X.509 mutual TLS proof-of-possession verifier for Swarmauri
Project description
Swarmauri PoP X.509
swarmauri_pop_x509 validates mutual TLS certificate bindings for Swarmauri PoP
workflows. It matches presented client certificates against access-token
confirmation claims so downstream components can trust mTLS-provided identities.
Features
- Implements X509PoPVerifier that matches SHA-256 thumbprints against cnf values for RFC 8705-style confirmation
- Reuses the shared Swarmauri PoP contract, allowing X.509 proofs to be interchanged with JWT- and COSE-based strategies
- Accepts asynchronous HTTP request parts and extra context so you can forward peer certificate material from proxies or API gateways
- Provides clear error messaging for missing certificates, mismatched thumbprints, or unsupported binding types
Installation
pip install swarmauri_pop_x509
uv add swarmauri_pop_x509
Usage
The verifier consumes the normalised HTTP request alongside the cnf binding
from the access token. Provide the peer certificate in DER form via the
extras mapping when invoking verify_http.
```python
import asyncio
import ssl

from swarmauri_core.pop import BindType, CnfBinding, HttpParts, VerifyPolicy
from swarmauri_pop_x509 import X509PoPVerifier


async def main() -> None:
    verifier = X509PoPVerifier()
    # Confirmation binding taken from the access token's cnf claim.
    cnf = CnfBinding(BindType.X5T_S256, "<thumbprint-from-token>")
    request = HttpParts(method="GET", url="https://api.example.com/resource", headers={})

    # Convert the PEM client certificate to DER, the form passed via extras.
    with open("client.pem", "r", encoding="utf-8") as fh:
        peer_cert_der = ssl.PEM_cert_to_DER_cert(fh.read())

    await verifier.verify_http(
        request,
        cnf,
        policy=VerifyPolicy(),
        extras={"peer_cert_der": peer_cert_der},
    )


asyncio.run(main())
```
X509PoPVerifier does not parse any detached proof artefact; the TLS handshake
supplies the evidence. Only the certificate thumbprint comparison is performed,
mirroring the behaviour of OAuth 2.0 mutual TLS confirmation.
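The thumbprint comparison described above can be reproduced with the standard library alone. This is an added example, not code from swarmauri_pop_x509: the helper names x5t_s256 and cert_matches_cnf are hypothetical, the cnf value is shown as the raw RFC 8705 x5t#S256 member, and the sample certificate bytes are constructed.

```python
import base64
import hashlib
import hmac
import ssl
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: unpadded base64url of SHA-256 over the DER bytes."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def cert_matches_cnf(cert_der: Optional[bytes], cnf: dict) -> bool:
    """True only when the peer certificate hashes to cnf["x5t#S256"]."""
    expected = cnf.get("x5t#S256")
    if not cert_der or not isinstance(expected, str):
        return False  # no peer certificate, or token is not certificate-bound
    # Compare as bytes in constant time; tolerate '=' padding from the issuer.
    return hmac.compare_digest(
        x5t_s256(cert_der).encode("ascii"),
        expected.rstrip("=").encode("utf-8"),
    )


# Constructed stand-in for a certificate: a tiny DER SEQUENCE, not a real cert.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# What an authorization server would place in the token for this certificate.
SAMPLE_CNF = {"x5t#S256": x5t_s256(SAMPLE_DER)}

if __name__ == "__main__":
    der = ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)
    print("bound certificate:", cert_matches_cnf(der, SAMPLE_CNF))
    # Common mistake: hashing the PEM text instead of the DER bytes.
    print("PEM text hashed:  ", cert_matches_cnf(SAMPLE_PEM.encode(), SAMPLE_CNF))
    print("other certificate:", cert_matches_cnf(b"\x30\x03\x02\x01\x02", SAMPLE_CNF))
    print("no certificate:   ", cert_matches_cnf(None, SAMPLE_CNF))
```

A matching thumbprint only ties the token to a certificate; chain validation and proof of private-key possession come from the TLS handshake. Forwarded certificate material should therefore be accepted only from the termination layer that performed that handshake.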
Compatibility
- Python 3.10, 3.11, and 3.12
- Works with TLS termination layers that can forward peer certificates into the verification context
- Built on the same asynchronous verification contract exposed by swarmauri_core
Related Packages
- swarmauri_pop_cwt for COSE Sign1 confirmation
- swarmauri_pop_dpop for Demonstrating Proof-of-Possession JWT headers
- swarmauri_core for the PoP abstractions and helpers that power all verification implementations
Contributing
Changes and documentation updates should be proposed through the Swarmauri SDK repository. Run the formatting, linting, and targeted tests outlined in the repository guides before submitting pull requests.
Support
For integration questions or bug reports, open an issue on GitHub. Sensitive security matters should follow the disclosure guidance referenced in the repository security policy.
License
Apache License 2.0. See the LICENSE file for details.
File details
Details for the file swarmauri_pop_x509-0.11.0.dev1.tar.gz.
File metadata
- Download URL: swarmauri_pop_x509-0.11.0.dev1.tar.gz
- Upload date:
- Size: 8.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9719d11833ba7201048b215f9f65ac6e012ebf0505e922256f024277f402870a |
| MD5 | 5111b7db8daabc51d3a51da6dc0da913 |
| BLAKE2b-256 | bf1c0f5b9bbef481cd21538267a11f781cf65e0278002b8edd05699ad532ae9a |
File details
Details for the file swarmauri_pop_x509-0.11.0.dev1-py3-none-any.whl.
File metadata
- Download URL: swarmauri_pop_x509-0.11.0.dev1-py3-none-any.whl
- Upload date:
- Size: 12.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 87f071b443eedf4eb72e8b7f6e63509233a90a301ac0d43fff24fda41a5d16fc |
| MD5 | 79b888ef24bb2bcccec053eb8afa1d45 |
| BLAKE2b-256 | 958e71b83b1da0d6daad4d549f2eb674899a58836f0264b56fac78c779341bdc |