Skip to main content

OpenSSH certificate token service for Swarmauri

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_tokens_sshcert Discord

swarmauri_tokens_sshcert

An OpenSSH certificate token service for the Swarmauri framework. This service mints and verifies OpenSSH user and host certificates and exposes no JWKS endpoints.

Usage

SshCertTokenService uses the local ssh-keygen utility to mint and verify OpenSSH certificates. A key provider supplies the certificate authority (CA) key material used for signing. The typical workflow is:

  1. implement or configure an IKeyProvider that returns your CA key
  2. create the token service
  3. mint a certificate for a subject public key
  4. verify the certificate before trusting it
import asyncio
import os
import subprocess
import tempfile
from typing import Iterable, Mapping

from swarmauri_tokens_sshcert import SshCertTokenService
from swarmauri_core.crypto.types import ExportPolicy, KeyRef, KeyType, KeyUse
from swarmauri_core.key_providers import IKeyProvider


def _generate_keypair() -> tuple[str, str]:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id")
        subprocess.run(
            ["ssh-keygen", "-t", "ed25519", "-N", "", "-f", path],
            check=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        priv = open(path, "r", encoding="utf-8").read()
        pub = open(path + ".pub", "r", encoding="utf-8").read()
    return priv, pub


class DummyKeyProvider(IKeyProvider):
    def __init__(self) -> None:
        self.priv, self.pub = _generate_keypair()
        self.kid = "ca"
        self.version = 1

    async def get_key(
        self, kid: str, version: int | None = None, *, include_secret: bool = False
    ) -> KeyRef:
        material = self.priv if include_secret else None
        return KeyRef(
            kid=self.kid,
            version=self.version,
            type=KeyType.ED25519,
            uses=(KeyUse.SIGN, KeyUse.VERIFY),
            export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
            material=material,
            public=self.pub,
        )

    async def jwks(self, *, prefix_kids: str | None = None) -> dict:
        return {"keys": []}

    def supports(self) -> Mapping[str, Iterable[str]]:
        return {}


async def main() -> None:
    svc = SshCertTokenService(DummyKeyProvider(), ca_kid="ca")
    _, subj_pub = _generate_keypair()
    cert = await svc.mint(
        {"subject_pub": subj_pub, "principals": ["alice"], "key_id": "demo"},
        alg="ssh-ed25519",
    )
    info = await svc.verify(cert, audience="alice")
    print(info["key_id"])


if __name__ == "__main__":
    asyncio.run(main())

The example above mints a certificate for a generated key and verifies it for the principal alice. The service requires the ssh-keygen command to be available on the system path.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_tokens_sshcert-0.11.0.dev1.tar.gz (10.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

swarmauri_tokens_sshcert-0.11.0.dev1-py3-none-any.whl (11.6 kB view details)

Uploaded Python 3

File details

Details for the file swarmauri_tokens_sshcert-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_tokens_sshcert-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 10.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_tokens_sshcert-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 6873fb5a8285cac2ebd57f1c486475ddfb75355ec5c0c89d687da2dc306fa021
MD5 fecbb0240af89701c1daa0e14df2013b
BLAKE2b-256 118e957051841b761d4a80387f89de2a56d31ee6f96719b0a51a588fd7a0b442

See more details on using hashes here.

File details

Details for the file swarmauri_tokens_sshcert-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_tokens_sshcert-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 11.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_tokens_sshcert-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 0d73c2dfe93b52bd4118dd5753d7b0c9061df9935dfe76c1fbf677d4b33dc05a
MD5 986db81458f573a613dae0bfb36af837
BLAKE2b-256 46990a4b9342870a7d7aa75d49f82336daf0d306e9f22afdf6510875eb2f6746

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page