Skip to content

Class swarmauri_cipher_suite_fips1403.FipsCipherSuite.FipsCipherSuite

swarmauri_cipher_suite_fips1403.FipsCipherSuite.FipsCipherSuite

Bases: CipherSuiteBase

FIPS 140-3 compliant algorithm surface.

suite_id

suite_id()
Source code in swarmauri_cipher_suite_fips1403/FipsCipherSuite.py
25
26
def suite_id(self) -> str:
    return "fips140-3"

supports

supports()
Source code in swarmauri_cipher_suite_fips1403/FipsCipherSuite.py
28
29
30
31
32
33
34
35
36
def supports(self) -> Mapping[CipherOp, Iterable[Alg]]:
    return {
        "sign": _ALLOWED_SIGN,
        "verify": _ALLOWED_SIGN,
        "encrypt": _ALLOWED_ENC,
        "decrypt": _ALLOWED_ENC,
        "wrap": _ALLOWED_WRAP,
        "unwrap": _ALLOWED_WRAP,
    }

default_alg

default_alg(op, *, for_key=None)
Source code in swarmauri_cipher_suite_fips1403/FipsCipherSuite.py
38
39
40
41
42
43
def default_alg(self, op: CipherOp, *, for_key: Optional[KeyRef] = None) -> Alg:
    return {
        "sign": "PS256",
        "encrypt": "A256GCM",
        "wrap": "RSA-OAEP-256",
    }.get(op, "A256GCM")

policy

policy()
Source code in swarmauri_cipher_suite_fips1403/FipsCipherSuite.py
45
46
47
48
49
50
51
52
def policy(self) -> Mapping[str, object]:
    return {
        "fips": True,
        "min_rsa_bits": 2048,
        "allowed_curves": ("P-256", "P-384"),
        "hashes": ("SHA256", "SHA384"),
        "aead_tag_bits": 128,
    }

features

features()
Source code in swarmauri_cipher_suite_fips1403/FipsCipherSuite.py
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
def features(self) -> Features:
    return {
        "suite": "fips140-3",
        "version": 1,
        "dialects": {
            "jwa": list(
                {
                    *self.supports()["sign"],
                    *self.supports()["encrypt"],
                    *self.supports()["wrap"],
                }
            ),
        },
        "ops": {
            "sign": {"default": "PS256", "allowed": list(_ALLOWED_SIGN)},
            "encrypt": {"default": "A256GCM", "allowed": list(_ALLOWED_ENC)},
            "wrap": {"default": "RSA-OAEP-256", "allowed": list(_ALLOWED_WRAP)},
        },
        "constraints": {
            "min_rsa_bits": 2048,
            "allowed_curves": ["P-256", "P-384"],
            "aead": {"tagBits": 128, "nonceLen": 12},
        },
        "compliance": {"fips": True},
    }

normalize

normalize(
    *, op, alg=None, key=None, params=None, dialect=None
)
Source code in swarmauri_cipher_suite_fips1403/FipsCipherSuite.py
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
def normalize(
    self,
    *,
    op: CipherOp,
    alg: Optional[Alg] = None,
    key: Optional[KeyRef] = None,
    params: Optional[ParamMapping] = None,
    dialect: Optional[str] = None,
) -> NormalizedDescriptor:
    allowed = set(self.supports().get(op, ()))
    chosen = alg or self.default_alg(op, for_key=key)
    if chosen not in allowed:
        raise ValueError(f"{chosen=} not allowed by FIPS 140-3 for {op=}")

    resolved = dict(params or {})
    if chosen.endswith("GCM"):
        resolved.setdefault("tagBits", self.policy()["aead_tag_bits"])
        resolved.setdefault("nonceLen", 12)
    if chosen.startswith("PS"):
        resolved.setdefault("saltBits", int(chosen[-3:]))
        resolved.setdefault("hash", "SHA" + chosen[-3:])
    if chosen.startswith("ES"):
        resolved.setdefault("hash", "SHA" + chosen[-3:])

    return {
        "op": op,
        "alg": chosen,
        "dialect": "jwa" if dialect is None else dialect,
        "mapped": {"jwa": chosen, "provider": chosen},
        "params": resolved,
        "constraints": {
            "minKeyBits": self.policy()["min_rsa_bits"],
            "curves": self.policy()["allowed_curves"],
            "hashes": self.policy()["hashes"],
        },
        "policy": self.policy(),
    }