Class swarmauri_cipher_suite_pep458.Pep458CipherSuite.Pep458CipherSuite

swarmauri_cipher_suite_pep458.Pep458CipherSuite.Pep458CipherSuite

Bases: CipherSuiteBase

Metadata policy and algorithm registry for PEP 458 repositories.

suite_id

suite_id()

Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py

def suite_id(self) -> str:
    return "pep458"

supports

supports()

Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py

def supports(self) -> Mapping[CipherOp, Iterable[Alg]]:
    return {"sign": _PEP458_ALGS, "verify": _PEP458_ALGS}

default_alg

default_alg(op, *, for_key=None)

Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py

def default_alg(self, op: CipherOp, *, for_key: Optional[KeyRef] = None) -> Alg:
    inferred = _infer_alg_from_key(for_key)
    if inferred:
        return inferred
    return "Ed25519"

features

features()

Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py

def features(self) -> Features:
    return {
        "suite": "pep458",
        "version": 1,
        "dialects": {"provider": ["pep458"], "sigstore": []},
        "ops": {
            "sign": {"default": "Ed25519", "allowed": list(_PEP458_ALGS)},
            "verify": {"default": "Ed25519", "allowed": list(_PEP458_ALGS)},
        },
        "constraints": {
            "canonicalization": _DEFAULT_CANON,
            "signature_format": "detached",
            "min_threshold": 1,
        },
        "compliance": {"pep458": True, "tuf": "1.x"},
        "notes": [
            "Implements offline root and online timestamp role separation per PEP 458.",
            "Pair with swarmauri_signing_pep458.Pep458Signer for signature production.",
        ],
    }

policy

policy()

Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py

def policy(self) -> Mapping[str, Any]:
    return {
        "canonicalization": _DEFAULT_CANON,
        "signature": {
            "format": "tuf/pep458",
            "allowed_algs": list(_PEP458_ALGS),
            "detached": True,
            "keyid_hash": "sha256",
        },
        "roles": {
            "root": {"threshold": 2, "expires": "P365D", "alg": "RSA-PSS-SHA256"},
            "targets": {"threshold": 1, "expires": "P90D", "alg": "Ed25519"},
            "snapshot": {"threshold": 1, "expires": "P14D", "alg": "Ed25519"},
            "timestamp": {"threshold": 1, "expires": "P1D", "alg": "Ed25519"},
        },
    }

normalize

normalize(
    *, op, alg=None, key=None, params=None, dialect=None
)

Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py

def normalize(
    self,
    *,
    op: CipherOp,
    alg: Optional[Alg] = None,
    key: Optional[KeyRef] = None,
    params: Optional[ParamMapping] = None,
    dialect: Optional[str] = None,
) -> NormalizedDescriptor:
    allowed = set(self.supports().get(op, ()))
    chosen_alg = alg or self.default_alg(op, for_key=key)
    if chosen_alg not in allowed:
        raise ValueError(f"{chosen_alg} not supported for operation {op}")

    resolved_params: Dict[str, Any] = dict(params or {})
    canon = resolved_params.pop("canon", _DEFAULT_CANON)
    role = resolved_params.pop("role", resolved_params.pop("tuf_role", "generic"))
    threshold = int(resolved_params.pop("threshold", 1))

    mapped = {
        "provider": {
            "suite": "pep458",
            "signer": "swarmauri_signing_pep458.Pep458Signer",
            "alg": chosen_alg,
            "canon": canon,
            "role": role,
        }
    }

    params_out = {
        "canon": canon,
        "role": role,
        "threshold": threshold,
    }
    if resolved_params:
        params_out.update(resolved_params)

    constraints = {
        "threshold": threshold,
        "detached": True,
    }

    return {
        "op": op,
        "alg": chosen_alg,
        "dialect": "provider" if dialect is None else dialect,
        "mapped": mapped,
        "params": params_out,
        "constraints": constraints,
        "policy": self.policy(),
    }