yahoo-eng-team team mailing list archive

[Bug 2119991] [NEW] xmlsec1 key error for tests.unit.test_v3_federation.SAMLGenerationTests.test_saml_signing

Public bug reported:

Building current master-branch Keystone on Ubuntu Questing gives the
unit test failure posted below. This error is observed with xmlsec1
1.3.7 but does not appear with xmlsec1 1.2.39 (Ubuntu Noble).

My theory is that the newer xmlsec1 uses OpenSSL3 (3.5.0) on Questing
which has deprecated SHA-1 X509 certificates. The certificates at
examples/pki/private/signing_key.pem used in the unit test appear to be
SHA-1 2048 certificates and get rejected by the newer version of
OpenSSL.


Traceback (most recent call last):
  File "/<<PKGBUILDDIR>>/keystone/federation/idp.py", line 538, in _sign_assertion
    stdout = subprocess.check_output(
        command_list,  # nosec : The contents
    ...<15 lines>...
        errors='replace',
    )
  File "/usr/lib/python3.13/subprocess.py", line 472, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
           ~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
               **kwargs).stdout
               ^^^^^^^^^
  File "/usr/lib/python3.13/subprocess.py", line 577, in run
    raise CalledProcessError(retcode, process.args,
                             output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['xmlsec1', '--sign', '--privkey-pem', 'examples/pki/private/signing_key.pem,examples/pki/certs/signing_cert.pem', '--id-attr:ID', 'Assertion', '/tmp/tmppm8yxa6u/tmp_5ic6awy']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/<<PKGBUILDDIR>>/keystone/tests/unit/test_v3_federation.py", line 4066, in test_saml_signing
    response = generator.samlize_token(
        self.ISSUER,
    ...<6 lines>...
        self.GROUPS,
    )
  File "/<<PKGBUILDDIR>>/keystone/federation/idp.py", line 101, in samlize_token
    assertion = _sign_assertion(assertion)
  File "/<<PKGBUILDDIR>>/keystone/federation/idp.py", line 566, in _sign_assertion
    raise exception.SAMLSigningError(reason=e)
keystone.exception.SAMLSigningError: An unexpected error prevented the server from fulfilling your request.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2119991

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2119991/+subscriptions
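The reporter's theory rests on the premise that the test certificate is SHA-1 signed. The following stdlib-only checker is added here as an example (it is not Keystone's or xmlsec1's code): it reads the outer signatureAlgorithm OID of a PEM certificate so that premise can be confirmed on examples/pki/certs/signing_cert.pem without the openssl CLI. The `fake_cert_pem` helper and the `*_OID` constants are assumptions that build a constructed, minimal DER shell for a stand-alone run; they are not real certificates.

```python
import base64
import re

# AlgorithmIdentifier OIDs (RFC 3279 / RFC 4055); sha1WithRSAEncryption is the suspect here.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # RSA-SHA1, ECDSA-SHA1

def der_tlv(buf, pos=0):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):  # (tag, value) children of a constructed DER value
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Dotted form of DER OID content bytes (the first byte packs the first two arcs)."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def signature_info(pem):
    """(OID, name) of the outer signatureAlgorithm: Certificate ::= SEQUENCE {tbs, alg, sig}."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    _tbs, (_, alg), _sig = der_children(der_tlv(der)[1])
    oid = decode_oid(der_children(alg)[0][1])  # AlgorithmIdentifier.algorithm
    return oid, SIG_OIDS.get(oid, "unknown")

def is_sha1_signed(pem):  # True when the certificate itself carries a SHA-1 signature
    return signature_info(pem)[0] in SHA1_OIDS

def fake_cert_pem(sig_oid_bytes):  # constructed sample, not a real cert: placeholder tbs/signature
    def tlv(tag, content):  # short-form lengths are enough for this tiny structure
        return bytes([tag, len(content)]) + content
    alg = tlv(0x30, tlv(0x06, sig_oid_bytes) + tlv(0x05, b""))
    cert = tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert).decode()}\n-----END CERTIFICATE-----\n"

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Run `is_sha1_signed(open("examples/pki/certs/signing_cert.pem").read())` from the Keystone tree to check the real file. This reports only how the certificate itself was signed; whether xmlsec1 or OpenSSL then rejects it depends on their configured security level, so a SHA-1 result confirms the premise rather than the root cause.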