
YubiKey-backed cipher suite for Swarmauri PIV signing and key transport



Swarmauri Cipher Suites YubiKey

YubiKeyCipherSuite models a conservative YubiKey configuration that focuses on PIV-backed signing and key transport. It exposes the algorithms commonly available on non-FIPS YubiKey models without promising token-side bulk encryption.

Features

  • Normalizes YubiKey signing (sign/verify) and key wrap (wrap/unwrap) operations.
  • Provides policy defaults for RSA-PSS and ECDSA, including default hash coupling and salt lengths.
  • Surfaces dialect metadata so crypto providers can route requests to the PIV driver (piv:<alg>), including optional slot tagging.
  • Documents token policy (allowed curves, hash functions, attestation expectations) in a single place.

Installation

pip

pip install swarmauri_cipher_suite_yubikey

uv (dependency)

uv add swarmauri_cipher_suite_yubikey

uv (environment)

uv pip install swarmauri_cipher_suite_yubikey

Usage

1. Instantiate the suite

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")

The suite accepts a friendly name so you can register multiple policy variants if you run different tokens.

2. Normalize a signing request

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite
from swarmauri_core.cipher_suites.types import KeyRef

suite = YubiKeyCipherSuite(name="piv-default")
key = KeyRef(kid="sig-slot-9c", slot="9c")
descriptor = suite.normalize(op="sign", alg="ES256", key=key)

print(descriptor["mapped"]["provider"])  # -> "piv:ES256:slot=9c"
print(descriptor["params"]["hash"])       # -> "SHA256" (defaulted)

normalize returns a dictionary with the canonical algorithm, provider identifier, defaulted parameter set, and suite policy. Crypto providers can forward these values directly to the PIV driver without re-implementing YubiKey-specific logic.

3. Wrap a key for transport

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")
transport_descriptor = suite.normalize(op="wrap")
print(transport_descriptor["mapped"]["provider"])  # -> "piv:RSA-OAEP-256"
print(transport_descriptor["params"])              # -> {"mgf1Hash": "SHA256"}

When no algorithm is supplied, the suite picks sensible defaults (ES256 for signing, RSA-OAEP-256 for key wrap) while still respecting the policy limits.
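A consumer of these descriptors can check the provider identifier before anything reaches the token. The sketch below is an added example, not code from swarmauri_cipher_suite_yubikey: it parses the two identifier shapes shown in steps 2 and 3 and fails closed on anything else. The grammar, the POLICY table and the names parse_provider, authorize and RouteError are assumptions made for illustration.

```python
import re

# Assumption: grammar inferred from the two identifiers shown on this page,
# "piv:ES256:slot=9c" and "piv:RSA-OAEP-256"; the real driver may accept more.
_PROVIDER_RE = re.compile(
    r"piv:(?P<alg>[A-Za-z0-9-]+)(?::slot=(?P<slot>[0-9a-f]{2}))?"
)

# Hypothetical local policy (not read from the suite): per operation, the
# allowed algorithms and the PIV slots that may serve them. In the PIV
# standard, 9c is the digital signature slot and 9d is key management.
POLICY = {
    "sign": ({"ES256"}, {"9c"}),
    "verify": ({"ES256"}, {"9c"}),
    "wrap": ({"RSA-OAEP-256"}, {"9d"}),
    "unwrap": ({"RSA-OAEP-256"}, {"9d"}),
}


class RouteError(ValueError):
    """Raised when a provider identifier must not reach the token."""


def parse_provider(provider: str) -> dict:
    """Split a provider identifier into algorithm and optional slot."""
    m = _PROVIDER_RE.fullmatch(provider)  # fullmatch: no trailing junk
    if m is None:
        raise RouteError(f"malformed provider id: {provider!r}")
    return {"alg": m["alg"], "slot": m["slot"]}


def authorize(op: str, provider: str) -> dict:
    """Fail closed unless op, algorithm and slot all match POLICY."""
    algs, slots = POLICY.get(op, (set(), set()))  # unknown op allows nothing
    route = parse_provider(provider)
    if route["alg"] not in algs:
        raise RouteError(f"{route['alg']} not allowed for {op!r}")
    if route["slot"] is not None and route["slot"] not in slots:
        raise RouteError(f"slot {route['slot']} not allowed for {op!r}")
    return {"op": op, **route}


if __name__ == "__main__":
    # Constructed inputs: the two identifiers from this page.
    print(authorize("sign", "piv:ES256:slot=9c"))
    print(authorize("wrap", "piv:RSA-OAEP-256"))
```
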

4. Inspect supported algorithms and features

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")

for op, algs in suite.supports().items():
    print(op, sorted(algs))

print(suite.features()["notes"][0])

These helpers allow orchestration layers to discover the token capabilities, render documentation, or validate client requests before invoking the hardware.

Entry Point

The suite registers under the swarmauri.cipher_suites entry point as YubiKeyCipherSuite.

Want to help?

If you want to contribute to swarmauri-sdk, read our contribution guidelines to get started.



Download files


Source Distribution

swarmauri_cipher_suite_yubikey-0.2.0.dev2.tar.gz (8.2 kB view details)

Uploaded Source

Built Distribution


File details

Details for the file swarmauri_cipher_suite_yubikey-0.2.0.dev2.tar.gz.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey-0.2.0.dev2.tar.gz
  • Upload date:
  • Size: 8.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_cipher_suite_yubikey-0.2.0.dev2.tar.gz
Algorithm Hash digest
SHA256 b2309d1d11b18d1e20b955311c8c95503fb83704ae8f0de9ac02d5b738ad430d
MD5 b139d8efa01bd12394fff59c9ca40bd2
BLAKE2b-256 9407c79bc271f860ea0c4541e453b80ebb4b0a6fe19ce2de6971591d1262547b


File details

Details for the file swarmauri_cipher_suite_yubikey-0.2.0.dev2-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey-0.2.0.dev2-py3-none-any.whl
  • Upload date:
  • Size: 9.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_cipher_suite_yubikey-0.2.0.dev2-py3-none-any.whl
Algorithm Hash digest
SHA256 4323d3bf7c2a445856f32ff4ca9fffb94efc35cea066b9ebcd2085f27873bcdc
MD5 0f446a8764ea688713a2f3361a1c5176
BLAKE2b-256 b8f06773d99a0b0b350ae1d8e0f491f4ca0a59efe9bbf9f00c65e3817051ea47
