OpenSSH certificate token service for Swarmauri
Project description
swarmauri_tokens_sshcert
An OpenSSH certificate token service for the Swarmauri framework. This service mints and verifies OpenSSH user and host certificates and exposes no JWKS endpoints.
Usage
SshCertTokenService uses the local ssh-keygen utility to mint and verify
OpenSSH certificates. A key provider supplies the certificate authority (CA)
key material used for signing. The typical workflow is:
- implement or configure an `IKeyProvider` that returns your CA key
- create the token service
- mint a certificate for a subject public key
- verify the certificate before trusting it
```python
import asyncio
import os
import subprocess
import tempfile
from typing import Iterable, Mapping

from swarmauri_tokens_sshcert import SshCertTokenService
from swarmauri_core.crypto.types import ExportPolicy, KeyRef, KeyType, KeyUse
from swarmauri_core.keys import IKeyProvider


def _generate_keypair() -> tuple[str, str]:
    """Generate a throwaway ed25519 key pair with ssh-keygen and return
    the (private, public) key text. The files live only in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id")
        subprocess.run(
            ["ssh-keygen", "-t", "ed25519", "-N", "", "-f", path],
            check=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        with open(path, "r", encoding="utf-8") as f:
            priv = f.read()
        with open(path + ".pub", "r", encoding="utf-8") as f:
            pub = f.read()
        return priv, pub


class DummyKeyProvider(IKeyProvider):
    """Minimal in-memory CA key provider for demonstration purposes."""

    def __init__(self) -> None:
        self.priv, self.pub = _generate_keypair()
        self.kid = "ca"
        self.version = 1

    async def get_key(
        self, kid: str, version: int | None = None, *, include_secret: bool = False
    ) -> KeyRef:
        # The private key is only released when the caller asks for it explicitly.
        material = self.priv if include_secret else None
        return KeyRef(
            kid=self.kid,
            version=self.version,
            type=KeyType.ED25519,
            uses=(KeyUse.SIGN, KeyUse.VERIFY),
            export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
            material=material,
            public=self.pub,
        )

    async def jwks(self, *, prefix_kids: str | None = None) -> dict:
        # SSH certificates have no JWKS representation; return an empty key set.
        return {"keys": []}

    def supports(self) -> Mapping[str, Iterable[str]]:
        return {}


async def main() -> None:
    svc = SshCertTokenService(DummyKeyProvider(), ca_kid="ca")
    # Generate a subject key pair; only its public half goes into the certificate.
    _, subj_pub = _generate_keypair()
    cert = await svc.mint(
        {"subject_pub": subj_pub, "principals": ["alice"], "key_id": "demo"},
        alg="ssh-ed25519",
    )
    # Verify against the expected principal before trusting any claim in it.
    info = await svc.verify(cert, audience="alice")
    print(info["key_id"])


if __name__ == "__main__":
    asyncio.run(main())
```
The example above mints a certificate for a generated key and verifies it for
the principal `alice`. The service requires the `ssh-keygen` command to be
available on the system path.
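The service's `verify` leaves signature checking to `ssh-keygen`; the fields you then act on (principals, validity window, certificate type) are what decide whether a valid signature should actually be trusted. The decoder below is an added example, not code from the project or from `swarmauri_tokens_sshcert`: it parses the `ssh-ed25519-cert-v01@openssh.com` wire format that `ssh-keygen` writes (assumed here to be the single-line text form that `mint` returns) and applies the same policy checks sshd applies before accepting a certificate. `parse_cert`, `check_cert` and `build_cert_line` are names chosen for this example; the fixture's key and signature bytes are zeroed, constructed data, so this complements rather than replaces the signature verification `svc.verify` performs.

```python
import base64
import struct

# Field order of ssh-ed25519-cert-v01@openssh.com, from OpenSSH's PROTOCOL.certkeys.
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1


def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


class _Reader:
    """Sequential decoder for the wire types a certificate uses."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.off = buf, 0

    def uint(self, fmt: str) -> int:
        (v,) = struct.unpack_from(fmt, self.buf, self.off)
        self.off += struct.calcsize(fmt)
        return v

    def string(self) -> bytes:
        n = self.uint(">I")
        if self.off + n > len(self.buf):
            raise ValueError("truncated certificate")
        data, self.off = self.buf[self.off:self.off + n], self.off + n
        return data

    def strings(self) -> list[bytes]:
        """Read every string left in the buffer (principal and option lists)."""
        out = []
        while self.off < len(self.buf):
            out.append(self.string())
        return out


def parse_cert(line: str) -> dict:
    """Decode one '<type> <base64> [comment]' line as ssh-keygen writes it."""
    parts = line.split()
    if len(parts) < 2 or parts[0].encode() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate line")
    r = _Reader(base64.b64decode(parts[1], validate=True))
    if r.string() != CERT_TYPE:
        raise ValueError("blob type does not match the line's key type")
    cert = {"nonce": r.string(), "public_key": r.string(), "serial": r.uint(">Q"),
            "type": r.uint(">I"), "key_id": r.string().decode(),
            "principals": [p.decode() for p in _Reader(r.string()).strings()],
            "valid_after": r.uint(">Q"), "valid_before": r.uint(">Q")}
    # Critical options and extensions are (name, data) string pairs; keep the names.
    cert["critical_options"] = [n.decode() for n in _Reader(r.string()).strings()[0::2]]
    cert["extensions"] = [n.decode() for n in _Reader(r.string()).strings()[0::2]]
    r.string()  # reserved field, always empty
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    return cert


def check_cert(cert: dict, principal: str, now: int) -> list[str]:
    """Reasons a parsed certificate must not be trusted for `principal` at `now`."""
    problems = []
    if cert["type"] != USER_CERT:
        problems.append("not a user certificate")
    if not cert["principals"]:
        # ssh-keygen's default: no principals means valid for any user, so refuse it.
        problems.append("empty principal list (valid for any user)")
    elif principal not in cert["principals"]:
        problems.append(f"{principal!r} is not a listed principal")
    if now < cert["valid_after"]:
        problems.append("not yet valid")
    if now >= cert["valid_before"]:  # OpenSSH treats valid_before as exclusive
        problems.append("expired")
    return problems


def build_cert_line(key_id: str, principals: list[str], valid_after: int,
                    valid_before: int, extensions=("permit-pty",)) -> str:
    """Constructed fixture: a well-formed line with zeroed key/signature bytes."""
    body = (
        _string(CERT_TYPE)
        + _string(bytes(32))                                   # nonce
        + _string(bytes(32))                                   # subject ed25519 key
        + struct.pack(">Q", 1) + struct.pack(">I", USER_CERT)  # serial, type
        + _string(key_id.encode())
        + _string(b"".join(_string(p.encode()) for p in principals))
        + struct.pack(">QQ", valid_after, valid_before)
        + _string(b"")                                         # no critical options
        + _string(b"".join(_string(e.encode()) + _string(b"") for e in extensions))
        + _string(b"")                                         # reserved
        + _string(_string(b"ssh-ed25519") + _string(bytes(32)))  # CA public key
        + _string(_string(b"ssh-ed25519") + _string(bytes(64)))  # signature
    )
    return f"{CERT_TYPE.decode()} {base64.b64encode(body).decode()} demo"
```

Run `check_cert(parse_cert(cert), "alice", int(time.time()))` on the line `mint` returns and treat a non-empty result as a reason to reject, even after `svc.verify` succeeded. The empty-principal rule is deliberate: `ssh-keygen` signs certificates valid for every user unless `-n` is given, so a minting path that forgets the principals produces a certificate far broader than intended.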
Download files
File details
Details for the file swarmauri_tokens_sshcert-0.3.0.dev3.tar.gz.
File metadata
- Download URL: swarmauri_tokens_sshcert-0.3.0.dev3.tar.gz
- Upload date:
- Size: 5.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.17
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9d7b17aeded6cde348bd1ad009164adf1cd164262cbd0a731b797230b40c0be9 |
| MD5 | 9a5595e1756780fcc8061f355b03efee |
| BLAKE2b-256 | e1b413647070a845d1c977424617dd5fd12cccb9feb4bb134c85ddcad2545cb6 |
File details
Details for the file swarmauri_tokens_sshcert-0.3.0.dev3-py3-none-any.whl.
File metadata
- Download URL: swarmauri_tokens_sshcert-0.3.0.dev3-py3-none-any.whl
- Upload date:
- Size: 6.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.8.17
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a94835934eb69714b88e7a90ff6f18b01f602725e3efa654f4c96ac9a8d5838d |
| MD5 | 92a61db7a5ab44ab4c6d26b169a58587 |
| BLAKE2b-256 | fcc897198a3d4885571ee1334bcfa2d85474c8af39920a27e688b38be82eb9ea |