- Schema fix: Avoid name collision in 'oneOf' of certificateExtensions

- Schema fix: Define items in ikeV2 arrays
- Schema extension: in protocolProperties/cipherSuites, adds explicit tlsGroups and tlsSignatureSchemes properties
- Updates valid-cryptography-full-1.7 and valid-cryptography-implementation.1.7 test cases

Signed-off-by: Basil Hess <[email protected]>

Author: bhess

schema/bom-1.7.schema.json

@@ -5802,8 +5802,7 @@
               "additionalProperties": false,
               "properties": {
                 "encr": {
-                  "type": "array",
-                  "$ref": "#/definitions/ikeV2Enc",
+                  "type": "string",
                   "title": "Encryption Algorithms (ENCR)",
                   "description": "Transform Type 1: encryption algorithms"
                 },
@@ -5895,6 +5894,35 @@
               "0x9E"
             ]
           }
+        },
+        "tlsGroups": {
+          "type": "array",
+          "title": "TLS Groups",
+          "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.",
+          "items": {
+            "type": "string",
+            "title": "Group Name",
+            "description": "The name of the TLS group",
+            "examples": [
+              "x25519",
+              "ffdhe2048"
+            ]
+          }
+        },
+        "tlsSignatureSchemes": {
+          "type": "array",
+          "title": "TLS Signature Schemes",
+          "description": "A list of signature schemes supported for cipher suite. These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.",
+          "items": {
+            "type": "string",
+            "title": "Signature Scheme",
+            "description": "The name of the TLS signature scheme",
+            "examples": [
+              "ecdsa_secp256r1_sha256",
+              "rsa_pss_rsae_sha256",
+              "ed25519"
+            ]
+          }
         }
       }
     },

schema/cryptography-defs.json

@@ -100,6 +100,10 @@
         {
           "pattern": "ECDH[E][-{ellipticCurve}]",
           "primitive": "key-agree"
+        },
+        {
+          "pattern": "x25519|x448",
+          "primitive": "key-agree"
         }
       ]
     },

tools/src/test/resources/1.7/valid-cryptography-full-1.7.json

@@ -12,88 +12,279 @@
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "primitive": "ae",
+          "primitive": "key-agree",
+          "algorithmFamily": "ECDH",
           "parameterSetIdentifier": "128",
-          "curve": "brainpoolP160r1",
+          "curve": "brainpool/brainpoolP160r1",
+          "ellipticCurve": "brainpool/brainpoolP160r1",
           "executionEnvironment": "software-plain-ram",
           "implementationPlatform": "x86_64",
-          "certificationLevel": [ "fips140-1-l4" ],
+          "certificationLevel": [ "fips140-3-l4" ],
           "mode": "gcm",
           "padding": "pkcs5",
-          "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"],
-          "classicalSecurityLevel": 128,
-          "nistQuantumSecurityLevel": 1
+          "cryptoFunctions": ["keygen", "keyderive"],
+          "classicalSecurityLevel": 96,
+          "nistQuantumSecurityLevel": 0
         },
         "oid": "oid:1.2.3.4.5.6.7.8.9"
       }
     },
     {
       "type": "cryptographic-asset",
       "bom-ref": "asset-2",
-      "name": "Name here",
+      "name": "Example Certificate with All Properties",
       "cryptoProperties": {
         "assetType": "certificate",
         "certificateProperties": {
-          "subjectName": "Subject name here",
-          "issuerName": "Issuer name here",
+          "serialNumber": "0B:35:82:6D:F5:7A:02:0A:0A:21:8F:BD:F3:91:43:C3",
+          "subjectName": "CN=example.com, O=Example Corp, C=US",
+          "issuerName": "CN=Example CA, O=Example Trust Services, C=US",
           "notValidBefore": "2022-01-01T00:00:00.000Z",
           "notValidAfter": "2024-01-01T00:00:00.000Z",
           "signatureAlgorithmRef": "bom-ref-to-algorithm",
           "subjectPublicKeyRef": "bom-ref-to-public-key",
           "certificateFormat": "X.509",
-          "certificateExtension": "crt"
+          "certificateExtension": "crt",
+          "certificateFileExtension": "crt",
+          "fingerprint": {
+            "alg": "SHA-256",
+            "content": "3942447fac867ae5cdb3229b658f4d48"
+          },
+          "certificateState": [
+            {
+              "state": "pre-activation",
+              "reason": "Certificate created but not yet active"
+            },
+            {
+              "state": "active",
+              "reason": "Certificate in active use for TLS connections"
+            },
+            {
+              "state": "suspended",
+              "reason": "Temporary suspension due to security audit"
+            },
+            {
+              "state": "deactivated",
+              "reason": "Replaced by new certificate"
+            },
+            {
+              "state": "revoked",
+              "reason": "Private key compromise suspected"
+            },
+            {
+              "state": "destroyed",
+              "reason": "Certificate and associated keys securely destroyed"
+            }
+          ],
+          "creationDate": "2022-01-01T00:00:00.000Z",
+          "activationDate": "2022-01-02T00:00:00.000Z",
+          "deactivationDate": "2023-12-31T23:59:59.000Z",
+          "revocationDate": "2024-01-01T00:00:00.000Z",
+          "destructionDate": "2024-01-02T00:00:00.000Z",
+          "certificateExtensions": [
+            {
+              "commonExtensionName": "basicConstraints",
+              "commonExtensionValue": "CA:FALSE, pathlen:0"
+            },
+            {
+              "commonExtensionName": "keyUsage",
+              "commonExtensionValue": "digitalSignature, keyEncipherment"
+            },
+            {
+              "commonExtensionName": "extendedKeyUsage",
+              "commonExtensionValue": "serverAuth, clientAuth"
+            },
+            {
+              "commonExtensionName": "subjectAlternativeName",
+              "commonExtensionValue": "DNS:example.com, DNS:www.example.com"
+            },
+            {
+              "commonExtensionName": "authorityKeyIdentifier",
+              "commonExtensionValue": "keyid:12:34:56:78:90:AB:CD:EF"
+            },
+            {
+              "commonExtensionName": "subjectKeyIdentifier",
+              "commonExtensionValue": "AA:BB:CC:DD:EE:FF:00:11"
+            },
+            {
+              "commonExtensionName": "authorityInformationAccess",
+              "commonExtensionValue": "OCSP - URI:http://ocsp.example.com"
+            },
+            {
+              "commonExtensionName": "certificatePolicies",
+              "commonExtensionValue": "Policy: 2.23.140.1.2.1"
+            },
+            {
+              "commonExtensionName": "crlDistributionPoints",
+              "commonExtensionValue": "URI:http://crl.example.com/root.crl"
+            },
+            {
+              "commonExtensionName": "signedCertificateTimestamp",
+              "commonExtensionValue": "Signed by Example CT log at 2022-01-01T00:00:00Z"
+            },
+            {
+              "customExtensionName": "someCustomExtension",
+              "customExtensionValue": "Custom value for this extension"
+            }
+
+          ],
+          "relatedCryptographicAssets": [
+            {
+              "type": "publicKey",
+              "ref": "public-key-ref"
+            },
+            {
+              "type": "privateKey",
+              "ref": "private-key-ref"
+            },
+            {
+              "type": "algorithm",
+              "ref": "signing-algorithm-ref"
+            }
+          ]
         },
-        "oid": "oid:1.2.3.4.5.6.7.8.9"
+        "oid": "oid:2.5.4.3"
       }
     },
     {
       "type": "cryptographic-asset",
       "bom-ref": "asset-3",
-      "name": "Name here",
+      "name": "Example Protocol with All Properties",
       "cryptoProperties": {
         "assetType": "protocol",
         "protocolProperties": {
           "type": "tls",
           "version": "1.3",
           "cipherSuites": [
             {
-              "name": "TLS_DHE_RSA_WITH_AES_128_CCM",
+              "name": "TLS_AES_128_GCM_SHA256",
               "algorithms": [
-                "bom-ref-to-algorithm"
+                "aes-128-gcm-ref",
+                "sha256-ref"
               ],
               "identifiers": [
-                "0xC0"
+                "0x1301"
+              ],
+              "tlsGroups": [
+                "x25519",
+                "secp256r1",
+                "secp384r1",
+                "secp521r1",
+                "ffdhe2048",
+                "ffdhe3072"
+              ],
+              "tlsSignatureSchemes": [
+                "ecdsa_secp256r1_sha256",
+                "ecdsa_secp384r1_sha384",
+                "ecdsa_secp521r1_sha512",
+                "rsa_pss_rsae_sha256",
+                "rsa_pss_rsae_sha384",
+                "rsa_pss_rsae_sha512",
+                "ed25519",
+                "ed448"
+              ]
+            },
+            {
+              "name": "TLS_AES_256_GCM_SHA384",
+              "algorithms": [
+                "aes-256-gcm-ref",
+                "sha384-ref"
+              ],
+              "identifiers": [
+                "0x1302"
+              ]
+            },
+            {
+              "name": "TLS_CHACHA20_POLY1305_SHA256",
+              "algorithms": [
+                "chacha20-poly1305-ref",
+                "sha256-ref"
+              ],
+              "identifiers": [
+                "0x1303"
               ]
             }
-          ]
+          ],
+          "ikev2TransformTypes": {
+            "encr": [
+              {
+                "name": "AES-128-GCM",
+                "keyLength": 128,
+                "algorithm": "aes-128-gcm-ref"
+              }
+            ],
+            "prf": [
+              {
+                "name": "SHA-256",
+                "algorithm": "sha256-ref"
+              }
+            ],
+            "integ": [
+              {
+                "name": "SHA-256",
+                "algorithm": "sha256-ref"
+              }
+            ],
+            "ke": [
+              {
+                "group": 14,
+                "algorithm": "diffie-hellman-group14-sha256-ref"
+              }
+            ],
+            "esn": true,
+            "auth": [
+              {
+                "name": "ECDSA",
+                "algorithm": "ecdsa_secp256r1_sha256"
+              }
+            ]
+          }
         },
-        "oid": "oid:1.2.3.4.5.6.7.8.9"
+        "oid": "oid:1.3.6.1.5.5.7.3.1"
       }
     },
     {
       "type": "cryptographic-asset",
       "bom-ref": "asset-4",
-      "name": "Name here",
+      "name": "Example Related Crypto Material with All Properties",
       "cryptoProperties": {
         "assetType": "related-crypto-material",
         "relatedCryptoMaterialProperties": {
-          "type": "private-key",
-          "id": "12345",
+          "type": "public-key",
+          "id": "key-12345-67890",
           "state": "active",
-          "algorithmRef": "bom-ref-to-algorithm",
+          "algorithmRef": "rsa-4096-ref",
           "creationDate": "2024-01-01T00:00:00.000Z",
           "activationDate": "2024-01-02T00:00:00.000Z",
           "updateDate": "2024-01-03T00:00:00.000Z",
-          "expirationDate": "2024-01-04T00:00:00.000Z",
-          "value": "Value here",
-          "size": 1024,
-          "format": "PEM",
+          "expirationDate": "2026-01-01T00:00:00.000Z",
+          "value": "-----BEGIN PUBLIC KEY-----",
+          "size": 4096,
+          "format": "PKCS#8",
           "securedBy": {
             "mechanism": "HSM",
-            "algorithmRef": "bom-ref-to-algorithm"
-          }
+            "algorithmRef": "aes-256-gcm-ref"
+          },
+          "fingerprint": {
+            "alg": "SHA-256",
+            "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+          },
+          "relatedCryptographicAssets": [
+            {
+              "type": "publicKey",
+              "ref": "corresponding-public-key-ref"
+            },
+            {
+              "type": "certificate",
+              "ref": "certificate-using-this-key-ref"
+            },
+            {
+              "type": "algorithm",
+              "ref": "rsa-4096-ref"
+            }
+          ]
         },
-        "oid": "oid:1.2.3.4.5.6.7.8.9"
+        "oid": "oid:1.2.840.113549.1.1.1"
       }
     }
   ]