The KeyJar constructor takes two TLS-related arguments: 'verify_ssl' (default: True) and 'ca_certs' (default: None).
Trying to configure a non-default CA fails when fetching keys.
It also fails when just using the defaults and configuring the client without an explicit KeyJar:

```python
Client(ca_certs=mycerts, verify_ssl=True, ...)
```
The ca_certs parameter to KeyJar is stored, but never used. The KeyBundle class only ever sees the verify_ssl parameter that is passed down to `requests`.
The default KeyJar setup in `PBase.__init__` is also broken, so you need to set BOTH verify_ssl and ca_certs to a path to make it work properly. PBase gets it right for its own http_request code though, but fails to set up the default KeyJar correctly.
It looks like this in a slightly redacted traceback when doing an AccessTokenRequest with an RS256-signed response:
```
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oic/__init__.py", line 653, in do_access_token_request
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oauth2/__init__.py", line 761, in do_access_token_request
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oauth2/__init__.py", line 684, in request_and_return
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oauth2/__init__.py", line 638, in parse_request_response
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oauth2/__init__.py", line 565, in parse_response
    verf = resp.verify(**kwargs)
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oic/message.py", line 302, in verify
    idt = IdToken().from_jwt(str(self["id_token"]), **args)
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oauth2/message.py", line 687, in from_jwt
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oauth2/message.py", line 599, in get_verify_keys
    self._add_key(keyjar, jso[ent], key, _key_type, _kid, nki)
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/oauth2/message.py", line 499, in _add_key
    issuer, key_summary(keyjar, issuer)))
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/utils/keyio.py", line 1144, in key_summary
    for key in kb.keys():
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/utils/keyio.py", line 274, in keys
    self._uptodate()
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/utils/keyio.py", line 232, in _uptodate
    if self.update():
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/utils/keyio.py", line 255, in update
    res = self.do_remote()
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/utils/keyio.py", line 168, in do_remote
    REMOTE_FAILED.format(self.source, str(err)))
  File "..../python2.7/site-packages/oic-0.11.0.0-py2.7.egg/oic/utils/keyio.py", line 39, in raise_exception
    raise excep(_err, 'application/json')
UpdateFailed: {"error_description": "Remote key update from 'https://example.com/nidp/oauth/nam/keys' failed, HTTP status HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: /nidp/oauth/nam/keys (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),))", "error": "service_error"}
```
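The defect the report describes, as an added example (not pyoidc code): a hypothetical sketch of a key fetcher that stores ca_certs but never hands it to the HTTP layer, beside a corrected one, both exercised against a constructed stand-in for a JWKS endpoint whose certificate chains to a private CA. The names KeyBundle, do_remote, verify_ssl and ca_certs follow the report; the bundle path and the injected http_get callable (standing in for requests.get) are assumptions.

```python
# Added example, not pyoidc code. http_get(url, verify=...) stands in for
# requests.get so the whole thing runs offline; PRIVATE_CA is a constructed path.
PRIVATE_CA = "/etc/ssl/private-ca.pem"


def resolve_verify(verify_ssl=True, ca_certs=None):
    """Map the two KeyJar arguments onto the single `verify` value that
    requests accepts: False, True, or a path to a CA bundle."""
    if verify_ssl is False:      # explicit opt-out wins (not recommended)
        return False
    if ca_certs:                 # a configured private CA bundle is used
        return ca_certs
    return verify_ssl            # True, or a bundle path passed as verify_ssl


class BuggyKeyBundle:
    """Reported behaviour: ca_certs is stored but never reaches the HTTP call."""

    def __init__(self, source, http_get, verify_ssl=True, ca_certs=None):
        self.source, self.http_get = source, http_get
        self.verify_ssl, self.ca_certs = verify_ssl, ca_certs

    def do_remote(self):
        return self.http_get(self.source, verify=self.verify_ssl)  # ca_certs ignored


class FixedKeyBundle(BuggyKeyBundle):
    """Same interface, but ca_certs is honoured when fetching the JWKS."""

    def do_remote(self):
        return self.http_get(self.source,
                             verify=resolve_verify(self.verify_ssl, self.ca_certs))


def fake_jwks_server(url, verify=True):
    """Constructed JWKS endpoint behind the private CA: only a caller that trusts
    that bundle (or disables verification) gets the key set; anything else
    fails the way CERTIFICATE_VERIFY_FAILED does in the traceback above."""
    if verify is False or verify == PRIVATE_CA:
        return {"keys": [{"kty": "RSA", "kid": "constructed-kid", "use": "sig"}]}
    raise ConnectionError("Remote key update from %r failed: CERTIFICATE_VERIFY_FAILED" % url)


def fetch_keys(bundle_cls, verify_ssl=True, ca_certs=None):
    """Return True if the bundle class can fetch keys with these settings."""
    kb = bundle_cls("https://example.com/nidp/oauth/nam/keys", fake_jwks_server,
                    verify_ssl=verify_ssl, ca_certs=ca_certs)
    try:
        return bool(kb.do_remote()["keys"])
    except ConnectionError:
        return False
```

With the buggy bundle the only thing that works against the private CA is the report's workaround of passing the bundle path as verify_ssl; the fixed bundle accepts ca_certs as documented.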