OpenSSH certificate token service for Swarmauri


swarmauri_tokens_sshcert

An OpenSSH certificate token service for the Swarmauri framework. This service mints and verifies OpenSSH user and host certificates and exposes no JWKS endpoints.

Usage

SshCertTokenService uses the local ssh-keygen utility to mint and verify OpenSSH certificates. A key provider supplies the certificate authority (CA) key material used for signing. The typical workflow is:

  1. implement or configure an IKeyProvider that returns your CA key
  2. create the token service
  3. mint a certificate for a subject public key
  4. verify the certificate before trusting it

```python
import asyncio
import os
import subprocess
import tempfile
from typing import Iterable, Mapping

from swarmauri_tokens_sshcert import SshCertTokenService
from swarmauri_core.crypto.types import ExportPolicy, KeyRef, KeyType, KeyUse
from swarmauri_core.key_providers import IKeyProvider


def _generate_keypair() -> tuple[str, str]:
    """Create a throwaway Ed25519 key pair with ssh-keygen; return (private, public)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id")
        subprocess.run(
            ["ssh-keygen", "-t", "ed25519", "-N", "", "-f", path],
            check=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        # Read both halves before the temporary directory is removed.
        with open(path, "r", encoding="utf-8") as f:
            priv = f.read()
        with open(path + ".pub", "r", encoding="utf-8") as f:
            pub = f.read()
    return priv, pub


class DummyKeyProvider(IKeyProvider):
    """Demo provider that keeps a freshly generated CA key in memory."""

    def __init__(self) -> None:
        self.priv, self.pub = _generate_keypair()
        self.kid = "ca"
        self.version = 1

    async def get_key(
        self, kid: str, version: int | None = None, *, include_secret: bool = False
    ) -> KeyRef:
        # The private key is returned only when the caller asks for it.
        material = self.priv if include_secret else None
        return KeyRef(
            kid=self.kid,
            version=self.version,
            type=KeyType.ED25519,
            uses=(KeyUse.SIGN, KeyUse.VERIFY),
            export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
            material=material,
            public=self.pub,
        )

    async def jwks(self, *, prefix_kids: str | None = None) -> dict:
        # The service exposes no JWKS endpoints, so the key set is empty.
        return {"keys": []}

    def supports(self) -> Mapping[str, Iterable[str]]:
        return {}


async def main() -> None:
    svc = SshCertTokenService(DummyKeyProvider(), ca_kid="ca")
    # Subject key pair; only its public half is sent for signing.
    _, subj_pub = _generate_keypair()
    cert = await svc.mint(
        {"subject_pub": subj_pub, "principals": ["alice"], "key_id": "demo"},
        alg="ssh-ed25519",
    )
    # Verify the certificate for the principal "alice" before trusting it.
    info = await svc.verify(cert, audience="alice")
    print(info["key_id"])


if __name__ == "__main__":
    asyncio.run(main())
```

The example above mints a certificate for a generated key and verifies it for the principal alice. The service requires the ssh-keygen command to be available on the system path.
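
What "verify the certificate before trusting it" covers besides the CA signature, as an added example that is not part of swarmauri_tokens_sshcert: a standalone parser for the ssh-ed25519 certificate layout described in OpenSSH's PROTOCOL.certkeys, with field checks for certificate type, principal, validity window and a pinned CA fingerprint. The names parse_cert, policy_errors and sample_cert are hypothetical, the sample certificate is constructed with zeroed keys, and the signature itself is not verified here.

```python
import base64, hashlib, struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _put(b):
    return struct.pack(">I", len(b)) + b  # SSH "string": uint32 length + data

def _get(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4 : off + 4 + n], off + 4 + n

def parse_cert(line):
    """Decode the signed fields of an ssh-ed25519 certificate line."""
    blob = base64.b64decode(line.split()[1])
    kind, off = _get(blob, 0)
    if kind != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    for _ in range(2):  # nonce, then subject public key
        _, off = _get(blob, off)
    (ctype,) = struct.unpack_from(">I", blob, off + 8)  # follows the uint64 serial
    key_id, off = _get(blob, off + 12)
    packed, off = _get(blob, off)
    names, p = [], 0
    while p < len(packed):  # principals are strings packed inside one string
        name, p = _get(packed, p)
        names.append(name.decode())
    after, before = struct.unpack_from(">QQ", blob, off)
    off += 16
    for _ in range(4):  # critical options, extensions, reserved, then the CA key
        ca_blob, off = _get(blob, off)
    fp = base64.b64encode(hashlib.sha256(ca_blob).digest()).decode().rstrip("=")
    return {"type": {1: "user", 2: "host"}.get(ctype), "key_id": key_id.decode(),
            "principals": names, "window": (after, before), "ca_fp": "SHA256:" + fp}

def policy_errors(cert, principal, ca_fp, now):
    """Field checks to pair with signature verification; an empty principal list fails."""
    checks = [(cert["type"] == "user", "not a user certificate"),
              (principal in cert["principals"], "principal not listed"),
              (cert["window"][0] <= now < cert["window"][1], "outside validity window"),
              (cert["ca_fp"] == ca_fp, "unexpected CA")]
    return [msg for ok, msg in checks if not ok]

def sample_cert(names, window):
    """Constructed sample with zeroed keys and signature; it exercises parsing only."""
    key = _put(b"ssh-ed25519") + _put(bytes(32))
    body = (_put(CERT_TYPE) + _put(bytes(32)) * 2 + struct.pack(">QI", 7, 1) + _put(b"demo")
            + _put(b"".join(_put(n.encode()) for n in names)) + struct.pack(">QQ", *window)
            + _put(b"") * 3 + _put(key) + _put(bytes(64)))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()
```

An empty list from policy_errors means the fields are acceptable; the CA signature still has to be checked, which the service delegates to ssh-keygen.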

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.


Source Distribution

swarmauri_tokens_sshcert-0.3.0.dev46.tar.gz (10.2 kB)


Built Distribution


swarmauri_tokens_sshcert-0.3.0.dev46-py3-none-any.whl (11.4 kB)
