Skip to main content

FIPS-constrained YubiKey cipher suite for Swarmauri PIV operations

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_cipher_suite_yubikey_fips


Swarmauri Cipher Suites YubiKey FIPS

YubiKeyFipsCipherSuite captures the subset of YubiKey functionality that is available on FIPS Series tokens. It excludes EdDSA, tightens hash policy, and requires slot attestation, making it a drop-in choice for regulated environments.

Features

  • Limits signing algorithms to FIPS-approved RSA-PSS and NIST P-256/P-384 ECDSA.
  • Encodes the requirement for attestation before use so orchestrators can gate slots appropriately.
  • Supplies parameter defaults for RSA-PSS (salt length, MGF1 hash) and ECDSA hashing to avoid mismatched requests.
  • Documents the FIPS policy posture and exposes a provider identifier for the PIV-backed mechanisms (piv:<alg>).

Installation

pip

pip install swarmauri_cipher_suite_yubikey_fips

uv (dependency)

uv add swarmauri_cipher_suite_yubikey_fips

uv (environment)

uv pip install swarmauri_cipher_suite_yubikey_fips

Usage

1. Instantiate the suite with a descriptive name

from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite

suite = YubiKeyFipsCipherSuite(name="piv-fips")

2. Normalize a FIPS-compliant signing request

from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite
from swarmauri_core.cipher_suites.types import KeyRef

suite = YubiKeyFipsCipherSuite(name="piv-fips")
key = KeyRef(kid="fips-slot-9a", slot="9a")
descriptor = suite.normalize(op="sign", alg="PS256", key=key)

print(descriptor["mapped"]["provider"])  # -> "piv:PS256:slot=9a"
print(descriptor["params"]["saltLen"])    # -> 32 (hash length default)

All responses include the policy metadata, making it easy to enforce controls (such as requiring attestation) at runtime.

3. Route wrap/unwrap requests

from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite

suite = YubiKeyFipsCipherSuite(name="piv-fips")
wrap_descriptor = suite.normalize(op="wrap")
unwrap_descriptor = suite.normalize(op="unwrap", alg="RSA-OAEP-256")

for d in (wrap_descriptor, unwrap_descriptor):
    assert d["mapped"]["provider"].startswith("piv:RSA-OAEP-256")

The suite guarantees that both wrap and unwrap operations stay aligned with the RSA-OAEP-256 configuration expected by PIV.

4. Discover compliance metadata

from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite

suite = YubiKeyFipsCipherSuite(name="piv-fips")
features = suite.features()
print(features["compliance"]["fips"])      # -> True
print(features["constraints"]["hashes"])   # -> ["SHA256", "SHA384"]

Use the feature description to document service capabilities or reject non-compliant requests before they hit hardware.

Entry Point

The suite registers under the swarmauri.cipher_suites entry point as YubiKeyFipsCipherSuite.

Want to help?

If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28.tar.gz.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28.tar.gz
  • Upload date:
  • Size: 8.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.3 {"installer":{"name":"uv","version":"0.10.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28.tar.gz
Algorithm Hash digest
SHA256 060905adb8fdeac85ad888aeb5f4c60f51d7e2f2366f458511c568cd3f21cdae
MD5 36d060a2fdb55e0788d131157b339a5a
BLAKE2b-256 a8f7f1e5247e791f3e74aa875a07e034045c6a13a3c924ebfe9e0f249ad0622c

See more details on using hashes here.

File details

Details for the file swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28-py3-none-any.whl
  • Upload date:
  • Size: 9.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.10.3 {"installer":{"name":"uv","version":"0.10.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28-py3-none-any.whl
Algorithm Hash digest
SHA256 56f8d805117211183e70f6d79aee8c01bf659d96f336df2e86cab7a657ddb04b
MD5 70b0a8d60fd4cfc23eda5e9fc6c1e4d2
BLAKE2b-256 52e51e734322b8a73dd9cad018f33ef85170e1cca639444f6f24966219ec1e92

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page