TLS Support using SPIFFE
Project description
spiffe-tls
package (experimental)
Overview
The spiffe-tls
package, part of the py-spiffe library, streamlines the
establishment of secure TLS connections using SPIFFE certificates. Powered
by pyOpenSSL, it provides straightforward utilities for configuring TLS clients
and servers. Currently experimental, spiffe-tls
facilitates the seamless integration of SPIFFE for the automatic
management of X.509 certificates and CA trust bundles via X509Source
from
the spiffe package.
Key Features
- TLS connections with SPIFFE ID validation.
- Mutual TLS (MTLS) support for authenticated client-server communication.
- Customizable server and client TLS configurations.
Quick Start
Server Setup
# Create a TLS server with SPIFFE-based MTLS
from spiffetls import listen, ListenOptions
from spiffe import SpiffeId, X509Source
from spiffetls.mode import ServerTlsMode
from spiffetls.tlsconfig.authorize import authorize_id
x509_source = X509Source()
options = ListenOptions(
tls_mode=ServerTlsMode.MTLS,
authorize_fn=authorize_id(SpiffeId("spiffe://example.org/client-service")),
)
listener = listen("localhost:8443", x509_source, options)
Client Connection
# Establish a secure connection to a TLS server
from spiffetls import dial
from spiffe import SpiffeId, X509Source
from spiffetls.tlsconfig.authorize import authorize_id
x509_source = X509Source()
conn = dial(
"localhost:8443",
x509_source,
authorize_fn=authorize_id(SpiffeId("spiffe://example.org/server")),
)
Authorization Functions
The package supports custom authorization functions for additional certificate validation:
authorize_any()
: Accepts any SPIFFE ID.authorize_id()
: Validates a specific SPIFFE ID.authorize_one_of()
: Allows any ID from a set of allowed SPIFFE IDs.authorize_member_of()
: Permits any ID from a specific trust domain.
Contributing
We welcome contributions to the spiffe-tls
package! Please see
our contribution guidelines for more
details. For feedback and issues, please submit them through
the GitHub issue tracker.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for spiffe_tls-0.1.3-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 5b008a10decad5accd55aaecd5612a1cb6299970bb831a34d96ff9b33c4d91a3 |
|
MD5 | af937c471e0941d361ec1251d0cf5fd5 |
|
BLAKE2b-256 | 271d597f678ca1b0cda9a05e2b2675e8b195ba52508ac5b512110b3b16bb5ca9 |