Google Cloud KMS oriented Swarmauri certificate service for CSR creation, CSR signing, self-signed certificates, verification, and X.509 parsing.
Project description
Swarmauri Google Cloud KMS Certificate Service
swarmauri_certservice_gcpkms provides GcpKmsCertService, a Swarmauri certificate service for Google Cloud KMS oriented certificate workflows. It creates CSRs, creates self-signed certificates, signs CSRs, verifies certificate validity and signatures, and parses X.509 metadata while resolving signing keys from Google Cloud KMS key-version references.
Why Swarmauri Google Cloud KMS Certificate Service?
Use this package when Swarmauri certificate workflows need to integrate with Google Cloud KMS key versions while preserving the common CertServiceBase interface. The service accepts a caller-provided KMS client or creates KeyManagementServiceClient, resolves key versions from KeyRef, and uses cryptography certificate builders for X.509 output.
FAQ
Q: How does the service find the Google Cloud KMS key version?
A: Key versions are resolved from KeyRef.tags["gcp_kms_key_version"], KeyRef.tags["kms_key_version"], or KeyRef.kid.
Q: Does this package install Google Cloud KMS by default?
A: No. The base package keeps Google Cloud KMS optional. Install swarmauri_certservice_gcpkms[gcp] when the runtime should create a real KeyManagementServiceClient.
Q: What is the current KMS signing boundary?
A: Certificate operations use an internal _make_kms_private_key(client, version) hook to obtain a cryptography-compatible private-key object. Tests can patch this hook; production use should provide or extend that adapter for the selected Google Cloud KMS signing flow.
Q: What certificate operations are implemented?
A: The service implements CSR creation, self-signed certificate creation, CSR signing, signature and validity-window verification, and certificate metadata parsing.
Features
- GcpKmsCertService class registered under the swarmauri.cert_services entry point.
- Optional Google Cloud KMS client creation through google-cloud-kms.
- Caller-provided client support for tests and custom runtimes.
- Key-version resolution from Swarmauri KeyRef.
- CSR creation with subject and DNS/IP SAN support.
- Self-signed certificate creation with KMS-backed private-key adapter.
- CSR signing with issuer metadata and optional extensions.
- Certificate verification against validity window and optional trust root.
- Certificate parsing for version, serial, signature algorithm, issuer, subject, validity, and CA status.
- Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.
Prerequisites
- Google Cloud project with the Cloud KMS API enabled.
- Application credentials available to Google client libraries.
- KMS key versions with asymmetric signing capability.
- google-cloud-kms installed through the gcp extra when using the default client.
- A runtime adapter for _make_kms_private_key when using live KMS signing.
Installation
Install with uv:
```bash
uv add "swarmauri_certservice_gcpkms[gcp]"
```
Install with pip:
```bash
pip install "swarmauri_certservice_gcpkms[gcp]"
```
Install the package without the Google Cloud client when injecting a test or custom client:
```bash
uv add swarmauri_certservice_gcpkms
```
Usage
Create a service and resolve a KMS key version from KeyRef:
```python
from swarmauri_certservice_gcpkms import GcpKmsCertService
from swarmauri_core.crypto.types import KeyRef

service = GcpKmsCertService()

# The fully qualified key-version name is carried in KeyRef.kid.
key = KeyRef(
    kid="projects/my-project/locations/us-central1/keyRings/pki/cryptoKeys/root/cryptoKeyVersions/1"
)

print(service.supports()["features"])
```
Generate a CSR:
```python
import asyncio

from swarmauri_certservice_gcpkms import GcpKmsCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = GcpKmsCertService()
    key = KeyRef(
        kid="projects/my-project/locations/us-central1/keyRings/pki/cryptoKeys/leaf/cryptoKeyVersions/1"
    )
    csr = await service.create_csr(
        key=key,
        subject={"CN": "leaf.example.com", "O": "Example Corp"},
        san={"dns": ["leaf.example.com"]},
    )
    # Show only the start of the encoded CSR.
    print(csr[:40])


asyncio.run(main())
```
Sign a CSR after providing a KMS-compatible signing adapter:
```python
import asyncio
from datetime import datetime, timedelta, timezone
from pathlib import Path

from swarmauri_certservice_gcpkms import GcpKmsCertService
from swarmauri_core.crypto.types import KeyRef


async def main() -> None:
    service = GcpKmsCertService()
    # Key version of the issuing CA; signing goes through the
    # _make_kms_private_key adapter described in the FAQ.
    ca_key = KeyRef(
        kid="projects/my-project/locations/us-central1/keyRings/pki/cryptoKeys/issuing-ca/cryptoKeyVersions/1"
    )
    certificate = await service.sign_cert(
        csr=Path("leaf.csr").read_bytes(),
        ca_key=ca_key,
        issuer={"CN": "Example GCP Issuing CA", "O": "Example Corp"},
        # Expiry passed as a Unix timestamp, 365 days from now (UTC).
        not_after=int((datetime.now(timezone.utc) + timedelta(days=365)).timestamp()),
    )
    Path("leaf.pem").write_bytes(certificate)


asyncio.run(main())
```
Related Packages
Certificate service packages:
- swarmauri_certservice_aws_kms
- swarmauri_certservice_stepca
- swarmauri_certs_azure
- swarmauri_certs_local_ca
- swarmauri_certs_x509
- swarmauri_certs_cfssl
Foundational packages:
- swarmauri_core defines certificate interfaces and KeyRef.
- swarmauri_base provides CertServiceBase and component registration.
- swarmauri_standard provides standard Swarmauri components for certificate-adjacent workflows.
- swarmauri provides namespace imports and plugin discovery.
Best Practices
- Use least-privilege IAM roles for Cloud KMS signing operations.
- Store fully qualified key-version names in KeyRef.kid or KeyRef.tags.
- Validate that the signing adapter matches the KMS key algorithm before issuing certificates.
- Log certificate serials, issuer metadata, and key-version references for auditability.
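An added example (not code from this package) for the key-version and audit-logging practices above and the FAQ's resolution rule: it resolves a key-version name from the three documented sources, rejects anything that is not a fully qualified Cloud KMS key-version name, and builds one JSON audit line. KeyRefStub, resolve_key_version and audit_record are hypothetical names, and treating the FAQ's listing order as lookup precedence is an assumption.

```python
import json
import re
from dataclasses import dataclass, field

# Layout of a fully qualified Cloud KMS key-version name (as in the Usage examples).
_KEY_VERSION_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<crypto_key>[^/]+)"
    r"/cryptoKeyVersions/(?P<version>[1-9][0-9]*)"
)


@dataclass
class KeyRefStub:
    """Hypothetical stand-in for KeyRef exposing only .kid and .tags."""
    kid: str = ""
    tags: dict = field(default_factory=dict)


def resolve_key_version(key) -> dict:
    """Return the parsed key-version name, or raise ValueError if unqualified."""
    tags = getattr(key, "tags", None) or {}
    # Assumption: the order the FAQ lists the sources in is the lookup precedence.
    candidate = (
        tags.get("gcp_kms_key_version")
        or tags.get("kms_key_version")
        or getattr(key, "kid", "")
    )
    match = _KEY_VERSION_RE.fullmatch(candidate or "")
    if match is None:
        # Fail closed: a bare key name or alias must not reach the signer.
        raise ValueError(f"not a fully qualified key-version name: {candidate!r}")
    return {"name": candidate, **match.groupdict()}


def audit_record(serial: int, issuer: dict, key) -> str:
    """Build one JSON log line: serial, issuer metadata, key-version reference."""
    resolved = resolve_key_version(key)
    return json.dumps(
        {
            "event": "certificate_issued",
            "serial_hex": format(serial, "x"),
            "issuer": issuer,
            "kms_key_version": resolved["name"],
        },
        sort_keys=True,
    )
```

Running the check before the signing call means a key reference that names only a crypto key, without a version, is refused instead of being passed to the adapter.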
License
Apache-2.0
File details
Details for the file swarmauri_certservice_gcpkms-0.11.0.dev1.tar.gz.
File metadata
- Download URL: swarmauri_certservice_gcpkms-0.11.0.dev1.tar.gz
- Size: 14.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26
File details
Details for the file swarmauri_certservice_gcpkms-0.11.0.dev1-py3-none-any.whl.
File metadata
- Download URL: swarmauri_certservice_gcpkms-0.11.0.dev1-py3-none-any.whl
- Size: 13.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26