
Support certificate chains #731

Open
@klarose

Description


It would be nice if pysaml2 could support certificate chains for the various certificates it uses. Currently it only supports a single certificate.

Code Version

6.1.0

Expected Behavior

Section 3.1.0 of https://www.oasis-open.org/committees/download.php/8958/sstc-saml-implementation-guidelines-draft-01.pdf suggests that a certificate chain may be supported, and that if it is, the xml should include the chain up to (but not including) the root. So, in my case, the xml should include both the server certificate and the intermediate certificate.

Current Behavior

Currently, if the certificate provided for signing, for example, contains an intermediate certificate, pysaml2 emits an invalid certificate in the xml, or fails. If it fails, it fails with an error like "Invalid base 64 string". If it doesn't fail, it emits a mangled certificate chain (the outermost begin/end cert lines from the pem encoding are removed, but the inner end/begin are not).

To work around this, I need to strip the intermediate certificates from my certificate chain. This means that those intermediate certificates will need to be trusted by the parties with which I am integrating. This is unfortunate if I am using a public CA to sign my certificate, since those CAs typically provide their root certificates for validation in standard packages/etc, easing distribution.

Note the comment here:

"""
 Reads a certificate from a file. The assumption is that there is
    only one certificate in the file
...
"""

This appears to be where the troubles start. It's not clear to me what's involved in supporting multiple certificates. I suspect it's more than just changing this function.

Possible Solution

Include all certificates from the pem encoded certificate files in the xml. This leaves the decision of how to evaluate the chain of trust in the hands of the implementation.
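The following is an added example written for this page; it is not pysaml2's code and does not reproduce its internals. It reconstructs the failure mode described above (dropping only the outermost BEGIN/END lines of a PEM file, which leaves the inner END/BEGIN markers inside the base64 body) next to a parser that extracts every CERTIFICATE block from a PEM bundle, validates each body as base64 and as a DER SEQUENCE, and emits one `ds:X509Certificate` per block inside `ds:X509Data`, which is the XML-DSig structure that carries a chain. The PEM bodies are constructed stand-ins (a five-byte DER SEQUENCE), not real certificates, and the function names are this example's own.

```python
import base64
import binascii
import re
from typing import List

# Constructed sample: two PEM blocks standing in for a leaf and an intermediate.
# The bodies are NOT real certificates; each is a minimal DER SEQUENCE
# (0x30 0x03 0x02 0x01 <n> = SEQUENCE { INTEGER n }) so that decode checks pass.
_FAKE_DER_LEAF = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
_FAKE_DER_INTERMEDIATE = bytes([0x30, 0x03, 0x02, 0x01, 0x02])


def _pem_block(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (constructed helper)."""
    body = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# A two-certificate chain file: leaf first, then the intermediate.
SAMPLE_CHAIN_PEM = _pem_block(_FAKE_DER_LEAF) + _pem_block(_FAKE_DER_INTERMEDIATE)


def naive_strip_outer_lines(pem_text: str) -> str:
    """Reproduce the mangling the issue describes: drop only the first and last
    line of the file and join the rest. For a single-certificate file this
    yields the base64 body; for a chain the inner END/BEGIN lines survive."""
    lines = [line for line in pem_text.strip().splitlines() if line.strip()]
    return "".join(lines[1:-1])


_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def read_certificates(pem_text: str) -> List[str]:
    """Return the base64 body of every CERTIFICATE block, in file order.

    Each body is checked to be strict base64 and to decode to a DER SEQUENCE
    (first byte 0x30); anything else is rejected rather than emitted."""
    bodies = []
    for match in _PEM_RE.finditer(pem_text):
        body = "".join(match.group(1).split())          # join wrapped lines
        der = base64.b64decode(body, validate=True)     # raises on junk chars
        if not der or der[0] != 0x30:
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        bodies.append(body)
    if not bodies:
        raise ValueError("no CERTIFICATE blocks found")
    return bodies


def is_valid_base64(text: str) -> bool:
    """True if text is strict base64 (what an XML consumer will require)."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False


def x509_data_xml(bodies: List[str]) -> str:
    """Render a ds:X509Data element with one ds:X509Certificate per body.
    The caller decides which bodies to pass (e.g. leaf plus intermediates,
    omitting the root as the implementation guidelines suggest)."""
    certs = "".join(
        "<ds:X509Certificate>" + body + "</ds:X509Certificate>" for body in bodies
    )
    return (
        '<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        + certs
        + "</ds:X509Data>"
    )


if __name__ == "__main__":
    mangled = naive_strip_outer_lines(SAMPLE_CHAIN_PEM)
    print("naive strip valid base64?", is_valid_base64(mangled))  # False for a chain
    chain = read_certificates(SAMPLE_CHAIN_PEM)
    print("certificates found:", len(chain))                        # 2
    print(x509_data_xml(chain))
```

Running the script shows that the naive approach yields a string containing literal `-----END CERTIFICATE-----` / `-----BEGIN CERTIFICATE-----` text, which strict base64 decoding rejects (the "Invalid base 64 string" class of error), while the block-by-block parser yields two clean bodies that can each be placed in their own `ds:X509Certificate` element.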
