fix(security): resolve CVE-2026-26007 by migrating deprecated OpenSSL.crypto.verify and unblocking cryptography >= 46.0.5

[ascii-dev]

Description

The feature or problem addressed by this PR

This PR resolves the dependency deadlock preventing the mitigation of CVE-2026-26007 (elliptic curve subgroup validation vulnerability).

Currently, upgrading the cryptography package to a secure version is blocked by the upper bound constraint on pyopenssl < 24.3.0. That constraint exists because OpenSSL.crypto.verify was deprecated and subsequently removed in pyopenssl 24.3.0. We need a way to verify signatures without relying on the removed API so we can bump both packages and secure downstream users.

Closes #1017

What your changes do and why you chose this solution

To unblock the security patch, this PR refactors the signature verification layer in src/saml2/cert.py.

Technical Changes:

• Migrated Verification API: Replaced the removed OpenSSL.crypto.verify API with direct cryptography.hazmat.primitives.asymmetric implementations.
• Handles RSA keys via RSAPublicKey.verify() with PKCS1v15 padding.
• Handles EC keys via EllipticCurvePublicKey.verify() with ECDSA.
• Removed the < 24.3.0 upper bound on pyopenssl.
• Bumped cryptography >= 46.0.5 to explicitly enforce the CVE-2026-26007 mitigation.
• Updated types-pyopenssl to >= 24.0.0 to maintain type compatibility.
• Bumped the minimum supported Python version from 3.9 to 3.9.2 to align with the new upstream package constraints.

Why this solution:
The project's remaining reliance on pyopenssl for certificate creation and loading remains completely untouched and functional. Existing tests pass locally with xmlsec1 installed.

Checklist

• Checked that no other issues or pull requests exist for the same issue/change
• Added tests covering the new functionality
• Updated documentation OR the change is too minor to be documented
• Updated CHANGELOG.md OR changes are insignificant