Skip to main content

X.509 certificate service for Swarmauri

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_certs_x509 Discord

swarmauri_certs_x509

X.509 certificate service plugin for Swarmauri using the cryptography library.

Features

  • Create standards-compliant CSRs
  • Issue self-signed leaf or CA certificates
  • Sign CSRs with an external CA key
  • Verify certificate chains with optional intermediates
  • Parse certificates to extract subject, issuer, validity, and extension metadata

RFC References

  • RFC 2986 ? PKCS #10 Certification Request Syntax
  • RFC 5280 ? Internet X.509 Public Key Infrastructure Certificate and CRL Profile

Installation

The package bundles both the local and in-memory key providers, so no additional extras are required for the example below. Optional PKCS#11 support can be enabled when you need to integrate with hardware modules.

pip

pip install swarmauri_certs_x509
# with PKCS#11 support
pip install 'swarmauri_certs_x509[pkcs11]'

uv

uv pip install swarmauri_certs_x509
# or add to pyproject.toml and install dependencies
uv add swarmauri_certs_x509
uv sync
# enable PKCS#11
uv pip install 'swarmauri_certs_x509[pkcs11]'

Poetry

poetry add swarmauri_certs_x509
# enable PKCS#11
poetry add swarmauri_certs_x509 --extras pkcs11

Usage

The example below uses LocalKeyProvider to create a certificate authority (CA), issue a leaf certificate, and verify the chain.

import asyncio
from swarmauri_certs_x509 import X509CertService
from swarmauri_keyprovider_local import LocalKeyProvider
from swarmauri_core.key_providers.types import KeySpec, KeyAlg, KeyClass
from swarmauri_core.crypto.types import KeyUse, ExportPolicy

svc = X509CertService()
kp = LocalKeyProvider()

spec = KeySpec(
    klass=KeyClass.asymmetric,
    alg=KeyAlg.ED25519,
    uses=(KeyUse.SIGN,),
    export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
)

ca_key = asyncio.run(kp.create_key(spec))
ca_cert = asyncio.run(svc.create_self_signed(ca_key, {"CN": "Example CA"}))

leaf_key = asyncio.run(kp.create_key(spec))
csr = asyncio.run(svc.create_csr(leaf_key, {"CN": "example.org"}))
leaf_cert = asyncio.run(svc.sign_cert(csr, ca_key, ca_cert=ca_cert))
result = asyncio.run(svc.verify_cert(leaf_cert, trust_roots=[ca_cert]))
assert result["valid"]

CMS/S/MIME certificate profile

When preparing identities for CMS or S/MIME signing, include Email Protection extended key usage and an email subject alternative name so that relying parties can validate the certificate purpose.

import asyncio
from swarmauri_core.crypto.types import KeyUse, ExportPolicy
from swarmauri_core.key_providers.types import KeyAlg, KeyClass, KeySpec
from swarmauri_certs_x509 import X509CertService
from swarmauri_keyprovider_local import LocalKeyProvider


async def issue_smime_identity():
    provider = LocalKeyProvider()
    svc = X509CertService()

    ca_spec = KeySpec(
        klass=KeyClass.asymmetric,
        alg=KeyAlg.ECDSA_P256_SHA256,
        uses=(KeyUse.SIGN,),
        export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
    )
    ca_key = await provider.create_key(ca_spec)
    ca_cert = await svc.create_self_signed(
        ca_key,
        {"CN": "Demo CMS Root"},
        extensions={
            "basic_constraints": {"ca": True, "path_len": 0},
            "key_usage": {
                "digital_signature": True,
                "content_commitment": True,
                "key_cert_sign": True,
                "crl_sign": True,
            },
        },
    )

    leaf_spec = KeySpec(
        klass=KeyClass.asymmetric,
        alg=KeyAlg.ECDSA_P256_SHA256,
        uses=(KeyUse.SIGN,),
        export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
    )
    leaf_key = await provider.create_key(leaf_spec)
    csr = await svc.create_csr(
        leaf_key,
        {"CN": "cms-signer.example", "emailAddress": "signer@example.org"},
        san={"email": ["signer@example.org"]},
    )
    leaf_cert = await svc.sign_cert(
        csr,
        ca_key,
        ca_cert=ca_cert,
        extensions={
            "basic_constraints": {"ca": False},
            "key_usage": {
                "digital_signature": True,
                "content_commitment": True,
            },
            "extended_key_usage": {"oids": ["emailProtection"]},
        },
    )

    return {
        "ca_cert": ca_cert,
        "leaf_cert": leaf_cert,
        "leaf_key_pem": leaf_key.material,
    }


bundle = asyncio.run(issue_smime_identity())

The bundle dictionary pairs neatly with swarmauri_signing_cms.CMSSigner by supplying the leaf_key_pem together with the leaf_cert and ca_cert entries as the PKCS#7 signing material.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_certs_x509-0.11.0.dev1.tar.gz (14.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

swarmauri_certs_x509-0.11.0.dev1-py3-none-any.whl (13.6 kB view details)

Uploaded Python 3

File details

Details for the file swarmauri_certs_x509-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_certs_x509-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 14.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_certs_x509-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 c3beef00c59f05fc46fa68957de4bf07df1f81203272be7b3964218cf47a9194
MD5 0130d6eb0a2352a45a66d592d05e312c
BLAKE2b-256 9f07b4aca018e7ea5752737f88a1a0eada01190b1c6365bc4f05c44acd43a9df

See more details on using hashes here.

File details

Details for the file swarmauri_certs_x509-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_certs_x509-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 13.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_certs_x509-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 e9dea13e720d93fdfd6e0a275bf7cc0700e431afc5fe2d75f887b42175ecdbe7
MD5 9486c77254c7466b94b45efb66b31735
BLAKE2b-256 c7fce0ace6c321ab09728df17d621560a1146758dd7fef3908fc97b919689dab

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page