YubiKey-backed cipher suite for Swarmauri PIV signing and key transport

Swarmauri Cipher Suites YubiKey

YubiKeyCipherSuite models a conservative YubiKey configuration that focuses on PIV-backed signing and key transport. It exposes the algorithms commonly available on non-FIPS YubiKey models without promising token-side bulk encryption.

Features

  • Normalizes YubiKey signing (sign/verify) and key wrap (wrap/unwrap) operations.
  • Provides policy defaults for RSA-PSS and ECDSA, including default hash coupling and salt lengths.
  • Surfaces dialect metadata so crypto providers can route requests to the PIV driver (piv:<alg>), including optional slot tagging.
  • Documents token policy (allowed curves, hash functions, attestation expectations) in a single place.

Installation

pip

pip install swarmauri_cipher_suite_yubikey

uv (dependency)

uv add swarmauri_cipher_suite_yubikey

uv (environment)

uv pip install swarmauri_cipher_suite_yubikey

Usage

1. Instantiate the suite

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")

The suite accepts a friendly name so you can register multiple policy variants if you run different tokens.

2. Normalize a signing request

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite
from swarmauri_core.cipher_suites.types import KeyRef

suite = YubiKeyCipherSuite(name="piv-default")
key = KeyRef(kid="sig-slot-9c", slot="9c")
descriptor = suite.normalize(op="sign", alg="ES256", key=key)

print(descriptor["mapped"]["provider"])  # -> "piv:ES256:slot=9c"
print(descriptor["params"]["hash"])       # -> "SHA256" (defaulted)

normalize returns a dictionary with the canonical algorithm, provider identifier, defaulted parameter set, and suite policy. Crypto providers can forward these values directly to the PIV driver without re-implementing YubiKey-specific logic.

3. Wrap a key for transport

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")
transport_descriptor = suite.normalize(op="wrap")
print(transport_descriptor["mapped"]["provider"])  # -> "piv:RSA-OAEP-256"
print(transport_descriptor["params"])              # -> {"mgf1Hash": "SHA256"}

When no algorithm is supplied, the suite picks sensible defaults (ES256 for signing, RSA-OAEP-256 for key wrap) while still respecting the policy limits.

4. Inspect supported algorithms and features

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")

for op, algs in suite.supports().items():
    print(op, sorted(algs))

print(suite.features()["notes"][0])

These helpers allow orchestration layers to discover the token capabilities, render documentation, or validate client requests before invoking the hardware.
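A request gate of the kind described above, as an added example that is not part of the swarmauri package: it parses the `piv:<alg>[:slot=<xx>]` provider identifier and checks the algorithm against a `supports()`-shaped mapping before anything reaches the token. `parse_provider`, `check_request`, `SAMPLE_SUPPORTS` and the restriction to the four primary PIV slots are assumptions of this example.

```python
import re

# The four primary PIV slots: 9a authentication, 9c digital signature,
# 9d key management, 9e card authentication. Limiting requests to these
# is a policy choice of this example, not something the suite documents.
PIV_SLOTS = {"9a", "9c", "9d", "9e"}

# Constructed sample shaped like suite.supports(): operation -> algorithm names.
# Only algorithms named on this page are listed.
SAMPLE_SUPPORTS = {
    "sign": {"ES256"},
    "verify": {"ES256"},
    "wrap": {"RSA-OAEP-256"},
    "unwrap": {"RSA-OAEP-256"},
}

_PROVIDER_RE = re.compile(
    r"piv:(?P<alg>[A-Za-z0-9-]+)(?::slot=(?P<slot>[0-9a-f]{2}))?"
)


def parse_provider(provider):
    """Split 'piv:<alg>[:slot=<xx>]' into (alg, slot); raise on anything else."""
    m = _PROVIDER_RE.fullmatch(provider)
    if m is None:
        raise ValueError(f"not a PIV provider identifier: {provider!r}")
    slot = m.group("slot")
    if slot is not None and slot not in PIV_SLOTS:
        raise ValueError(f"unknown PIV slot: {slot!r}")
    return m.group("alg"), slot


def check_request(op, descriptor, supports=SAMPLE_SUPPORTS):
    """Return (alg, slot) if the descriptor may be sent to the token for op."""
    allowed = supports.get(op)
    if allowed is None:
        raise ValueError(f"operation not offered by the suite: {op!r}")
    alg, slot = parse_provider(descriptor["mapped"]["provider"])
    if alg not in allowed:
        raise ValueError(f"{alg!r} is not allowed for {op!r}")
    return alg, slot
```

In a deployment, the mapping passed as `supports` would come from `suite.supports()` and the descriptor from `suite.normalize(...)`.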

Entry Point

The suite registers under the swarmauri.cipher_suites entry point as YubiKeyCipherSuite.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Download files

Source Distribution

swarmauri_cipher_suite_yubikey-0.1.0.dev27.tar.gz (8.2 kB)

File details

Details for the file swarmauri_cipher_suite_yubikey-0.1.0.dev27.tar.gz.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey-0.1.0.dev27.tar.gz
  • Upload date:
  • Size: 8.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.3 (uv publish, Ubuntu 24.04 "noble", CI run)

File hashes

Hashes for swarmauri_cipher_suite_yubikey-0.1.0.dev27.tar.gz
Algorithm Hash digest
SHA256 a0c0ea5d2f58576d7b56b24a1ba713107f3e4d84633576bf0efbb2cfed45af28
MD5 5b5405396176b0f00786e399d62ffea3
BLAKE2b-256 b02137c24a24beb46152f20a31175a49eaeb6f69b92f972d9f7b4621b4c50b26

File details

Details for the file swarmauri_cipher_suite_yubikey-0.1.0.dev27-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey-0.1.0.dev27-py3-none-any.whl
  • Upload date:
  • Size: 9.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.3 (uv publish, Ubuntu 24.04 "noble", CI run)

File hashes

Hashes for swarmauri_cipher_suite_yubikey-0.1.0.dev27-py3-none-any.whl
Algorithm Hash digest
SHA256 bc45ec4c6f873dca574df3c9846f1e86f0d6ce4a3207e924208f2ddb1a9be2ef
MD5 281b5f2762197a6a1fc5cb49013b1fda
BLAKE2b-256 65111497ea8889d5d49349c7de85e2ccdcf1600858019a8e6c886c24ee14230d
