
pyFF doesn't handle ASN.1 parser errors gracefully with backwards incompatible pyca/cryptography (>= 35.0.0)

Open alanbuxey opened this issue 1 year ago • 0 comments

When the local environment has a version of pyca/cryptography >= 35.0.0 then ASN.1 parser errors cause the process to fail.

Code Version

Version 2.0.0 (versions higher than this currently don't even check the metadata signature - see issue #264)

Expected Behavior

Certificate provided fails some country-specific encoding when being parsed and currently errors out. It should continue.

Current Behavior

Certificate provided should be accepted and used

Possible Solution

Unsure. I suspect that a fix similar to what was done with the tooling in this thread is followed: https://github.com/panzi/verify-ehc/issues/21

Steps to Reproduce

  • take latest v9 Haka certificate and Metadata - https://wiki.eduuni.fi/display/CSCHAKA/Haka+metadata
  • and use in a batch XRD file

Output from version 2.0.0 with pyca/cryptography > 35.0.0

INFO:pyff.fetch:successfully fetched https://haka.funet.fi/metadata/haka-metadata-v9.xml
ERROR:xmlsec:error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["BasicConstraints::ca"] }
ERROR:pyff.samlmd:Error parsing https://haka.funet.fi/metadata/haka-metadata-v9.xml: No valid ds:Signature elements found

Output from 2.0.0 with pyca/cryptography 3.4.8 (the last version before the big version number jump to 35.0.0)

INFO:pyff.fetch:successfully fetched https://haka.funet.fi/metadata/haka-metadata-v9.xml

No error, metadata read successfully and entityIDs processed.

alanbuxey, May 13 '24 16:05
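The `EncodedDefault` error kind in the log above names a field that was explicitly encoded at its DEFAULT value, which DER forbids; for `BasicConstraints::ca` that means a `cA` BOOLEAN encoded as FALSE. The following is an added example, not code from pyFF, xmlsec or the issue author: a standard-library check that flags that encoding so an operator can identify the offending certificate before it reaches a strict parser. The function names, result strings and sample bytes are constructed for illustration, and the OID byte search is a heuristic rather than a full X.509 parse.

```python
# Added example: flag a BasicConstraints value that encodes cA at its DEFAULT (FALSE).
BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")  # OID 2.5.29.19 as a DER TLV

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def check_basic_constraints(value):
    """Classify the bytes inside extnValue: SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }."""
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        return "malformed"
    if not body:
        return "ok"  # cA omitted, so it takes the default FALSE
    tag, val, _ = read_tlv(body, 0)
    if tag != 0x01:
        return "ok"  # first field is pathLenConstraint; cA omitted
    if val == b"\x00":
        return "encoded-default"  # valid BER, rejected by a strict DER parser
    return "ok" if val == b"\xff" else "non-der-boolean"

def find_basic_constraints(der):
    """Heuristic: find the extension by its OID bytes and return the extnValue content."""
    idx = der.find(BASIC_CONSTRAINTS_OID)
    if idx < 0:
        return None
    tag, val, pos = read_tlv(der, idx + len(BASIC_CONSTRAINTS_OID))
    if tag == 0x01:  # optional 'critical' flag precedes extnValue
        tag, val, pos = read_tlv(der, pos)
    return val if tag == 0x04 else None

# Constructed sample Extension encodings (not taken from the Haka certificate).
BAD_EXT = bytes.fromhex("300c0603551d1304053003010100")        # cA FALSE encoded
GOOD_EXT = bytes.fromhex("300f0603551d130101ff040530030101ff")  # critical, cA TRUE

if __name__ == "__main__":
    for name, ext in (("bad", BAD_EXT), ("good", GOOD_EXT)):
        print(name, check_basic_constraints(find_basic_constraints(ext)))
```

To check a real signing certificate, pass its DER bytes (for example the base64-decoded body of the PEM file) to `find_basic_constraints` and classify the result.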