Class swarmauri_certservice_scep.ScepCertService.ScepCertService

swarmauri_certservice_scep.ScepCertService.ScepCertService

ScepCertService(scep_url, *, challenge_password=None)

Bases: CertServiceBase

Certificate enrollment via SCEP (Simple Certificate Enrollment Protocol).

The service maps :class:~swarmauri_core.certs.ICertService flows onto the SCEP message exchange so that clients can issue and validate X.509 certificates.

scep_url (str): Base URL of the SCEP server. challenge_password (str / None): RA challenge password if required.

Initialise the SCEP certificate service.

scep_url (str): Base URL of the SCEP server. challenge_password (str / None): RA challenge password for enrollment.

Source code in swarmauri_certservice_scep/ScepCertService.py

def __init__(
    self, scep_url: str, *, challenge_password: Optional[str] = None
) -> None:
    """Initialise the SCEP certificate service.

    scep_url (str): Base URL of the SCEP server.
    challenge_password (str / None): RA challenge password for enrollment.
    """
    super().__init__()
    self._url = scep_url.rstrip("/")
    self._challenge = challenge_password

type class-attribute instance-attribute

type = 'ScepCertService'

model_config class-attribute instance-attribute

model_config = ConfigDict(
    extra="allow", arbitrary_types_allowed=True
)

id class-attribute instance-attribute

id = Field(default_factory=generate_id)

members class-attribute instance-attribute

members = None

owners class-attribute instance-attribute

owners = None

host class-attribute instance-attribute

host = None

default_logger class-attribute

default_logger = None

logger class-attribute instance-attribute

logger = None

name class-attribute instance-attribute

name = None

resource class-attribute instance-attribute

resource = Field(default=CRYPTO.value, frozen=True)

version class-attribute instance-attribute

version = '0.1.0'

supports

supports()

Return supported algorithms and features.

RETURNS (Mapping[str, Iterable[str]]): Supported keys, signatures, and features.

Source code in swarmauri_certservice_scep/ScepCertService.py

def supports(self) -> Mapping[str, Iterable[str]]:
    """Return supported algorithms and features.

    RETURNS (Mapping[str, Iterable[str]]): Supported keys, signatures, and features.
    """
    return {
        "key_algs": ("RSA-2048", "RSA-3072", "EC-P256", "EC-P384"),
        "sig_algs": (
            "RSA-PKCS1-SHA256",
            "RSA-PSS-SHA256",
            "ECDSA-P256-SHA256",
        ),
        "features": ("csr", "sign_from_csr", "verify", "parse"),
        "profiles": ("scep",),
    }

create_csr async

create_csr(
    key,
    subject,
    *,
    san=None,
    extensions=None,
    sig_alg=None,
    challenge_password=None,
    output_der=False,
    opts=None,
)

Build a PKCS#10 certificate signing request.

key (KeyRef): Private key used to sign the CSR. subject (SubjectSpec): Distinguished name of the subject. san (AltNameSpec / None): Subject alternative names to include. extensions (CertExtensionSpec / None): Additional X.509 extensions. sig_alg (str / None): Signature algorithm to use. challenge_password (str / None): Challenge password embedded in the CSR. output_der (bool): If True, return DER; otherwise PEM. opts (Dict[str, Any] / None): Implementation-specific options. RETURNS (CsrBytes): The serialized CSR.

Source code in swarmauri_certservice_scep/ScepCertService.py

async def create_csr(
    self,
    key: KeyRef,
    subject: SubjectSpec,
    *,
    san: Optional[AltNameSpec] = None,
    extensions: Optional[CertExtensionSpec] = None,
    sig_alg: Optional[str] = None,
    challenge_password: Optional[str] = None,
    output_der: bool = False,
    opts: Optional[Dict[str, Any]] = None,
) -> CsrBytes:
    """Build a PKCS#10 certificate signing request.

    key (KeyRef): Private key used to sign the CSR.
    subject (SubjectSpec): Distinguished name of the subject.
    san (AltNameSpec / None): Subject alternative names to include.
    extensions (CertExtensionSpec / None): Additional X.509 extensions.
    sig_alg (str / None): Signature algorithm to use.
    challenge_password (str / None): Challenge password embedded in the CSR.
    output_der (bool): If True, return DER; otherwise PEM.
    opts (Dict[str, Any] / None): Implementation-specific options.
    RETURNS (CsrBytes): The serialized CSR.
    """
    from cryptography import x509
    from cryptography.x509.oid import NameOID
    from cryptography.hazmat.primitives import serialization, hashes

    if not key.material:
        raise ValueError("Private key material required for CSR generation")

    priv = serialization.load_pem_private_key(key.material, password=None)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject["CN"])])
    csr_builder = x509.CertificateSigningRequestBuilder().subject_name(name)

    if san:
        alt_names = [x509.DNSName(d) for d in san.get("dns", [])]
        if alt_names:
            csr_builder = csr_builder.add_extension(
                x509.SubjectAlternativeName(alt_names), critical=False
            )

    if challenge_password or self._challenge:
        cp = challenge_password or self._challenge
        csr_builder = csr_builder.add_attribute(
            x509.oid.AttributeOID.CHALLENGE_PASSWORD, cp.encode("utf-8")
        )

    csr = csr_builder.sign(priv, hashes.SHA256())
    encoding = (
        serialization.Encoding.DER if output_der else serialization.Encoding.PEM
    )
    return csr.public_bytes(encoding)

sign_cert async

sign_cert(
    csr,
    ca_key,
    *,
    issuer=None,
    ca_cert=None,
    serial=None,
    not_before=None,
    not_after=None,
    extensions=None,
    sig_alg=None,
    output_der=False,
    opts=None,
)

Submit the CSR to the SCEP server and return the issued certificate.

csr (CsrBytes): Certificate signing request to submit. ca_key (KeyRef): Unused but required by the interface. issuer (SubjectSpec / None): Ignored for SCEP. ca_cert (CertBytes / None): Optional CA certificate. serial (int / None): Preferred serial number for the certificate. not_before (int / None): Desired start of validity period (UNIX time). not_after (int / None): Desired end of validity period (UNIX time). extensions (CertExtensionSpec / None): Extra X.509 extensions. sig_alg (str / None): Signature algorithm to request. output_der (bool): If True, return DER; otherwise PEM. opts (Dict[str, Any] / None): Implementation-specific options. RETURNS (CertBytes): The certificate returned by the server.

Source code in swarmauri_certservice_scep/ScepCertService.py

async def sign_cert(
    self,
    csr: CsrBytes,
    ca_key: KeyRef,
    *,
    issuer: Optional[SubjectSpec] = None,
    ca_cert: Optional[CertBytes] = None,
    serial: Optional[int] = None,
    not_before: Optional[int] = None,
    not_after: Optional[int] = None,
    extensions: Optional[CertExtensionSpec] = None,
    sig_alg: Optional[str] = None,
    output_der: bool = False,
    opts: Optional[Dict[str, Any]] = None,
) -> CertBytes:
    """Submit the CSR to the SCEP server and return the issued certificate.

    csr (CsrBytes): Certificate signing request to submit.
    ca_key (KeyRef): Unused but required by the interface.
    issuer (SubjectSpec / None): Ignored for SCEP.
    ca_cert (CertBytes / None): Optional CA certificate.
    serial (int / None): Preferred serial number for the certificate.
    not_before (int / None): Desired start of validity period (UNIX time).
    not_after (int / None): Desired end of validity period (UNIX time).
    extensions (CertExtensionSpec / None): Extra X.509 extensions.
    sig_alg (str / None): Signature algorithm to request.
    output_der (bool): If True, return DER; otherwise PEM.
    opts (Dict[str, Any] / None): Implementation-specific options.
    RETURNS (CertBytes): The certificate returned by the server.
    """
    resp = requests.post(
        f"{self._url}/pkiclient.exe?operation=PKIOperation", data=csr
    )
    resp.raise_for_status()
    return resp.content

verify_cert async

verify_cert(
    cert,
    *,
    trust_roots=None,
    intermediates=None,
    check_time=None,
    check_revocation=False,
    opts=None,
)

Verify an X.509 certificate.

cert (CertBytes): Certificate to verify. trust_roots (Sequence[CertBytes] / None): Trusted root certificates. intermediates (Sequence[CertBytes] / None): Intermediate certificates. check_time (int / None): Verification time as UNIX timestamp. check_revocation (bool): Enable revocation checks. opts (Dict[str, Any] / None): Implementation-specific options. RETURNS (Dict[str, Any]): Verification result details.

Source code in swarmauri_certservice_scep/ScepCertService.py

async def verify_cert(
    self,
    cert: CertBytes,
    *,
    trust_roots: Optional[Sequence[CertBytes]] = None,
    intermediates: Optional[Sequence[CertBytes]] = None,
    check_time: Optional[int] = None,
    check_revocation: bool = False,
    opts: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Verify an X.509 certificate.

    cert (CertBytes): Certificate to verify.
    trust_roots (Sequence[CertBytes] / None): Trusted root certificates.
    intermediates (Sequence[CertBytes] / None): Intermediate certificates.
    check_time (int / None): Verification time as UNIX timestamp.
    check_revocation (bool): Enable revocation checks.
    opts (Dict[str, Any] / None): Implementation-specific options.
    RETURNS (Dict[str, Any]): Verification result details.
    """
    from cryptography import x509

    c = (
        x509.load_pem_x509_certificate(cert)
        if cert.strip().startswith(b"-----")
        else x509.load_der_x509_certificate(cert)
    )
    nb = int(time.mktime(c.not_valid_before.timetuple()))
    na = int(time.mktime(c.not_valid_after.timetuple()))
    return {
        "valid": True,
        "reason": None,
        "issuer": c.issuer.rfc4514_string(),
        "subject": c.subject.rfc4514_string(),
        "not_before": nb,
        "not_after": na,
        "serial": c.serial_number,
        "is_ca": any(
            ext.value.ca
            for ext in c.extensions
            if ext.oid.dotted_string == "2.5.29.19"
        ),
    }

parse_cert async

parse_cert(cert, *, include_extensions=True, opts=None)

Parse an X.509 certificate into a JSON-compatible mapping.

cert (CertBytes): Certificate to parse. include_extensions (bool): If True, include extensions. opts (Dict[str, Any] / None): Implementation-specific options. RETURNS (Dict[str, Any]): Certificate metadata.

Source code in swarmauri_certservice_scep/ScepCertService.py

async def parse_cert(
    self,
    cert: CertBytes,
    *,
    include_extensions: bool = True,
    opts: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Parse an X.509 certificate into a JSON-compatible mapping.

    cert (CertBytes): Certificate to parse.
    include_extensions (bool): If True, include extensions.
    opts (Dict[str, Any] / None): Implementation-specific options.
    RETURNS (Dict[str, Any]): Certificate metadata.
    """
    from cryptography import x509

    c = (
        x509.load_pem_x509_certificate(cert)
        if cert.strip().startswith(b"-----")
        else x509.load_der_x509_certificate(cert)
    )
    return {
        "subject": c.subject.rfc4514_string(),
        "issuer": c.issuer.rfc4514_string(),
        "serial": c.serial_number,
        "not_before": c.not_valid_before.isoformat(),
        "not_after": c.not_valid_after.isoformat(),
    }

register_model classmethod

register_model()

Decorator to register a base model in the unified registry.

RETURNS	DESCRIPTION
Callable	A decorator function that registers the model class. TYPE: Callable[[Type[BaseModel]], Type[BaseModel]]

Source code in swarmauri_base/DynamicBase.py

@classmethod
def register_model(cls) -> Callable[[Type[BaseModel]], Type[BaseModel]]:
    """
    Decorator to register a base model in the unified registry.

    Returns:
        Callable: A decorator function that registers the model class.
    """

    def decorator(model_cls: Type[BaseModel]):
        """Register ``model_cls`` as a base model."""
        model_name = model_cls.__name__
        if model_name in cls._registry:
            glogger.warning(
                "Model '%s' is already registered; skipping duplicate.", model_name
            )
            return model_cls

        cls._registry[model_name] = {"model_cls": model_cls, "subtypes": {}}
        glogger.debug("Registered base model '%s'.", model_name)
        DynamicBase._recreate_models()
        return model_cls

    return decorator

register_type classmethod

register_type(resource_type=None, type_name=None)

Decorator to register a subtype under one or more base models in the unified registry.

PARAMETER	DESCRIPTION
resource_type	The base model(s) under which to register the subtype. If None, all direct base classes (except DynamicBase) are used. TYPE: Optional[Union[Type[T], List[Type[T]]]] DEFAULT: None
type_name	An optional custom type name for the subtype. TYPE: Optional[str] DEFAULT: None

RETURNS	DESCRIPTION
Callable	A decorator function that registers the subtype. TYPE: Callable[[Type[DynamicBase]], Type[DynamicBase]]

Source code in swarmauri_base/DynamicBase.py

@classmethod
def register_type(
    cls,
    resource_type: Optional[Union[Type[T], List[Type[T]]]] = None,
    type_name: Optional[str] = None,
) -> Callable[[Type["DynamicBase"]], Type["DynamicBase"]]:
    """
    Decorator to register a subtype under one or more base models in the unified registry.

    Parameters:
        resource_type (Optional[Union[Type[T], List[Type[T]]]]):
            The base model(s) under which to register the subtype. If None, all direct base classes (except DynamicBase)
            are used.
        type_name (Optional[str]): An optional custom type name for the subtype.

    Returns:
        Callable: A decorator function that registers the subtype.
    """

    def decorator(subclass: Type["DynamicBase"]):
        """Register ``subclass`` as a subtype."""
        if resource_type is None:
            resource_types = [
                base for base in subclass.__bases__ if base is not cls
            ]
        elif not isinstance(resource_type, list):
            resource_types = [resource_type]
        else:
            resource_types = resource_type

        for rt in resource_types:
            if not issubclass(subclass, rt):
                raise TypeError(
                    f"'{subclass.__name__}' must be a subclass of '{rt.__name__}'."
                )
            final_type_name = type_name or getattr(
                subclass, "_type", subclass.__name__
            )
            base_model_name = rt.__name__

            if base_model_name not in cls._registry:
                cls._registry[base_model_name] = {"model_cls": rt, "subtypes": {}}
                glogger.debug(
                    "Created new registry entry for base model '%s'.",
                    base_model_name,
                )

            subtypes_dict = cls._registry[base_model_name]["subtypes"]
            if final_type_name in subtypes_dict:
                glogger.warning(
                    "Type '%s' already exists under '%s'; skipping duplicate.",
                    final_type_name,
                    base_model_name,
                )
                continue

            subtypes_dict[final_type_name] = subclass
            glogger.debug(
                "Registered '%s' as '%s' under '%s'.",
                subclass.__name__,
                final_type_name,
                base_model_name,
            )

        DynamicBase._recreate_models()
        return subclass

    return decorator

model_validate_toml classmethod

model_validate_toml(toml_data)

Validate a model from a TOML string.

Source code in swarmauri_base/TomlMixin.py

@classmethod
def model_validate_toml(cls, toml_data: str):
    """Validate a model from a TOML string."""
    try:
        # Parse TOML into a Python dictionary
        toml_content = tomllib.loads(toml_data)

        # Convert the dictionary to JSON and validate using Pydantic
        return cls.model_validate_json(json.dumps(toml_content))
    except tomllib.TOMLDecodeError as e:
        raise ValueError(f"Invalid TOML data: {e}")
    except ValidationError as e:
        raise ValueError(f"Validation failed: {e}")

model_dump_toml

model_dump_toml(
    fields_to_exclude=None, api_key_placeholder=None
)

Return a TOML representation of the model.

Source code in swarmauri_base/TomlMixin.py

def model_dump_toml(self, fields_to_exclude=None, api_key_placeholder=None):
    """Return a TOML representation of the model."""
    if fields_to_exclude is None:
        fields_to_exclude = []

    # Load the JSON string into a Python dictionary
    json_data = json.loads(self.model_dump_json())

    # Function to recursively remove specific keys and handle api_key placeholders
    def process_fields(data, fields_to_exclude):
        """Recursively filter fields and apply placeholders."""
        if isinstance(data, dict):
            return {
                key: (
                    api_key_placeholder
                    if key == "api_key" and api_key_placeholder is not None
                    else process_fields(value, fields_to_exclude)
                )
                for key, value in data.items()
                if key not in fields_to_exclude
            }
        elif isinstance(data, list):
            return [process_fields(item, fields_to_exclude) for item in data]
        else:
            return data

    # Filter the JSON data
    filtered_data = process_fields(json_data, fields_to_exclude)

    # Convert the filtered data into TOML
    return toml.dumps(filtered_data)

model_validate_yaml classmethod

model_validate_yaml(yaml_data)

Validate a model from a YAML string.

Source code in swarmauri_base/YamlMixin.py

@classmethod
def model_validate_yaml(cls, yaml_data: str):
    """Validate a model from a YAML string."""
    try:
        # Parse YAML into a Python dictionary
        yaml_content = yaml.safe_load(yaml_data)

        # Convert the dictionary to JSON and validate using Pydantic
        return cls.model_validate_json(json.dumps(yaml_content))
    except yaml.YAMLError as e:
        raise ValueError(f"Invalid YAML data: {e}")
    except ValidationError as e:
        raise ValueError(f"Validation failed: {e}")

model_dump_yaml

model_dump_yaml(
    fields_to_exclude=None, api_key_placeholder=None
)

Return a YAML representation of the model.

Source code in swarmauri_base/YamlMixin.py

def model_dump_yaml(self, fields_to_exclude=None, api_key_placeholder=None):
    """Return a YAML representation of the model."""
    if fields_to_exclude is None:
        fields_to_exclude = []

    # Load the JSON string into a Python dictionary
    json_data = json.loads(self.model_dump_json())

    # Function to recursively remove specific keys and handle api_key placeholders
    def process_fields(data, fields_to_exclude):
        """Recursively filter fields and apply placeholders."""
        if isinstance(data, dict):
            return {
                key: (
                    api_key_placeholder
                    if key == "api_key" and api_key_placeholder is not None
                    else process_fields(value, fields_to_exclude)
                )
                for key, value in data.items()
                if key not in fields_to_exclude
            }
        elif isinstance(data, list):
            return [process_fields(item, fields_to_exclude) for item in data]
        else:
            return data

    # Filter the JSON data
    filtered_data = process_fields(json_data, fields_to_exclude)

    # Convert the filtered data into YAML using safe mode
    return yaml.safe_dump(filtered_data, default_flow_style=False)

model_post_init

model_post_init(logger=None)

Assign a logger instance after model initialization.

Source code in swarmauri_base/LoggerMixin.py

def model_post_init(self, logger: Optional[FullUnion[LoggerBase]] = None) -> None:
    """Assign a logger instance after model initialization."""

    # Directly assign the provided FullUnion[LoggerBase] or fallback to the
    # class-level default.
    self.logger = self.logger or logger or self.default_logger

create_self_signed async

create_self_signed(*a, **kw)

Source code in swarmauri_base/certs/CertServiceBase.py

async def create_self_signed(self, *a, **kw):
    raise NotImplementedError(
        "create_self_signed() must be implemented by subclass"
    )