
Patch cryptography and pyOpenSSL vulnerabilities CVE-2026-26007 and CVE-2026-27459 #1032

Closed
evansun06 wants to merge 1 commit into IdentityPython:master from ubc:security

Conversation

@evansun06


Description

The feature or problem addressed by this PR

Addresses security findings in pysaml2’s cryptography stack, including the pyOpenSSL vulnerability tracked in #1023.

Specifically:

What your changes do and why you chose this solution

This PR updates pysaml2’s dependency bounds and certificate verification implementation to support secure pyCA package versions.

Changes include:

  • Bumps pyOpenSSL to >=26.2.0,<26.3.0

  • Bumps cryptography to >=48.0.1,<49.0.0

  • Replaces removed OpenSSL.crypto.verify usage with cryptography.x509 certificate verification

  • Adds explicit security floors for vulnerable transitive/test dependencies found during audit

  • Raises Python support to >=3.10 to allow secure dependency resolution

  • Updates the tox matrix to supported Python versions

  • Adds certificate verification regression tests

The pyOpenSSL <26.3.0 cap is intentional: 26.3.0 removes CSR APIs that pysaml2 still uses. This bounded upgrade fixes the security issue without requiring a larger CSR-generation rewrite.

Verification completed:

  • poetry check
  • pytest tests/test_81_certificates.py tests/test_92_aes.py
  • python -m pip check
  • pip-audit

pip-audit reports: No known vulnerabilities found.

Checklist

  • Checked that no other issues or pull requests exist for the same issue/change
  • Added tests covering the new functionality
  • Updated documentation OR the change is too minor to be documented
  • Updated CHANGELOG.md OR changes are insignificant

@evansun06 evansun06 closed this Jun 22, 2026
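The PR description says the removed OpenSSL.crypto.verify(cert, signature, data, digest) call was replaced with cryptography.x509-based verification. The block below is an added example of what such a replacement looks like; it is written for this page and is not pysaml2's code or the PR's diff. It assumes the pyca/cryptography package is installed, that the old call's RSA behaviour (PKCS#1 v1.5 padding with the named digest) is what needs to be preserved, and the function names verify_signature, make_self_signed_cert, sign_data and roundtrip are hypothetical. The key, certificate and message are generated in the block so it runs offline.

```python
# Added example (not pysaml2's implementation): verify a detached signature
# against the public key carried in an X.509 certificate using pyca/cryptography,
# covering the role OpenSSL.crypto.verify(cert, signature, data, digest) played.
# Function names are hypothetical; test data is constructed inline.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

# Digest names in the form the old OpenSSL.crypto.verify call accepted,
# mapped to cryptography hash classes.
_DIGESTS = {
    "sha256": hashes.SHA256,
    "sha384": hashes.SHA384,
    "sha512": hashes.SHA512,
}


def verify_signature(cert_pem: bytes, signature: bytes, data: bytes,
                     digest: str = "sha256") -> bool:
    """Return True iff `signature` over `data` was produced by the key in `cert_pem`.

    Only the signature is checked. Validity period, chain building and
    revocation are separate concerns and must be handled by the caller.
    """
    try:
        algo = _DIGESTS[digest.lower()]()
    except KeyError:
        raise ValueError(f"unsupported digest: {digest}") from None
    cert = x509.load_pem_x509_certificate(cert_pem)
    public_key = cert.public_key()
    try:
        if isinstance(public_key, rsa.RSAPublicKey):
            # Assumption: PKCS#1 v1.5 matches what the removed OpenSSL call used.
            public_key.verify(signature, data, padding.PKCS1v15(), algo)
        elif isinstance(public_key, ec.EllipticCurvePublicKey):
            public_key.verify(signature, data, ec.ECDSA(algo))
        else:
            raise TypeError(f"unsupported key type: {type(public_key).__name__}")
    except InvalidSignature:
        return False
    return True


def make_self_signed_cert(key_type: str = "rsa"):
    """Generate a throwaway key and self-signed certificate (constructed test data)."""
    if key_type == "rsa":
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    elif key_type == "ec":
        key = ec.generate_private_key(ec.SECP256R1())
    else:
        raise ValueError(f"unsupported key type: {key_type}")
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert.public_bytes(serialization.Encoding.PEM)


def sign_data(key, data: bytes, digest: str = "sha256") -> bytes:
    """Sign `data` with a private key, using the padding/scheme verify_signature expects."""
    algo = _DIGESTS[digest.lower()]()
    if isinstance(key, rsa.RSAPrivateKey):
        return key.sign(data, padding.PKCS1v15(), algo)
    return key.sign(data, ec.ECDSA(algo))


def roundtrip(key_type: str = "rsa", digest: str = "sha256") -> tuple:
    """Sign a constructed message; return (valid, tampered_data, tampered_sig) outcomes."""
    key, pem = make_self_signed_cert(key_type)
    msg = b"SAML assertion bytes (constructed)"
    sig = sign_data(key, msg, digest)
    flipped = sig[:-1] + bytes([sig[-1] ^ 0x01])  # corrupt one bit of the signature
    return (
        verify_signature(pem, sig, msg, digest),
        verify_signature(pem, sig, msg + b"x", digest),
        verify_signature(pem, flipped, msg, digest),
    )


if __name__ == "__main__":
    print("rsa/sha256:", roundtrip("rsa"))        # (True, False, False)
    print("ec/sha384: ", roundtrip("ec", "sha384"))  # (True, False, False)
```

Because cryptography raises InvalidSignature rather than returning a status, the boolean wrapper is what keeps call sites that tested the old function's result working. Note that a passing check here only proves possession of the key in the certificate; whether that certificate is the expected one (validity window, trust chain, pinned fingerprint) is a separate decision the caller still has to make, as the old OpenSSL.crypto.verify call also left it.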
