Google Cloud KMS Certificate Service for Swarmauri
Project description
swarmauri_certservice_gcpkms
Google Cloud KMS backed certificate service for Swarmauri.
This package exposes a GcpKmsCertService component implementing
CertServiceBase. It can create CSRs, generate self-signed certificates,
issue certificates from CSRs, verify certificates and parse their
metadata while using keys stored in Google Cloud KMS.
Features
- Create certificate signing requests using keys stored in KMS
- Issue self-signed or CA-signed certificates
- Verify signatures and validity windows
- Parse certificate metadata including extensions
Prerequisites
- A Google Cloud project with the Cloud KMS API enabled
- Credentials available to the application (for example via the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable) - Keys provisioned in Cloud KMS with the
AsymmetricSigncapability (RSA 2048, EC P-256, or Ed25519). - Python 3.10 or newer and the
google-cloud-kmsdependency (installed via the extras shown below). - Network access to the Google Cloud KMS endpoint for the target location.
Installation
# pip
pip install swarmauri_certservice_gcpkms[gcp]
# poetry
poetry add swarmauri_certservice_gcpkms -E gcp
# uv (pyproject-based projects)
uv add "swarmauri_certservice_gcpkms[gcp]"
The optional gcp extra installs the google-cloud-kms dependency.
Usage
Issue a Certificate from a CSR
import asyncio
from datetime import datetime, timedelta, timezone
from pathlib import Path
from swarmauri_certservice_gcpkms import GcpKmsCertService
from swarmauri_core.crypto.types import KeyRef
async def issue_certificate() -> None:
service = GcpKmsCertService()
csr_bytes = Path("leaf.csr").read_bytes()
kms_ca_key = KeyRef(
kid="projects/my-project/locations/us-central1/keyRings/pki/cryptoKeys/issuing-ca/cryptoKeyVersions/1"
)
certificate_pem = await service.sign_cert(
csr=csr_bytes,
ca_key=kms_ca_key,
issuer={"CN": "Example GCP Issuing CA", "O": "Example Corp"},
not_after=int((datetime.now(timezone.utc) + timedelta(days=365)).timestamp()),
)
Path("leaf.pem").write_bytes(certificate_pem)
print("Issued certificate saved to leaf.pem")
if __name__ == "__main__":
asyncio.run(issue_certificate())
Create CSRs and Self-Signed Roots
import asyncio
from datetime import datetime, timedelta, timezone
from pathlib import Path
from swarmauri_certservice_gcpkms import GcpKmsCertService
from swarmauri_core.crypto.types import KeyRef
async def bootstrap_pki() -> None:
service = GcpKmsCertService()
# Generate a CSR using an exportable private key
local_key = KeyRef(material=Path("intermediate-key.pem").read_bytes())
csr_pem = await service.create_csr(
key=local_key,
subject={"CN": "Intermediate CA", "O": "Example Corp"},
san={"dns": ["intermediate.example.com"]},
)
Path("intermediate.csr").write_bytes(csr_pem)
# Create a self-signed root using Cloud KMS
root_key = KeyRef(
kid="projects/my-project/locations/us-central1/keyRings/pki/cryptoKeys/root-ca/cryptoKeyVersions/1"
)
root_pem = await service.create_self_signed(
key=root_key,
subject={"CN": "Example Root CA", "O": "Example Corp"},
not_after=int((datetime.now(timezone.utc) + timedelta(days=3650)).timestamp()),
)
Path("root-ca.pem").write_bytes(root_pem)
if __name__ == "__main__":
asyncio.run(bootstrap_pki())
Verification and Parsing
import asyncio
from pathlib import Path
from swarmauri_certservice_gcpkms import GcpKmsCertService
async def inspect() -> None:
service = GcpKmsCertService()
cert_bytes = Path("leaf.pem").read_bytes()
root_bytes = Path("root-ca.pem").read_bytes()
verification = await service.verify_cert(
cert=cert_bytes,
trust_roots=[root_bytes],
)
print("Valid:", verification["valid"], "Issuer:", verification.get("issuer"))
metadata = await service.parse_cert(cert_bytes)
print("Subject:", metadata["subject"])
print("Not after:", metadata["not_after"])
if __name__ == "__main__":
asyncio.run(inspect())
License
Apache-2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file swarmauri_certservice_gcpkms-0.2.3.dev22.tar.gz.
File metadata
- Download URL: swarmauri_certservice_gcpkms-0.2.3.dev22.tar.gz
- Upload date:
- Size: 11.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b2c6837143a2fd6f3fdb65c091ff4bbe0a185f05c44fce74faa369c54b257cf1
|
|
| MD5 |
3176aeb83b6deb84c020eaa7c002c769
|
|
| BLAKE2b-256 |
e52473553f3992c60efdf0f737e43d0cbd8f6605c5e33d2aba1f88245d1705ca
|
File details
Details for the file swarmauri_certservice_gcpkms-0.2.3.dev22-py3-none-any.whl.
File metadata
- Download URL: swarmauri_certservice_gcpkms-0.2.3.dev22-py3-none-any.whl
- Upload date:
- Size: 12.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8deef0c17766d9a51c951730521c2b0c1a7026ace709e4fce689d94e7a425be0
|
|
| MD5 |
e974675850b6301258c8796540cb4e50
|
|
| BLAKE2b-256 |
6e483b03f435808e2399149b314f7ac63e0b0edc6dd9366bbabe7a89fc0bd77c
|
