TLS Support using SPIFFE

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for maxlambrecht from gravatar.com maxlambrecht

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Max Lambrecht
  • Requires: Python <4.0, >=3.9
Classifiers

Project description

spiffe-tls package (experimental)

Overview

The spiffe-tls package, part of the py-spiffe library, is designed to simplify the creation of secure TLS connections by leveraging SPIFFE IDs for authentication. Utilizing the capabilities of pyOpenSSL, this package offers straightforward utilities for both TLS client and server configurations. Currently in its experimental phase, spiffe-tlsenables integration of SPIFFE-based authentication, facilitating automatic management of X.509 certificates and CA trusted bundles through an X509Source from the spiffe package.

Key Features

  • TLS connections with SPIFFE ID validation.
  • Mutual TLS (MTLS) support for authenticated client-server communication.
  • Customizable server and client TLS configurations.

Quick Start

Server Setup

# Create a TLS server with SPIFFE-based MTLS
from spiffetls import listen, ListenOptions
from spiffe import SpiffeId, X509Source
from spiffetls.mode import ServerTlsMode
from spiffetls.tlsconfig.authorize import authorize_id

x509_source = X509Source()
options = ListenOptions(
    tls_mode=ServerTlsMode.MTLS,
    authorize_fn=authorize_id(SpiffeId("spiffe://example.org/client-service")),
)

listener = listen("localhost:8443", x509_source, options)

Client Connection

# Establish a secure connection to a TLS server
from spiffetls import dial
from spiffe import SpiffeId, X509Source
from spiffetls.tlsconfig.authorize import authorize_id

x509_source = X509Source()

conn = dial(
    "localhost:8443",
    x509_source,
    authorize_fn=authorize_id(SpiffeId("spiffe://example.org/server")),
)

Authorization Functions

The package supports custom authorization functions for additional certificate validation:

  • authorize_any(): Accepts any SPIFFE ID.
  • authorize_id(): Validates a specific SPIFFE ID.
  • authorize_one_of(): Allows any ID from a set of allowed SPIFFE IDs.
  • authorize_member_of(): Permits any ID from a specific trust domain.

Contributing

We welcome contributions to the spiffe-tls package! Please see our contribution guidelines for more details. For feedback and issues, please submit them through the GitHub issue tracker.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for maxlambrecht from gravatar.com maxlambrecht

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache-2.0)
  • Author: Max Lambrecht
  • Requires: Python <4.0, >=3.9
Classifiers

Release history Release notifications | RSS feed

0.1.3

0.1.2

This version

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

spiffe_tls-0.1.1.tar.gz (11.6 kB view hashes)

Uploaded Source

Built Distribution

spiffe_tls-0.1.1-py3-none-any.whl (15.5 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page