tigrbl_acme_ca 0.1.1.dev2__tar.gz

tigrbl_acme_ca-0.1.1.dev2/LICENSE

@@ -0,0 +1,176 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

tigrbl_acme_ca-0.1.1.dev2/PKG-INFO

@@ -0,0 +1,68 @@
+Metadata-Version: 2.4
+Name: tigrbl_acme_ca
+Version: 0.1.1.dev2
+Summary: ACME v2 CA tables for Tigrbl.
+Author-email: Jacob Stewart <jacob@swarmauri.com>
+License: Apache-2.0
+Keywords: tigrbl_acme_ca,tigrbl,experimental
+Classifier: Development Status :: 1 - Planning
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: <3.13,>=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: tigrbl>=0.3.0.dev4
+Dynamic: license-file
+
+# tigrbl_acme_ca
+
+A Tigrbl-native ACME v2 Certificate Authority implementation.
+
+## Highlights
+
+- **Tables-first** design: all I/O derives from `tables/` column specs.
+- **Canon verbs**: write flows use model-bound ops that alias to built-in Tigrbl verbs.
+- **Ops/Hooks** only use the request `ctx` and SQLAlchemy session—**no kernel atoms**.
+- **HSM/KMS-ready**: pluggable key providers (file, KMS, PKCS#11 stubs) and a signing engine.
+- **OCSP/CRL/CT**: hooks and workers to publish CRLs, answer OCSP, and submit to CT logs.
+- **Compliance**: audit/evidence hooks, redaction, and control enforcers.
+- **Telemetry**: Prometheus metrics and OpenTelemetry tracing (optional).
+
+## Layout
+
+- `tables/` — database schema (Account, Order, Authorization, Challenge, Certificate, Revocation, Nonce, etc.).
+- `app/` — AppSpec, TableSpec, ApiSpec.
+- `ops/` — ACME verbs and guards.
+- `services/` — RA/VA/CA/Revocation/Audit/Compliance/Integrations.
+- `engines/` — signing engine and session.
+- `key_mgmt/` — key provider interfaces + loader.
+- `libs/` — cert issuance logic and KMS adapter.
+- `workers/` — background tasks (validation, issuance, revocation).
+- `telemetry/` — tracing + metrics helpers.
+- `adapters/` — first-party adapters (JWS parser, HTTP negotiation).
+
+## Dev Quickstart
+
+1. Install dependencies (pseudo):  
+   ```bash
+   pip install -e .  # plus your runtime/gateway deps
+   ```
+2. Configure a dev CA key:  
+   ```toml
+   [acme.ca]
+   key_source = "file"
+   key_path = "ca.key.pem"
+   ```
+3. Wire a `signing_engine` into your gateway context:  
+   ```python
+   from tigrbl_acme_ca.engines.acme_signing import AcmeSigningEngine
+   engine = AcmeSigningEngine.from_config(app_config)
+   ctx["signing_engine"] = engine
+   ```
+4. Hit ACME endpoints: `/.well-known/acme-directory`, `/acme/new-nonce`, `/acme/new-account`, `/acme/new-order`.
+
+## License
+
+Apache License 2.0 — see `LICENSE`.

tigrbl_acme_ca-0.1.1.dev2/README.md

@@ -0,0 +1,50 @@
+# tigrbl_acme_ca
+
+A Tigrbl-native ACME v2 Certificate Authority implementation.
+
+## Highlights
+
+- **Tables-first** design: all I/O derives from `tables/` column specs.
+- **Canon verbs**: write flows use model-bound ops that alias to built-in Tigrbl verbs.
+- **Ops/Hooks** only use the request `ctx` and SQLAlchemy session—**no kernel atoms**.
+- **HSM/KMS-ready**: pluggable key providers (file, KMS, PKCS#11 stubs) and a signing engine.
+- **OCSP/CRL/CT**: hooks and workers to publish CRLs, answer OCSP, and submit to CT logs.
+- **Compliance**: audit/evidence hooks, redaction, and control enforcers.
+- **Telemetry**: Prometheus metrics and OpenTelemetry tracing (optional).
+
+## Layout
+
+- `tables/` — database schema (Account, Order, Authorization, Challenge, Certificate, Revocation, Nonce, etc.).
+- `app/` — AppSpec, TableSpec, ApiSpec.
+- `ops/` — ACME verbs and guards.
+- `services/` — RA/VA/CA/Revocation/Audit/Compliance/Integrations.
+- `engines/` — signing engine and session.
+- `key_mgmt/` — key provider interfaces + loader.
+- `libs/` — cert issuance logic and KMS adapter.
+- `workers/` — background tasks (validation, issuance, revocation).
+- `telemetry/` — tracing + metrics helpers.
+- `adapters/` — first-party adapters (JWS parser, HTTP negotiation).
+
+## Dev Quickstart
+
+1. Install dependencies (pseudo):  
+   ```bash
+   pip install -e .  # plus your runtime/gateway deps
+   ```
+2. Configure a dev CA key:  
+   ```toml
+   [acme.ca]
+   key_source = "file"
+   key_path = "ca.key.pem"
+   ```
+3. Wire a `signing_engine` into your gateway context:  
+   ```python
+   from tigrbl_acme_ca.engines.acme_signing import AcmeSigningEngine
+   engine = AcmeSigningEngine.from_config(app_config)
+   ctx["signing_engine"] = engine
+   ```
+4. Hit ACME endpoints: `/.well-known/acme-directory`, `/acme/new-nonce`, `/acme/new-account`, `/acme/new-order`.
+
+## License
+
+Apache License 2.0 — see `LICENSE`.

tigrbl_acme_ca-0.1.1.dev2/pyproject.toml

@@ -0,0 +1,38 @@
+[project]
+name = "tigrbl_acme_ca"
+version = "0.1.1.dev2"
+description = "ACME v2 CA tables for Tigrbl."
+readme = "README.md"
+requires-python = ">=3.10,<3.13"
+license = { text = "Apache-2.0" }
+authors = [{ name = "Jacob Stewart", email = "jacob@swarmauri.com" }]
+classifiers = [
+    "Development Status :: 1 - Planning",
+    "License :: OSI Approved :: Apache Software License",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+]
+keywords = ["tigrbl_acme_ca", "tigrbl", "experimental"]
+dependencies = ["tigrbl>=0.3.0.dev4"]
+
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools.packages.find]
+where = ["tigrbl_acme_ca"]
+
+[dependency-groups]
+dev = [
+  "pytest>=8.0",
+  "pytest-asyncio>=0.24.0",
+  "pytest-xdist>=3.6.1",
+  "pytest-json-report>=1.5.0",
+  "python-dotenv",
+  "requests>=2.32.3",
+  "flake8>=7.0",
+  "pytest-timeout>=2.3.1",
+  "ruff>=0.9.9",
+  "pytest-benchmark>=4.0.0",
+]

tigrbl_acme_ca-0.1.1.dev2/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

tigrbl_acme_ca-0.1.1.dev2/tests/test_smoke.py

@@ -0,0 +1,8 @@
+from pathlib import Path
+
+
+def test_package_assets_present() -> None:
+    package_dir = Path(__file__).resolve().parents[1]
+    assert (package_dir / "README.md").is_file()
+    assert (package_dir / "LICENSE").is_file()
+    assert (package_dir / "pyproject.toml").is_file()

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/adapters/jws_to_ctx.py

@@ -0,0 +1,95 @@
+from __future__ import annotations
+
+import base64
+import json
+import hashlib
+from typing import Any, Dict
+
+
+def _b64url_to_bytes(data: str) -> bytes:
+    pad = "=" * (-len(data) % 4)
+    return base64.urlsafe_b64decode(data + pad)
+
+
+def _b64url(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
+
+
+def _canonical_json(obj: Dict[str, Any]) -> bytes:
+    # RFC 7638: lexicographic, separators without spaces, ensure_ascii True
+    return json.dumps(
+        obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True
+    ).encode("ascii")
+
+
+def jwk_thumbprint(jwk: Dict[str, Any]) -> str:
+    """Compute RFC 7638 JWK thumbprint (SHA-256 of canonical JSON).
+    Supports RSA (kty/e/n) and EC (kty/crv/x/y).
+    """
+    kty = jwk.get("kty")
+    if kty == "RSA":
+        material = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
+    elif kty == "EC":
+        material = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
+    else:
+        raise ValueError("unsupported_jwk_kty")
+    digest = hashlib.sha256(_canonical_json(material)).digest()
+    return _b64url(digest)
+
+
+def parse_acme_jws_from_body(body: bytes) -> Dict[str, Any]:
+    """Parse an ACME JWS object (JSON with base64url fields) from HTTP body.
+    Returns a dict with keys: protected (str), payload (str), signature (str), header (dict).
+    This function DOES NOT verify signatures; guards/engines should perform that step if needed.
+    """
+    try:
+        obj = json.loads(body.decode("utf-8"))
+        protected = obj.get("protected")
+        payload = obj.get("payload")
+        signature = obj.get("signature")
+        if not (
+            isinstance(protected, str)
+            and isinstance(payload, str)
+            and isinstance(signature, str)
+        ):
+            raise ValueError("malformed_jws")
+        header_raw = _b64url_to_bytes(protected)
+        header = json.loads(header_raw.decode("utf-8"))
+        obj["header"] = header
+        return obj
+    except Exception as e:
+        raise ValueError(f"malformed_jws:{e}")
+
+
+def populate_ctx_from_jws(ctx: Dict[str, Any], jws: Dict[str, Any]) -> None:
+    """Populate the Tigrbl request ctx with ACME JWS fields.
+    - ctx['jws'] original object
+    - ctx['jws_header'] parsed protected header
+    - ctx['jws_payload_b64'] base64url payload (do not decode here)
+    - ctx['request_nonce'] from protected header 'nonce'
+    - ctx['account_kid'] from protected header 'kid' (if present)
+    - ctx['account_jwk'] from protected header 'jwk' (if present)
+    - ctx['request_url'] from protected header 'url' (if present)
+    - ctx['actor_account_thumbprint'] optional computed from jwk
+    """
+    header = jws.get("header") or {}
+    ctx["jws"] = jws
+    ctx["jws_header"] = header
+    ctx["jws_payload_b64"] = jws.get("payload")
+    nonce = header.get("nonce")
+    if nonce:
+        ctx["request_nonce"] = nonce
+    kid = header.get("kid")
+    jwk = header.get("jwk")
+    if kid:
+        ctx["account_kid"] = kid
+    if jwk:
+        ctx["account_jwk"] = jwk
+        try:
+            ctx["actor_account_thumbprint"] = jwk_thumbprint(jwk)
+        except Exception:
+            # ignore if unsupported/invalid
+            pass
+    url = header.get("url")
+    if url:
+        ctx["request_url"] = url

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/adapters/results_to_http.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from typing import Dict, Tuple, List
+
+
+def _get_accept(ctx) -> str:
+    hdrs = ctx.get("request_headers") or {}
+    return hdrs.get("accept") or hdrs.get("Accept") or "*/*"
+
+
+def attach_replay_nonce(ctx, value: str) -> None:
+    try:
+        headers = ctx.response_headers()
+        headers["Replay-Nonce"] = value
+    except Exception:
+        pass
+
+
+def negotiate_cert_response(
+    ctx, pem: str, chain: List[str] | None = None
+) -> Tuple[int, Dict[str, str], bytes]:
+    """Negotiate certificate download format based on Accept header.
+    application/pem-certificate-chain: full chain as concatenated PEMs
+    application/pem-certificate: leaf only
+    */*: default to leaf only
+    Returns: (status_code, headers, body_bytes)
+    """
+    accept = _get_accept(ctx).lower()
+    headers: Dict[str, str] = {}
+    if "application/pem-certificate-chain" in accept and chain:
+        body = ("\n".join(chain)).encode("utf-8")
+        headers["Content-Type"] = "application/pem-certificate-chain"
+        return 200, headers, body
+    # default: leaf certificate
+    body = pem.encode("utf-8")
+    headers["Content-Type"] = "application/pem-certificate"
+    return 200, headers, body

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/app/api_spec.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+
+API_ROUTES = [
+    {
+        "method": "GET",
+        "path": "/.well-known/acme-directory",
+        "handler": "schema.directory_extra:build_directory",
+    },
+    {"method": "HEAD", "path": "/acme/new-nonce", "handler": "tables.Nonce:new_nonce"},
+    {"method": "GET", "path": "/acme/new-nonce", "handler": "tables.Nonce:new_nonce"},
+    {
+        "method": "POST",
+        "path": "/acme/new-account",
+        "handler": "tables.Account:new_account",
+    },
+    {"method": "POST", "path": "/acme/new-order", "handler": "tables.Order:new_order"},
+]

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/app/app_spec.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+
+
+class AcmeCaAppSpec:
+    name = "tigrbl_acme_ca"
+    version = "0.1.0"
+
+    def load_tables(self):
+        from tigrbl_acme_ca.app.table_spec import TABLES
+
+        _ = [t for t in TABLES]
+        return TABLES
+
+    def load_api(self):
+        from tigrbl_acme_ca.app.api_spec import API_ROUTES
+
+        return API_ROUTES

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/app/table_spec.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+from tigrbl_acme_ca.tables.accounts import Account
+from tigrbl_acme_ca.tables.orders import Order
+from tigrbl_acme_ca.tables.authorizations import Authorization
+from tigrbl_acme_ca.tables.challenges import Challenge
+from tigrbl_acme_ca.tables.certificates import Certificate
+from tigrbl_acme_ca.tables.revocations import Revocation
+from tigrbl_acme_ca.tables.nonces import Nonce
+from tigrbl_acme_ca.tables.audit_events import AuditEvent
+from tigrbl_acme_ca.tables.external_account_bindings import ExternalAccountBinding
+from tigrbl_acme_ca.tables.tos_agreements import TosAgreement
+
+TABLES = [
+    Account,
+    Order,
+    Authorization,
+    Challenge,
+    Certificate,
+    Revocation,
+    Nonce,
+    AuditEvent,
+    ExternalAccountBinding,
+    TosAgreement,
+]

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/domain/errors.py

@@ -0,0 +1,5 @@
+from __future__ import annotations
+
+
+class DomainError(Exception):
+    pass

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/domain/models.py

@@ -0,0 +1,24 @@
+from __future__ import annotations
+from enum import Enum
+
+
+class OrderStatus(str, Enum):
+    pending = "pending"
+    ready = "ready"
+    processing = "processing"
+    valid = "valid"
+    invalid = "invalid"
+
+
+class AuthorizationStatus(str, Enum):
+    pending = "pending"
+    valid = "valid"
+    invalid = "invalid"
+    expired = "expired"
+
+
+class ChallengeStatus(str, Enum):
+    pending = "pending"
+    processing = "processing"
+    valid = "valid"
+    invalid = "invalid"

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/engines/acme_signing/__init__.py

@@ -0,0 +1,4 @@
+from .engine import AcmeSigningEngine
+from .session import AcmeSigningSession
+
+__all__ = ["AcmeSigningEngine", "AcmeSigningSession"]

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/engines/acme_signing/engine.py

@@ -0,0 +1,54 @@
+from __future__ import annotations
+from dataclasses import dataclass
+from datetime import datetime, timedelta, timezone
+from typing import Any, Dict, List
+
+from tigrbl_acme_ca.libs.sw_cert_service import CertService, IssueResult
+from tigrbl_acme_ca.key_mgmt.ca_key_loader import CaKeyLoader
+
+
+@dataclass
+class AcmeSigningEngine:
+    """Thin engine that issues end-entity certificates for ACME Orders.
+
+    It delegates to a CertService (which may use cryptography or a backend)
+    and a CaKeyLoader (which provides the issuing CA key material or adapter).
+    """
+
+    cert_service: CertService
+    key_loader: CaKeyLoader
+    default_validity_days: int = 90
+
+    @classmethod
+    def from_config(cls, config: dict) -> "AcmeSigningEngine":
+        service = CertService.from_config(config or {})
+        loader = CaKeyLoader.from_config(config or {})
+        return cls(
+            cert_service=service,
+            key_loader=loader,
+            default_validity_days=int((config or {}).get("acme.validity_days", 90)),
+        )
+
+    async def issue_certificate(
+        self, *, csr_der: bytes, sans: List[str]
+    ) -> Dict[str, Any]:
+        now = datetime.now(timezone.utc)
+        not_before = now
+        not_after = now + timedelta(days=self.default_validity_days)
+
+        issuer = (
+            await self.key_loader.load_issuer_key()
+        )  # may be a cryptography key or adapter
+        issued: IssueResult = await self.cert_service.issue_certificate(
+            csr_der=csr_der,
+            sans=sans,
+            issuer_key=issuer,
+            not_before=not_before,
+            not_after=not_after,
+        )
+        return {
+            "pem": issued.pem,
+            "serial_hex": issued.serial_hex,
+            "not_before": issued.not_before,
+            "not_after": issued.not_after,
+        }

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/engines/acme_signing/session.py

@@ -0,0 +1,17 @@
+from __future__ import annotations
+from dataclasses import dataclass
+from typing import Any, Dict, List
+
+from tigrbl_acme_ca.engines.acme_signing.engine import AcmeSigningEngine
+
+
+@dataclass
+class AcmeSigningSession:
+    """Optional per-request session wrapper around the engine."""
+
+    engine: AcmeSigningEngine
+
+    async def issue_certificate(
+        self, *, csr_der: bytes, sans: List[str]
+    ) -> Dict[str, Any]:
+        return await self.engine.issue_certificate(csr_der=csr_der, sans=sans)

tigrbl_acme_ca-0.1.1.dev2/tigrbl_acme_ca/key_mgmt/__init__.py

@@ -0,0 +1,10 @@
+from .ca_key_loader import CaKeyLoader
+from .providers import FileKeyProvider, KeyProvider, KmsKeyProvider, Pkcs11KeyProvider
+
+__all__ = [
+    "CaKeyLoader",
+    "FileKeyProvider",
+    "KeyProvider",
+    "KmsKeyProvider",
+    "Pkcs11KeyProvider",
+]