X.509 certificate service for Swarmauri
Project description
swarmauri_certs_x509
X.509 certificate service plugin for Swarmauri using the cryptography library.
Features
- Create standards-compliant CSRs
- Issue self-signed leaf or CA certificates
- Sign CSRs with an external CA key
- Verify certificate chains with optional intermediates
- Parse certificates to extract subject, issuer, validity, and extension metadata
RFC References
- RFC 2986 – PKCS #10 Certification Request Syntax
- RFC 5280 – Internet X.509 Public Key Infrastructure Certificate and CRL Profile
Installation
The package bundles both the local and in-memory key providers, so no additional extras are required for the example below. Optional PKCS#11 support can be enabled when you need to integrate with hardware modules.
pip
pip install swarmauri_certs_x509
# with PKCS#11 support
pip install 'swarmauri_certs_x509[pkcs11]'
uv
uv pip install swarmauri_certs_x509
# or add to pyproject.toml and install dependencies
uv add swarmauri_certs_x509
uv sync
# enable PKCS#11
uv pip install 'swarmauri_certs_x509[pkcs11]'
Poetry
poetry add swarmauri_certs_x509
# enable PKCS#11
poetry add swarmauri_certs_x509 --extras pkcs11
Usage
The example below uses LocalKeyProvider to create a certificate
authority (CA), issue a leaf certificate, and verify the chain.
import asyncio
from swarmauri_certs_x509 import X509CertService
from swarmauri_keyprovider_local import LocalKeyProvider
from swarmauri_core.key_providers.types import KeySpec, KeyAlg, KeyClass
from swarmauri_core.crypto.types import KeyUse, ExportPolicy
svc = X509CertService()
kp = LocalKeyProvider()
spec = KeySpec(
klass=KeyClass.asymmetric,
alg=KeyAlg.ED25519,
uses=(KeyUse.SIGN,),
export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
)
ca_key = asyncio.run(kp.create_key(spec))
ca_cert = asyncio.run(svc.create_self_signed(ca_key, {"CN": "Example CA"}))
leaf_key = asyncio.run(kp.create_key(spec))
csr = asyncio.run(svc.create_csr(leaf_key, {"CN": "example.org"}))
leaf_cert = asyncio.run(svc.sign_cert(csr, ca_key, ca_cert=ca_cert))
result = asyncio.run(svc.verify_cert(leaf_cert, trust_roots=[ca_cert]))
assert result["valid"]
CMS/S/MIME certificate profile
When preparing identities for CMS or S/MIME signing, include Email Protection extended key usage and an email subject alternative name so that relying parties can validate the certificate purpose.
import asyncio
from swarmauri_core.crypto.types import KeyUse, ExportPolicy
from swarmauri_core.key_providers.types import KeyAlg, KeyClass, KeySpec
from swarmauri_certs_x509 import X509CertService
from swarmauri_keyprovider_local import LocalKeyProvider
async def issue_smime_identity():
provider = LocalKeyProvider()
svc = X509CertService()
ca_spec = KeySpec(
klass=KeyClass.asymmetric,
alg=KeyAlg.ECDSA_P256_SHA256,
uses=(KeyUse.SIGN,),
export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
)
ca_key = await provider.create_key(ca_spec)
ca_cert = await svc.create_self_signed(
ca_key,
{"CN": "Demo CMS Root"},
extensions={
"basic_constraints": {"ca": True, "path_len": 0},
"key_usage": {
"digital_signature": True,
"content_commitment": True,
"key_cert_sign": True,
"crl_sign": True,
},
},
)
leaf_spec = KeySpec(
klass=KeyClass.asymmetric,
alg=KeyAlg.ECDSA_P256_SHA256,
uses=(KeyUse.SIGN,),
export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
)
leaf_key = await provider.create_key(leaf_spec)
csr = await svc.create_csr(
leaf_key,
{"CN": "cms-signer.example", "emailAddress": "signer@example.org"},
san={"email": ["signer@example.org"]},
)
leaf_cert = await svc.sign_cert(
csr,
ca_key,
ca_cert=ca_cert,
extensions={
"basic_constraints": {"ca": False},
"key_usage": {
"digital_signature": True,
"content_commitment": True,
},
"extended_key_usage": {"oids": ["emailProtection"]},
},
)
return {
"ca_cert": ca_cert,
"leaf_cert": leaf_cert,
"leaf_key_pem": leaf_key.material,
}
bundle = asyncio.run(issue_smime_identity())
The bundle dictionary pairs neatly with swarmauri_signing_cms.CMSSigner by
supplying the leaf_key_pem together with the leaf_cert and ca_cert
entries as the PKCS#7 signing material.
Want to help?
If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file swarmauri_certs_x509-0.2.0.dev40.tar.gz.
File metadata
- Download URL: swarmauri_certs_x509-0.2.0.dev40.tar.gz
- Upload date:
- Size: 14.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.8 {"installer":{"name":"uv","version":"0.10.8","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e7bbb11942a4067d002b66144f3cc73d1474da846aa2341a365a6803eba0e188
|
|
| MD5 |
6bc5c80da0569008da11eafa017503a3
|
|
| BLAKE2b-256 |
4306bb66a53be5c6eea936c1b8f087660fd8efebf95906e34e0e29f7e53e12e2
|
File details
Details for the file swarmauri_certs_x509-0.2.0.dev40-py3-none-any.whl.
File metadata
- Download URL: swarmauri_certs_x509-0.2.0.dev40-py3-none-any.whl
- Upload date:
- Size: 13.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.8 {"installer":{"name":"uv","version":"0.10.8","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fe24c1a39e5bcb3f34fad14f70dffe2e417bc420f9e31ad61117ac41a5c7c8f2
|
|
| MD5 |
1b50eafed7a2f731eb42f7e456dcb8f0
|
|
| BLAKE2b-256 |
9e714dd73b7ce4abeeca514c9303949c03f6bd5e4a5ec59a7bbcc2adb0e67816
|
