Class swarmauri_certservice_aws_kms.AwsKmsCertService.AwsKmsCertService

swarmauri_certservice_aws_kms.AwsKmsCertService.AwsKmsCertService

AwsKmsCertService(
    *,
    region_name=None,
    endpoint_url=None,
    session=None,
    default_sig_alg="RSA-PSS-SHA256",
)

Bases: CertServiceBase

Source code in swarmauri_certservice_aws_kms/AwsKmsCertService.py

def __init__(
    self,
    *,
    region_name: Optional[str] = None,
    endpoint_url: Optional[str] = None,
    session: Optional["boto3.session.Session"] = None,  # type: ignore[name-defined]
    default_sig_alg: str = "RSA-PSS-SHA256",
) -> None:
    super().__init__()
    self._region = region_name
    self._endpoint = endpoint_url
    self._session = session
    self._default_sig_alg = default_sig_alg
    self._kms = None

resource class-attribute instance-attribute

resource = Field(default=CRYPTO.value, frozen=True)

type class-attribute instance-attribute

type = 'AwsKmsCertService'

model_config class-attribute instance-attribute

model_config = ConfigDict(
    extra="allow", arbitrary_types_allowed=True
)

id class-attribute instance-attribute

id = Field(default_factory=generate_id)

members class-attribute instance-attribute

members = None

owners class-attribute instance-attribute

owners = None

host class-attribute instance-attribute

host = None

default_logger class-attribute

default_logger = None

logger class-attribute instance-attribute

logger = None

name class-attribute instance-attribute

name = None

version class-attribute instance-attribute

version = '0.1.0'

supports

supports()

Source code in swarmauri_certservice_aws_kms/AwsKmsCertService.py

def supports(self) -> Mapping[str, Iterable[str]]:
    return {
        "key_algs": ("RSA-2048", "RSA-3072", "RSA-4096", "EC-P256", "EC-P384"),
        "sig_algs": ("RSA-PSS-SHA256", "RSA-SHA256", "ECDSA-P256-SHA256"),
        "features": (
            "sign_from_csr",
            "self_signed",
            "verify",
            "parse",
            "akid",
            "skid",
        ),
        "profiles": ("server", "client", "intermediate", "root"),
    }

create_csr async

create_csr(
    key,
    subject,
    *,
    san=None,
    extensions=None,
    sig_alg=None,
    challenge_password=None,
    output_der=False,
    opts=None,
)

Source code in swarmauri_certservice_aws_kms/AwsKmsCertService.py

async def create_csr(
    self,
    key: KeyRef,
    subject: SubjectSpec,
    *,
    san: Optional[AltNameSpec] = None,
    extensions: Optional[CertExtensionSpec] = None,
    sig_alg: Optional[str] = None,
    challenge_password: Optional[str] = None,
    output_der: bool = False,
    opts: Optional[Dict[str, Any]] = None,
) -> CsrBytes:
    if not key.material:
        raise NotImplementedError(
            "create_csr requires exportable private key material in KeyRef.material"
        )

    priv = serialization.load_pem_private_key(key.material, password=None)
    builder = cx509.CertificateSigningRequestBuilder().subject_name(
        _cryptography_name_from_spec(subject)
    )

    san_list: list[cx509.GeneralName] = []
    if san:
        for d in san.get("dns") or []:
            san_list.append(cx509.DNSName(d))
        for ip in san.get("ip") or []:
            san_list.append(cx509.IPAddress(cx509.ipaddress.ip_address(ip)))
        for uri in san.get("uri") or []:
            san_list.append(cx509.UniformResourceIdentifier(uri))
        for em in san.get("email") or []:
            san_list.append(cx509.RFC822Name(em))
        if san_list:
            builder = builder.add_extension(
                cx509.SubjectAlternativeName(san_list), critical=False
            )

    chosen_hash = hashes.SHA256()
    csr = builder.sign(priv, chosen_hash)
    der = csr.public_bytes(Encoding.DER)
    return (
        der
        if output_der
        else cx509.load_der_x509_csr(der).public_bytes(Encoding.PEM)
    )

create_self_signed async

create_self_signed(
    key,
    subject,
    *,
    serial=None,
    not_before=None,
    not_after=None,
    extensions=None,
    sig_alg=None,
    output_der=False,
    opts=None,
)

Source code in swarmauri_certservice_aws_kms/AwsKmsCertService.py

async def create_self_signed(
    self,
    key: KeyRef,
    subject: SubjectSpec,
    *,
    serial: Optional[int] = None,
    not_before: Optional[int] = None,
    not_after: Optional[int] = None,
    extensions: Optional[CertExtensionSpec] = None,
    sig_alg: Optional[str] = None,
    output_der: bool = False,
    opts: Optional[Dict[str, Any]] = None,
) -> CertBytes:
    kms = self._client()
    key_id = _extract_kms_key_id_from_keyref(key)
    sig = _pick_alg(sig_alg or self._default_sig_alg)
    issuer_name_ax = _name_from_subject_spec(subject)
    issuer_spki, _ = _aws_kms_pubkey_info(kms, key_id)

    nbf = _to_utc(not_before, default=int(_now_utc().timestamp() - 300))
    naf = _to_utc(
        not_after, default=int((_now_utc() + dt.timedelta(days=365)).timestamp())
    )

    tbs = ax509.TbsCertificate(
        {
            "version": "v3",
            "serial_number": serial if serial is not None else _rand_serial_160(),
            "signature": sig.tbs_alg,
            "issuer": issuer_name_ax,
            "validity": _mk_validity(nbf, naf),
            "subject": issuer_name_ax,
            "subject_public_key_info": issuer_spki,
            "extensions": ax509.Extensions(
                [
                    ax509.Extension(
                        {
                            "extn_id": "basic_constraints",
                            "critical": True,
                            "extn_value": ax509.BasicConstraints(
                                {"ca": True, "path_len_constraint": 1}
                            ),
                        }
                    ),
                    ax509.Extension(
                        {
                            "extn_id": "subject_key_identifier",
                            "critical": False,
                            "extn_value": ax509.SubjectKeyIdentifier(
                                _skid_from_pub(issuer_spki)
                            ),
                        }
                    ),
                ]
            ),
        }
    )

    tbs_der = tbs.dump()
    signature = _kms_sign(kms, key_id, sig, tbs_der)
    cert = _assemble_cert(tbs, sig, signature)
    der = cert.dump()
    return der if output_der else _cert_to_pem(cert)

sign_cert async

sign_cert(
    csr,
    ca_key,
    *,
    issuer=None,
    ca_cert=None,
    serial=None,
    not_before=None,
    not_after=None,
    extensions=None,
    sig_alg=None,
    output_der=False,
    opts=None,
)

Source code in swarmauri_certservice_aws_kms/AwsKmsCertService.py

async def sign_cert(
    self,
    csr: CsrBytes,
    ca_key: KeyRef,
    *,
    issuer: Optional[SubjectSpec] = None,
    ca_cert: Optional[CertBytes] = None,
    serial: Optional[int] = None,
    not_before: Optional[int] = None,
    not_after: Optional[int] = None,
    extensions: Optional[CertExtensionSpec] = None,
    sig_alg: Optional[str] = None,
    output_der: bool = False,
    opts: Optional[Dict[str, Any]] = None,
) -> CertBytes:
    kms = self._client()
    key_id = _extract_kms_key_id_from_keyref(ca_key)
    sig = _pick_alg(sig_alg or self._default_sig_alg)

    csr_der, kind = _normalize_bytes_maybe_pem(csr)
    if kind != "CERTIFICATE REQUEST":
        raise ValueError("sign_cert expects a CSR (PKCS#10)")
    csr_obj = cx509.load_der_x509_csr(csr_der)

    if ca_cert is not None:
        ic_der, _ = _normalize_bytes_maybe_pem(ca_cert)
        ic = cx509.load_der_x509_certificate(ic_der)
        issuer_name_ax = _cx509_name_to_ax509_name(ic.subject)
        issuer_spki = ax509.PublicKeyInfo.load(
            ic.public_key().public_bytes(
                Encoding.DER, PublicFormat.SubjectPublicKeyInfo
            )
        )
    else:
        if issuer is None:
            raise ValueError(
                "sign_cert: either 'ca_cert' or 'issuer' must be provided"
            )
        issuer_name_ax = _name_from_subject_spec(issuer)
        issuer_spki, _ = _aws_kms_pubkey_info(kms, key_id)

    nbf = _to_utc(not_before, default=int(_now_utc().timestamp() - 300))
    naf = _to_utc(
        not_after, default=int((_now_utc() + dt.timedelta(days=365)).timestamp())
    )

    tbs, _ = _build_tbs_from_csr(
        csr_obj, issuer_name_ax, serial, nbf, naf, sig, issuer_spki
    )
    signature = _kms_sign(kms, key_id, sig, tbs.dump())
    cert = _assemble_cert(tbs, sig, signature)
    der = cert.dump()
    return der if output_der else _cert_to_pem(cert)

verify_cert async

verify_cert(
    cert,
    *,
    trust_roots=None,
    intermediates=None,
    check_time=None,
    check_revocation=False,
    opts=None,
)

Source code in swarmauri_certservice_aws_kms/AwsKmsCertService.py

async def verify_cert(
    self,
    cert: CertBytes,
    *,
    trust_roots: Optional[Sequence[CertBytes]] = None,
    intermediates: Optional[Sequence[CertBytes]] = None,
    check_time: Optional[int] = None,
    check_revocation: bool = False,
    opts: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    der, _ = _normalize_bytes_maybe_pem(cert)
    c = cx509.load_der_x509_certificate(der)

    now = _to_utc(check_time) if check_time else _now_utc()
    if c.not_valid_before > now or c.not_valid_after < now:
        return {
            "valid": False,
            "reason": "time_window",
            "not_before": int(c.not_valid_before.timestamp()),
            "not_after": int(c.not_valid_after.timestamp()),
        }

    issuer_cert: Optional[cx509.Certificate] = None
    seq = list(intermediates or []) + list(trust_roots or [])
    for cand in seq:
        cd, _ = _normalize_bytes_maybe_pem(cand)
        try:
            issuer_cert = cx509.load_der_x509_certificate(cd)
            if issuer_cert.subject == c.issuer:
                break
            issuer_cert = None
        except Exception:
            continue

    if issuer_cert is None:
        return {
            "valid": True,
            "reason": None,
            "issuer_known": False,
            "subject": c.subject.rfc4514_string(),
            "not_before": int(c.not_valid_before.timestamp()),
            "not_after": int(c.not_valid_after.timestamp()),
        }

    pub = issuer_cert.public_key()
    tbs = c.tbs_certificate_bytes
    try:
        sa = c.signature_algorithm_oid
        if sa._name in ("sha256_rsa", "sha384_rsa", "sha512_rsa"):
            pub.verify(
                c.signature, tbs, padding.PKCS1v15(), c.signature_hash_algorithm
            )
        elif (
            sa.dotted_string == cx509.SignatureAlgorithmOID.RSASSA_PSS.dotted_string
        ):
            pub.verify(
                c.signature,
                tbs,
                padding.PSS(
                    mgf=padding.MGF1(c.signature_hash_algorithm),
                    salt_length=c.signature_hash_algorithm.digest_size,
                ),
                c.signature_hash_algorithm,
            )
        elif sa._name in (
            "ecdsa_with_sha256",
            "ecdsa_with_sha384",
            "ecdsa_with_sha512",
        ):
            pub.verify(c.signature, tbs, ec.ECDSA(c.signature_hash_algorithm))
        else:
            raise ValueError(
                f"Unsupported signature algorithm for verify: {sa._name}"
            )
    except Exception as e:  # pragma: no cover - errors tested via failure cases
        return {"valid": False, "reason": f"signature:{e.__class__.__name__}"}

    return {
        "valid": True,
        "reason": None,
        "issuer_known": True,
        "issuer": issuer_cert.subject.rfc4514_string(),
        "subject": c.subject.rfc4514_string(),
        "not_before": int(c.not_valid_before.timestamp()),
        "not_after": int(c.not_valid_after.timestamp()),
    }

parse_cert async

parse_cert(cert, *, include_extensions=True, opts=None)

Source code in swarmauri_certservice_aws_kms/AwsKmsCertService.py

async def parse_cert(
    self,
    cert: CertBytes,
    *,
    include_extensions: bool = True,
    opts: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    der, _ = _normalize_bytes_maybe_pem(cert)
    c = cx509.load_der_x509_certificate(der)

    out: Dict[str, Any] = {
        "serial": c.serial_number,
        "sig_alg": c.signature_algorithm_oid.dotted_string,
        "issuer": c.issuer.rfc4514_string(),
        "subject": c.subject.rfc4514_string(),
        "not_before": int(c.not_valid_before.timestamp()),
        "not_after": int(c.not_valid_after.timestamp()),
        "is_ca": False,
    }
    if include_extensions:
        try:
            bc = c.extensions.get_extension_for_class(cx509.BasicConstraints).value
            out["is_ca"] = bool(bc.ca)
            if bc.path_length is not None:
                out["path_len"] = bc.path_length
        except Exception:
            pass
        try:
            san = c.extensions.get_extension_for_class(
                cx509.SubjectAlternativeName
            ).value
            out["san"] = {
                "dns": [n.value for n in san.get_values_for_type(cx509.DNSName)],
                "ip": [
                    str(n.value) for n in san.get_values_for_type(cx509.IPAddress)
                ],
                "uri": [
                    n.value
                    for n in san.get_values_for_type(
                        cx509.UniformResourceIdentifier
                    )
                ],
                "email": [
                    n.value for n in san.get_values_for_type(cx509.RFC822Name)
                ],
            }
        except Exception:
            pass
        try:
            ku = c.extensions.get_extension_for_class(cx509.KeyUsage).value
            out["key_usage"] = {
                "digital_signature": ku.digital_signature,
                "content_commitment": ku.content_commitment,
                "key_encipherment": ku.key_encipherment,
                "data_encipherment": ku.data_encipherment,
                "key_agreement": ku.key_agreement,
                "key_cert_sign": ku.key_cert_sign,
                "crl_sign": ku.crl_sign,
                "encipher_only": ku.encipher_only,
                "decipher_only": ku.decipher_only,
            }
        except Exception:
            pass
        try:
            eku = c.extensions.get_extension_for_class(cx509.ExtendedKeyUsage).value
            out["eku"] = [oid.dotted_string for oid in eku]
        except Exception:
            pass
    return out

register_model classmethod

register_model()

Decorator to register a base model in the unified registry.

RETURNS	DESCRIPTION
Callable	A decorator function that registers the model class. TYPE: Callable[[Type[BaseModel]], Type[BaseModel]]

Source code in swarmauri_base/DynamicBase.py

@classmethod
def register_model(cls) -> Callable[[Type[BaseModel]], Type[BaseModel]]:
    """
    Decorator to register a base model in the unified registry.

    Returns:
        Callable: A decorator function that registers the model class.
    """

    def decorator(model_cls: Type[BaseModel]):
        """Register ``model_cls`` as a base model."""
        model_name = model_cls.__name__
        if model_name in cls._registry:
            glogger.warning(
                "Model '%s' is already registered; skipping duplicate.", model_name
            )
            return model_cls

        cls._registry[model_name] = {"model_cls": model_cls, "subtypes": {}}
        glogger.debug("Registered base model '%s'.", model_name)
        DynamicBase._recreate_models()
        return model_cls

    return decorator

register_type classmethod

register_type(resource_type=None, type_name=None)

Decorator to register a subtype under one or more base models in the unified registry.

PARAMETER	DESCRIPTION
resource_type	The base model(s) under which to register the subtype. If None, all direct base classes (except DynamicBase) are used. TYPE: Optional[Union[Type[T], List[Type[T]]]] DEFAULT: None
type_name	An optional custom type name for the subtype. TYPE: Optional[str] DEFAULT: None

RETURNS	DESCRIPTION
Callable	A decorator function that registers the subtype. TYPE: Callable[[Type[DynamicBase]], Type[DynamicBase]]

Source code in swarmauri_base/DynamicBase.py

@classmethod
def register_type(
    cls,
    resource_type: Optional[Union[Type[T], List[Type[T]]]] = None,
    type_name: Optional[str] = None,
) -> Callable[[Type["DynamicBase"]], Type["DynamicBase"]]:
    """
    Decorator to register a subtype under one or more base models in the unified registry.

    Parameters:
        resource_type (Optional[Union[Type[T], List[Type[T]]]]):
            The base model(s) under which to register the subtype. If None, all direct base classes (except DynamicBase)
            are used.
        type_name (Optional[str]): An optional custom type name for the subtype.

    Returns:
        Callable: A decorator function that registers the subtype.
    """

    def decorator(subclass: Type["DynamicBase"]):
        """Register ``subclass`` as a subtype."""
        if resource_type is None:
            resource_types = [
                base for base in subclass.__bases__ if base is not cls
            ]
        elif not isinstance(resource_type, list):
            resource_types = [resource_type]
        else:
            resource_types = resource_type

        for rt in resource_types:
            if not issubclass(subclass, rt):
                raise TypeError(
                    f"'{subclass.__name__}' must be a subclass of '{rt.__name__}'."
                )
            final_type_name = type_name or getattr(
                subclass, "_type", subclass.__name__
            )
            base_model_name = rt.__name__

            if base_model_name not in cls._registry:
                cls._registry[base_model_name] = {"model_cls": rt, "subtypes": {}}
                glogger.debug(
                    "Created new registry entry for base model '%s'.",
                    base_model_name,
                )

            subtypes_dict = cls._registry[base_model_name]["subtypes"]
            if final_type_name in subtypes_dict:
                glogger.warning(
                    "Type '%s' already exists under '%s'; skipping duplicate.",
                    final_type_name,
                    base_model_name,
                )
                continue

            subtypes_dict[final_type_name] = subclass
            glogger.debug(
                "Registered '%s' as '%s' under '%s'.",
                subclass.__name__,
                final_type_name,
                base_model_name,
            )

        DynamicBase._recreate_models()
        return subclass

    return decorator

model_validate_toml classmethod

model_validate_toml(toml_data)

Validate a model from a TOML string.

Source code in swarmauri_base/TomlMixin.py

@classmethod
def model_validate_toml(cls, toml_data: str):
    """Validate a model from a TOML string."""
    try:
        # Parse TOML into a Python dictionary
        toml_content = tomllib.loads(toml_data)

        # Convert the dictionary to JSON and validate using Pydantic
        return cls.model_validate_json(json.dumps(toml_content))
    except tomllib.TOMLDecodeError as e:
        raise ValueError(f"Invalid TOML data: {e}")
    except ValidationError as e:
        raise ValueError(f"Validation failed: {e}")

model_dump_toml

model_dump_toml(
    fields_to_exclude=None, api_key_placeholder=None
)

Return a TOML representation of the model.

Source code in swarmauri_base/TomlMixin.py

def model_dump_toml(self, fields_to_exclude=None, api_key_placeholder=None):
    """Return a TOML representation of the model."""
    if fields_to_exclude is None:
        fields_to_exclude = []

    # Load the JSON string into a Python dictionary
    json_data = json.loads(self.model_dump_json())

    # Function to recursively remove specific keys and handle api_key placeholders
    def process_fields(data, fields_to_exclude):
        """Recursively filter fields and apply placeholders."""
        if isinstance(data, dict):
            return {
                key: (
                    api_key_placeholder
                    if key == "api_key" and api_key_placeholder is not None
                    else process_fields(value, fields_to_exclude)
                )
                for key, value in data.items()
                if key not in fields_to_exclude
            }
        elif isinstance(data, list):
            return [process_fields(item, fields_to_exclude) for item in data]
        else:
            return data

    # Filter the JSON data
    filtered_data = process_fields(json_data, fields_to_exclude)

    # Convert the filtered data into TOML
    return toml.dumps(filtered_data)

model_validate_yaml classmethod

model_validate_yaml(yaml_data)

Validate a model from a YAML string.

Source code in swarmauri_base/YamlMixin.py

@classmethod
def model_validate_yaml(cls, yaml_data: str):
    """Validate a model from a YAML string."""
    try:
        # Parse YAML into a Python dictionary
        yaml_content = yaml.safe_load(yaml_data)

        # Convert the dictionary to JSON and validate using Pydantic
        return cls.model_validate_json(json.dumps(yaml_content))
    except yaml.YAMLError as e:
        raise ValueError(f"Invalid YAML data: {e}")
    except ValidationError as e:
        raise ValueError(f"Validation failed: {e}")

model_dump_yaml

model_dump_yaml(
    fields_to_exclude=None, api_key_placeholder=None
)

Return a YAML representation of the model.

Source code in swarmauri_base/YamlMixin.py

def model_dump_yaml(self, fields_to_exclude=None, api_key_placeholder=None):
    """Return a YAML representation of the model."""
    if fields_to_exclude is None:
        fields_to_exclude = []

    # Load the JSON string into a Python dictionary
    json_data = json.loads(self.model_dump_json())

    # Function to recursively remove specific keys and handle api_key placeholders
    def process_fields(data, fields_to_exclude):
        """Recursively filter fields and apply placeholders."""
        if isinstance(data, dict):
            return {
                key: (
                    api_key_placeholder
                    if key == "api_key" and api_key_placeholder is not None
                    else process_fields(value, fields_to_exclude)
                )
                for key, value in data.items()
                if key not in fields_to_exclude
            }
        elif isinstance(data, list):
            return [process_fields(item, fields_to_exclude) for item in data]
        else:
            return data

    # Filter the JSON data
    filtered_data = process_fields(json_data, fields_to_exclude)

    # Convert the filtered data into YAML using safe mode
    return yaml.safe_dump(filtered_data, default_flow_style=False)

model_post_init

model_post_init(logger=None)

Assign a logger instance after model initialization.

Source code in swarmauri_base/LoggerMixin.py

def model_post_init(self, logger: Optional[FullUnion[LoggerBase]] = None) -> None:
    """Assign a logger instance after model initialization."""

    # Directly assign the provided FullUnion[LoggerBase] or fallback to the
    # class-level default.
    self.logger = self.logger or logger or self.default_logger