFQhgMJEc7PQNv5LoApWwJz\n-----END CERTIFICATE-----\n', 'encrypt_cert_assertion': '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjIxMjM1MjA5WhcNMzQxMjE5MjM1MjA5WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAuGrxuK+XiQE7lEnjJJku9/NnC/u092EOoZf0oSoI1pOD7kka1Mt4gffT\nGAsyaShnsXdnI9GJcHf0s5mD5vsog7df0F7yTmfQF1z1sIRY6kTnBw46HXvsq3WL\nfmLMzfMYc19qRuc9LoM+3HnzO24ItLgXuBrWOOD0pQ2pWqT5QIB9lSpmat96rqog\nP84gsHKtPZsg9IUx9dQDQ7253roz9z18xVfwLkcsn/+YTX5yK19fSHAeQFxuUq/c\nlQLB1b7tcW/0cOoTSDyog2pYNRrVYUYCyJ8FLwVh9SHWByloPwSaCiNAeWudjN1x\njqvqhXpBQVu8kvVG3ttAmm9rY2w4CQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBALnK\nUkWK0fMnIdYZXi4768QCmSFPvt5xAqHbnGLrYM//KRqIZ1RfS0mSlvxStY6/DmtX\nmqy+DsvL75cXiqYlNHHrQikwLgSna3eW9FQZ+lftbQkKLRHaglnGYi2DhuMeuAVr\nOPhQUHsXY2ZfkrWhTZqI0BVqlcGEi1lUmdbv6ztw\n-----END CERTIFICATE-----\n', ...} args = {'best_effort': False, 'encrypt_assertion': True, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjIxMjM1MjA5WhcNMzQxMjE5MjM1MjA5WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAouk69c/UpGkEdXEDGq9N5zzX5xp8AyPfILU1c1JZVqV+YAps+5NikrUf\nc/LiYL2Z9Xwm4fWf7Sldte1d9F088R0CTCJbRUCRucBejJWf0RY/USgKQpswuf51\nMGxe8wGhYBpGaW5wquFmCmKrX3OccOi/RsqP52E+4m01cu1qXwSiLjUvBqLk+aZw\nxRUXn5XiH/7obKIXuOkbCN9if9BkpDQ/QtyOrMddMQggzf1SfPySIEl922GBTlp0\nJj9RrUx83Ze38eHPqNfpYoCDKJjtjvMJS5Is2//XmIH/M7B/Vr4uzT+eVlrcrtK1\nO+j7PRCzbt65A41JYENxkt9vSNqDgwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAFve\ntVUxDk+bOqTJ/XHXSCrSfNfO1eoeZLuhSm41BNuzvCPdecAvmt2l8IECNcYvQX71\nyuq+X+WySWAK7kcU9r0qdS8TKwubvfrlgKD6s/Db+83Mm+vVuk3lQWHr5bYE11/7\ni4ClfrrxkO2aFAmc9NFQhgMJEc7PQNv5LoApWwJz\n-----END CERTIFICATE-----\n', ...} param_defaults = {'best_effort': False, 'encrypt_assertion': False, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': None, ...} param = 'encrypt_cert_assertion', val_default = None val_kw = '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjIxMjM1MjA5WhcNMzQxMjE5MjM1MjA5WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAuGrxuK+XiQE7lEnjJJku9/NnC/u092EOoZf0oSoI1pOD7kka1Mt4gffT\nGAsyaShnsXdnI9GJcHf0s5mD5vsog7df0F7yTmfQF1z1sIRY6kTnBw46HXvsq3WL\nfmLMzfMYc19qRuc9LoM+3HnzO24ItLgXuBrWOOD0pQ2pWqT5QIB9lSpmat96rqog\nP84gsHKtPZsg9IUx9dQDQ7253roz9z18xVfwLkcsn/+YTX5yK19fSHAeQFxuUq/c\nlQLB1b7tcW/0cOoTSDyog2pYNRrVYUYCyJ8FLwVh9SHWByloPwSaCiNAeWudjN1x\njqvqhXpBQVu8kvVG3ttAmm9rY2w4CQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBALnK\nUkWK0fMnIdYZXi4768QCmSFPvt5xAqHbnGLrYM//KRqIZ1RfS0mSlvxStY6/DmtX\nmqy+DsvL75cXiqYlNHHrQikwLgSna3eW9FQZ+lftbQkKLRHaglnGYi2DhuMeuAVr\nOPhQUHsXY2ZfkrWhTZqI0BVqlcGEi1lUmdbv6ztw\n-----END CERTIFICATE-----\n' val_config = None, arg = 'encrypted_advice_attributes' def gather_authn_response_args(self, sp_entity_id, name_id_policy, userid, **kwargs): kwargs["policy"] = kwargs.get("release_policy") # collect args and return them args = {} # XXX will be passed to _authn_response param_defaults = { "policy": None, "best_effort": False, "sign_assertion": False, "sign_response": False, "encrypt_assertion": False, "encrypt_assertion_self_contained": True, "encrypted_advice_attributes": False, "encrypt_cert_advice": None, "encrypt_cert_assertion": None, # need to be named sign_alg and digest_alg } for param, val_default in param_defaults.items(): val_kw = kwargs.get(param) val_config = self.config.getattr(param, "idp") args[param] = val_kw if val_kw is not None else val_config if val_config is not None else val_default for arg, attr, eca, pefim in [ ("encrypted_advice_attributes", "verify_encrypt_cert_advice", "encrypt_cert_advice", kwargs["pefim"]), ("encrypt_assertion", 
"verify_encrypt_cert_assertion", "encrypt_cert_assertion", False), ]: if args[arg] or pefim: _enc_cert = self.config.getattr(attr, "idp") if _enc_cert is not None: if kwargs[eca] is None: raise CertificateError( "No SPCertEncType certificate for encryption " "contained in authentication " "request." ) if not _enc_cert(kwargs[eca]): > raise CertificateError("Invalid certificate for encryption!") E saml2.cert.CertificateError: Invalid certificate for encryption! /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/server.py:737: CertificateError _______________ TestServer1NonAsciiAva.test_encrypted_response_6 _______________ self = <test_50_server.TestServer1NonAsciiAva object at 0x7ffff2baf1a0> def test_encrypted_response_6(self): _server = Server("idp_conf_verify_cert") cert_str_advice, cert_key_str_advice = generate_cert() cert_str_assertion, cert_key_str_assertion = generate_cert() > _resp = _server.create_authn_response( self.ava, "id12", # in_response_to "http://lingon.catalogix.se:8087/", # consumer_url "urn:mace:example.com:saml:roland:sp", # sp_entity_id name_id=self.name_id, sign_response=False, sign_assertion=False, encrypt_assertion=True, encrypt_assertion_self_contained=True, pefim=True, encrypt_cert_advice=cert_str_advice, encrypt_cert_assertion=cert_str_assertion, ) tests/test_50_server.py:1987: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/server.py:833: in create_authn_response args = self.gather_authn_response_args( _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = <saml2.server.Server object at 0x7ffff10fa450> sp_entity_id = 'urn:mace:example.com:saml:roland:sp', name_id_policy = None userid = None kwargs = {'encrypt_assertion': True, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjIxMjM1MjE1WhcNMzQxMjE5MjM1MjE1WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAqWF3FP1Lxw4fyDShAaWSE5OcSaQ3SOVh9NiIxvDVBH2xC54ONGHZSehj\nkUFTOYmlMA9YBSyCAI+HuDOyuW2OlgPFKgka/U5WXof2XpZsD4qVuqKQBAjlP3Rm\nwMILIhlTprJduIQ5JlIWp+i1npi37hSBPCB2bupFCNDsf0IMk43NUy+wa3xIVilO\nUtLOINchgCUHP0y5hcjXXTPK18YKTMveai+Q6YE7JDZAJSBkmzZXN+o9ErrKNhmz\nmfc3l7bi//1VKnwOJh3O4ez362PqPdcDwDb+ynbCwcvwb3wSuQpHjdMf4HMXm+5X\nC7BMBZ7+t6BPQDrc/cU3qFVB7jp4WQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAHSU\nWIXCklNFv5qNGhsKacBSQrZ/r0f2EOj9E0NZU6P+D+KWKKNpdAZT2lxfHRJSChqR\nuXQVcT0rHdAFN1DTOoSZnG5q/cMXHbmuMBnjkQYBgZPl5yt/wKR7b2SYxdWKLPtN\nvUaGpc1obxwxmH6G48HNQeRUykKFEfKhkr5k9Wnn\n-----END CERTIFICATE-----\n', 'encrypt_cert_assertion': '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjIxMjM1MjE1WhcNMzQxMjE5MjM1MjE1WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAqlkd54R4EJLJAk35hSo7GA7GRcRC+aR/7QMnJ3q7LHsJNXgCjmGC12im\nFOh0717Wrd8ZR8ZwLjwLc+pV5Y6LbvYASPQHbebY2vKkfa7xecP4iYBMI3LAy6vs\ngm6uEyCsSL1ZvmSSXGNKpPWJBFz0KC0CSjcTQYbR0ZEC71Xk+JgYsJWylrJ+j2oC\nBbpVOF97/99D8WsCAjAJuzjXHPBAiSXwxOclGYGGvne4TGksd3x4jRrTLhPtyx3S\nKAGmItDXgiYY15//0enydQD8nziEHFFkru+QLMpAcP0KXSONjHguXcZDWGYsNxPG\nMvmyvyOrzX1uobOKJofCnv5r46cNawIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAIhH\nyW1J3ygdr4+f7SCKwUa33H3o5ihXqTdi32URBERVeU6O2BiKAVNnYrRqUaM6PC9i\n736sYmkVbIgm/xaAOvzio0gL1E9tXk9DVUPiSH1HUmecmc/Te9v0MVr7XlGn21Xu\nH3zDNjV/Vsk3xokxB0NfI4ZJqWC4r4tj1ihJ08ev\n-----END CERTIFICATE-----\n', ...} args = {'best_effort': False, 'encrypt_assertion': True, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjIxMjM1MjE1WhcNMzQxMjE5MjM1MjE1WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAqWF3FP1Lxw4fyDShAaWSE5OcSaQ3SOVh9NiIxvDVBH2xC54ONGHZSehj\nkUFTOYmlMA9YBSyCAI+HuDOyuW2OlgPFKgka/U5WXof2XpZsD4qVuqKQBAjlP3Rm\nwMILIhlTprJduIQ5JlIWp+i1npi37hSBPCB2bupFCNDsf0IMk43NUy+wa3xIVilO\nUtLOINchgCUHP0y5hcjXXTPK18YKTMveai+Q6YE7JDZAJSBkmzZXN+o9ErrKNhmz\nmfc3l7bi//1VKnwOJh3O4ez362PqPdcDwDb+ynbCwcvwb3wSuQpHjdMf4HMXm+5X\nC7BMBZ7+t6BPQDrc/cU3qFVB7jp4WQIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAHSU\nWIXCklNFv5qNGhsKacBSQrZ/r0f2EOj9E0NZU6P+D+KWKKNpdAZT2lxfHRJSChqR\nuXQVcT0rHdAFN1DTOoSZnG5q/cMXHbmuMBnjkQYBgZPl5yt/wKR7b2SYxdWKLPtN\nvUaGpc1obxwxmH6G48HNQeRUykKFEfKhkr5k9Wnn\n-----END CERTIFICATE-----\n', ...} param_defaults = {'best_effort': False, 'encrypt_assertion': False, 'encrypt_assertion_self_contained': True, 'encrypt_cert_advice': None, ...} param = 'encrypt_cert_assertion', val_default = None val_kw = '-----BEGIN 
CERTIFICATE-----\nMIICujCCAiMCAQEwDQYJKoZIhvcNAQELBQAwbTELMAkGA1UEBhMCc2UxCzAJBgNV\nBAgMAmFjMQ0wCwYDVQQHDAR1bWVhMRwwGgYDVQQKDBNJVFMgVW1lYSBVbml2ZXJz\naXR5MQ0wCwYDVQQLDARESVJHMRUwEwYDVQQDDAxsb2NhbGhvc3QuY2EwHhcNMjQx\nMjIxMjM1MjE1WhcNMzQxMjE5MjM1MjE1WjBaMQswCQYDVQQGEwJzZTELMAkGA1UE\nCAwCYWMxDTALBgNVBAcMBFVtZWExDDAKBgNVBAoMA0lUUzENMAsGA1UECwwERElS\nRzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAqlkd54R4EJLJAk35hSo7GA7GRcRC+aR/7QMnJ3q7LHsJNXgCjmGC12im\nFOh0717Wrd8ZR8ZwLjwLc+pV5Y6LbvYASPQHbebY2vKkfa7xecP4iYBMI3LAy6vs\ngm6uEyCsSL1ZvmSSXGNKpPWJBFz0KC0CSjcTQYbR0ZEC71Xk+JgYsJWylrJ+j2oC\nBbpVOF97/99D8WsCAjAJuzjXHPBAiSXwxOclGYGGvne4TGksd3x4jRrTLhPtyx3S\nKAGmItDXgiYY15//0enydQD8nziEHFFkru+QLMpAcP0KXSONjHguXcZDWGYsNxPG\nMvmyvyOrzX1uobOKJofCnv5r46cNawIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAIhH\nyW1J3ygdr4+f7SCKwUa33H3o5ihXqTdi32URBERVeU6O2BiKAVNnYrRqUaM6PC9i\n736sYmkVbIgm/xaAOvzio0gL1E9tXk9DVUPiSH1HUmecmc/Te9v0MVr7XlGn21Xu\nH3zDNjV/Vsk3xokxB0NfI4ZJqWC4r4tj1ihJ08ev\n-----END CERTIFICATE-----\n' val_config = None, arg = 'encrypted_advice_attributes' def gather_authn_response_args(self, sp_entity_id, name_id_policy, userid, **kwargs): kwargs["policy"] = kwargs.get("release_policy") # collect args and return them args = {} # XXX will be passed to _authn_response param_defaults = { "policy": None, "best_effort": False, "sign_assertion": False, "sign_response": False, "encrypt_assertion": False, "encrypt_assertion_self_contained": True, "encrypted_advice_attributes": False, "encrypt_cert_advice": None, "encrypt_cert_assertion": None, # need to be named sign_alg and digest_alg } for param, val_default in param_defaults.items(): val_kw = kwargs.get(param) val_config = self.config.getattr(param, "idp") args[param] = val_kw if val_kw is not None else val_config if val_config is not None else val_default for arg, attr, eca, pefim in [ ("encrypted_advice_attributes", "verify_encrypt_cert_advice", "encrypt_cert_advice", kwargs["pefim"]), ("encrypt_assertion", 
"verify_encrypt_cert_assertion", "encrypt_cert_assertion", False), ]: if args[arg] or pefim: _enc_cert = self.config.getattr(attr, "idp") if _enc_cert is not None: if kwargs[eca] is None: raise CertificateError( "No SPCertEncType certificate for encryption " "contained in authentication " "request." ) if not _enc_cert(kwargs[eca]): > raise CertificateError("Invalid certificate for encryption!") E saml2.cert.CertificateError: Invalid certificate for encryption! /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/server.py:737: CertificateError ______________ TestGenerateCertificates.test_validate_cert_chains ______________ self = <test_81_certificates.TestGenerateCertificates testMethod=test_validate_cert_chains> def test_validate_cert_chains(self): cert_info_ca = { "cn": "qwerty", "country_code": "qw", "state": "qwerty", "city": "qwerty", "organization": "qwerty", "organization_unit": "qwerty", } cert_intermediate_1_info = { "cn": "intermediate_1", "country_code": "as", "state": "asdfgh", "city": "asdfgh", "organization": "asdfgh", "organization_unit": "asdfg", } cert_intermediate_2_info = { "cn": "intermediate_2", "country_code": "as", "state": "asdfgh", "city": "asdfgh", "organization": "asdfgh", "organization_unit": "asdfg", } cert_client_cert_info = { "cn": "intermediate_1", "country_code": "as", "state": "asdfgh", "city": "asdfgh", "organization": "asdfgh", "organization_unit": "asdfg", } osw = OpenSSLWrapper() ca_cert_str, ca_key_str = osw.create_certificate(cert_info_ca, request=False) req_cert_str, intermediate_1_key_str = osw.create_certificate(cert_intermediate_1_info, request=True) intermediate_cert_1_str = osw.create_cert_signed_certificate(ca_cert_str, ca_key_str, req_cert_str) req_cert_str, intermediate_2_key_str = osw.create_certificate(cert_intermediate_2_info, request=True) intermediate_cert_2_str = osw.create_cert_signed_certificate( intermediate_cert_1_str, intermediate_1_key_str, req_cert_str ) 
req_cert_str, client_key_str = osw.create_certificate(cert_client_cert_info, request=True) client_cert_str = osw.create_cert_signed_certificate( intermediate_cert_2_str, intermediate_2_key_str, req_cert_str ) cert_chain = [intermediate_cert_2_str, intermediate_cert_1_str, ca_cert_str] valid, mess = osw.verify_chain(cert_chain, client_cert_str) > self.assertTrue(valid) E AssertionError: False is not true tests/test_81_certificates.py:131: AssertionError ____________ TestGenerateCertificates.test_validate_with_root_cert _____________ self = <test_81_certificates.TestGenerateCertificates testMethod=test_validate_with_root_cert> def test_validate_with_root_cert(self): cert_info_ca = { "cn": "qwerty", "country_code": "qw", "state": "qwerty", "city": "qwerty", "organization": "qwerty", "organization_unit": "qwerty", } cert_info = { "cn": "asdfgh", "country_code": "as", "state": "asdfgh", "city": "asdfgh", "organization": "asdfgh", "organization_unit": "asdfg", } osw = OpenSSLWrapper() ca_cert, ca_key = osw.create_certificate( cert_info_ca, request=False, write_to_file=True, cert_dir=f"{os.path.dirname(os.path.abspath(__file__))}/pki", ) req_cert_str, req_key_str = osw.create_certificate(cert_info, request=True) ca_cert_str = osw.read_str_from_file(ca_cert) ca_key_str = osw.read_str_from_file(ca_key) cert_str = osw.create_cert_signed_certificate(ca_cert_str, ca_key_str, req_cert_str) valid, mess = osw.verify(ca_cert_str, cert_str) > self.assertTrue(valid) E AssertionError: False is not true tests/test_81_certificates.py:50: AssertionError =============================== warnings summary =============================== tests/test_10_time_util.py: 2 warnings tests/test_20_assertion.py: 6 warnings tests/test_32_cache.py: 5 warnings tests/test_34_population.py: 4 warnings tests/test_41_response.py: 8 warnings tests/test_42_enc.py: 6 warnings tests/test_44_authnresp.py: 9 warnings tests/test_50_server.py: 152 warnings tests/test_51_client.py: 223 warnings 
tests/test_52_default_sign_alg.py: 6 warnings tests/test_62_vo.py: 2 warnings tests/test_63_ecp.py: 5 warnings tests/test_64_artifact.py: 4 warnings tests/test_65_authn_query.py: 7 warnings tests/test_66_name_id_mapping.py: 2 warnings tests/test_67_manage_name_id.py: 3 warnings tests/test_68_assertion_id.py: 4 warnings tests/test_89_http_post_relay_state.py: 2 warnings /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/time_util.py:178: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC). return datetime.utcnow() + delta tests/test_44_authnresp.py: 3 warnings tests/test_50_server.py: 7 warnings tests/test_51_client.py: 95 warnings tests/test_63_ecp.py: 3 warnings tests/test_64_artifact.py: 2 warnings tests/test_65_authn_query.py: 5 warnings tests/test_66_name_id_mapping.py: 2 warnings tests/test_67_manage_name_id.py: 3 warnings tests/test_68_assertion_id.py: 2 warnings /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/time_util.py:188: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC). return datetime.utcnow() - delta tests/test_44_authnresp.py::TestAuthnResponse::test_verify_w_authn /build/source/tests/test_44_authnresp.py:134: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC). 
now = datetime.utcnow() tests/test_50_server.py: 18 warnings tests/test_51_client.py: 10 warnings tests/test_81_certificates.py: 10 warnings /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/cert.py:141: DeprecationWarning: CSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography. cert = crypto.X509Req() tests/test_50_server.py: 18 warnings tests/test_51_client.py: 10 warnings tests/test_81_certificates.py: 10 warnings /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/cert.py:161: DeprecationWarning: CSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography. tmp_cert = crypto.dump_certificate_request(crypto.FILETYPE_PEM, cert) tests/test_50_server.py: 18 warnings tests/test_51_client.py: 10 warnings tests/test_81_certificates.py: 10 warnings /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/cert.py:246: DeprecationWarning: CSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography. req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, request_cert_str) tests/test_50_server.py: 4 warnings tests/test_81_certificates.py: 11 warnings /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/cert.py:281: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC). now = pytz.UTC.localize(datetime.datetime.utcnow()) tests/test_92_aes.py: 35 warnings /nix/store/npymkspmrvv81cxx67x7838wk89rl235-python3.12-pysaml2-7.5.0/lib/python3.12/site-packages/saml2/cryptography/symmetric.py:124: DeprecationWarning: AESCipher type is deprecated. It will be removed in the next version. 
Use saml2.cryptography.symmetric.Default or saml2.cryptography.symmetric.Fernet instead. _warn(_deprecation_msg, DeprecationWarning) -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html =========================== short test summary info ============================ SKIPPED [1] tests/test_37_entity_categories.py:296: Temporarily disabled SKIPPED [1] tests/test_37_entity_categories.py:325: Temporarily disabled SKIPPED [1] tests/test_37_entity_categories.py:358: Temporarily disabled SKIPPED [1] tests/test_60_sp.py:59: s2repoze dependencies not installed SKIPPED [1] tests/test_60_sp.py:62: s2repoze dependencies not installed FAILED tests/test_50_server.py::TestServer1::test_encrypted_response_6 - saml2.cert.CertificateError: Invalid certificate for encryption! FAILED tests/test_50_server.py::TestServer1NonAsciiAva::test_encrypted_response_6 - saml2.cert.CertificateError: Invalid certificate for encryption! FAILED tests/test_81_certificates.py::TestGenerateCertificates::test_validate_cert_chains - AssertionError: False is not true FAILED tests/test_81_certificates.py::TestGenerateCertificates::test_validate_with_root_cert - AssertionError: False is not true = 4 failed, 772 passed, 5 skipped, 4 deselected, 737 warnings in 224.35s (0:03:44) =
Note for maintainers: Please tag this issue in your PR.
Add a 👍 reaction to issues you find important.
Duplicate of #367976
Weird, I couldn't find it when I searched the open issues. Thanks for de-duping, and sorry about the noise.
Steps To Reproduce
Steps to reproduce the behavior:
python3Packages.pysaml2
(in my instance, as a dependency of matrix-synapse).
Build log
Build Log
Additional context
Metadata
Notify maintainers
Note for maintainers: Please tag this issue in your PR.
Add a 👍 reaction to issues you find important.