YubiKey-backed cipher suite for Swarmauri PIV signing and key transport
Project description
Swarmauri Cipher Suites YubiKey
YubiKeyCipherSuite models a conservative YubiKey configuration that focuses on
PIV-backed signing and key transport. It exposes the algorithms commonly
available on non-FIPS YubiKey models without promising token-side bulk
encryption.
Features
- Normalizes YubiKey signing (
sign/verify) and key wrap (wrap/unwrap) operations. - Provides policy defaults for RSA-PSS and ECDSA, including default hash coupling and salt lengths.
- Surfaces dialect metadata so crypto providers can route requests to the PIV
driver (
piv:<alg>), including optional slot tagging. - Documents token policy (allowed curves, hash functions, attestation expectations) in a single place.
Installation
pip
pip install swarmauri_cipher_suite_yubikey
uv (dependency)
uv add swarmauri_cipher_suite_yubikey
uv (environment)
uv pip install swarmauri_cipher_suite_yubikey
Usage
1. Instantiate the suite
from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite
suite = YubiKeyCipherSuite(name="piv-default")
The suite accepts a friendly name so you can register multiple policy variants if you run different tokens.
2. Normalize a signing request
from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite
from swarmauri_core.cipher_suites.types import KeyRef
suite = YubiKeyCipherSuite(name="piv-default")
key = KeyRef(kid="sig-slot-9c", slot="9c")
descriptor = suite.normalize(op="sign", alg="ES256", key=key)
print(descriptor["mapped"]["provider"]) # -> "piv:ES256:slot=9c"
print(descriptor["params"]["hash"]) # -> "SHA256" (defaulted)
normalize returns a dictionary with the canonical algorithm, provider
identifier, defaulted parameter set, and suite policy. Crypto providers can
forward these values directly to the PIV driver without re-implementing
YubiKey-specific logic.
3. Wrap a key for transport
from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite
suite = YubiKeyCipherSuite(name="piv-default")
transport_descriptor = suite.normalize(op="wrap")
print(transport_descriptor["mapped"]["provider"]) # -> "piv:RSA-OAEP-256"
print(transport_descriptor["params"]) # -> {"mgf1Hash": "SHA256"}
When no algorithm is supplied, the suite picks sensible defaults (ES256 for
signing, RSA-OAEP-256 for key wrap) while still respecting the policy limits.
4. Inspect supported algorithms and features
from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite
suite = YubiKeyCipherSuite(name="piv-default")
for op, algs in suite.supports().items():
print(op, sorted(algs))
print(suite.features()["notes"][0])
These helpers allow orchestration layers to discover the token capabilities, render documentation, or validate client requests before invoking the hardware.
Entry Point
The suite registers under the swarmauri.cipher_suites entry point as
YubiKeyCipherSuite.
Want to help?
If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file swarmauri_cipher_suite_yubikey-0.2.0.dev5.tar.gz.
File metadata
- Download URL: swarmauri_cipher_suite_yubikey-0.2.0.dev5.tar.gz
- Upload date:
- Size: 8.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
65b02da3ddcf9285d87d7529d416ab26d5f6503083ef181540309df1ce35a34b
|
|
| MD5 |
fc1202669c6bb584cbefbae9dd75879a
|
|
| BLAKE2b-256 |
eb866490c55b498bd32f5ebfbbee7f4e33c4c2a7b3357c8aae3f35414d50871b
|
File details
Details for the file swarmauri_cipher_suite_yubikey-0.2.0.dev5-py3-none-any.whl.
File metadata
- Download URL: swarmauri_cipher_suite_yubikey-0.2.0.dev5-py3-none-any.whl
- Upload date:
- Size: 9.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.12 {"installer":{"name":"uv","version":"0.10.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2f44c8c68e9980863df218dc4e9f65ac4d6651e9a13048fc83d557877021fe3d
|
|
| MD5 |
14e19ae4fcb137ef7b0649c64e36c2de
|
|
| BLAKE2b-256 |
46d0b43f39498a7c0bfbdab7160d4e422e04a2823bf844637797f30f3a4e9300
|