X.509 mutual TLS proof-of-possession verifier for Swarmauri

Project description

Swarmauri PoP X.509

swarmauri_pop_x509 validates mutual TLS certificate bindings for Swarmauri PoP workflows. It matches presented client certificates against access-token confirmation claims so downstream components can trust mTLS-provided identities.

Features

  • Implements X509PoPVerifier that matches SHA-256 thumbprints against cnf values for RFC 8705-style confirmation
  • Reuses the shared Swarmauri PoP contract, allowing X.509 proofs to be interchanged with JWT- and COSE-based strategies
  • Accepts asynchronous HTTP request parts and extra context so you can forward peer certificate material from proxies or API gateways
  • Provides clear error messaging for missing certificates, mismatched thumbprints, or unsupported binding types

Installation

pip install swarmauri_pop_x509
uv add swarmauri_pop_x509

Usage

The verifier consumes the normalised HTTP request alongside the cnf binding from the access token. Provide the peer certificate in DER form via the extras mapping when invoking verify_http.

import asyncio
import ssl
from swarmauri_core.pop import CnfBinding, HttpParts, VerifyPolicy, BindType
from swarmauri_pop_x509 import X509PoPVerifier


async def main() -> None:
    verifier = X509PoPVerifier()
    cnf = CnfBinding(BindType.X5T_S256, "<thumbprint-from-token>")
    request = HttpParts(method="GET", url="https://api.example.com/resource", headers={})

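    # Read the PEM client certificate and convert it to DER for the verifier.
    with open("client.pem", "r", encoding="utf-8") as pem_file:
        peer_cert_der = ssl.PEM_cert_to_DER_cert(pem_file.read())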

    await verifier.verify_http(
        request,
        cnf,
        policy=VerifyPolicy(),
        extras={"peer_cert_der": peer_cert_der},
    )


asyncio.run(main())

X509PoPVerifier does not parse any detached proof artefact; the TLS handshake supplies the evidence. Only the certificate thumbprint comparison is performed, mirroring the behaviour of OAuth 2.0 mutual TLS confirmation.
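The thumbprint comparison described above can be reproduced with the standard library alone. The following is an added example, not the package's own code: it computes the RFC 8705 x5t#S256 value from a DER certificate, decodes a URL-escaped PEM certificate as a TLS-terminating proxy might forward it, and compares the result with the token's cnf claim. The names BindingError, x5t_s256, der_from_forwarded_pem and check_binding, the dict-shaped cnf claim and the URL-escaped forwarding format are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import ssl
from typing import Optional
from urllib.parse import quote, unquote


class BindingError(Exception):
    """Raised when the certificate does not satisfy the token's cnf claim."""


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url(SHA-256(DER certificate)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def der_from_forwarded_pem(header_value: str) -> bytes:
    """Decode a URL-escaped PEM certificate forwarded by a TLS proxy (assumed format)."""
    pem = unquote(header_value).strip()
    if not pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise BindingError("forwarded value is not a PEM certificate")
    return ssl.PEM_cert_to_DER_cert(pem)


def check_binding(cnf: dict, cert_der: Optional[bytes]) -> None:
    """Compare the presented certificate against the token's cnf claim."""
    if not cert_der:
        raise BindingError("no client certificate presented")
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        raise BindingError("token carries no x5t#S256 confirmation")
    # Constant-time comparison of the two thumbprint strings.
    if not hmac.compare_digest(x5t_s256(cert_der).encode(), expected.encode()):
        raise BindingError("certificate thumbprint does not match cnf")


# Constructed stand-in bytes, not a real certificate: the thumbprint is a hash
# over the DER bytes, so any byte string exercises the comparison.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_CNF = {"x5t#S256": x5t_s256(SAMPLE_DER)}

if __name__ == "__main__":
    check_binding(SAMPLE_CNF, der_from_forwarded_pem(quote(SAMPLE_PEM)))
    print("binding ok:", SAMPLE_CNF["x5t#S256"])
```

A forwarded certificate is only meaningful evidence when it arrives from the TLS termination layer itself, so the proxy must overwrite any client-supplied copy of the forwarding header before the request reaches the verifier.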

Compatibility

  • Python 3.10, 3.11, and 3.12
  • Works with TLS termination layers that can forward peer certificates into the verification context
  • Built on the same asynchronous verification contract exposed by swarmauri_core

Contributing

Changes and documentation updates should be proposed through the Swarmauri SDK repository. Run the formatting, linting, and targeted tests outlined in the repository guides before submitting pull requests.

Support

For integration questions or bug reports, open an issue on GitHub. Sensitive security matters should follow the disclosure guidance referenced in the repository security policy.

License

Apache License 2.0. See the LICENSE file for details.

Download files

Source Distribution

swarmauri_pop_x509-0.11.0.dev1.tar.gz (8.8 kB)

Uploaded Source

Built Distribution

swarmauri_pop_x509-0.11.0.dev1-py3-none-any.whl (12.5 kB)

Uploaded Python 3

File details

Details for the file swarmauri_pop_x509-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_pop_x509-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 8.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26

File details

Details for the file swarmauri_pop_x509-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_pop_x509-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 12.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26
