
OpenSSH certificate token service for Swarmauri

Project description

swarmauri_tokens_sshcert

An OpenSSH certificate token service for the Swarmauri framework. This service mints and verifies OpenSSH user and host certificates and exposes no JWKS endpoints.

Usage

SshCertTokenService uses the local ssh-keygen utility to mint and verify OpenSSH certificates. A key provider supplies the certificate authority (CA) key material used for signing. The typical workflow is:

  1. implement or configure an IKeyProvider that returns your CA key
  2. create the token service
  3. mint a certificate for a subject public key
  4. verify the certificate before trusting it

import asyncio
import os
import subprocess
import tempfile
from typing import Iterable, Mapping

from swarmauri_tokens_sshcert import SshCertTokenService
from swarmauri_core.crypto.types import ExportPolicy, KeyRef, KeyType, KeyUse
from swarmauri_core.keys import IKeyProvider


def _generate_keypair() -> tuple[str, str]:
    """Generate a throwaway ed25519 keypair with ssh-keygen and return (private, public) text."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id")
        subprocess.run(
            ["ssh-keygen", "-t", "ed25519", "-N", "", "-f", path],
            check=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        with open(path, "r", encoding="utf-8") as f:
            priv = f.read()
        with open(path + ".pub", "r", encoding="utf-8") as f:
            pub = f.read()
    return priv, pub


class DummyKeyProvider(IKeyProvider):
    """Minimal in-memory CA key provider for the demo.

    A real deployment keeps the CA private key in a provider backed by a KMS or HSM;
    only the signing path should ever ask for the secret material.
    """

    def __init__(self) -> None:
        self.priv, self.pub = _generate_keypair()
        self.kid = "ca"
        self.version = 1

    async def get_key(
        self, kid: str, version: int | None = None, *, include_secret: bool = False
    ) -> KeyRef:
        # The private key is only returned when the caller explicitly asks for it.
        material = self.priv if include_secret else None
        return KeyRef(
            kid=self.kid,
            version=self.version,
            type=KeyType.ED25519,
            uses=(KeyUse.SIGN, KeyUse.VERIFY),
            export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
            material=material,
            public=self.pub,
        )

    async def jwks(self, *, prefix_kids: str | None = None) -> dict:
        # OpenSSH certificates are not JWKs; nothing is published here.
        return {"keys": []}

    def supports(self) -> Mapping[str, Iterable[str]]:
        return {}


async def main() -> None:
    svc = SshCertTokenService(DummyKeyProvider(), ca_kid="ca")
    _, subj_pub = _generate_keypair()
    # Mint a user certificate for the subject key, valid for the principal "alice".
    cert = await svc.mint(
        {"subject_pub": subj_pub, "principals": ["alice"], "key_id": "demo"},
        alg="ssh-ed25519",
    )
    # Verify the certificate against the CA and the expected principal before using it.
    info = await svc.verify(cert, audience="alice")
    print(info["key_id"])


if __name__ == "__main__":
    asyncio.run(main())

The example above mints a certificate for a generated key and verifies it for the principal alice. The service requires the ssh-keygen command to be available on the system path.
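The claims that verify() checks (certificate type, key_id, principals and validity window) live in the certificate blob itself. As an added illustration that is not part of the Swarmauri project, the following decodes those claims from an authorized_keys-style certificate line; the sample blob is constructed with placeholder key, nonce and signature bytes, so signature validity is deliberately left to ssh-keygen, as the service does.

```python
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # certificate type field: 1 = user certificate, 2 = host certificate

def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_cert(key_id: str, principals: list[str], valid_after: int, valid_before: int) -> str:
    # Constructed sample (PROTOCOL.certkeys field order); key, nonce and signature bytes are placeholders.
    body = (_string(CERT_TYPE.encode())
            + _string(b"\x00" * 32)                         # nonce
            + _string(b"\x11" * 32)                         # subject public key (placeholder)
            + struct.pack(">QI", 7, USER_CERT)              # serial, type
            + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(b"") + _string(b"") + _string(b"")    # critical options, extensions, reserved
            + _string(b"\x22" * 32)                         # CA signature key (placeholder)
            + _string(b"\x33" * 64))                        # signature (placeholder, not checked here)
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} demo-comment"

def parse_cert(line: str) -> dict:
    """Decode the signed claims of a one-line OpenSSH certificate."""
    buf = base64.b64decode(line.split()[1])
    cert_type, off = _read_string(buf, 0)
    _nonce, off = _read_string(buf, off)
    _pk, off = _read_string(buf, off)
    serial, kind = struct.unpack_from(">QI", buf, off)
    key_id, off = _read_string(buf, off + 12)
    princ_blob, off = _read_string(buf, off)
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    principals, p = [], 0
    while p < len(princ_blob):                 # principals are nested SSH strings
        name, p = _read_string(princ_blob, p)
        principals.append(name.decode())
    return {"type": cert_type.decode(), "serial": serial, "user_cert": kind == USER_CERT,
            "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def check_claims(info: dict, principal: str, now: int) -> bool:
    """Signature validity is ssh-keygen's job; this checks the claims it signs."""
    return (info["user_cert"] and principal in info["principals"]
            and info["valid_after"] <= now < info["valid_before"])
```

An empty principals list would let check_claims reject every principal, which matches OpenSSH's own rule that a certificate with no principals is valid for any, only if you deliberately decide otherwise; the check above treats it as valid for none, the safer default for a token service.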

Download files

Source distribution: swarmauri_tokens_sshcert-0.3.0.dev4.tar.gz (5.8 kB)

Built distribution: swarmauri_tokens_sshcert-0.3.0.dev4-py3-none-any.whl (6.7 kB, Python 3)
