FIPS-constrained YubiKey cipher suite for Swarmauri PIV operations
Project description
Swarmauri Cipher Suites YubiKey FIPS
YubiKeyFipsCipherSuite captures the subset of YubiKey functionality that is
available on FIPS Series tokens. It excludes EdDSA, tightens hash policy, and
requires slot attestation, making it a drop-in choice for regulated
environments.
Features
- Limits signing algorithms to FIPS-approved RSA-PSS and NIST P-256/P-384 ECDSA.
- Encodes the requirement for attestation before use so orchestrators can gate slots appropriately.
- Supplies parameter defaults for RSA-PSS (salt length, MGF1 hash) and ECDSA hashing to avoid mismatched requests.
- Documents the FIPS policy posture and exposes a provider identifier for the PIV-backed mechanisms (piv:<alg>).
Installation
pip
pip install swarmauri_cipher_suite_yubikey_fips
uv (dependency)
uv add swarmauri_cipher_suite_yubikey_fips
uv (environment)
uv pip install swarmauri_cipher_suite_yubikey_fips
Usage
1. Instantiate the suite with a descriptive name
from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite
suite = YubiKeyFipsCipherSuite(name="piv-fips")
2. Normalize a FIPS-compliant signing request
from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite
from swarmauri_core.cipher_suites.types import KeyRef
suite = YubiKeyFipsCipherSuite(name="piv-fips")
key = KeyRef(kid="fips-slot-9a", slot="9a")
descriptor = suite.normalize(op="sign", alg="PS256", key=key)
print(descriptor["mapped"]["provider"]) # -> "piv:PS256:slot=9a"
print(descriptor["params"]["saltLen"]) # -> 32 (hash length default)
All responses include the policy metadata, making it easy to enforce controls (such as requiring attestation) at runtime.
3. Route wrap/unwrap requests
from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite
suite = YubiKeyFipsCipherSuite(name="piv-fips")
wrap_descriptor = suite.normalize(op="wrap")
unwrap_descriptor = suite.normalize(op="unwrap", alg="RSA-OAEP-256")
for d in (wrap_descriptor, unwrap_descriptor):
    assert d["mapped"]["provider"].startswith("piv:RSA-OAEP-256")
The suite guarantees that both wrap and unwrap operations stay aligned with the RSA-OAEP-256 configuration expected by PIV.
4. Discover compliance metadata
from swarmauri_cipher_suite_yubikey_fips import YubiKeyFipsCipherSuite
suite = YubiKeyFipsCipherSuite(name="piv-fips")
features = suite.features()
print(features["compliance"]["fips"]) # -> True
print(features["constraints"]["hashes"]) # -> ["SHA256", "SHA384"]
Use the feature description to document service capabilities or reject non-compliant requests before they hit hardware.
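One way to reject non-compliant signing requests before they hit hardware, as an added example that is not part of the package. SAMPLE_FEATURES is constructed to mirror only the keys printed above, and check_sign_request, gate and attested_slots are hypothetical names for orchestrator-side code.

```python
# Added example, not part of swarmauri_cipher_suite_yubikey_fips.
# SAMPLE_FEATURES is constructed: it mirrors only the two keys the README
# prints from suite.features(); in a service, pass suite.features() instead.
SAMPLE_FEATURES = {
    "compliance": {"fips": True},
    "constraints": {"hashes": ["SHA256", "SHA384"]},
}

# JOSE signature names (RFC 7518) -> digest each one implies. Only RSA-PSS
# and ECDSA families are listed, matching the README; EdDSA is absent.
ALG_HASH = {
    "PS256": "SHA256", "PS384": "SHA384", "PS512": "SHA512",
    "ES256": "SHA256", "ES384": "SHA384", "ES512": "SHA512",
}


def check_sign_request(features, alg, slot, attested_slots):
    """Return a list of policy violations; an empty list means proceed.

    attested_slots is a hypothetical orchestrator-side set of PIV slots
    whose attestation has already been verified.
    """
    problems = []
    if features.get("compliance", {}).get("fips") is not True:
        problems.append("suite does not declare FIPS compliance")
    allowed_hashes = set(features.get("constraints", {}).get("hashes", []))
    digest = ALG_HASH.get(alg)
    if digest is None:
        problems.append(f"algorithm {alg!r} is not RSA-PSS or ECDSA")
    elif digest not in allowed_hashes:
        problems.append(f"{alg} needs {digest}, which the suite does not allow")
    if slot not in attested_slots:
        problems.append(f"slot {slot} has no verified attestation")
    return problems


def gate(features, alg, slot, attested_slots):
    """Raise before any hardware call if the request violates policy."""
    problems = check_sign_request(features, alg, slot, attested_slots)
    if problems:
        raise PermissionError("; ".join(problems))
    return True


if __name__ == "__main__":
    attested = {"9a"}  # constructed: slot 9a passed attestation earlier
    for alg, slot in [("PS256", "9a"), ("EdDSA", "9a"), ("ES512", "9a"), ("ES384", "9c")]:
        print(alg, slot, check_sign_request(SAMPLE_FEATURES, alg, slot, attested) or "ok")
```

Collecting every violation in one list lets the caller log the full reason for a denial instead of only the first failed check.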
Entry Point
The suite registers under the swarmauri.cipher_suites entry point as
YubiKeyFipsCipherSuite.
Want to help?
If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.
File details
Details for the file swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28.tar.gz.
File metadata
- Download URL: swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28.tar.gz
- Upload date:
- Size: 8.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.3 {"installer":{"name":"uv","version":"0.10.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 060905adb8fdeac85ad888aeb5f4c60f51d7e2f2366f458511c568cd3f21cdae |
| MD5 | 36d060a2fdb55e0788d131157b339a5a |
| BLAKE2b-256 | a8f7f1e5247e791f3e74aa875a07e034045c6a13a3c924ebfe9e0f249ad0622c |
File details
Details for the file swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28-py3-none-any.whl.
File metadata
- Download URL: swarmauri_cipher_suite_yubikey_fips-0.1.0.dev28-py3-none-any.whl
- Upload date:
- Size: 9.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.3 {"installer":{"name":"uv","version":"0.10.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 56f8d805117211183e70f6d79aee8c01bf659d96f336df2e86cab7a657ddb04b |
| MD5 | 70b0a8d60fd4cfc23eda5e9fc6c1e4d2 |
| BLAKE2b-256 | 52e51e734322b8a73dd9cad018f33ef85170e1cca639444f6f24966219ec1e92 |