
OpenSSH certificate token service for Swarmauri

Project description

swarmauri_tokens_sshcert

An OpenSSH certificate token service for the Swarmauri framework. This service mints and verifies OpenSSH user and host certificates and exposes no JWKS endpoints.

Usage

SshCertTokenService uses the local ssh-keygen utility to mint and verify OpenSSH certificates. A key provider supplies the certificate authority (CA) key material used for signing. The typical workflow is:

  1. implement or configure an IKeyProvider that returns your CA key
  2. create the token service
  3. mint a certificate for a subject public key
  4. verify the certificate before trusting it

import asyncio
import os
import subprocess
import tempfile
from typing import Iterable, Mapping

from swarmauri_tokens_sshcert import SshCertTokenService
from swarmauri_core.crypto.types import ExportPolicy, KeyRef, KeyType, KeyUse
from swarmauri_core.keys import IKeyProvider


def _generate_keypair() -> tuple[str, str]:
    """Generate a throwaway ed25519 keypair with ssh-keygen and return
    (private key PEM, public key line) as text."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id")
        subprocess.run(
            ["ssh-keygen", "-t", "ed25519", "-N", "", "-f", path],
            check=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        with open(path, "r", encoding="utf-8") as f:
            priv = f.read()
        with open(path + ".pub", "r", encoding="utf-8") as f:
            pub = f.read()
    return priv, pub


class DummyKeyProvider(IKeyProvider):
    """Minimal key provider that serves a single in-memory CA key.
    The private key is only returned when include_secret=True is requested."""

    def __init__(self) -> None:
        self.priv, self.pub = _generate_keypair()
        self.kid = "ca"
        self.version = 1

    async def get_key(
        self, kid: str, version: int | None = None, *, include_secret: bool = False
    ) -> KeyRef:
        material = self.priv if include_secret else None
        return KeyRef(
            kid=self.kid,
            version=self.version,
            type=KeyType.ED25519,
            uses=(KeyUse.SIGN, KeyUse.VERIFY),
            export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
            material=material,
            public=self.pub,
        )

    async def jwks(self, *, prefix_kids: str | None = None) -> dict:
        # SSH certificates are not published as JWKS; return an empty key set.
        return {"keys": []}

    def supports(self) -> Mapping[str, Iterable[str]]:
        return {}


async def main() -> None:
    svc = SshCertTokenService(DummyKeyProvider(), ca_kid="ca")
    # The subject key is a separate, freshly generated keypair; only its
    # public half is passed to the service for certification.
    _, subj_pub = _generate_keypair()
    cert = await svc.mint(
        {"subject_pub": subj_pub, "principals": ["alice"], "key_id": "demo"},
        alg="ssh-ed25519",
    )
    # Verify the certificate for the principal "alice" before using it.
    info = await svc.verify(cert, audience="alice")
    print(info["key_id"])


if __name__ == "__main__":
    asyncio.run(main())

The example above mints a certificate for a generated key and verifies it for the principal alice. The service requires the ssh-keygen command to be available on the system path.
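To make the "verify before trusting" step concrete, the following added example (not code from swarmauri_tokens_sshcert) decodes the fields of an OpenSSH ed25519 user certificate and applies the policy checks a verifier makes alongside the CA signature check: certificate type, requested principal, and validity window. The certificate is constructed inline with placeholder nonce, subject key, CA key and signature bytes so the example runs offline; the field layout follows OpenSSH's PROTOCOL.certkeys wire format, and the signature itself is left to ssh-keygen or sshd, which this code does not replace. The names build_user_cert, parse_cert and check_policy are this example's own.

```python
import base64
import struct
from dataclasses import dataclass

SSH_CERT_TYPE_USER = 1
SSH_CERT_TYPE_HOST = 2
CERT_KEY_TYPE = "ssh-ed25519-cert-v01@openssh.com"


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_user_cert(key_id: str, principals: list[str], valid_after: int, valid_before: int) -> str:
    """Constructed ed25519 user certificate in OpenSSH's one-line text form.
    Nonce, subject key, CA key and signature are placeholder bytes; only the
    field layout is real."""
    ca_key_blob = _string(b"ssh-ed25519") + _string(b"\x02" * 32)
    extensions = _string(b"permit-pty") + _string(b"")  # name/value pairs
    body = (
        _string(CERT_KEY_TYPE.encode())
        + _string(b"\x00" * 32)                                  # nonce
        + _string(b"\x01" * 32)                                  # subject public key
        + struct.pack(">Q", 1)                                   # serial
        + struct.pack(">I", SSH_CERT_TYPE_USER)                  # type
        + _string(key_id.encode())                               # key id
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _string(b"")                                           # critical options
        + _string(extensions)
        + _string(b"")                                           # reserved
        + _string(ca_key_blob)                                   # signature key
        + _string(_string(b"ssh-ed25519") + _string(b"\x00" * 64))  # placeholder signature
    )
    return f"{CERT_KEY_TYPE} {base64.b64encode(body).decode()} demo-comment"


class _Reader:
    def __init__(self, data: bytes) -> None:
        self.data, self.off = data, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.data, self.off)
        self.off += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        s = self.data[self.off:self.off + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return s


def _unpack_strings(buf: bytes) -> list[bytes]:
    r, out = _Reader(buf), []
    while r.off < len(buf):
        out.append(r.string())
    return out


@dataclass
class SshCert:
    key_id: str
    cert_type: int
    principals: list[str]
    valid_after: int
    valid_before: int
    extensions: dict


def parse_cert(text: str) -> SshCert:
    """Decode the certificate fields; the signature is read but not checked."""
    kind, b64 = text.split()[:2]
    if kind != CERT_KEY_TYPE:
        raise ValueError(f"unsupported certificate type {kind!r}")
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != kind:
        raise ValueError("type prefix does not match blob")
    r.string(); r.string(); r.u64()          # nonce, subject key, serial
    cert_type = r.u32()
    key_id = r.string().decode()
    principals = [p.decode() for p in _unpack_strings(r.string())]
    valid_after, valid_before = r.u64(), r.u64()
    r.string()                               # critical options (not used here)
    ext = _unpack_strings(r.string())
    extensions = dict(zip([e.decode() for e in ext[0::2]], ext[1::2]))
    r.string(); r.string(); r.string()       # reserved, signature key, signature
    if r.off != len(r.data):
        raise ValueError("trailing data after signature")
    return SshCert(key_id, cert_type, principals, valid_after, valid_before, extensions)


def check_policy(cert: SshCert, principal: str, now: int, want_type: int = SSH_CERT_TYPE_USER) -> list[str]:
    """Reasons to refuse the certificate; an empty list means the policy passes.
    This is only the policy half of verification: the CA signature must still
    be checked by ssh-keygen or sshd."""
    reasons = []
    if cert.cert_type != want_type:
        reasons.append(f"certificate type {cert.cert_type} is not the expected {want_type}")
    if not cert.principals:
        # OpenSSH treats an empty principal list as valid for ANY principal;
        # a least-privilege verifier should refuse such certificates.
        reasons.append("empty principal list: certificate is valid for any principal")
    elif principal not in cert.principals:
        reasons.append(f"principal {principal!r} not in {cert.principals}")
    if now < cert.valid_after:
        reasons.append("certificate not yet valid")
    if now >= cert.valid_before:    # valid_before is exclusive, as in sshd
        reasons.append("certificate expired")
    return reasons
```

Running `check_policy(parse_cert(build_user_cert("demo", ["alice"], 1000, 2000)), "alice", 1500)` returns an empty list, while asking for principal "bob", a time outside the window, or a host certificate type yields a non-empty reason list. The empty-principal case is worth keeping in mind when reviewing minting requests: a certificate with no principals is accepted by OpenSSH for any account.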


Download files

Source Distribution

swarmauri_tokens_sshcert-0.3.0.dev3.tar.gz (5.8 kB)

Built Distribution

swarmauri_tokens_sshcert-0.3.0.dev3-py3-none-any.whl (6.7 kB, Python 3)

File details

Hashes for swarmauri_tokens_sshcert-0.3.0.dev3.tar.gz

Algorithm    Hash digest
SHA256       9d7b17aeded6cde348bd1ad009164adf1cd164262cbd0a731b797230b40c0be9
MD5          9a5595e1756780fcc8061f355b03efee
BLAKE2b-256  e1b413647070a845d1c977424617dd5fd12cccb9feb4bb134c85ddcad2545cb6

Hashes for swarmauri_tokens_sshcert-0.3.0.dev3-py3-none-any.whl

Algorithm    Hash digest
SHA256       a94835934eb69714b88e7a90ff6f18b01f602725e3efa654f4c96ac9a8d5838d
MD5          92a61db7a5ab44ab4c6d26b169a58587
BLAKE2b-256  fcc897198a3d4885571ee1334bcfa2d85474c8af39920a27e688b38be82eb9ea
