provide-foundation 0.0.0.dev0__py3-none-any.whl → 0.0.0.dev2__py3-none-any.whl

provide/foundation/crypto/certificates/loader.py

@@ -0,0 +1,130 @@
+"""Certificate loading utilities."""
+
+from datetime import UTC
+import os
+from pathlib import Path
+import traceback
+
+try:
+    from cryptography import x509
+    from cryptography.hazmat.primitives import serialization
+    from cryptography.hazmat.primitives.asymmetric import ec, rsa
+    from cryptography.hazmat.primitives.serialization import load_pem_private_key
+    
+    _HAS_CRYPTO = True
+except ImportError:
+    x509 = None
+    serialization = None
+    ec = None
+    rsa = None
+    load_pem_private_key = None
+    _HAS_CRYPTO = False
+
+from provide.foundation import logger
+from provide.foundation.crypto.certificates.base import CertificateBase, CertificateError
+
+
+def load_from_uri_or_pem(data: str) -> str:
+    """Load PEM data either directly from a string or from a file URI."""
+    try:
+        if data.startswith("file://"):
+            path_str = data.removeprefix("file://")
+            if os.name == "nt" and path_str.startswith("//"):
+                path = Path(path_str)
+            else:
+                path_str = path_str.lstrip("/")
+                if os.name != "nt" and data.startswith("file:///"):
+                    path_str = "/" + path_str
+                path = Path(path_str)
+
+            logger.debug(f"📜📂🚀 Loading data from file: {path}")
+            with path.open("r", encoding="utf-8") as f:
+                loaded_data = f.read().strip()
+            logger.debug("📜📂✅ Loaded data from file")
+            return loaded_data
+
+        loaded_data = data.strip()
+        if not loaded_data.startswith("-----BEGIN"):
+            logger.warning("📜📂⚠️ Data doesn't look like PEM format")
+        return loaded_data
+    except Exception as e:
+        logger.error(f"📜📂❌ Failed to load data: {e}", extra={"error": str(e)})
+        raise CertificateError(f"Failed to load data: {e}") from e
+
+
+def load_certificate_from_pem(
+    cert_pem_or_uri: str, 
+    key_pem_or_uri: str | None = None
+) -> tuple[CertificateBase, "x509.Certificate", "rsa.RSAPrivateKey | ec.EllipticCurvePrivateKey | None", str, str | None]:
+    """
+    Load a certificate and optionally its private key from PEM data or file URIs.
+    
+    Returns:
+        Tuple of (CertificateBase, X509Certificate, private_key, cert_pem, key_pem)
+    """
+    try:
+        logger.debug("📜🔑🚀 Loading certificate from provided data")
+        cert_data = load_from_uri_or_pem(cert_pem_or_uri)
+        
+        logger.debug("📜🔑🔍 Loading X.509 certificate from PEM data")
+        x509_cert = x509.load_pem_x509_certificate(cert_data.encode("utf-8"))
+        logger.debug("📜🔑✅ X.509 certificate object loaded from PEM")
+        
+        private_key = None
+        key_data = None
+        
+        if key_pem_or_uri:
+            logger.debug("📜🔑🚀 Loading private key")
+            key_data = load_from_uri_or_pem(key_pem_or_uri)
+            
+            loaded_priv_key = load_pem_private_key(
+                key_data.encode("utf-8"), password=None
+            )
+            if not isinstance(
+                loaded_priv_key,
+                rsa.RSAPrivateKey | ec.EllipticCurvePrivateKey,
+            ):
+                raise CertificateError(
+                    f"Loaded private key is of unsupported type: {type(loaded_priv_key)}. "
+                    "Expected RSA or ECDSA private key."
+                )
+            private_key = loaded_priv_key
+            logger.debug("📜🔑✅ Private key object loaded and type validated")
+        
+        # Extract certificate details for CertificateBase
+        loaded_not_valid_before = x509_cert.not_valid_before_utc
+        loaded_not_valid_after = x509_cert.not_valid_after_utc
+        if loaded_not_valid_before.tzinfo is None:
+            loaded_not_valid_before = loaded_not_valid_before.replace(tzinfo=UTC)
+        if loaded_not_valid_after.tzinfo is None:
+            loaded_not_valid_after = loaded_not_valid_after.replace(tzinfo=UTC)
+        
+        cert_public_key = x509_cert.public_key()
+        if not isinstance(
+            cert_public_key, rsa.RSAPublicKey | ec.EllipticCurvePublicKey
+        ):
+            raise CertificateError(
+                f"Certificate's public key is of unsupported type: {type(cert_public_key)}. "
+                "Expected RSA or ECDSA public key."
+            )
+        
+        base = CertificateBase(
+            subject=x509_cert.subject,
+            issuer=x509_cert.issuer,
+            public_key=cert_public_key,
+            not_valid_before=loaded_not_valid_before,
+            not_valid_after=loaded_not_valid_after,
+            serial_number=x509_cert.serial_number,
+        )
+        logger.debug("📜🔑✅ Reconstructed CertificateBase from loaded cert")
+        
+        return base, x509_cert, private_key, cert_data, key_data
+        
+    except Exception as e:
+        logger.error(
+            f"📜❌ Failed to load certificate. Error: {type(e).__name__}: {e}",
+            extra={"error": str(e), "trace": traceback.format_exc()},
+        )
+        raise CertificateError(
+            f"Failed to initialize certificate. Original error: {type(e).__name__}"
+        ) from e

provide/foundation/crypto/certificates/operations.py

@@ -0,0 +1,198 @@
+"""Certificate operations: CA creation, signing, and trust verification."""
+
+import traceback
+from typing import cast
+
+try:
+    from cryptography import x509
+    from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
+    from cryptography.x509 import Certificate as X509Certificate
+    from cryptography.x509.oid import ExtendedKeyUsageOID
+
+    _HAS_CRYPTO = True
+except ImportError:
+    # Stub out cryptography types for type hints
+    x509 = None
+    hashes = None
+    serialization = None
+    ec = None
+    padding = None
+    rsa = None
+    X509Certificate = None
+    ExtendedKeyUsageOID = None
+    _HAS_CRYPTO = False
+
+from provide.foundation import logger
+from provide.foundation.crypto.constants import (
+    DEFAULT_CERTIFICATE_CURVE,
+    DEFAULT_CERTIFICATE_KEY_TYPE,
+    DEFAULT_CERTIFICATE_VALIDITY_DAYS,
+    DEFAULT_RSA_KEY_SIZE,
+)
+from provide.foundation.crypto.certificates.base import CertificateBase, CertificateError, KeyPair, PublicKey
+
+
+def create_x509_certificate(
+    base: CertificateBase,
+    private_key: "KeyPair",
+    alt_names: list[str] | None = None,
+    issuer_name_override: "x509.Name | None" = None,
+    signing_key_override: "KeyPair | None" = None,
+    is_ca: bool = False,
+    is_client_cert: bool = False,
+) -> "X509Certificate":
+    """Internal helper to build and sign the X.509 certificate object."""
+    try:
+        logger.debug("📜📝🚀 create_x509_certificate: Building certificate")
+
+        actual_issuer_name = issuer_name_override if issuer_name_override else base.issuer
+        actual_signing_key = signing_key_override if signing_key_override else private_key
+
+        if not actual_signing_key:
+            raise CertificateError(
+                "Cannot sign certificate without a signing key (either own or override)"
+            )
+
+        builder = (
+            x509.CertificateBuilder()
+            .subject_name(base.subject)
+            .issuer_name(actual_issuer_name)
+            .public_key(base.public_key)
+            .serial_number(base.serial_number)
+            .not_valid_before(base.not_valid_before)
+            .not_valid_after(base.not_valid_after)
+        )
+
+        san_list = [x509.DNSName(name) for name in (alt_names or []) if name]
+        if san_list:
+            builder = builder.add_extension(
+                x509.SubjectAlternativeName(san_list), critical=False
+            )
+            logger.debug(f"📜📝✅ Added SANs: {alt_names or []}")
+
+        builder = builder.add_extension(
+            x509.BasicConstraints(ca=is_ca, path_length=None),
+            critical=True,
+        )
+
+        if is_ca:
+            builder = builder.add_extension(
+                x509.KeyUsage(
+                    digital_signature=False,
+                    key_encipherment=False,
+                    key_agreement=False,
+                    content_commitment=False,
+                    data_encipherment=False,
+                    key_cert_sign=True,
+                    crl_sign=True,
+                    encipher_only=False,
+                    decipher_only=False,
+                ),
+                critical=True,
+            )
+        else:
+            builder = builder.add_extension(
+                x509.KeyUsage(
+                    digital_signature=True,
+                    key_encipherment=(
+                        True
+                        if not is_client_cert
+                        and isinstance(base.public_key, rsa.RSAPublicKey)
+                        else False
+                    ),
+                    key_agreement=(
+                        True
+                        if isinstance(base.public_key, ec.EllipticCurvePublicKey)
+                        else False
+                    ),
+                    content_commitment=False,
+                    data_encipherment=False,
+                    key_cert_sign=False,
+                    crl_sign=False,
+                    encipher_only=False,
+                    decipher_only=False,
+                ),
+                critical=True,
+            )
+            extended_usages = []
+            if is_client_cert:
+                extended_usages.append(ExtendedKeyUsageOID.CLIENT_AUTH)
+            else:
+                extended_usages.append(ExtendedKeyUsageOID.SERVER_AUTH)
+
+            if extended_usages:
+                builder = builder.add_extension(
+                    x509.ExtendedKeyUsage(extended_usages),
+                    critical=False,
+                )
+
+        logger.debug(
+            f"📜📝✅ Added BasicConstraints (is_ca={is_ca}), "
+            f"KeyUsage, ExtendedKeyUsage (is_client_cert={is_client_cert})"
+        )
+
+        signed_cert = builder.sign(
+            private_key=actual_signing_key,
+            algorithm=hashes.SHA256(),
+        )
+        logger.debug("📜📝✅ Certificate signed successfully")
+        return signed_cert
+
+    except Exception as e:
+        logger.error(
+            f"📜❌ create_x509_certificate: Failed: {e}",
+            extra={"error": str(e), "trace": traceback.format_exc()},
+        )
+        raise CertificateError("Failed to create X.509 certificate object") from e
+
+
+def validate_signature(signed_cert_obj: "X509Certificate", signing_cert_obj: "X509Certificate", signing_public_key: "PublicKey") -> bool:
+    """Internal helper: Validates signature and issuer/subject match."""
+    if signed_cert_obj.issuer != signing_cert_obj.subject:
+        logger.debug(
+            f"📜🔍❌ Signature validation failed: Issuer/Subject mismatch. "
+            f"Signed Issuer='{signed_cert_obj.issuer}', "
+            f"Signing Subject='{signing_cert_obj.subject}'"
+        )
+        return False
+
+    try:
+        if not signing_public_key:
+            logger.error(
+                "📜🔍❌ Cannot validate signature: Signing certificate has no public key"
+            )
+            return False
+
+        signature = signed_cert_obj.signature
+        tbs_certificate_bytes = signed_cert_obj.tbs_certificate_bytes
+        signature_hash_algorithm = signed_cert_obj.signature_hash_algorithm
+
+        if not signature_hash_algorithm:
+            logger.error("📜🔍❌ Cannot validate signature: Unknown hash algorithm")
+            return False
+
+        if isinstance(signing_public_key, rsa.RSAPublicKey):
+            cast(rsa.RSAPublicKey, signing_public_key).verify(
+                signature,
+                tbs_certificate_bytes,
+                padding.PKCS1v15(),
+                signature_hash_algorithm,
+            )
+        elif isinstance(signing_public_key, ec.EllipticCurvePublicKey):
+            cast(ec.EllipticCurvePublicKey, signing_public_key).verify(
+                signature,
+                tbs_certificate_bytes,
+                ec.ECDSA(signature_hash_algorithm),
+            )
+        else:
+            logger.error(
+                f"📜🔍❌ Unsupported signing public key type: {type(signing_public_key)}"
+            )
+            return False
+
+        return True
+
+    except Exception as e:
+        logger.debug(f"📜🔍❌ Signature validation failed: {type(e).__name__}: {e}")
+        return False

provide/foundation/crypto/certificates/trust.py

@@ -0,0 +1,107 @@
+"""Certificate trust chain and verification utilities."""
+
+try:
+    from cryptography import x509
+    from cryptography.hazmat.primitives.asymmetric import ec, rsa
+    
+    _HAS_CRYPTO = True
+except ImportError:
+    x509 = None
+    ec = None
+    rsa = None
+    _HAS_CRYPTO = False
+
+from provide.foundation import logger
+from provide.foundation.crypto.certificates.base import CertificateError
+from provide.foundation.crypto.certificates.operations import validate_signature
+
+
+def verify_trust(
+    cert: "Certificate",
+    other_cert: "Certificate",
+    trust_chain: list["Certificate"],
+) -> bool:
+    """
+    Verifies if the other_cert is trusted based on this certificate's trust chain.
+    
+    Args:
+        cert: The certificate doing the verification
+        other_cert: The certificate to verify
+        trust_chain: List of trusted certificates
+        
+    Returns:
+        True if the certificate is trusted, False otherwise
+    """
+    if other_cert is None:
+        raise CertificateError("Cannot verify trust: other_cert is None")
+    
+    logger.debug(
+        f"📜🔍🚀 Verifying trust for cert S/N {other_cert.serial_number} "
+        f"against chain of S/N {cert.serial_number}"
+    )
+    
+    if not other_cert.is_valid:
+        logger.debug(
+            "📜🔍⚠️ Trust verification failed: Other certificate is not valid"
+        )
+        return False
+    if not other_cert.public_key:
+        raise CertificateError(
+            "Cannot verify trust: Other certificate has no public key"
+        )
+    
+    if cert == other_cert:
+        logger.debug(
+            "📜🔍✅ Trust verified: Certificates are identical (based on subject/serial)"
+        )
+        return True
+    
+    if other_cert in trust_chain:
+        logger.debug(
+            "📜🔍✅ Trust verified: Other certificate found in trust chain"
+        )
+        return True
+    
+    for trusted_cert in trust_chain:
+        logger.debug(
+            f"📜🔍🔁 Checking signature against trusted cert S/N {trusted_cert.serial_number}"
+        )
+        if validate_signature_wrapper(
+            signed_cert=other_cert, signing_cert=trusted_cert
+        ):
+            logger.debug(
+                f"📜🔍✅ Trust verified: Other cert signed by trusted cert S/N "
+                f"{trusted_cert.serial_number}"
+            )
+            return True
+    
+    logger.debug(
+        "📜🔍❌ Trust verification failed: Other certificate not identical, "
+        "not in chain, and not signed by any cert in chain"
+    )
+    return False
+
+
+def validate_signature_wrapper(
+    signed_cert: "Certificate", 
+    signing_cert: "Certificate"
+) -> bool:
+    """
+    Internal helper: Validates signature and issuer/subject match.
+    
+    Args:
+        signed_cert: The certificate that was signed
+        signing_cert: The certificate that did the signing
+        
+    Returns:
+        True if signature is valid, False otherwise
+    """
+    if not hasattr(signed_cert, "_cert") or not hasattr(signing_cert, "_cert"):
+        logger.error(
+            "📜🔍❌ Cannot validate signature: Certificate object(s) not initialized"
+        )
+        return False
+    
+    return validate_signature(
+        signed_cert._cert, signing_cert._cert, signing_cert.public_key
+    )

provide/foundation/errors/__init__.py

@@ -6,6 +6,8 @@ and utilities for robust error handling throughout the application.
 """
 
 from provide.foundation.errors.auth import AuthenticationError, AuthorizationError
+# Re-export from resilience module for compatibility
+from provide.foundation.resilience.decorators import retry as retry_on_error
 from provide.foundation.errors.base import FoundationError
 from provide.foundation.errors.config import (
     ConfigurationError,
@@ -20,7 +22,6 @@ from provide.foundation.errors.context import (
 )
 from provide.foundation.errors.decorators import (
     fallback_on_error,
-    retry_on_error,
     suppress_and_log,
     with_error_handling,
 )
@@ -50,7 +51,6 @@ from provide.foundation.errors.safe_decorators import log_only_error_context
 from provide.foundation.errors.types import (
     ErrorCode,
     ErrorMetadata,
-    RetryPolicy,
 )
 
 __all__ = [
@@ -77,7 +77,6 @@ __all__ = [
     "ProcessError",
     "ProcessTimeoutError",
     "ResourceError",
-    "RetryPolicy",
     "RuntimeError",
     "StateError",
     "TimeoutError",