From d5355f4dfc4956820cee6c27dcc9a3249d9ef2d2 Mon Sep 17 00:00:00 2001
From: Alfred Whitehead
Date: Mon, 27 Oct 2025 15:51:00 +0000
Subject: [PATCH] Refactored to work with modern pyopenssl versions
---
 flask_saml2/signing.py | 21 ++++++++++++++++++---
 flask_saml2/version.py | 2 +-
 setup.py | 2 +-
 3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/flask_saml2/signing.py b/flask_saml2/signing.py
index e32f21a..ce879db 100644
--- a/flask_saml2/signing.py
+++ b/flask_saml2/signing.py
@@ -7,7 +7,8 @@
 from typing import ClassVar, Sequence, Tuple, Union
 from urllib.parse import urlencode
-import OpenSSL.crypto
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
 from flask_saml2.types import X509, PKey, XmlNode
@@ -98,7 +99,14 @@ def __init__(self, key: Union[X509, PKey]):
 self.key = key
 def __call__(self, data: bytes):
- data = OpenSSL.crypto.sign(self.key, data, "sha1")
+ # pyOpenSSL PKey -> cryptography key:
+ priv = self.key.to_cryptography_key() # returns RSAPrivateKey
+ signature = priv.sign(
+ data,
+ padding.PKCS1v15(),
+ hashes.SHA1(),
+ )
+ data = signature
 return base64.b64encode(data).decode('ascii')
@@ -109,7 +117,14 @@ def __init__(self, key: Union[X509, PKey]):
 self.key = key
 def __call__(self, data: bytes):
- data = OpenSSL.crypto.sign(self.key, data, "sha256")
+ # pyOpenSSL PKey -> cryptography key:
+ priv = self.key.to_cryptography_key() # returns RSAPrivateKey
+ signature = priv.sign(
+ data,
+ padding.PKCS1v15(),
+ hashes.SHA256(), # prefer SHA-256, not SHA-1
+ )
+ data = signature
 return base64.b64encode(data).decode('ascii')
diff --git a/flask_saml2/version.py b/flask_saml2/version.py
index c62b4ed..f269070 100644
--- a/flask_saml2/version.py
+++ b/flask_saml2/version.py
@@ -30,5 +30,5 @@ def make_version_string(version_info):
 return version_str
-version_info = (0, 3, 0)
+version_info = (0, 3, 1)
 version_str = make_version_string(version_info)
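Review bot: In `Sha1Signer.__call__`, `priv.sign(data, padding.PKCS1v15(), hashes.SHA1())` is the RSA-specific call form, but `to_cryptography_key()` returns whatever key type the `PKey` wraps, so the `# returns RSAPrivateKey` comment is an assumption rather than a guarantee. A non-RSA key would fail inside `sign()` with an argument error, whereas the removed `OpenSSL.crypto.sign` call took the key as given. I would check straight after the conversion, `if not isinstance(priv, rsa.RSAPrivateKey): raise TypeError("Sha1Signer requires an RSA private key")`, with `rsa` imported next to `padding`; the same applies to the `Sha256Signer.__call__` hunk that follows. The constructor annotation still admits `X509`, which as far as I know has no `to_cryptography_key()`, so narrowing it to `PKey` looks worthwhile; the class itself starts outside the hunk.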
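Review bot: The new `Sha256Signer.__call__` body duplicates the `Sha1Signer` one line for line apart from the hash object, so the signing logic now has to be kept in step in two places. A shared helper on the base class that takes the hash instance (name is a suggestion), called as `return self._rsa_sign(data, hashes.SHA256())`, would leave a single place for key-type checks or a later padding change, and the `data = signature` rebinding could be dropped in favour of `base64.b64encode(signature)`. The trailing comment `# prefer SHA-256, not SHA-1` would serve readers better as a docstring line on `Sha1Signer` stating that RSA-SHA1 is kept only for peers that still require it. Both class definitions begin outside the hunks shown.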
diff --git a/setup.py b/setup.py
index 07f5e39..dacdf7a 100755
--- a/setup.py
+++ b/setup.py
@@ -27,7 +27,7 @@
 'Flask>=1.0.0',
 'signxml>=2.4.0',
 'lxml>=3.8.0',
- 'pyopenssl<18',
+ 'pyopenssl>=23',
 'defusedxml>=0.5.0',
 'pytz>=0',
 'iso8601~=0.1.12',
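Review bot: `flask_saml2/signing.py` now imports `cryptography.hazmat` directly, yet the visible part of the requirements list names only `pyopenssl`, so `cryptography` is installed only as a transitive dependency of it. Declaring it explicitly, e.g. `'cryptography>=<lowest version tested>',`, keeps the signing path from silently following whatever pyOpenSSL pins. `'pyopenssl>=23'` also carries no upper bound, so a CI run against the newest pyOpenSSL release would catch the next API removal before users do. The list continues outside the hunk, so `cryptography` may already be declared there.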