Skip to main content

YubiKey-backed cipher suite for Swarmauri PIV signing and key transport

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_cipher_suite_yubikey


Swarmauri Cipher Suites YubiKey

YubiKeyCipherSuite models a conservative YubiKey configuration that focuses on PIV-backed signing and key transport. It exposes the algorithms commonly available on non-FIPS YubiKey models without promising token-side bulk encryption.

Features

  • Normalizes YubiKey signing (sign/verify) and key wrap (wrap/unwrap) operations.
  • Provides policy defaults for RSA-PSS and ECDSA, including default hash coupling and salt lengths.
  • Surfaces dialect metadata so crypto providers can route requests to the PIV driver (piv:<alg>), including optional slot tagging.
  • Documents token policy (allowed curves, hash functions, attestation expectations) in a single place.

Installation

pip

pip install swarmauri_cipher_suite_yubikey

uv (dependency)

uv add swarmauri_cipher_suite_yubikey

uv (environment)

uv pip install swarmauri_cipher_suite_yubikey

Usage

1. Instantiate the suite

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")

The suite accepts a friendly name so you can register multiple policy variants if you run different tokens.

2. Normalize a signing request

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite
from swarmauri_core.cipher_suites.types import KeyRef

suite = YubiKeyCipherSuite(name="piv-default")
key = KeyRef(kid="sig-slot-9c", slot="9c")
descriptor = suite.normalize(op="sign", alg="ES256", key=key)

print(descriptor["mapped"]["provider"])  # -> "piv:ES256:slot=9c"
print(descriptor["params"]["hash"])       # -> "SHA256" (defaulted)

normalize returns a dictionary with the canonical algorithm, provider identifier, defaulted parameter set, and suite policy. Crypto providers can forward these values directly to the PIV driver without re-implementing YubiKey-specific logic.

3. Wrap a key for transport

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")
transport_descriptor = suite.normalize(op="wrap")
print(transport_descriptor["mapped"]["provider"])  # -> "piv:RSA-OAEP-256"
print(transport_descriptor["params"])              # -> {"mgf1Hash": "SHA256"}

When no algorithm is supplied, the suite picks sensible defaults (ES256 for signing, RSA-OAEP-256 for key wrap) while still respecting the policy limits.

4. Inspect supported algorithms and features

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")

for op, algs in suite.supports().items():
    print(op, sorted(algs))

print(suite.features()["notes"][0])

These helpers allow orchestration layers to discover the token capabilities, render documentation, or validate client requests before invoking the hardware.

Entry Point

The suite registers under the swarmauri.cipher_suites entry point as YubiKeyCipherSuite.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_cipher_suite_yubikey-0.1.0.dev32.tar.gz (8.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file swarmauri_cipher_suite_yubikey-0.1.0.dev32.tar.gz.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey-0.1.0.dev32.tar.gz
  • Upload date:
  • Size: 8.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.4 {"installer":{"name":"uv","version":"0.10.4","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_cipher_suite_yubikey-0.1.0.dev32.tar.gz
Algorithm Hash digest
SHA256 e4ae3ea0fc3f65185b71d2b58a9d5b48288bd7d04d0b54e1f97785dc3bc604c4
MD5 b68d4c85c8d2836ff475258bb04d12aa
BLAKE2b-256 dd42d9ccfe26669e8603215d617a21be62b2662c2f868c64cfd6c25db6911a21

See more details on using hashes here.

File details

Details for the file swarmauri_cipher_suite_yubikey-0.1.0.dev32-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey-0.1.0.dev32-py3-none-any.whl
  • Upload date:
  • Size: 9.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.4 {"installer":{"name":"uv","version":"0.10.4","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_cipher_suite_yubikey-0.1.0.dev32-py3-none-any.whl
Algorithm Hash digest
SHA256 707a748e8ce41a5d71f5a5ca72b3d1f451a144841a37ece11bd30c016f757575
MD5 e4d327137412325fc8fda65c9eee1212
BLAKE2b-256 0efc8af556ccc2ccab203edb852d2cc5696c1bda73392714eacabf2bfb14b209

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page