Skip to main content

TLS Support using SPIFFE

Project description

spiffe-tls package (experimental)

Overview

The spiffe-tls package, part of the py-spiffe library, streamlines the establishment of secure TLS connections using SPIFFE certificates. Powered by pyOpenSSL, it provides straightforward utilities for configuring TLS clients and servers. Currently experimental, spiffe-tls facilitates the seamless integration of SPIFFE for the automatic management of X.509 certificates and CA trust bundles via X509Source from the spiffe package.

Key Features

  • TLS connections with SPIFFE ID validation.
  • Mutual TLS (MTLS) support for authenticated client-server communication.
  • Customizable server and client TLS configurations.
  • Standard library-compatible SSL context with automatic certificate refresh.

Quick Start

Server Setup

# Create a TLS server with SPIFFE-based MTLS
from spiffetls import listen, ListenOptions
from spiffe import SpiffeId, X509Source
from spiffetls.mode import ServerTlsMode
from spiffetls.tlsconfig.authorize import authorize_id

x509_source = X509Source()
options = ListenOptions(
    tls_mode=ServerTlsMode.MTLS,
    authorize_fn=authorize_id(SpiffeId("spiffe://example.org/client-service")),
)

listener = listen("localhost:8443", x509_source, options)

Client Connection

# Establish a secure connection to a TLS server
from spiffetls import dial
from spiffe import SpiffeId, X509Source
from spiffetls.tlsconfig.authorize import authorize_id

x509_source = X509Source()

conn = dial(
    "localhost:8443",
    x509_source,
    authorize_fn=authorize_id(SpiffeId("spiffe://example.org/server")),
)

Using with Standard HTTP Libraries

For integration with standard Python HTTP libraries (like requests, httpx, urllib3), use SpiffeSSLContext:

# Use SPIFFE authentication with httpx
from spiffetls import SpiffeSSLContext
from spiffe import X509Source
import httpx

x509_source = X509Source()

# Create an SSL context that automatically refreshes certificates
ssl_context = SpiffeSSLContext(x509_source, use_system_trusted_cas=True)

# Use with httpx
client = httpx.Client(verify=ssl_context)
response = client.get("https://api.example.org/data")

The SpiffeSSLContext provides a standard library-compatible interface that automatically refreshes X.509 SVIDs as they rotate, without requiring manual updates to the SSL context. This is particularly useful for long-running applications.

Authorization Functions

The package supports custom authorization functions for additional certificate validation:

  • authorize_any(): Accepts any SPIFFE ID.
  • authorize_id(): Validates a specific SPIFFE ID.
  • authorize_one_of(): Allows any ID from a set of allowed SPIFFE IDs.
  • authorize_member_of(): Permits any ID from a specific trust domain.

Contributing

We welcome contributions to the spiffe-tls package! Please see our contribution guidelines for more details. For feedback and issues, please submit them through the GitHub issue tracker.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

spiffe_tls-0.4.0.tar.gz (21.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

spiffe_tls-0.4.0-py3-none-any.whl (27.0 kB view details)

Uploaded Python 3

File details

Details for the file spiffe_tls-0.4.0.tar.gz.

File metadata

  • Download URL: spiffe_tls-0.4.0.tar.gz
  • Upload date:
  • Size: 21.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.21 {"installer":{"name":"uv","version":"0.11.21","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for spiffe_tls-0.4.0.tar.gz
Algorithm Hash digest
SHA256 412e94a86b0229e70608ce12d1387c36484fa04c1037aec73dbf88003b95dffd
MD5 d73b8d1e812e40b60cd2f3dbf3dd9753
BLAKE2b-256 d2c8f1299b2242661f3d5a92a99664a7b8a0927b6bdebb52027ed2d654391b56

See more details on using hashes here.

File details

Details for the file spiffe_tls-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: spiffe_tls-0.4.0-py3-none-any.whl
  • Upload date:
  • Size: 27.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.21 {"installer":{"name":"uv","version":"0.11.21","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for spiffe_tls-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 83690269b099960c4cd979c98d37f2da706486908c01fabe8502d01938001142
MD5 543aa31fd3e5459a45b70d19184bd84a
BLAKE2b-256 47232935a70d09149c0b3ac79502ec71d6c666cf595227d3bcaa8791a2a4eb7d

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page