Skip to main content

OpenSSH certificate token service for Swarmauri

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_tokens_sshcert


swarmauri_tokens_sshcert

An OpenSSH certificate token service for the Swarmauri framework. This service mints and verifies OpenSSH user and host certificates and exposes no JWKS endpoints.

Usage

SshCertTokenService uses the local ssh-keygen utility to mint and verify OpenSSH certificates. A key provider supplies the certificate authority (CA) key material used for signing. The typical workflow is:

  1. implement or configure an IKeyProvider that returns your CA key
  2. create the token service
  3. mint a certificate for a subject public key
  4. verify the certificate before trusting it
import asyncio
import os
import subprocess
import tempfile
from typing import Iterable, Mapping

from swarmauri_tokens_sshcert import SshCertTokenService
from swarmauri_core.crypto.types import ExportPolicy, KeyRef, KeyType, KeyUse
from swarmauri_core.key_providers import IKeyProvider


def _generate_keypair() -> tuple[str, str]:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "id")
        subprocess.run(
            ["ssh-keygen", "-t", "ed25519", "-N", "", "-f", path],
            check=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        priv = open(path, "r", encoding="utf-8").read()
        pub = open(path + ".pub", "r", encoding="utf-8").read()
    return priv, pub


class DummyKeyProvider(IKeyProvider):
    def __init__(self) -> None:
        self.priv, self.pub = _generate_keypair()
        self.kid = "ca"
        self.version = 1

    async def get_key(
        self, kid: str, version: int | None = None, *, include_secret: bool = False
    ) -> KeyRef:
        material = self.priv if include_secret else None
        return KeyRef(
            kid=self.kid,
            version=self.version,
            type=KeyType.ED25519,
            uses=(KeyUse.SIGN, KeyUse.VERIFY),
            export_policy=ExportPolicy.SECRET_WHEN_ALLOWED,
            material=material,
            public=self.pub,
        )

    async def jwks(self, *, prefix_kids: str | None = None) -> dict:
        return {"keys": []}

    def supports(self) -> Mapping[str, Iterable[str]]:
        return {}


async def main() -> None:
    svc = SshCertTokenService(DummyKeyProvider(), ca_kid="ca")
    _, subj_pub = _generate_keypair()
    cert = await svc.mint(
        {"subject_pub": subj_pub, "principals": ["alice"], "key_id": "demo"},
        alg="ssh-ed25519",
    )
    info = await svc.verify(cert, audience="alice")
    print(info["key_id"])


if __name__ == "__main__":
    asyncio.run(main())

The example above mints a certificate for a generated key and verifies it for the principal alice. The service requires the ssh-keygen command to be available on the system path.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_tokens_sshcert-0.3.0.dev48.tar.gz (10.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

swarmauri_tokens_sshcert-0.3.0.dev48-py3-none-any.whl (11.4 kB view details)

Uploaded Python 3

File details

Details for the file swarmauri_tokens_sshcert-0.3.0.dev48.tar.gz.

File metadata

  • Download URL: swarmauri_tokens_sshcert-0.3.0.dev48.tar.gz
  • Upload date:
  • Size: 10.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_tokens_sshcert-0.3.0.dev48.tar.gz
Algorithm Hash digest
SHA256 d2b134a844ce633d132b758d0d79f2a8fd3ff7064eee146f0a38a7236f3cc1f2
MD5 b40385094d0be1ba3990262d9fb00e77
BLAKE2b-256 00c3b012683d5fb06903e8fa48e475801e4fd7ed40e604a65116d10f45040bae

See more details on using hashes here.

File details

Details for the file swarmauri_tokens_sshcert-0.3.0.dev48-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_tokens_sshcert-0.3.0.dev48-py3-none-any.whl
  • Upload date:
  • Size: 11.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_tokens_sshcert-0.3.0.dev48-py3-none-any.whl
Algorithm Hash digest
SHA256 b7b4ecf86e5967d9a8ef2d5cb5761efddf4ff1aec709268b377f73b59cb300e4
MD5 36eed386e21c2182854189f6ebdcf901
BLAKE2b-256 b038919855196f685d1a4474076a47c388fe6a50856b75bdeef488fad20e33fc

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page