Skip to main content

FIPS-constrained YubiKey cipher suite for Swarmauri PIV operations

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_cipher_suite_yubikey_fips Discord

Swarmauri Cipher Suites YubiKey FIPS

YubiKeyFipsCipherSuite captures the subset of YubiKey functionality that is available on FIPS Series tokens. It excludes EdDSA, tightens hash policy, and requires slot attestation, making it a drop-in choice for regulated environments.

Features

  • Limits signing algorithms to FIPS-approved RSA-PSS and NIST P-256/P-384 ECDSA.
  • Encodes the requirement for attestation before use so orchestrators can gate slots appropriately.
  • Supplies parameter defaults for RSA-PSS (salt length, MGF1 hash) and ECDSA hashing to avoid mismatched requests.
  • Documents the FIPS policy posture and exposes a provider identifier for the PIV-backed mechanisms (piv:<alg>).

Installation

pip

pip install swarmauri_cipher_suite_yubikey_fips

uv (dependency)

uv add swarmauri_cipher_suite_yubikey_fips

uv (environment)

uv pip install swarmauri_cipher_suite_yubikey_fips

Usage

1. Instantiate the suite with a descriptive name

from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite

suite = YubiKeyFipsCipherSuite(name="piv-fips")

2. Normalize a FIPS-compliant signing request

from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite
from swarmauri_core.cipher_suites.types import KeyRef

suite = YubiKeyFipsCipherSuite(name="piv-fips")
key = KeyRef(kid="fips-slot-9a", slot="9a")
descriptor = suite.normalize(op="sign", alg="PS256", key=key)

print(descriptor["mapped"]["provider"])  # -> "piv:PS256:slot=9a"
print(descriptor["params"]["saltLen"])    # -> 32 (hash length default)

All responses include the policy metadata, making it easy to enforce controls (such as requiring attestation) at runtime.

3. Route wrap/unwrap requests

from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite

suite = YubiKeyFipsCipherSuite(name="piv-fips")
wrap_descriptor = suite.normalize(op="wrap")
unwrap_descriptor = suite.normalize(op="unwrap", alg="RSA-OAEP-256")

for d in (wrap_descriptor, unwrap_descriptor):
    assert d["mapped"]["provider"].startswith("piv:RSA-OAEP-256")

The suite guarantees that both wrap and unwrap operations stay aligned with the RSA-OAEP-256 configuration expected by PIV.

4. Discover compliance metadata

from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite

suite = YubiKeyFipsCipherSuite(name="piv-fips")
features = suite.features()
print(features["compliance"]["fips"])      # -> True
print(features["constraints"]["hashes"])   # -> ["SHA256", "SHA384"]

Use the feature description to document service capabilities or reject non-compliant requests before they hit hardware.

Entry Point

The suite registers under the swarmauri.cipher_suites entry point as YubiKeyFipsCipherSuite.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file swarmauri_cipher_suite_yubikey_fips-0.11.0.dev2.tar.gz.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey_fips-0.11.0.dev2.tar.gz
  • Upload date:
  • Size: 8.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_cipher_suite_yubikey_fips-0.11.0.dev2.tar.gz
Algorithm Hash digest
SHA256 e63a0d651c75778bf115026584570019647eac1bacef855706472f44a5bb5aef
MD5 c82050c7ce20b431c28f92cfe7d69635
BLAKE2b-256 40d02778616037bdd7541392652559fc880cfdc15a9d4c51c6e4051b962b99d0

See more details on using hashes here.

File details

Details for the file swarmauri_cipher_suite_yubikey_fips-0.11.0.dev2-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey_fips-0.11.0.dev2-py3-none-any.whl
  • Upload date:
  • Size: 9.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_cipher_suite_yubikey_fips-0.11.0.dev2-py3-none-any.whl
Algorithm Hash digest
SHA256 791247e2ede17405b46f40e7950c916a74a693decc5fb724baf2f243c9490feb
MD5 31327decae147e30816d65834ebd4427
BLAKE2b-256 b88bab9acb1082075bd1ca0c14bc24cc943b7545c39dcdd8c84b8cd88259a628

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page