Skip to content

Class swarmauri_cipher_suite_pep458.Pep458CipherSuite.Pep458CipherSuite

swarmauri_cipher_suite_pep458.Pep458CipherSuite.Pep458CipherSuite

Bases: CipherSuiteBase

Metadata policy and algorithm registry for PEP 458 repositories.

suite_id

suite_id()
Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py
40
41
def suite_id(self) -> str:
    return "pep458"

supports

supports()
Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py
43
44
def supports(self) -> Mapping[CipherOp, Iterable[Alg]]:
    return {"sign": _PEP458_ALGS, "verify": _PEP458_ALGS}

default_alg

default_alg(op, *, for_key=None)
Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py
46
47
48
49
50
def default_alg(self, op: CipherOp, *, for_key: Optional[KeyRef] = None) -> Alg:
    inferred = _infer_alg_from_key(for_key)
    if inferred:
        return inferred
    return "Ed25519"

features

features()
Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
def features(self) -> Features:
    return {
        "suite": "pep458",
        "version": 1,
        "dialects": {"provider": ["pep458"], "sigstore": []},
        "ops": {
            "sign": {"default": "Ed25519", "allowed": list(_PEP458_ALGS)},
            "verify": {"default": "Ed25519", "allowed": list(_PEP458_ALGS)},
        },
        "constraints": {
            "canonicalization": _DEFAULT_CANON,
            "signature_format": "detached",
            "min_threshold": 1,
        },
        "compliance": {"pep458": True, "tuf": "1.x"},
        "notes": [
            "Implements offline root and online timestamp role separation per PEP 458.",
            "Pair with swarmauri_signing_pep458.Pep458Signer for signature production.",
        ],
    }

policy

policy()
Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
def policy(self) -> Mapping[str, Any]:
    return {
        "canonicalization": _DEFAULT_CANON,
        "signature": {
            "format": "tuf/pep458",
            "allowed_algs": list(_PEP458_ALGS),
            "detached": True,
            "keyid_hash": "sha256",
        },
        "roles": {
            "root": {"threshold": 2, "expires": "P365D", "alg": "RSA-PSS-SHA256"},
            "targets": {"threshold": 1, "expires": "P90D", "alg": "Ed25519"},
            "snapshot": {"threshold": 1, "expires": "P14D", "alg": "Ed25519"},
            "timestamp": {"threshold": 1, "expires": "P1D", "alg": "Ed25519"},
        },
    }

normalize

normalize(
    *, op, alg=None, key=None, params=None, dialect=None
)
Source code in swarmauri_cipher_suite_pep458/Pep458CipherSuite.py
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
def normalize(
    self,
    *,
    op: CipherOp,
    alg: Optional[Alg] = None,
    key: Optional[KeyRef] = None,
    params: Optional[ParamMapping] = None,
    dialect: Optional[str] = None,
) -> NormalizedDescriptor:
    allowed = set(self.supports().get(op, ()))
    chosen_alg = alg or self.default_alg(op, for_key=key)
    if chosen_alg not in allowed:
        raise ValueError(f"{chosen_alg} not supported for operation {op}")

    resolved_params: Dict[str, Any] = dict(params or {})
    canon = resolved_params.pop("canon", _DEFAULT_CANON)
    role = resolved_params.pop("role", resolved_params.pop("tuf_role", "generic"))
    threshold = int(resolved_params.pop("threshold", 1))

    mapped = {
        "provider": {
            "suite": "pep458",
            "signer": "swarmauri_signing_pep458.Pep458Signer",
            "alg": chosen_alg,
            "canon": canon,
            "role": role,
        }
    }

    params_out = {
        "canon": canon,
        "role": role,
        "threshold": threshold,
    }
    if resolved_params:
        params_out.update(resolved_params)

    constraints = {
        "threshold": threshold,
        "detached": True,
    }

    return {
        "op": op,
        "alg": chosen_alg,
        "dialect": "provider" if dialect is None else dialect,
        "mapped": mapped,
        "params": params_out,
        "constraints": constraints,
        "policy": self.policy(),
    }