YubiKey-backed cipher suite for Swarmauri PIV signing and key transport


Swarmauri Cipher Suites YubiKey

YubiKeyCipherSuite models a conservative YubiKey configuration that focuses on PIV-backed signing and key transport. It exposes the algorithms commonly available on non-FIPS YubiKey models without promising token-side bulk encryption.

Features

  • Normalizes YubiKey signing (sign/verify) and key wrap (wrap/unwrap) operations.
  • Provides policy defaults for RSA-PSS and ECDSA, including default hash coupling and salt lengths.
  • Surfaces dialect metadata so crypto providers can route requests to the PIV driver (piv:<alg>), including optional slot tagging.
  • Documents token policy (allowed curves, hash functions, attestation expectations) in a single place.

Installation

pip

pip install swarmauri_cipher_suite_yubikey

uv (dependency)

uv add swarmauri_cipher_suite_yubikey

uv (environment)

uv pip install swarmauri_cipher_suite_yubikey

Usage

1. Instantiate the suite

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")

The suite accepts a friendly name so you can register multiple policy variants if you run different tokens.

2. Normalize a signing request

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite
from swarmauri_core.cipher_suites.types import KeyRef

suite = YubiKeyCipherSuite(name="piv-default")
key = KeyRef(kid="sig-slot-9c", slot="9c")
descriptor = suite.normalize(op="sign", alg="ES256", key=key)

print(descriptor["mapped"]["provider"])  # -> "piv:ES256:slot=9c"
print(descriptor["params"]["hash"])       # -> "SHA256" (defaulted)

normalize returns a dictionary with the canonical algorithm, provider identifier, defaulted parameter set, and suite policy. Crypto providers can forward these values directly to the PIV driver without re-implementing YubiKey-specific logic.

3. Wrap a key for transport

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")
transport_descriptor = suite.normalize(op="wrap")
print(transport_descriptor["mapped"]["provider"])  # -> "piv:RSA-OAEP-256"
print(transport_descriptor["params"])              # -> {"mgf1Hash": "SHA256"}

When no algorithm is supplied, the suite picks sensible defaults (ES256 for signing, RSA-OAEP-256 for key wrap) while still respecting the policy limits.

4. Inspect supported algorithms and features

from swarmauri_cipher_suite_yubikey import YubiKeyCipherSuite

suite = YubiKeyCipherSuite(name="piv-default")

for op, algs in suite.supports().items():
    print(op, sorted(algs))

print(suite.features()["notes"][0])

These helpers allow orchestration layers to discover the token capabilities, render documentation, or validate client requests before invoking the hardware.
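An added example, not code from the swarmauri package: a gate that checks a normalized descriptor before it is routed to the PIV driver, parsing the piv:<alg>[:slot=<id>] provider string shown in steps 2 and 3. The POLICY table, check_descriptor and the sample descriptors are assumptions of this example; the descriptors are constructed in the shape the snippets above print.

```python
import re

# Assumed policy for this example (not read from the package): which algorithms
# each operation may use, and which PIV slots may serve it.
POLICY = {
    "sign":   {"algs": {"ES256"}, "slots": {"9a", "9c"}},
    "wrap":   {"algs": {"RSA-OAEP-256"}, "slots": {"9d"}},
    "unwrap": {"algs": {"RSA-OAEP-256"}, "slots": {"9d"}},
}
# piv:<alg> with an optional :slot=<two hex digits> tag, as in "piv:ES256:slot=9c"
PROVIDER_RE = re.compile(r"piv:(?P<alg>[A-Za-z0-9-]+)(?::slot=(?P<slot>[0-9a-f]{2}))?")


def check_descriptor(op, descriptor):
    """Return (alg, slot) if the descriptor may be routed to the token, else raise."""
    rule = POLICY.get(op)
    if rule is None:
        # No bulk "encrypt"/"decrypt" entry: the token is not used for that.
        raise ValueError(f"operation not allowed on token: {op!r}")
    provider = descriptor.get("mapped", {}).get("provider", "")
    m = PROVIDER_RE.fullmatch(provider)
    if m is None:
        raise ValueError(f"malformed provider id: {provider!r}")
    alg, slot = m["alg"], m["slot"]
    if alg not in rule["algs"]:
        raise ValueError(f"{alg} not allowed for {op}")
    if slot is not None and slot not in rule["slots"]:
        raise ValueError(f"slot {slot} not allowed for {op}")
    # ES256 is ECDSA with SHA-256; reject a descriptor whose hash was overridden.
    if alg == "ES256" and descriptor.get("params", {}).get("hash") != "SHA256":
        raise ValueError("ES256 requires SHA256")
    return alg, slot


# Constructed descriptors in the shape the README prints.
SIGN_OK = {"mapped": {"provider": "piv:ES256:slot=9c"}, "params": {"hash": "SHA256"}}
WRAP_OK = {"mapped": {"provider": "piv:RSA-OAEP-256"}, "params": {"mgf1Hash": "SHA256"}}
SIGN_BAD_SLOT = {"mapped": {"provider": "piv:ES256:slot=9d"}, "params": {"hash": "SHA256"}}

if __name__ == "__main__":
    print(check_descriptor("sign", SIGN_OK))
    print(check_descriptor("wrap", WRAP_OK))
    try:
        check_descriptor("sign", SIGN_BAD_SLOT)
    except ValueError as exc:
        print("rejected:", exc)
```
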

Entry Point

The suite registers under the swarmauri.cipher_suites entry point as YubiKeyCipherSuite.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Download files

Source Distribution

swarmauri_cipher_suite_yubikey-0.2.0.dev5.tar.gz (8.2 kB view details)


File details

Details for the file swarmauri_cipher_suite_yubikey-0.2.0.dev5.tar.gz.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey-0.2.0.dev5.tar.gz
  • Size: 8.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.12

File hashes

Hashes for swarmauri_cipher_suite_yubikey-0.2.0.dev5.tar.gz
Algorithm Hash digest
SHA256 65b02da3ddcf9285d87d7529d416ab26d5f6503083ef181540309df1ce35a34b
MD5 fc1202669c6bb584cbefbae9dd75879a
BLAKE2b-256 eb866490c55b498bd32f5ebfbbee7f4e33c4c2a7b3357c8aae3f35414d50871b


File details

Details for the file swarmauri_cipher_suite_yubikey-0.2.0.dev5-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey-0.2.0.dev5-py3-none-any.whl
  • Size: 9.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.12

File hashes

Hashes for swarmauri_cipher_suite_yubikey-0.2.0.dev5-py3-none-any.whl
Algorithm Hash digest
SHA256 2f44c8c68e9980863df218dc4e9f65ac4d6651e9a13048fc83d557877021fe3d
MD5 14e19ae4fcb137ef7b0649c64e36c2de
BLAKE2b-256 46d0b43f39498a7c0bfbdab7160d4e422e04a2823bf844637797f30f3a4e9300
