From 76745f22c352e21f7b62abe50379a207269018e2 Mon Sep 17 00:00:00 2001
From: Steve Springett
Date: Fri, 21 Mar 2025 22:07:39 -0500
Subject: [PATCH 01/54] Initial checkin of algorithm family support.
Signed-off-by: Steve Springett
---
schema/cryptography-defs.json | 92 ++++++++++++++++++++++++++++
schema/cryptography-defs.schema.json | 76 +++++++++++++++++++++++
2 files changed, 168 insertions(+)
create mode 100644 schema/cryptography-defs.json
create mode 100644 schema/cryptography-defs.schema.json
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
new file mode 100644
index 00000000..b466767f
--- /dev/null
+++ b/schema/cryptography-defs.json
@@ -0,0 +1,92 @@ +{ + "$schema": "http://cyclonedx.org/schema/cryptography-defs.schema.json", + "lastUpdated": "2025-03-22T00:00:00Z", + "algorithms": [ + { + "family": "RSASSA-PKCS1", + "standard": [ + {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"}, + {"name": "IEEE1363", "url": "https://standards.ieee.org/ieee/1363/"} + ], + "variant": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", + "primitive": "signature" + }, + { + "family": "RSASSA-PSS", + "standard": [ + {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"}, + {"name": "IEEE1363A", "url": "https://standards.ieee.org/ieee/1363a/"} + ], + "variant": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", + "primitive": "signature" + }, + { + "family": "RSAES-PKCS1", + "standard": [ + {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"} + ], + "variant": "RSA-PKCS1-1.5-{keyLength}", + "primitive": "pke" + }, + { + "family": "RSAES-OAEP", + "standard": [ + {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"} + ], + "variant": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", + "primitive": "pke" + }, + { + "family": "EdDSA", + "standard": [ + {"name": "RFC8032", "url": "https://datatracker.ietf.org/doc/html/rfc8032"} + ], + "variant": "Ed{25519|448}{|ph|ctx}", + "primitive": "signature" + }, + { + "family": "ECDSA", + "standard": [ + {"name": "FIPS186-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf"}, + {"name": "X9.62", "url": "https://x9.org/standards/x9-62/"} + ], + "variant": "ECDSA-{curve}-{hash}", + "primitive": "signature" + }, + { + "family": "ECDH", + "standard": [ + {"name": "SP800-56A", "url": "https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final"}, + {"name": "IEEE1363", "url": "https://standards.ieee.org/ieee/1363/"}, + {"name": "X9.63", "url": "https://x9.org/standards/x9-63/"} + ], + "variant": "ECDH-{curve}", + "primitive": "key-agree" + }, + { + "family": 
"FFDH", + "standard": [ + {"name": "RFC7919", "url": "https://datatracker.ietf.org/doc/html/rfc7919"}, + {"name": "SP800-56A", "url": "https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final"} + ], + "variant": "FFDH-{named_group}", + "primitive": "key-agree" + }, + { + "family": "SHA-1", + "standard": [ + {"name": "FIPS180-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"} + ], + "variant": "SHA-1", + "primitive": "hash" + }, + { + "family": "SHA-2", + "standard": [ + {"name": "FIPS180-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"} + ], + "variant": "SHA-{224|256|384|512|512/224|512/256}", + "primitive": "hash" + } + ] +} \ No newline at end of file diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json new file mode 100644 index 00000000..7c6aeedb --- /dev/null +++ b/schema/cryptography-defs.schema.json 
@@ -0,0 +1,76 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json", + "title": "Cryptographic Algorithm Family Definitions", + "description": "Enumerates cryptographic algorithm families and their specific metadata.", + "type": "object", + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string" + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the data was last updated." + }, + "algorithms": { + "type": "array", + "title": "Algorithm Families", + "description": "An array of cryptographic algorithm family definitions.", + "additionalItems": false, + "items": { + "type": "object", + "title": "Algorithm Family", + "description": "Defines a cryptographic algorithm family and its metadata.", + "additionalProperties": false, + "properties": { + "family": { + "type": "string", + "title": "Algorithm Family", + "description": "The name of the cryptographic algorithm family." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm family.", + "additionalItems": false, + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." + } + }, + "required": ["name", "url"] + } + }, + "variant": { + "type": "string", + "title": "Variant", + "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties." 
+ }, + "primitive": { + "type": "string", + "title": "Primitive", + "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)." + } + }, + "required": ["family", "variant", "primitive"] + } + } + }, + "required": ["lastUpdated", "algorithms"] +} \ No newline at end of file From 5b8fff68db87d35c03bdaf7a092ddf58003fa5bc Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 10 Apr 2025 15:50:58 +0200 Subject: [PATCH 02/54] Update cryptography-defs.json - Adds a few more algorithm - Converts urls to standards to doi links, where available. - Checks if urls work Signed-off-by: Basil Hess --- schema/cryptography-defs.json | 87 +++++++++++++++++++++++++++-------- 1 file changed, 69 insertions(+), 18 deletions(-) diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index b466767f..2b17d88b 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -5,8 +5,8 @@ { "family": "RSASSA-PKCS1", "standard": [ - {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"}, - {"name": "IEEE1363", "url": "https://standards.ieee.org/ieee/1363/"} + {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, + {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"} ], "variant": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", "primitive": "signature" @@ -14,8 +14,8 @@ { "family": "RSASSA-PSS", "standard": [ - {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"}, - {"name": "IEEE1363A", "url": "https://standards.ieee.org/ieee/1363a/"} + {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, + {"name": "IEEE1363A", "url": "https://doi.org/10.1109/IEEESTD.2004.94612"} ], "variant": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", "primitive": "signature" 
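Review bot: `primitive` in the family `items` schema is declared only as `"type": "string"`, so a misspelled or unrecognised primitive in cryptography-defs.json still validates, and the description's example "encryption" is not a value the data file uses (it uses `pke`). Constrain it with an `enum` (or a shared definition) that mirrors the primitive list in the BOM schema, so a registry entry cannot name a primitive the BOM cannot express. Separately, `"additionalItems": false` next to an object-valued `items` has no effect in draft-07, and `"format": "iri"` / `"format": "date-time"` are only enforced when the validator has format assertion enabled, so neither should be relied on as a check.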
@@ -23,7 +23,7 @@ { "family": "RSAES-PKCS1", "standard": [ - {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"} + {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], "variant": "RSA-PKCS1-1.5-{keyLength}", "primitive": "pke" @@ -31,7 +31,7 @@ { "family": "RSAES-OAEP", "standard": [ - {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"} + {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], "variant": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", "primitive": "pke" @@ -39,7 +39,7 @@ { "family": "EdDSA", "standard": [ - {"name": "RFC8032", "url": "https://datatracker.ietf.org/doc/html/rfc8032"} + {"name": "RFC8032", "url": "https://doi.org/10.17487/RFC8032"} ], "variant": "Ed{25519|448}{|ph|ctx}", "primitive": "signature" @@ -47,8 +47,8 @@ { "family": "ECDSA", "standard": [ - {"name": "FIPS186-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf"}, - {"name": "X9.62", "url": "https://x9.org/standards/x9-62/"} + {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"}, + {"name": "X9.62", "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"} ], "variant": "ECDSA-{curve}-{hash}", "primitive": "signature" @@ -56,9 +56,9 @@ { "family": "ECDH", "standard": [ - {"name": "SP800-56A", "url": "https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final"}, - {"name": "IEEE1363", "url": "https://standards.ieee.org/ieee/1363/"}, - {"name": "X9.63", "url": "https://x9.org/standards/x9-63/"} + {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"}, + {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}, + {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"} ], "variant": "ECDH-{curve}", "primitive": "key-agree" 
@@ -66,8 +66,8 @@ { "family": "FFDH", "standard": [ - {"name": "RFC7919", "url": "https://datatracker.ietf.org/doc/html/rfc7919"}, - {"name": "SP800-56A", "url": "https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final"} + {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"}, + {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"} ], "variant": "FFDH-{named_group}", "primitive": "key-agree" @@ -75,7 +75,7 @@ { "family": "SHA-1", "standard": [ - {"name": "FIPS180-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"} + {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], "variant": "SHA-1", "primitive": "hash" 
@@ -83,10 +83,61 @@ { "family": "SHA-2", "standard": [ - {"name": "FIPS180-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"} + {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], "variant": "SHA-{224|256|384|512|512/224|512/256}", "primitive": "hash" - } + }, + { + "family": "AES", + "standard": [ + {"name": "FIPS197", "url": "https://doi.org/10.6028/NIST.FIPS.197-upd1"}, + {"name": "SP800-38{A-G}", "url": "https://doi.org/10.6028/NIST.SP.800-38A"}, + {"name": "RFC 5116", "url": "https://doi.org/10.17487/RFC5116"} + ], + "variant": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|128)|OFB|CTR|)", + "primitive": "block-cipher" + }, + { + "family": "HKDF", + "standard": [ + {"name": "RFC5869", "url": "https://doi.org/10.17487/RFC5869"} + ], + "variant": "HKDF-{hash}", + "primitive": "kdf" + }, + { + "family": "HMAC", + "standard": [ + {"name": "SP800-224", "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd"}, + {"name": "RFC2104", "url": "https://doi.org/10.17487/RFC2104"} + ], + "variant": "HMAC-{hash}-{length}", + "primitive": "mac" + }, + { + "family": "ChaCha", + "standard": [ + {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} + ], + "variant": "ChaCha20-{AES|other}", + "primitive": "stream-cipher" + }, + { + "family": "Poly1305", + "standard": [ + {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} + ], + "variant": "Poly1305", + "primitive": "mac" + }, + { + "family": "ChaCha20-Poly1305", + "standard": [ + {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} + ], + "variant": "ChaCha20-Poly1305", + "primitive": "ae" + } ] -} \ No newline at end of file +} From 643fca9c392581be87e62d1dbe252e263584fd6a Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 17 Apr 2025 14:52:11 +0200 Subject: [PATCH 03/54] Add more algorithms, used by SSLv3, TLS1.0-1.3 
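Review bot: The AES `variant` added in the `@@ -83,10 +83,61 @@` hunk mixes two placeholder notations, `{128|192|256}` and `(ECB|CBC|CFB(1|8|128)|OFB|CTR|)`, while the schema description only defines `{}` placeholders, and the trailing `|` admits an empty mode so a name that omits the mode still matches. The mode is what distinguishes, for example, ECB from CBC in an inventory, so I would keep one notation and make the mode mandatory, e.g. `"variant": "AES-{128|192|256}-{ECB|CBC|CFB1|CFB8|CFB128|OFB|CTR}"`, or document the empty alternative if it is intentional. `"ChaCha20-{AES|other}"` in the ChaCha entry looks like a copy-paste slip, since the cited RFC does not parameterise ChaCha20 by AES; please confirm the intended placeholder. The HMAC entry's `SP800-224` link ends in `.ipd`, which appears to identify a draft rather than a final publication.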
Signed-off-by: Basil Hess
---
schema/cryptography-defs.json | 64 +++++++++++++++++++++++++++++++++--
1 file changed, 61 insertions(+), 3 deletions(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2b17d88b..7d0640f8 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -60,7 +60,7 @@
 {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"},
 {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"}
 ],
- "variant": "ECDH-{curve}",
+ "variant": "ECDH{E}-{curve}",
 "primitive": "key-agree"
 },
 {
@@ -69,7 +69,7 @@
 {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"},
 {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"}
 ],
- "variant": "FFDH-{named_group}",
+ "variant": "FFDH{E}-{named_group}",
 "primitive": "key-agree"
 },
 {
@@ -138,6 +138,64 @@ ], "variant": "ChaCha20-Poly1305", "primitive": "ae" - } + }, + { + "family": "MD5", + "standard": [ + {"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"} + ], + "variant": "MD5", + "primitive": "hash" + }, + { + "family": "MD4", + "standard": [ + {"name": "RFC1320", "url": "https://doi.org/10.17487/RFC1320"} + ], + "variant": "MD4", + "primitive": "hash" + }, + { + "family": "RC4", + "standard": [ + {"name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", "url": "https://dl.acm.org/doi/book/10.5555/572932"} + ], + "variant": "RC4-{length}", + "primitive": "stream-cipher" + }, + { + "family": "3DES", + "standard": [ + {"name": "RFC1851", "url": "https://doi.org/10.17487/RFC1851"}, + {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} + ], + "variant": "3DES-{length}-{mode}", + "primitive": "block-cipher" + }, + { + "family": "DES", + "standard": [ + {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}, + {"name": "ANSI INCITS 92-1981", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} + ], + "variant": "DES-{length}-{mode}", + "primitive": "block-cipher" + }, + { + "family": "IDEA", + "standard": [ + {"name": "A Proposal for a New Block Encryption Standard", "url": "https://doi.org/10.1007%2F3-540-46877-3_35"} + ], + "variant": "IDEA-{mode}", + "primitive": "block-cipher" + }, + { + "family": "RC2", + "standard": [ + {"name": "RFC2268", "url": "https://doi.org/10.17487/RFC2268"} + ], + "variant": "RC2-{length}-{mode}", + "primitive": "block-cipher" + } ] } From 9f243b0018d1c2b98859cba8db9112ea20a7d62a Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Fri, 9 May 2025 16:04:20 +0200 Subject: [PATCH 04/54] Revise variants structure Signed-off-by: Basil Hess --- schema/cryptography-defs.json | 222 +++++++++++++++++++++++++++------- 1 file changed, 177 insertions(+), 45 deletions(-) 
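Review bot: In the DES entry the `ANSI INCITS 92-1981` reference carries the same URL as `FIPS PUB 46-3` (`https://csrc.nist.gov/pubs/fips/46-3/final`), so the second citation does not point at the document it names; either link the ANSI document itself or drop the entry. The IDEA link uses a percent-encoded DOI (`10.1007%2F3-540-46877-3_35`) unlike every other DOI in the file; `"url": "https://doi.org/10.1007/3-540-46877-3_35"` is the consistent form. `{length}` in `DES-{length}-{mode}` and `3DES-{length}-{mode}` should state whether it means key length or something else, since the pattern alone does not say and the distinction matters when these legacy ciphers are reported.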
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index 7d0640f8..e6bf90bf 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -8,8 +8,12 @@ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"} ], - "variant": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", - "primitive": "signature" + "variants": [ + { + "pattern": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", + "primitive": "signature" + } + ] }, { "family": "RSASSA-PSS", @@ -17,32 +21,48 @@ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, {"name": "IEEE1363A", "url": "https://doi.org/10.1109/IEEESTD.2004.94612"} ], - "variant": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", - "primitive": "signature" + "variants": [ + { + "pattern": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", + "primitive": "signature" + } + ] }, { "family": "RSAES-PKCS1", "standard": [ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], - "variant": "RSA-PKCS1-1.5-{keyLength}", - "primitive": "pke" + "variants": [ + { + "pattern": "RSA-PKCS1-1.5-{keyLength}", + "primitive": "pke" + } + ] }, { "family": "RSAES-OAEP", "standard": [ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], - "variant": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", - "primitive": "pke" + "variants": [ + { + "pattern": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", + "primitive": "pke" + } + ] }, { "family": "EdDSA", "standard": [ {"name": "RFC8032", "url": "https://doi.org/10.17487/RFC8032"} ], - "variant": "Ed{25519|448}{|ph|ctx}", - "primitive": "signature" + "variants": [ + { + "pattern": "Ed{25519|448}{|ph|ctx}", + "primitive": "signature" + } + ] }, { "family": "ECDSA", 
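Review bot: cryptography-defs.schema.json is not updated alongside the `variants` / `pattern` layout that starts in the `@@ -8,8 +8,12 @@` hunk: the diffstat for this commit lists only cryptography-defs.json, while the schema from the first patch still requires `"variant"` and `"primitive"` on each family and sets `"additionalProperties": false`. As committed, the data file would not validate against the schema it names in `$schema`, so validation cannot catch mistakes in the converted entries. This applies to every hunk of the commit; the schema change should land in the same commit, replacing `variant`/`primitive` on the family object with a `variants` array whose items require `pattern` and `primitive`.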
@@ -50,8 +70,12 @@ {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"}, {"name": "X9.62", "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"} ], - "variant": "ECDSA-{curve}-{hash}", - "primitive": "signature" + "variants": [ + { + "pattern": "ECDSA-{curve}-{hash}", + "primitive": "signature" + } + ] }, { "family": "ECDH", @@ -60,8 +84,12 @@ {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}, {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"} ], - "variant": "ECDH{E}-{curve}", - "primitive": "key-agree" + "variants": [ + { + "pattern": "ECDH{E}-{curve}", + "primitive": "key-agree" + } + ] }, { "family": "FFDH", @@ -69,24 +97,36 @@ {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"}, {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"} ], - "variant": "FFDH{E}-{named_group}", - "primitive": "key-agree" + "variants": [ + { + "pattern": "FFDH{E}-{named_group}", + "primitive": "key-agree" + } + ] }, { "family": "SHA-1", "standard": [ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], - "variant": "SHA-1", - "primitive": "hash" + "variants": [ + { + "pattern": "SHA-1", + "primitive": "hash" + } + ] }, { "family": "SHA-2", "standard": [ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], - "variant": "SHA-{224|256|384|512|512/224|512/256}", - "primitive": "hash" + "variants": [ + { + "pattern": "SHA-{224|256|384|512|512/224|512/256}", + "primitive": "hash" + } + ] }, { "family": "AES", 
@@ -95,16 +135,32 @@ {"name": "SP800-38{A-G}", "url": "https://doi.org/10.6028/NIST.SP.800-38A"}, {"name": "RFC 5116", "url": "https://doi.org/10.17487/RFC5116"} ], - "variant": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|128)|OFB|CTR|)", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|128)|OFB|CTR|)-(ivlen)", + "primitive": "block-cipher" + }, + { + "standard": [ + {"name": "SP800-38D", "url": "https://doi.org/10.6028/NIST.SP.800-38D"}, + {"name": "RFC 3610", "url": "https://doi.org/10.17487/RFC5116"} + ], + "pattern": "AES-{128|192|256}-(GCM|CCM)-(taglen)-(ivlen)", + "primitive": "ae" + } + ] }, { "family": "HKDF", "standard": [ {"name": "RFC5869", "url": "https://doi.org/10.17487/RFC5869"} ], - "variant": "HKDF-{hash}", - "primitive": "kdf" + "variants": [ + { + "pattern": "HKDF-{hash}", + "primitive": "kdf" + } + ] }, { "family": "HMAC", 
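Review bot: The new `ae` variant cites `RFC 3610` but its `url` is `https://doi.org/10.17487/RFC5116`, the same link already used for `RFC 5116` on the family, so the CCM reference resolves to the wrong document. It should read `{"name": "RFC 3610", "url": "https://doi.org/10.17487/RFC3610"}`. The two AES patterns also write the free parameters as `(ivlen)` and `(taglen)` in parentheses where older entries use `{...}`; one notation should be used so that consumers can parse patterns mechanically.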
@@ -112,47 +168,67 @@ {"name": "SP800-224", "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd"}, {"name": "RFC2104", "url": "https://doi.org/10.17487/RFC2104"} ], - "variant": "HMAC-{hash}-{length}", - "primitive": "mac" + "variants": [ + { + "pattern": "HMAC-{hash}-{length}", + "primitive": "mac" + } + ] }, { "family": "ChaCha", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variant": "ChaCha20-{AES|other}", - "primitive": "stream-cipher" + "variants": [ + { + "pattern": "ChaCha20-{AES|other}", + "primitive": "stream-cipher" + } + ] }, { "family": "Poly1305", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variant": "Poly1305", - "primitive": "mac" + "variants": [ + { + "pattern": "Poly1305", + "primitive": "mac" + } + ] }, { "family": "ChaCha20-Poly1305", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variant": "ChaCha20-Poly1305", - "primitive": "ae" + "variants": [ + { + "pattern": "ChaCha20-Poly1305", + "primitive": "ae" + } + ] }, { "family": "MD5", "standard": [ {"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"} ], - "variant": "MD5", - "primitive": "hash" + "variants": [ + { + "pattern": "MD5", + "primitive": "hash" + } + ] }, { "family": "MD4", "standard": [ {"name": "RFC1320", "url": "https://doi.org/10.17487/RFC1320"} ], - "variant": "MD4", + "pattern": "MD4", "primitive": "hash" }, { @@ -160,8 +236,12 @@ "standard": [ {"name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", "url": "https://dl.acm.org/doi/book/10.5555/572932"} ], - "variant": "RC4-{length}", - "primitive": "stream-cipher" + "variants": [ + { + "pattern": "RC4-{length}", + "primitive": "stream-cipher" + } + ] }, { "family": "3DES", 
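Review bot: The MD4 entry in the `@@ -112,47 +168,67 @@` hunk is converted differently from every other family in this commit: `"variant": "MD4"` becomes a top-level `"pattern": "MD4"` next to `"primitive": "hash"` instead of being wrapped in a `variants` array. A consumer that iterates `variants` would silently skip MD4, which is a legacy hash an inventory most needs to surface. Wrap it like its neighbours: `"variants": [ { "pattern": "MD4", "primitive": "hash" } ]`.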
@@ -169,8 +249,12 @@ {"name": "RFC1851", "url": "https://doi.org/10.17487/RFC1851"}, {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} ], - "variant": "3DES-{length}-{mode}", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "3DES-{length}-{mode}", + "primitive": "block-cipher" + } + ] }, { "family": "DES", @@ -178,24 +262,72 @@ {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}, {"name": "ANSI INCITS 92-1981", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} ], - "variant": "DES-{length}-{mode}", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "DES-{length}-{mode}", + "primitive": "block-cipher" + } + ] }, { "family": "IDEA", "standard": [ {"name": "A Proposal for a New Block Encryption Standard", "url": "https://doi.org/10.1007%2F3-540-46877-3_35"} ], - "variant": "IDEA-{mode}", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "IDEA-{mode}", + "primitive": "block-cipher" + } + ] }, { "family": "RC2", "standard": [ {"name": "RFC2268", "url": "https://doi.org/10.17487/RFC2268"} ], - "variant": "RC2-{length}-{mode}", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "RC2-{length}-{mode}", + "primitive": "block-cipher" + } + ] + }, + { + "family": "ML-DSA", + "standard": [ + {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"} + ], + "variants": [ + { + "pattern": "ML-DSA-(44|65|87)", + "primitive": "signature" + } + ] + }, + { + "family": "HashML-DSA", + "standard": [ + {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"} + ], + "variants": [ + { + "pattern": "HashML-DSA-(44|65|87)-(hash)", + "primitive": "signature" + } + ] + }, + { + "family": "HashSLH-DSA", + "standard": [ + {"name": "FIPS 205", "url": "https://doi.org/10.6028/NIST.FIPS.205"} + ], + "variants": [ + { + "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-", + "primitive": "signature" + } + ] } ] } 
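Review bot: The HashSLH-DSA pattern added in the `@@ -178,24 +262,72 @@` hunk, `HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-`, ends in a dangling `-`, so its last component is missing. By analogy with `HashML-DSA-(44|65|87)-(hash)` just above it, the pre-hash function was presumably intended, i.e. `"pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-(hash)"`; please confirm. The hunk adds HashSLH-DSA but no plain SLH-DSA family although FIPS 205 is cited; if that omission is deliberate, a short note in the commit message would help.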
From d376ff5db7d44b35ff0a14770ada5a56282f691e Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Wed, 14 May 2025 11:11:31 +0200
Subject: [PATCH 05/54] - Extends cryptography-defs list by Algorithms from PKCS11 - Changes schma for crypto-defs to allow different variant patterns corresponding to different primitives - Adds "key-wrap" as a new primitive
Signed-off-by: Basil Hess
---
schema/bom-1.7.schema.json | 2 +
schema/cryptography-defs.json | 432 +++++++++++++++++++++++++--
schema/cryptography-defs.schema.json | 58 +++-
3 files changed, 456 insertions(+), 36 deletions(-)
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index e1dd5b1d..3ab604b5 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -5091,6 +5091,7 @@
 "kem",
 "ae",
 "combiner",
+ "key-wrap",
 "other",
 "unknown"
 ],
@@ -5108,6 +5109,7 @@
 "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.",
 "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.",
 "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.",
+ "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.",
 "other": "Another primitive type.",
 "unknown": "The primitive is not known."
 }
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index e6bf90bf..c2e6cd4a 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -8,7 +8,7 @@ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"} ], - "variants": [ + "variant": [ { "pattern": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", "primitive": "signature" @@ -21,7 +21,7 @@ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, {"name": "IEEE1363A", "url": "https://doi.org/10.1109/IEEESTD.2004.94612"} ], - "variants": [ + "variant": [ { "pattern": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", "primitive": "signature" @@ -33,7 +33,7 @@ "standard": [ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], - "variants": [ + "variant": [ { "pattern": "RSA-PKCS1-1.5-{keyLength}", "primitive": "pke" @@ -45,7 +45,7 @@ "standard": [ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], - "variants": [ + "variant": [ { "pattern": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", "primitive": "pke" @@ -57,7 +57,7 @@ "standard": [ {"name": "RFC8032", "url": "https://doi.org/10.17487/RFC8032"} ], - "variants": [ + "variant": [ { "pattern": "Ed{25519|448}{|ph|ctx}", "primitive": "signature" @@ -70,13 +70,25 @@ {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"}, {"name": "X9.62", "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"} ], - "variants": [ + "variant": [ { "pattern": "ECDSA-{curve}-{hash}", "primitive": "signature" } ] }, + { + "family": "DSA", + "standard": [ + {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"} + ], + "variant": [ + { + "pattern": "DSA-{length}-{hash}", + "primitive": "signature" + } + ] + }, { "family": "ECDH", "standard": [ @@ -84,7 +96,7 @@ {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}, {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"} ], - "variants": [ + "variant": [ { "pattern": "ECDH{E}-{curve}", "primitive": "key-agree" 
@@ -97,7 +109,7 @@ {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"}, {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"} ], - "variants": [ + "variant": [ { "pattern": "FFDH{E}-{named_group}", "primitive": "key-agree" @@ -109,7 +121,7 @@ "standard": [ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], - "variants": [ + "variant": [ { "pattern": "SHA-1", "primitive": "hash" @@ -121,13 +133,58 @@ "standard": [ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], - "variants": [ + "variant": [ { "pattern": "SHA-{224|256|384|512|512/224|512/256}", "primitive": "hash" } ] }, + { + "family": "SHA-3", + "standard": [ + {"name": "FIPS202", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"} + {"name": "SP800-185", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"} + ], + "variant": [ + { + "pattern": "SHA-3-(224|256|384|512)", + "primitive": "hash" + }, + { + "pattern": "SHAKE(128|256)", + "primitive": "xof" + }, + { + "pattern": "cSHAKE(128|256)", + "primitive": "xof" + }, + { + "pattern": "KMAC(128|256)", + "primitive": "mac" + }, + { + "pattern": "HMACXOF(128|256)", + "primitive": "mac" + }, + { + "pattern": "TupleHash(128|256)", + "primitive": "hash" + }, + { + "pattern": "TupleHashXOF(128|256)", + "primitive": "xof" + }, + { + "pattern": "ParallelHash(128|256)", + "primitive": "hash" + }, + { + "pattern": "ParallelHashXOF(128|256)", + "primitive": "xof" + } + ] + }, { "family": "AES", "standard": [ @@ -135,9 +192,9 @@ {"name": "SP800-38{A-G}", "url": "https://doi.org/10.6028/NIST.SP.800-38A"}, {"name": "RFC 5116", "url": "https://doi.org/10.17487/RFC5116"} ], - "variants": [ + "variant": [ { - "pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|128)|OFB|CTR|)-(ivlen)", + "pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|64|128)|OFB|CTR|XTS|CTS)-(padding)-(ivlen)", "primitive": "block-cipher" }, { 
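Review bot: The SHA-3 `standard` array added in the `@@ -121,13 +133,58 @@` hunk is missing the comma between the `FIPS202` and `SP800-185` objects, so cryptography-defs.json is no longer valid JSON and a strict parser or schema validator will reject the whole registry. Add the comma after the first object. The `SP800-185` entry also reuses the FIPS 202 PDF URL; the other NIST references in the file use DOI links, so `{"name": "SP800-185", "url": "https://doi.org/10.6028/NIST.SP.800-185"}` would be consistent and would point at the document it names. `HMACXOF(128|256)` sits among the SP 800-185 functions and may be a slip for `KMACXOF`; please check it against the standard.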
@@ -147,6 +204,21 @@ ], "pattern": "AES-{128|192|256}-(GCM|CCM)-(taglen)-(ivlen)", "primitive": "ae" + }, + { + "standard": [ + {"name": "RFC5649", "url": "https://doi.org/10.17487/RFC5649"} + ], + "pattern": "AES-{128|192|256}-Wrap-(PAD|KWP|PKCS7)", + "primitive": "key-wrap" + }, + { + "pattern": "AES-{128|192|256}-(GMAC|CMAC)", + "primitive": "mac" + }, + { + "pattern": "AES-{128|192|256}-(XCBC_MAC(_96))", + "primitive": "mac" } ] }, @@ -155,7 +227,7 @@ "standard": [ {"name": "RFC5869", "url": "https://doi.org/10.17487/RFC5869"} ], - "variants": [ + "variant": [ { "pattern": "HKDF-{hash}", "primitive": "kdf" @@ -168,19 +240,43 @@ {"name": "SP800-224", "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd"}, {"name": "RFC2104", "url": "https://doi.org/10.17487/RFC2104"} ], - "variants": [ + "variant": [ { "pattern": "HMAC-{hash}-{length}", "primitive": "mac" } ] }, + { + "family": "CMAC", + "standard": [ + {"name": "SP800-38B", "url": "https://doi.org/10.6028/NIST.SP.800-38B"} + ], + "variant": [ + { + "pattern": "CMAC-{cipher_algorithm}-{length}", + "primitive": "mac" + } + ] + }, + { + "family": "KMAC", + "standard": [ + {"name": "SP800-108r1", "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"} + ], + "variant": [ + { + "pattern": "KMAC-(128|256)", + "primitive": "mac" + } + ] + }, { "family": "ChaCha", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variants": [ + "variant": [ { "pattern": "ChaCha20-{AES|other}", "primitive": "stream-cipher" @@ -192,7 +288,7 @@ "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variants": [ + "variant": [ { "pattern": "Poly1305", "primitive": "mac" 
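Review bot: KMAC and CMAC each end up with two canonical spellings after this commit: the new `KMAC` family in the `@@ -168,19 +240,43 @@` hunk uses `KMAC-(128|256)` while the SHA-3 family uses `KMAC(128|256)`, and the new `CMAC` family uses `CMAC-{cipher_algorithm}-{length}` while the AES family gains `AES-{128|192|256}-(GMAC|CMAC)` in the `@@ -147,6 +204,21 @@` hunk. Two patterns for one algorithm mean the same implementation can be recorded under different names, which undermines matching inventory entries against policy. Keep one spelling per algorithm and have the other family refer to it. The `KMAC` family cites only `SP800-108r1`; the publication that defines KMAC itself may be the more appropriate first reference, which is worth confirming.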
@@ -200,23 +296,43 @@ ] }, { - "family": "ChaCha20-Poly1305", + "family": "ChaCha20", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variants": [ + "variant": [ + { + "pattern": "ChaCha20", + "primitive": "stream-cipher" + }, { "pattern": "ChaCha20-Poly1305", "primitive": "ae" } ] }, + { + "family": "Salsa20", + "standard": [ + {"name": "The Salsa20 Family of Stream Ciphers", "url": "https://doi.org/10.1007/978-3-540-68351-3_8"} + ], + "variant": [ + { + "pattern": "Salsa20", + "primitive": "stream-cipher" + }, + { + "pattern": "Salsa20-Poly1305", + "primitive": "ae" + } + ] + }, { "family": "MD5", "standard": [ {"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"} ], - "variants": [ + "variant": [ { "pattern": "MD5", "primitive": "hash" @@ -236,7 +352,7 @@ "standard": [ {"name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", "url": "https://dl.acm.org/doi/book/10.5555/572932"} ], - "variants": [ + "variant": [ { "pattern": "RC4-{length}", "primitive": "stream-cipher" @@ -249,7 +365,7 @@ {"name": "RFC1851", "url": "https://doi.org/10.17487/RFC1851"}, {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} ], - "variants": [ + "variant": [ { "pattern": "3DES-{length}-{mode}", "primitive": "block-cipher" @@ -262,7 +378,7 @@ {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}, {"name": "ANSI INCITS 92-1981", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} ], - "variants": [ + "variant": [ { "pattern": "DES-{length}-{mode}", "primitive": "block-cipher" @@ -274,7 +390,7 @@ "standard": [ {"name": "A Proposal for a New Block Encryption Standard", "url": "https://doi.org/10.1007%2F3-540-46877-3_35"} ], - "variants": [ + "variant": [ { "pattern": "IDEA-{mode}", "primitive": "block-cipher" 
@@ -286,7 +402,7 @@ "standard": [ {"name": "RFC2268", "url": "https://doi.org/10.17487/RFC2268"} ], - "variants": [ + "variant": [ { "pattern": "RC2-{length}-{mode}", "primitive": "block-cipher" @@ -298,7 +414,7 @@ "standard": [ {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"} ], - "variants": [ + "variant": [ { "pattern": "ML-DSA-(44|65|87)", "primitive": "signature" @@ -310,7 +426,7 @@ "standard": [ {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"} ], - "variants": [ + "variant": [ { "pattern": "HashML-DSA-(44|65|87)-(hash)", "primitive": "signature" 
@@ -322,12 +438,274 @@ "standard": [ {"name": "FIPS 205", "url": "https://doi.org/10.6028/NIST.FIPS.205"} ], - "variants": [ + "variant": [ { "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-", "primitive": "signature" } ] + }, + { + "family": "XMSS", + "standard": [ + {"name": "SP800-208", "url": "https://doi.org/10.6028/NIST.SP.800-208"}, + {"name": "RFC8391", "url": "https://doi.org/10.17487/RFC8391"} + ], + "variant": [ + { + "pattern": "XMSS-(SHA2|SHAKE)_(h)_(nbits)", + "primitive": "signature" + }, + { + "pattern": "XMSSMT-(SHA2|SHAKE)_(h)/(d)_(nbits)", + "primitive": "signature" + }, + { + "pattern": "WOTSP-(SHA2|SHAKE)_(nbits)", + "primitive": "signature" + } + ] + }, + { + "family": "LMS", + "standard": [ + {"name": "SP800-208", "url": "https://doi.org/10.6028/NIST.SP.800-208"}, + {"name": "RFC8554", "url": "https://doi.org/10.17487/RFC8554"} + ], + "variant": [ + { + "pattern": "LMS_(hashfun)_M(bytespernode)_H(treeheight)", + "primitive": "signature" + }, + { + "pattern": "LMOTS_(hashfun)_N(bytespernode)_H(treeheight)", + "primitive": "signature" + } + ] + }, + { + "family": "ML-KEM", + "standard": [ + {"name": "FIPS 203", "url": "https://doi.org/10.6028/NIST.FIPS.203"} + ], + "variant": [ + { + "pattern": "ML-KEM-(512|768|1024)", + "primitive": "kem" + } + ] + }, + { + "family": "IKE-PRF", + "standard": [ + {"name": "RFC2409", "url": "https://doi.org/10.17487/RFC2409"}, + {"name": "RFC5996", "url": "https://doi.org/10.17487/RFC5996"} + ], + "variant": [ + { + "pattern": "IKE_PRF_DERIVE", + "primitive": "key-agree" + }, + { + "pattern": "IKE1_(PRF|Extended)_DERIVE", + "primitive": "key-agree" + }, + { + "pattern": "IKE2_PRF_PLUS_DERIVE", + "primitive": "key-agree" + } + ] + }, + { + "family": "GOST", + "variant": [ + { + "standard": [ + {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOSTR3410", + "primitive": "signature" + }, + { + "standard": [ + {"name": "RFC4357", "url": 
"https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOSTR3411", + "primitive": "hash" + }, + { + "standard": [ + {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOSTR3411_HMAC", + "primitive": "mac" + }, + { + "standard": [ + {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOST38147-(mode)-(padding)", + "primitive": "block-cipher" + }, + { + "standard": [ + {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOST38147_MAC", + "primitive": "mac" + } + ] + }, + { + "family": "SEED", + "standard": [ + {"name": "RFC4269", "url": "https://doi.org/10.17487/RFC4269"}, + {"name": "RFC5669", "url": "https://doi.org/10.17487/RFC5669"} + ], + "variant": [ + { + "pattern": "SEED-128-(mode)-(padding)", + "primitive": "block-cipher" + }, + { + "pattern": "SEED-128-(mode)-(padding)-HMAC-(hash)-length", + "primitive": "ae" + }, + { + "pattern": "SEED-128-(CCM|GCM)", + "primitive": "ae" + } + ] + }, + { + "family": "ARIA", + "standard": [ + {"name": "RFC5794", "url": "https://doi.org/10.17487/RFC5794"} + ], + "variant": [ + { + "pattern": "ARIA-(128|192|256)-(mode)-(padding)", + "primitive": "block-cipher" + }, + { + "pattern": "ARIA-(128|192|256)-(authmode)-(padding)", + "primitive": "ae" + } + ] + }, + { + "family": "CAMELLIA", + "standard": [ + {"name": "RFC3713", "url": "https://doi.org/10.17487/RFC3713"} + ], + "variant": [ + { + "pattern": "CAMELLIA-(128|192|256)-(mode)-(padding)", + "primitive": "block-cipher" + }, + { + "pattern": "CAMELLIA-(128|192|256)-(authmode)-(padding)", + "primitive": "ae" + } + ] + }, + { + "family": "Twofish", + "standard": [ + {"name": "Twofish: A 128-Bit Block Cipher", "url": "https://www.schneier.com/academic/twofish/"} + ], + "variant": [ + { + "pattern": "Twofish-(128|192|256)-(mode)-(padding)", + "primitive": "block-cipher" + } + ] + }, + { + "family": "Blowfish", + "standard": [ + {"name": "Description of a new variable-length key, 64-bit 
block cipher (Blowfish)", "url": "https://doi.org/10.1007/3-540-58108-1_24"} + ], + "variant": [ + { + "pattern": "Blowfish-(keylength)-(mode)-(padding)", + "primitive": "block-cipher" + } + ] + }, + { + "family": "SP800-108", + "standard": [ + {"name": "SP800-108", "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"} + ], + "variant": [ + { + "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF)-(prf-function)-(dkmlength)", + "primitive": "key-derive" + } + ] + }, + { + "family": "PKCS12-PBEA", + "variant": [ + { + "pattern": "SHA1-PBE-(2|3)K-3DES-CBC", + "primitive": "block-cipher" + }, + { + "pattern": "SHA1-PBA-SHA1-HMAC", + "primitive": "mac" + } + ] + }, + { + "family": "PKCS5-PBE", + "variant": [ + { + "pattern": "SHA1-PBE-DES(2|3)-EDE-CBC", + "primitive": "block-cipher" + }, + { + "pattern": "SHA1-PBA-SHA1-HMAC", + "primitive": "mac" + }, + { + "pattern": "(hash)-PBE-(block_cipher)", + "primitive": "block-cipher" + }, + { + "pattern": "PBKDF2", + "primitive": "key-derive" + } + ] + }, + { + "family": "BLAKE2b", + "standard": [ + {"name": "RFC7693", "url": "https://doi.org/10.17487/RFC7693"} + ], + "variant": [ + { + "pattern": "BLAKE2b-(160|256|384|512)", + "primitive": "hash" + }, + { + "pattern": "BLAKE2b-(160|256|384|512)-HMAC", + "primitive": "mac" + } + ] + }, + { + "family": "X3DH", + "standard": [ + {"name": "The X3DH Key Agreement Protocol", "url": "https://signal.org/docs/specifications/x3dh/"} + ], + "variant": [ + { + "pattern": "X3DH-(hash)", + "primitive": "key-agree" + } + ] } ] } diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index 7c6aeedb..4964b6a1 100644 --- a/schema/cryptography-defs.schema.json +++ b/schema/cryptography-defs.schema.json 
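Review bot: The new SP800-108 and PKCS5-PBE (`PBKDF2`) variants label key derivation as `"primitive": "key-derive"`, and the IKE-PRF `*_DERIVE` variants use `"key-agree"`, while the HKDF entry in this file (visible as context later in the series) uses `"kdf"`. The schema types `primitive` as a free-form string, so none of these spellings is rejected, and a consumer that filters the registry by primitive will silently miss entries. I would settle on one token, e.g. `"primitive": "kdf"` for the SP800-108 and PBKDF2 variants, and confirm whether the IKE PRF derivations are really meant to be classified as key agreement. The PKCS12-PBEA and PKCS5-PBE families also carry no `standard` reference, unlike the other families added in this hunk.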
@@ -58,17 +58,57 @@ } }, "variant": { - "type": "string", - "title": "Variant", - "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties." - }, - "primitive": { - "type": "string", - "title": "Primitive", - "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)." + "type": "array", + "title": "Variants", + "description": "Defines algorithm variants by a naming pattern and the corrsponding cryptographic primitive.", + "additionalItems": false, + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "pattern": { + "type": "string", + "title": "Standard Name", + "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties." + }, + "primitive": { + "type": "string", + "title": "Primitive", + "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm variant.", + "additionalItems": false, + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." + } + }, + "required": ["name", "url"] + } + }, + "required": ["pattern", "primitive"] + } } }, - "required": ["family", "variant", "primitive"] + "required": ["family", "variant"] } } }, 
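Review bot: The `variant` item schema and its `pattern` property were copied from the standard-reference block and still carry `"title": "Standard Reference"`, `"description": "Reference to a standard, including its name and URL."` and `"title": "Standard Name"`. They should read something like `"title": "Variant"` and `"title": "Pattern"`, so that generated documentation does not mislabel them. `"additionalItems": false` has no effect in either place, because under draft-07 it applies only when `items` is an array of schemas. `primitive` remains an unconstrained `"type": "string"`; an `enum` of the accepted primitive tokens would let validation catch misspelled or divergent values in the registry.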
From b05ba4d095ebd711e5a8f45ab3cc7d2c5bd91b10 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Wed, 14 May 2025 12:55:00 +0200 Subject: [PATCH 06/54] Add missing closing bracket Signed-off-by: Basil Hess --- schema/cryptography-defs.schema.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index 4964b6a1..d6f7b623 100644 --- a/schema/cryptography-defs.schema.json +++ b/schema/cryptography-defs.schema.json @@ -103,6 +103,7 @@ }, "required": ["name", "url"] } + } }, "required": ["pattern", "primitive"] } From cb07283b902969247f064ec700b7af84f7cd53b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Thu, 22 May 2025 15:38:35 +0200 Subject: [PATCH 07/54] add python script to generate algorithm families MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Nicklas Körtge --- tools/algorithmFamiliyGeneration.py | 32 +++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 tools/algorithmFamiliyGeneration.py diff --git a/tools/algorithmFamiliyGeneration.py b/tools/algorithmFamiliyGeneration.py new file mode 100644 index 00000000..10ed7e4b --- /dev/null +++ b/tools/algorithmFamiliyGeneration.py 
@@ -0,0 +1,32 @@ +import json + +# Step 1: Load JSON data safely using context managers +with open("cryptography-defs.json", "r", encoding="utf-8") as defs_file: + defs_data = json.load(defs_file) + +with open("bom-1.7.schema.json", "r", encoding="utf-8") as schema_file: + schema_data = json.load(schema_file) + +# Step 2: Extract unique algorithm families and sort them +families = sorted({algo['family'] for algo in defs_data.get('algorithms', [])}) + +# Step 3: Update the schema with the extracted families +try: + algorithm_properties = ( + schema_data['definitions']['cryptoProperties']['properties']['algorithmProperties']['properties'] + ) +except KeyError as e: + raise KeyError(f"Schema path missing: {e}") + +algorithm_properties['algorithmFamily'] = { + "type": "object", + "title": "Algorithm Family", + "description": "The algorithm family for the given algorithm.", + "enum": families, +} + +# Step 4: Write the updated schema back to the file +with open("bom-1.7.schema.json", "w", encoding="utf-8") as update_file: + json.dump(schema_data, update_file, indent=2, ensure_ascii=False) + +print("Schema updated successfully.") \ No newline at end of file From fb68b2514db248cf4bb9a2bc1da20ba63e6bed42 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 5 Jun 2025 14:23:54 +0200 Subject: [PATCH 08/54] Review algorithm list, the following rules for the patterns apply: {placeholder} -> required parameter with placeholder (option1|option2) -> required parameter with fixed alternatives [parameter] -> optional parameter [-{placeholder}] -> optional paremeter with literal separator Signed-off-by: Basil Hess --- schema/cryptography-defs.json | 104 ++++++++++++++++++++-------------- 1 file changed, 60 insertions(+), 44 deletions(-) diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index c2e6cd4a..dcb6d0ac 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json 
@@ -10,7 +10,7 @@ ], "variant": [ { - "pattern": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", + "pattern": "RSA-PKCS1-1.5[-{digestAlgorithm}][-{keyLength}]", "primitive": "signature" } ] @@ -23,7 +23,7 @@ ], "variant": [ { - "pattern": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", + "pattern": "RSA-PSS[-{digestAlgorithm}][-{saltLength}][-{keyLength}]", "primitive": "signature" } ] @@ -35,7 +35,7 @@ ], "variant": [ { - "pattern": "RSA-PKCS1-1.5-{keyLength}", + "pattern": "RSA-PKCS1-1.5[-{keyLength}]", "primitive": "pke" } ] @@ -47,7 +47,7 @@ ], "variant": [ { - "pattern": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", + "pattern": "RSA-OAEP[-{hashAlgorithm}][-{maskGenAlgorithm}][-{keyLength}]", "primitive": "pke" } ] @@ -59,7 +59,7 @@ ], "variant": [ { - "pattern": "Ed{25519|448}{|ph|ctx}", + "pattern": "Ed(25519|448)[-(ph|ctx)]", "primitive": "signature" } ] @@ -72,7 +72,7 @@ ], "variant": [ { - "pattern": "ECDSA-{curve}-{hash}", + "pattern": "ECDSA[-{ellipticCurve}][-{hash}]", "primitive": "signature" } ] @@ -84,7 +84,7 @@ ], "variant": [ { - "pattern": "DSA-{length}-{hash}", + "pattern": "DSA[-{length}][-{hash}]", "primitive": "signature" } ] @@ -98,7 +98,7 @@ ], "variant": [ { - "pattern": "ECDH{E}-{curve}", + "pattern": "ECDH[E][-{ellipticCurve}]", "primitive": "key-agree" } ] @@ -111,7 +111,7 @@ ], "variant": [ { - "pattern": "FFDH{E}-{named_group}", + "pattern": "FFDH(E)[-{namedGroup}]", "primitive": "key-agree" } ] @@ -135,7 +135,7 @@ ], "variant": [ { - "pattern": "SHA-{224|256|384|512|512/224|512/256}", + "pattern": "SHA-(224|256|384|512|512/224|512/256)", "primitive": "hash" } ] @@ -194,7 +194,7 @@ ], "variant": [ { - "pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|64|128)|OFB|CTR|XTS|CTS)-(padding)-(ivlen)", + "pattern": "AES[-(128|192|256)][-(ECB|CBC|CFB(1|8|64|128)|OFB|CTR|XTS|CTS)][-{padding}][-{ivlen}]", "primitive": "block-cipher" }, { 
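Review bot: In the FFDH hunk the new pattern `FFDH(E)[-{namedGroup}]` makes the ephemeral marker mandatory, since the commit message defines `(…)` as a required parameter; plain `FFDH` no longer matches, whereas the ECDH hunk uses `ECDH[E]` for the same idea. If the `E` is meant to be optional, write `"pattern": "FFDH[E][-{namedGroup}]"`. The notation is described only in the commit message, and the schema's `pattern` description still says placeholders are defined by `{}`. Documenting `{name}`, `(a|b)` and `[...]` there would help tools that parse these strings.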
@@ -202,22 +202,22 @@ {"name": "SP800-38D", "url": "https://doi.org/10.6028/NIST.SP.800-38D"}, {"name": "RFC 3610", "url": "https://doi.org/10.17487/RFC5116"} ], - "pattern": "AES-{128|192|256}-(GCM|CCM)-(taglen)-(ivlen)", + "pattern": "AES[-(128|192|256)][-(GCM|CCM)][-{tagLength}][-{ivLength}]", "primitive": "ae" }, { "standard": [ {"name": "RFC5649", "url": "https://doi.org/10.17487/RFC5649"} ], - "pattern": "AES-{128|192|256}-Wrap-(PAD|KWP|PKCS7)", + "pattern": "AES[-(128|192|256)]-Wrap[-(PAD|KWP|PKCS7)]", "primitive": "key-wrap" }, { - "pattern": "AES-{128|192|256}-(GMAC|CMAC)", + "pattern": "AES[-(128|192|256)][-(GMAC|CMAC)]", "primitive": "mac" }, { - "pattern": "AES-{128|192|256}-(XCBC_MAC(_96))", + "pattern": "AES[-(128|192|256)][-(XCBC_MAC[_96])]", "primitive": "mac" } ] @@ -229,7 +229,7 @@ ], "variant": [ { - "pattern": "HKDF-{hash}", + "pattern": "HKDF[-{hashFunction}]", "primitive": "kdf" } ] @@ -242,7 +242,7 @@ ], "variant": [ { - "pattern": "HMAC-{hash}-{length}", + "pattern": "HMAC[-{hashFunction}][-{tagLength}]", "primitive": "mac" } ] @@ -254,7 +254,7 @@ ], "variant": [ { - "pattern": "CMAC-{cipher_algorithm}-{length}", + "pattern": "CMAC[-{cipherAlgorithm}][-{length}]", "primitive": "mac" } ] @@ -266,7 +266,7 @@ ], "variant": [ { - "pattern": "KMAC-(128|256)", + "pattern": "KMAC[-(128|256)]", "primitive": "mac" } ] @@ -278,7 +278,7 @@ ], "variant": [ { - "pattern": "ChaCha20-{AES|other}", + "pattern": "ChaCha20[-(AES|{otherBlockCipher})]", "primitive": "stream-cipher" } ] @@ -354,7 +354,7 @@ ], "variant": [ { - "pattern": "RC4-{length}", + "pattern": "RC4[-{keyLength}]", "primitive": "stream-cipher" } ] @@ -367,7 +367,7 @@ ], "variant": [ { - "pattern": "3DES-{length}-{mode}", + "pattern": "3DES[-{keyLength}][-{mode}]", "primitive": "block-cipher" } ] @@ -380,7 +380,7 @@ ], "variant": [ { - "pattern": "DES-{length}-{mode}", + "pattern": "DES[-{keyLength}][-{mode}]", "primitive": "block-cipher" } ] 
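Review bot: Making every segment optional in the AES variants means the bare name `AES` now matches the `block-cipher`, `ae` and `mac` patterns alike (`AES[-(128|192|256)][-(GCM|CCM)]…`, `AES[-(128|192|256)][-(GMAC|CMAC)]`), so a tool that classifies an inventory entry by pattern cannot tell which primitive is meant. The key-wrap variant in the same hunk keeps its distinguishing literal `-Wrap` required, and the mode segment could be treated the same way, e.g. `"AES[-(128|192|256)]-(GCM|CCM)[-{tagLength}][-{ivLength}]"` and `"AES[-(128|192|256)]-(GMAC|CMAC)"`. Two adjacent optional segments with the same separator, such as `[-{tagLength}][-{ivLength}]`, are also ambiguous when only one value is present. The first AES variant (previous hunk) uses `{ivlen}` where this one uses `{ivLength}`.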
@@ -392,7 +392,7 @@ ], "variant": [ { - "pattern": "IDEA-{mode}", + "pattern": "IDEA[-{mode}]", "primitive": "block-cipher" } ] @@ -404,7 +404,7 @@ ], "variant": [ { - "pattern": "RC2-{length}-{mode}", + "pattern": "RC2[-{keyLength}][-{mode}]", "primitive": "block-cipher" } ] @@ -428,7 +428,7 @@ ], "variant": [ { - "pattern": "HashML-DSA-(44|65|87)-(hash)", + "pattern": "HashML-DSA-(44|65|87)[-{hashFunction}]", "primitive": "signature" } ] @@ -440,7 +440,7 @@ ], "variant": [ { - "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-", + "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)", "primitive": "signature" } ] @@ -453,15 +453,15 @@ ], "variant": [ { - "pattern": "XMSS-(SHA2|SHAKE)_(h)_(nbits)", + "pattern": "XMSS-(SHA2|SHAKE)[_{h}][_{nbits}]", "primitive": "signature" }, { - "pattern": "XMSSMT-(SHA2|SHAKE)_(h)/(d)_(nbits)", + "pattern": "XMSSMT-(SHA2|SHAKE)[_{h}/{d}][_{nbits}]", "primitive": "signature" }, { - "pattern": "WOTSP-(SHA2|SHAKE)_(nbits)", + "pattern": "WOTSP-(SHA2|SHAKE)[_{nbits}]", "primitive": "signature" } ] @@ -474,11 +474,11 @@ ], "variant": [ { - "pattern": "LMS_(hashfun)_M(bytespernode)_H(treeheight)", + "pattern": "LMS[_{hashFunction}[_M{bytesPerNode}][_H{treeHeight}]", "primitive": "signature" }, { - "pattern": "LMOTS_(hashfun)_N(bytespernode)_H(treeheight)", + "pattern": "LMOTS[_{hashfun}][_N{bytespernode}][_H{treeheight}]", "primitive": "signature" } ] @@ -544,7 +544,7 @@ "standard": [ {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} ], - "pattern": "GOST38147-(mode)-(padding)", + "pattern": "GOST38147[-{mode}][-{padding}]", "primitive": "block-cipher" }, { @@ -564,11 +564,11 @@ ], "variant": [ { - "pattern": "SEED-128-(mode)-(padding)", + "pattern": "SEED-128[-{mode}][-{padding}]", "primitive": "block-cipher" }, { - "pattern": "SEED-128-(mode)-(padding)-HMAC-(hash)-length", + "pattern": "SEED-128[-{mode}][-{padding}]-HMAC[-{hashFunction}][-{tagLength}]", "primitive": "ae" }, { 
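Review bot: The LMOTS line keeps lower-case placeholder names, `LMOTS[_{hashfun}][_N{bytespernode}][_H{treeheight}]`, while the LMS line directly above it is converted to `{hashFunction}`, `{bytesPerNode}` and `{treeHeight}`. The same parameter should have one name across the registry, i.e. `"pattern": "LMOTS[_{hashFunction}][_N{bytesPerNode}][_H{treeHeight}]"`. The XMSS variants in the preceding hunk likewise keep the terse `{h}`, `{d}` and `{nbits}`. Tools that bind placeholder names to BOM properties would otherwise need per-family aliases.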
@@ -584,11 +584,11 @@ ], "variant": [ { - "pattern": "ARIA-(128|192|256)-(mode)-(padding)", + "pattern": "ARIA-(128|192|256)[-{mode}][-{padding}]", "primitive": "block-cipher" }, { - "pattern": "ARIA-(128|192|256)-(authmode)-(padding)", + "pattern": "ARIA-(128|192|256)[-{authmode}][-{padding}]", "primitive": "ae" } ] @@ -600,11 +600,11 @@ ], "variant": [ { - "pattern": "CAMELLIA-(128|192|256)-(mode)-(padding)", + "pattern": "CAMELLIA-(128|192|256)[-{mode}][-{padding}]", "primitive": "block-cipher" }, { - "pattern": "CAMELLIA-(128|192|256)-(authmode)-(padding)", + "pattern": "CAMELLIA-(128|192|256)[-{authmode}][-{padding}]", "primitive": "ae" } ] @@ -616,7 +616,7 @@ ], "variant": [ { - "pattern": "Twofish-(128|192|256)-(mode)-(padding)", + "pattern": "Twofish-(128|192|256)[-{mode}][-{padding}]", "primitive": "block-cipher" } ] @@ -628,7 +628,7 @@ ], "variant": [ { - "pattern": "Blowfish-(keylength)-(mode)-(padding)", + "pattern": "Blowfish[-{keyLength}][-{mode}][-{padding}]", "primitive": "block-cipher" } ] @@ -640,7 +640,7 @@ ], "variant": [ { - "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF)-(prf-function)-(dkmlength)", + "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF)[-{prfFunction}][-{dkmLength}]", "primitive": "key-derive" } ] @@ -670,7 +670,7 @@ "primitive": "mac" }, { - "pattern": "(hash)-PBE-(block_cipher)", + "pattern": "{hashFunction}-PBE-{blockCipher}", "primitive": "block-cipher" }, { @@ -702,10 +702,26 @@ ], "variant": [ { - "pattern": "X3DH-(hash)", + "pattern": "X3DH[-{hashFunction}]", "primitive": "key-agree" } ] + }, + { + "family": "BLS", + "standard": [ + {"name": "Short Signatures from the Weil Pairing", "url": "https://dx.doi.org/10.1007/3-540-45682-1_30"} + ], + "variant": [ + { + "pattern": "BLS(13-381|13-377|BN254)", + "primitive": "signature" + }, + { + "pattern": "BLS[-{ellipticCurve}]", + "primitive": "signature" + } + ] } ] } From 193c4d8f6824f592307473c8a4c170a8e67bbb4c Mon Sep 17 00:00:00 2001 
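Review bot: In the new BLS family the alternatives in `BLS(13-381|13-377|BN254)` look like typos: the curves are listed later in this series as `BLS12-381` and `BLS12-377`, and as written the pattern yields names such as `BLS13-381`. Presumably `"pattern": "BLS(12-381|12-377|BN254)"` was intended, although `BLSBN254` with no separator also looks unintended and should be confirmed. The ARIA and CAMELLIA hunks in this group keep `{authmode}` in lower case while the other placeholders were moved to camelCase.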
From: Basil Hess Date: Thu, 5 Jun 2025 15:14:58 +0200 Subject: [PATCH 09/54] fix LMS pattern Signed-off-by: Basil Hess --- schema/cryptography-defs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index dcb6d0ac..c374c09f 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -474,7 +474,7 @@ ], "variant": [ { - "pattern": "LMS[_{hashFunction}[_M{bytesPerNode}][_H{treeHeight}]", + "pattern": "LMS[_{hashFunction}][_M{bytesPerNode}][_H{treeHeight}]", "primitive": "signature" }, { From c8734da2fe8ae04bb9fd8f9f052661fe1840c770 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Thu, 12 Jun 2025 08:34:28 +0200 Subject: [PATCH 10/54] fix json syntax error --- schema/cryptography-defs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index c2e6cd4a..9fac1aba 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -143,7 +143,7 @@ { "family": "SHA-3", "standard": [ - {"name": "FIPS202", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"} + {"name": "FIPS202", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"}, {"name": "SP800-185", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"} ], "variant": [ From f504252a7f12eb66d7a84e204897942bd1e7502c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Thu, 12 Jun 2025 08:34:52 +0200 Subject: [PATCH 11/54] update python script to generate algorithm falimiles in the cryptography-defs.schema.json --- schema/cryptography-defs.schema.json | 79 ++++++++++++++++++++++++++-- tools/algorithmFamiliyGeneration.py | 18 +++---- 2 files changed, 82 insertions(+), 15 deletions(-) diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index d6f7b623..d6a28466 100644 --- a/schema/cryptography-defs.schema.json 
+++ b/schema/cryptography-defs.schema.json @@ -54,7 +54,10 @@ "description": "A URL pointing to the standard's official documentation." } }, - "required": ["name", "url"] + "required": [ + "name", + "url" + ] } }, "variant": { @@ -101,17 +104,83 @@ "description": "A URL pointing to the standard's official documentation." } }, - "required": ["name", "url"] + "required": [ + "name", + "url" + ] } } }, - "required": ["pattern", "primitive"] + "required": [ + "pattern", + "primitive" + ] } } }, - "required": ["family", "variant"] + "required": [ + "family", + "variant" + ] } + }, + "algorithmFamilies": { + "type": "string", + "title": "Algorithm Families", + "description": "An enum for the The algorithm families.", + "enum": [ + "3DES", + "AES", + "ARIA", + "BLAKE2b", + "Blowfish", + "CAMELLIA", + "CMAC", + "ChaCha", + "ChaCha20", + "DES", + "DSA", + "ECDH", + "ECDSA", + "EdDSA", + "FFDH", + "GOST", + "HKDF", + "HMAC", + "HashML-DSA", + "HashSLH-DSA", + "IDEA", + "IKE-PRF", + "KMAC", + "LMS", + "MD4", + "MD5", + "ML-DSA", + "ML-KEM", + "PKCS12-PBEA", + "PKCS5-PBE", + "Poly1305", + "RC2", + "RC4", + "RSAES-OAEP", + "RSAES-PKCS1", + "RSASSA-PKCS1", + "RSASSA-PSS", + "SEED", + "SHA-1", + "SHA-2", + "SHA-3", + "SP800-108", + "Salsa20", + "Twofish", + "X3DH", + "XMSS" + ] } }, - "required": ["lastUpdated", "algorithms"] + "required": [ + "lastUpdated", + "algorithms", + "algorithmFamilies" + ] } \ No newline at end of file diff --git a/tools/algorithmFamiliyGeneration.py b/tools/algorithmFamiliyGeneration.py index 10ed7e4b..09b6b1cb 100644 --- a/tools/algorithmFamiliyGeneration.py +++ b/tools/algorithmFamiliyGeneration.py 
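Review bot: The generated `algorithmFamilies` enum does not contain `BLS`, although a `BLS` family is added to cryptography-defs.json earlier in this series; that patch and the one preceding this appear to start from the same base blob, `c2e6cd4a`, so the enum was likely generated from a tree without it. Once bom-1.7.schema.json references this enum, a BOM naming a family that is in the registry but missing from the enum fails validation. Since the list is derived data committed by hand, a CI step that reruns the generator and fails on a diff would keep the two in step. Adding `algorithmFamilies` to the top-level `required` list also demands a string-valued `algorithmFamilies` key in the data file itself, which none of the visible cryptography-defs.json hunks add; the enum reads more like a shared definition than a document property.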
@@ -1,10 +1,10 @@ import json # Step 1: Load JSON data safely using context managers -with open("cryptography-defs.json", "r", encoding="utf-8") as defs_file: +with open("../schema/cryptography-defs.json", "r", encoding="utf-8") as defs_file: defs_data = json.load(defs_file) -with open("bom-1.7.schema.json", "r", encoding="utf-8") as schema_file: +with open("../schema/cryptography-defs.schema.json", "r", encoding="utf-8") as schema_file: schema_data = json.load(schema_file) # Step 2: Extract unique algorithm families and sort them @@ -12,21 +12,19 @@ # Step 3: Update the schema with the extracted families try: - algorithm_properties = ( - schema_data['definitions']['cryptoProperties']['properties']['algorithmProperties']['properties'] - ) + schema_properties = schema_data['properties'] except KeyError as e: raise KeyError(f"Schema path missing: {e}") -algorithm_properties['algorithmFamily'] = { - "type": "object", - "title": "Algorithm Family", - "description": "The algorithm family for the given algorithm.", +schema_data['properties']['algorithmFamilies'] = { + "type": "string", + "title": "Algorithm Families", + "description": "An enum for the The algorithm families.", "enum": families, } # Step 4: Write the updated schema back to the file -with open("bom-1.7.schema.json", "w", encoding="utf-8") as update_file: +with open("../schema/cryptography-defs.schema.json", "w", encoding="utf-8") as update_file: json.dump(schema_data, update_file, indent=2, ensure_ascii=False) print("Schema updated successfully.") \ No newline at end of file From 599be387acd1b1c1490e979200ad9644192a1ba6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Thu, 12 Jun 2025 08:48:32 +0200 Subject: [PATCH 12/54] refine a script, add $comment to schema for the date of the last update --- schema/cryptography-defs.schema.json | 3 ++- tools/algorithmFamiliyGeneration.py | 30 --------------------- tools/algorithmFamilyGeneration.py | 39 ++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+), 31 deletions(-) delete mode 100644 tools/algorithmFamiliyGeneration.py create mode 100644 tools/algorithmFamilyGeneration.py diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index d6a28466..06cb9cf4 100644 --- a/schema/cryptography-defs.schema.json +++ b/schema/cryptography-defs.schema.json @@ -1,6 +1,7 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json", + "$comment": "2025-06-12T08:47:23.114985", "title": "Cryptographic Algorithm Family Definitions", "description": "Enumerates cryptographic algorithm families and their specific metadata.", "type": "object", @@ -127,7 +128,7 @@ "algorithmFamilies": { "type": "string", "title": "Algorithm Families", - "description": "An enum for the The algorithm families.", + "description": "An enum for the algorithm families.", "enum": [ "3DES", "AES", diff --git a/tools/algorithmFamiliyGeneration.py b/tools/algorithmFamiliyGeneration.py deleted file mode 100644 index 09b6b1cb..00000000 --- a/tools/algorithmFamiliyGeneration.py +++ /dev/null 
@@ -1,30 +0,0 @@
-import json
-
-# Step 1: Load JSON data safely using context managers
-with open("../schema/cryptography-defs.json", "r", encoding="utf-8") as defs_file:
- defs_data = json.load(defs_file)
-
-with open("../schema/cryptography-defs.schema.json", "r", encoding="utf-8") as schema_file:
- schema_data = json.load(schema_file)
-
-# Step 2: Extract unique algorithm families and sort them
-families = sorted({algo['family'] for algo in defs_data.get('algorithms', [])})
-
-# Step 3: Update the schema with the extracted families
-try:
- schema_properties = schema_data['properties']
-except KeyError as e:
- raise KeyError(f"Schema path missing: {e}")
-
-schema_data['properties']['algorithmFamilies'] = {
- "type": "string",
- "title": "Algorithm Families",
- "description": "An enum for the The algorithm families.",
- "enum": families,
-}
-
-# Step 4: Write the updated schema back to the file
-with open("../schema/cryptography-defs.schema.json", "w", encoding="utf-8") as update_file:
- json.dump(schema_data, update_file, indent=2, ensure_ascii=False)
-
-print("Schema updated successfully.")
\ No newline at end of file
diff --git a/tools/algorithmFamilyGeneration.py b/tools/algorithmFamilyGeneration.py
new file mode 100644
index 00000000..eb285c76
--- /dev/null
+++ b/tools/algorithmFamilyGeneration.py
@@ -0,0 +1,39 @@
+import json
+from datetime import datetime
+from pathlib import Path
+from typing import Dict, List, Any
+
+# Step 1: Load JSON data safely using context managers
+SCHEMA_DIR = Path(__file__).parent.parent / "schema"
+DEFS_FILE = SCHEMA_DIR / "cryptography-defs.json"
+SCHEMA_FILE = SCHEMA_DIR / "cryptography-defs.schema.json"
+
+with DEFS_FILE.open("r", encoding="utf-8") as defs_file:
+ defs_data: Dict[str, List[Dict[str, Any]]] = json.load(defs_file)
+
+with SCHEMA_FILE.open("r", encoding="utf-8") as schema_file:
+ schema_data: Dict[str, Any] = json.load(schema_file)
+
+# Step 2: Extract unique algorithm families and sort them
+families: List[str] = sorted({algo['family'] for algo in defs_data.get('algorithms', [])})
+
+# Step 3: Update the schema with the extracted families
+try:
+ schema_properties = schema_data['properties']
+except KeyError as e:
+ raise KeyError(f"Required schema property 'properties' missing: {e}")
+
+schema_data['$comment'] = datetime.now().isoformat()
+
+schema_data['properties']['algorithmFamilies'] = {
+ "type": "string",
+ "title": "Algorithm Families",
+ "description": "An enum for the algorithm families.",
+ "enum": families,
+}
+
+# Step 4: Write the updated schema back to the file
+with SCHEMA_FILE.open("w", encoding="utf-8") as update_file:
+ json.dump(schema_data, update_file, indent=2, ensure_ascii=False)
+
+print("Schema updated successfully.")
From 4cc3d6fc767033689022cbf9cd669b674fb50cd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?=
Date: Thu, 12 Jun 2025 09:08:06 +0200
Subject: [PATCH 13/54] add algorithm family to cyclondx schema
---
schema/bom-1.7.schema.json | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 3ab604b5..5ad37bcd 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
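Review bot: `schema_data['$comment'] = datetime.now().isoformat()` writes a naive local timestamp with no UTC offset, unlike the `Z`-suffixed `lastUpdated` in the data file, and it changes the schema on every run, so the generator's output can never be compared byte-for-byte against the committed file to detect a stale enum. I would update `$comment` only when the family list actually changed, and make it UTC with `datetime.now(timezone.utc).isoformat()` and `from datetime import datetime, timezone`. `schema_properties` is assigned only to probe for the key and is never used afterwards. `algo['family']` raises a bare `KeyError` on an entry without a family, where a message naming the offending entry would be easier to act on. The script also lacks a module docstring stating that it rewrites cryptography-defs.schema.json in place.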
@@ -5114,6 +5114,12 @@ "unknown": "The primitive is not known." } }, + "algorithmFamily": { + "$ref": "cryptography-defs.schema.json#/properties/algorithmFamilies", + "title": "Algorithm Family", + "description": "A valid algorithm family identifier. If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the cryptography-defs.schema.json subschema.", + "examples": ["3DES", "Blowfish", "ECDH"] + }, "parameterSetIdentifier": { "type": "string", "title": "Parameter Set Identifier", From 2481f1afd48f062101b3339ce5d18b61f38a2a08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Thu, 12 Jun 2025 09:09:25 +0200 Subject: [PATCH 14/54] add new protocol typs --- schema/bom-1.7.schema.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 5ad37bcd..32da4917 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5532,6 +5532,8 @@ "ike", "sstp", "wpa", + "dtls", + "quic", "other", "unknown" ], From b1a254b161460eb13052567a11c5fd3f3dc9cb67 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sun, 29 Jun 2025 21:50:47 -0500 Subject: [PATCH 15/54] Added EC and moved algorithmFamilies to definitions. Signed-off-by: Steve Springett --- schema/bom-1.7.schema.json | 10 +- schema/cryptography-defs.json | 2316 +++++++++++++++++++++++++- schema/cryptography-defs.schema.json | 381 ++++- 3 files changed, 2695 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 32da4917..e8dc1ee6 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
@@ -5115,7 +5115,7 @@ } }, "algorithmFamily": { - "$ref": "cryptography-defs.schema.json#/properties/algorithmFamilies", + "$ref": "cryptography-defs.schema.json#/definitions/algorithmFamiliesEnum", "title": "Algorithm Family", "description": "A valid algorithm family identifier. If specified, this value must be one of the enumeration of valid algorithm Family identifiers defined in the cryptography-defs.schema.json subschema.", "examples": ["3DES", "Blowfish", "ECDH"] @@ -5128,7 +5128,13 @@ "curve": { "type": "string", "title": "Elliptic Curve", - "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)." + "description": "[Deprecated] The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves).", + "deprecated": true + }, + "ellipticCurve": { + "$ref": "cryptography-defs.schema.json#/definitions/ellipticCurvesEnum", + "title": "Elliptic Curve", + "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity." }, "executionEnvironment": { "type": "string", diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index c5b942c9..1742baad 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json 
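Review bot: After the second hunk, `curve` (free-form, now deprecated) and `ellipticCurve` (enum-backed) can both be present on the same algorithm and nothing requires them to agree, so two tools reading different fields may report different curves for one component. The `ellipticCurve` description should state which field wins, e.g. by appending `If both curve and ellipticCurve are present, ellipticCurve takes precedence.`, or the enclosing object could forbid the combination. `"deprecated": true` is only an annotation, so validators will not warn on it; the `[Deprecated]` prefix in the description is what users will actually see. The enclosing properties object starts and ends outside the hunk.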
@@ -344,8 +344,12 @@
 "standard": [
 {"name": "RFC1320", "url": "https://doi.org/10.17487/RFC1320"}
 ],
- "pattern": "MD4",
- "primitive": "hash"
+ "variant": [
+ {
+ "pattern": "MD4",
+ "primitive": "hash"
+ }
+ ]
 },
 {
 "family": "RC4",
@@ -723,5 +727,2313 @@ } ] } + ], + "ellipticCurves": [ + { + "name": "anssi", + "description": "Agence nationale de la s\u00e9curit\u00e9 des syst\u00e8mes d'information: Publication d'un param\u00e9trage de courbe elliptique visant des applications de passeport \u00e9lectronique et de l'administration \u00e9lectronique fran\u00e7aise. 21 November 2011", + "curves": [ + { + "name": "FRP256v1", + "description": null, + "oid": "1.2.250.1.223.101.256.1", + "form": "Weierstrass" + } + ] + }, + { + "name": "bls", + "description": "BLS curves. A family of pairing friendly curves, with embedding degree = 12 or 24.", + "curves": [ + { + "name": "BLS12-377", + "description": "Curve from Zexe paper: https://eprint.iacr.org/2018/962, params taken from: https://eips.ethereum.org/EIPS/eip-2539 where they are explicitly listed.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS12-381", + "description": "Curve from https://electriccoin.co/blog/new-snark-curve/. As used in ZCash.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS12-446", + "description": "Curve from https://github.com/relic-toolkit/relic.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS12-455", + "description": "Curve from https://github.com/relic-toolkit/relic.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS12-638", + "description": "Curve from https://github.com/relic-toolkit/relic. Also in https://eprint.iacr.org/2012/232.pdf.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BLS24-477", + "description": "Curve from https://github.com/relic-toolkit/relic. 
Also in https://eprint.iacr.org/2012/232.pdf.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Bandersnatch", + "description": "Curve from https://ethresear.ch/t/introducing-bandersnatch-a-fast-elliptic-curve-built-over-the-bls12-381-scalar-field/9957", + "oid": null, + "form": "TwistedEdwards" + } + ] + }, + { + "name": "bn", + "description": "BN (Barreto, Naehrig curves) from: A Family of Implementation-Friendly BN Elliptic Curves - .", + "curves": [ + { + "name": "bn158", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn190", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn222", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn254", + "description": null, + "oid": null, + "form": "Weierstrass", + "aliases": [ + { + "category": "other", + "name": "Fp254BNb" + } + ] + }, + { + "name": "bn286", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn318", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn350", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn382", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn414", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn446", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn478", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn510", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn542", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn574", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn606", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "bn638", + "description": null, + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + 
"name": "brainpool", + "description": "ECC Brainpool Standard Curves and Curve Generation v. 1.0 19.10.2005", + "curves": [ + { + "name": "brainpoolP160r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.1", + "form": "Weierstrass" + }, + { + "name": "brainpoolP160t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.2", + "form": "Weierstrass" + }, + { + "name": "brainpoolP192r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.3", + "form": "Weierstrass" + }, + { + "name": "brainpoolP192t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.4", + "form": "Weierstrass" + }, + { + "name": "brainpoolP224r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.5", + "form": "Weierstrass" + }, + { + "name": "brainpoolP224t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.6", + "form": "Weierstrass" + }, + { + "name": "brainpoolP256r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.7", + "form": "Weierstrass" + }, + { + "name": "brainpoolP256t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.8", + "form": "Weierstrass" + }, + { + "name": "brainpoolP320r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.9", + "form": "Weierstrass" + }, + { + "name": "brainpoolP320t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.10", + "form": "Weierstrass" + }, + { + "name": "brainpoolP384r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.11", + "form": "Weierstrass" + }, + { + "name": "brainpoolP384t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.12", + "form": "Weierstrass" + }, + { + "name": "brainpoolP512r1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.13", + "form": "Weierstrass" + }, + { + "name": "brainpoolP512t1", + "description": null, + "oid": "1.3.36.3.3.2.8.1.1.14", + "form": "Weierstrass" + } + ] + }, + { + "name": "gost", + "description": "GOST R 34.10-2001: RFC5832, GOST R 34.10-2012: RFC7836", + "curves": [ + { + "name": "gost256", + "description": "RFC5832", + "oid": null, + "form": "Weierstrass" + }, + 
{ + "name": "gost512", + "description": "RFC5832", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-GostR3410-2001-CryptoPro-A-ParamSet", + "description": "RFC4357", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-GostR3410-2001-CryptoPro-B-ParamSet", + "description": "RFC4357", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-GostR3410-2001-CryptoPro-C-ParamSet", + "description": "RFC4357", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-tc26-gost-3410-12-512-paramSetA", + "description": "RFC7836", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-tc26-gost-3410-12-512-paramSetB", + "description": "RFC7836", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "id-tc26-gost-3410-2012-256-paramSetA", + "description": "RFC5832", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "id-tc26-gost-3410-2012-512-paramSetC", + "description": "RFC5832", + "oid": null, + "form": "TwistedEdwards" + } + ] + }, + { + "name": "mnt", + "description": "MNT (Miyaji, Nakabayashi, and Takano curves) example curves from: New explicit conditions of elliptic curve traces for FR-reduction - https://dspace.jaist.ac.jp/dspace/bitstream/10119/4432/1/73-48.pdf.", + "curves": [ + { + "name": "mnt1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt2/1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt2/2", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt3/1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt3/2", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt3/3", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt4", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt5/1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt5/2", + 
"description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "mnt5/3", + "description": null, + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "nist", + "description": "RECOMMENDED ELLIPTIC CURVES FOR FEDERAL GOVERNMENT USE July 1999", + "curves": [ + { + "name": "B-163", + "description": null, + "oid": "1.3.132.0.15", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163r2" + }, + { + "category": "x963", + "name": "ansit163r2" + } + ] + }, + { + "name": "B-233", + "description": null, + "oid": "1.3.132.0.27", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233r1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls11" + }, + { + "category": "x963", + "name": "ansit233r1" + } + ] + }, + { + "name": "B-283", + "description": null, + "oid": "1.3.132.0.17", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect283r1" + }, + { + "category": "x963", + "name": "ansit283r1" + } + ] + }, + { + "name": "B-409", + "description": null, + "oid": "1.3.132.0.37", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect409r1" + }, + { + "category": "x963", + "name": "ansit409r1" + } + ] + }, + { + "name": "B-571", + "description": null, + "oid": "1.3.132.0.39", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect571r1" + }, + { + "category": "x963", + "name": "ansit571r1" + } + ] + }, + { + "name": "K-163", + "description": "Koblitz curve.", + "oid": "1.3.132.0.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163k1" + }, + { + "category": "x963", + "name": "ansit163k1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls3" + } + ] + }, + { + "name": "K-233", + "description": "Koblitz curve.", + "oid": "1.3.132.0.26", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233k1" + }, + { + "category": "wtls", + "name": 
"wap-wsg-idm-ecid-wtls10" + }, + { + "category": "x963", + "name": "ansit233k1" + } + ] + }, + { + "name": "K-283", + "description": "Koblitz curve.", + "oid": "1.3.132.0.16", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect283k1" + }, + { + "category": "x963", + "name": "ansit283k1" + } + ] + }, + { + "name": "K-409", + "description": "Koblitz curve.", + "oid": "1.3.132.0.36", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect409k1" + }, + { + "category": "x963", + "name": "ansit409k1" + } + ] + }, + { + "name": "K-571", + "description": "Koblitz curve.", + "oid": "1.3.132.0.38", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect571k1" + }, + { + "category": "x963", + "name": "ansit571k1" + } + ] + }, + { + "name": "P-192", + "description": null, + "oid": "1.2.840.10045.3.1.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp192r1" + }, + { + "category": "x962", + "name": "prime192v1" + } + ] + }, + { + "name": "P-224", + "description": null, + "oid": "1.3.132.0.33", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp224r1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls12" + }, + { + "category": "x963", + "name": "ansip224r1" + } + ] + }, + { + "name": "P-256", + "description": null, + "oid": "1.2.840.10045.3.1.7", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp256r1" + }, + { + "category": "x962", + "name": "prime256v1" + } + ] + }, + { + "name": "P-384", + "description": null, + "oid": "1.3.132.0.34", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp384r1" + }, + { + "category": "x963", + "name": "ansip384r1" + } + ] + }, + { + "name": "P-521", + "description": null, + "oid": "1.3.132.0.35", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp521r1" + }, + { + "category": "x963", + "name": 
"ansip521r1" + } + ] + } + ] + }, + { + "name": "nums", + "description": "Microsoft Nothing Up My Sleeve (NUMS) curves from: and ", + "curves": [ + { + "name": "ed-254-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-255-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-256-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-382-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-383-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-384-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-510-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-511-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "ed-512-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. 
No generator present.", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "numsp256d1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "numsp256t1", + "description": null, + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "numsp384d1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "numsp384t1", + "description": null, + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "numsp512d1", + "description": null, + "oid": null, + "form": "Weierstrass" + }, + { + "name": "numsp512t1", + "description": null, + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "w-254-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-255-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-256-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-382-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-383-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-384-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-510-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-511-mers", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. 
No generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "w-512-mont", + "description": "Curve from https://eprint.iacr.org/2014/130.pdf. No generator present.", + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "oakley", + "description": "Oakley groups from and ", + "curves": [ + { + "name": "192-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "224-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "256-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "384-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "521-bit Random ECP Group", + "description": "Defined in IETF in RFC5114", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Oakley Group 3", + "description": "Defined in IETF in RFC2409, no generator present.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Oakley Group 4", + "description": "Defined in IETF in RFC2409, no generator present.", + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "oscaa", + "description": "http://gmssl.org/english.html", + "curves": [ + { + "name": "SM2", + "description": null, + "oid": "1.2.156.10197.1.301", + "form": "Weierstrass" + } + ] + }, + { + "name": "other", + "description": "An assortment of some other curves.", + "curves": [ + { + "name": "BADA55-R-256", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VPR-224", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VPR2-224", + "description": "BADA55 curve from the 
https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VR-224", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VR-256", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "BADA55-VR-384", + "description": "BADA55 curve from the https://bada55.cr.yp.to/bada55-20150927.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Curve1174", + "description": "Curve from https://eprint.iacr.org/2013/325.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Curve22103", + "description": "Curve from https://github.com/relic-toolkit/relic", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Curve25519", + "description": "Curve from https://cr.yp.to/ecdh.html", + "oid": null, + "form": "Montgomery" + }, + { + "name": "Curve383187", + "description": null, + "oid": null, + "form": "Montgomery" + }, + { + "name": "Curve41417", + "description": "Curve from https://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "Curve4417", + "description": "Curve from https://github.com/relic-toolkit/relic", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Curve448", + "description": "Curve from https://datatracker.ietf.org/doc/html/rfc7748", + "oid": null, + "form": "Montgomery" + }, + { + "name": "Curve67254", + "description": "Curve from https://github.com/relic-toolkit/relic", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "E-222", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Edwards" + }, + { + "name": "E-382", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Edwards" + }, + { + "name": "E-521", + "description": "Curve from 
https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Edwards" + }, + { + "name": "Ed25519", + "description": "Curve from https://ed25519.cr.yp.to", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "Ed448", + "description": "Curve from https://datatracker.ietf.org/doc/html/draft-ietf-lwig-curve-representations-23", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "Ed448-Goldilocks", + "description": "Curve from https://eprint.iacr.org/2015/625.pdf", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "FourQ", + "description": "Curve used in https://eprint.iacr.org/2015/565.pdf", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "Fp224BN", + "description": "Curve described in https://www.iso.org/standard/80241.html", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp254BNa", + "description": "Curve used in: https://eprint.iacr.org/2010/354.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp254BNb", + "description": "Curve used in https://www.iacr.org/archive/eurocrypt2011/66320047/66320047.pdf", + "oid": null, + "form": "Weierstrass", + "aliases": [ + { + "category": "bn", + "name": "bn254" + } + ] + }, + { + "name": "Fp254n2BNa", + "description": "Curve used in: https://eprint.iacr.org/2010/354.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp256BN", + "description": "Curve described in https://www.iso.org/standard/80241.html", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp384BN", + "description": "Curve described in https://www.iso.org/standard/80241.html", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Fp512BN", + "description": "Curve described in https://www.iso.org/standard/80241.html", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "JubJub", + "description": "JubJub curve from .", + "oid": null, + "form": "TwistedEdwards" + }, + { + "name": "M-221", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + 
"oid": null, + "form": "Montgomery" + }, + { + "name": "M-383", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Montgomery" + }, + { + "name": "M-511", + "description": "Curve from https://eprint.iacr.org/2013/647.pdf", + "oid": null, + "form": "Montgomery" + }, + { + "name": "MDC201601", + "description": "The Million Dollar Curve", + "oid": null, + "form": "Edwards" + }, + { + "name": "Pallas", + "description": "Pallas curve from the [Pasta curves](https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/).", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tom-256", + "description": "Tom-256 curve from https://eprint.iacr.org/2021/1183.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tom-384", + "description": "Tom-384 curve from https://eprint.iacr.org/2021/1183.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tom-521", + "description": "Tom-521 curve from https://eprint.iacr.org/2021/1183.pdf", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tweedledee", + "description": "Tweedledee pairing friendly curve from .", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Tweedledum", + "description": "Tweedledum pairing friendly curve from .", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "Vesta", + "description": "Vesta curve from the [Pasta curves](https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/).", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-160", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-192", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. 
Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-224", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-256", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-288", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-320", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-384", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + }, + { + "name": "ssc-512", + "description": "A prime order curve from MIRACL: https://github.com/miracl/MIRACL/blob/master/docs/miracl-explained/miracl-standard-curves.md. Has no generator specified.", + "oid": null, + "form": "Weierstrass" + } + ] + }, + { + "name": "secg", + "description": "SEC 2: Recommended Elliptic Curve Domain Parameters version 2.0 January 27, 2010", + "curves": [ + { + "name": "secp112r1", + "description": "A randomly generated curve. 
[SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.6", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls6" + } + ] + }, + { + "name": "secp112r2", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.7", + "form": "Weierstrass" + }, + { + "name": "secp128r1", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.28", + "form": "Weierstrass" + }, + { + "name": "secp128r2", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.29", + "form": "Weierstrass" + }, + { + "name": "secp160k1", + "description": "A Koblitz curve.", + "oid": "1.3.132.0.9", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip160k1" + } + ] + }, + { + "name": "secp160r1", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.8", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls7" + }, + { + "category": "x963", + "name": "ansip160r1" + } + ] + }, + { + "name": "secp160r2", + "description": "A randomly generated curve. 
[SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.30", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip160r2" + } + ] + }, + { + "name": "secp192k1", + "description": "A Koblitz curve.", + "oid": "1.3.132.0.31", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip192k1" + } + ] + }, + { + "name": "secp192r1", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.2.840.10045.3.1.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-192" + }, + { + "category": "x962", + "name": "prime192v1" + } + ] + }, + { + "name": "secp224k1", + "description": "A Koblitz curve.", + "oid": "1.3.132.0.32", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip224k1" + } + ] + }, + { + "name": "secp224r1", + "description": "A randomly generated curve. [SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.3.132.0.33", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-224" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls12" + }, + { + "category": "x963", + "name": "ansip224r1" + } + ] + }, + { + "name": "secp256k1", + "description": "A Koblitz curve.", + "oid": "1.3.132.0.10", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansip256k1" + } + ] + }, + { + "name": "secp256r1", + "description": "A randomly generated curve. 
[SEC2v1](https://www.secg.org/SEC2-Ver-1.0.pdf) states 'E was chosen verifiably at random as specified in ANSI X9.62 [1] from the seed'.", + "oid": "1.2.840.10045.3.1.7", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-256" + }, + { + "category": "x962", + "name": "prime256v1" + } + ] + }, + { + "name": "secp384r1", + "description": null, + "oid": "1.3.132.0.34", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-384" + }, + { + "category": "x963", + "name": "ansip384r1" + } + ] + }, + { + "name": "secp521r1", + "description": null, + "oid": "1.3.132.0.35", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "P-521" + }, + { + "category": "x963", + "name": "ansip521r1" + } + ] + }, + { + "name": "sect113r1", + "description": null, + "oid": "1.3.132.0.4", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls4" + } + ] + }, + { + "name": "sect113r2", + "description": null, + "oid": "1.3.132.0.5", + "form": "Weierstrass" + }, + { + "name": "sect131r1", + "description": null, + "oid": "1.3.132.0.22", + "form": "Weierstrass" + }, + { + "name": "sect131r2", + "description": null, + "oid": "1.3.132.0.23", + "form": "Weierstrass" + }, + { + "name": "sect163k1", + "description": null, + "oid": "1.3.132.0.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-163" + }, + { + "category": "x963", + "name": "ansit163k1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls3" + } + ] + }, + { + "name": "sect163r1", + "description": "A randomly generated curve, using the SECG/X9.62 method. 'However for historical reasons the method used to generate E from S differs slightly from the method described in ANSI X9.62 [X9.62]. 
Specifically the coefficient b produced from S is the reverse of the coefficient that would have been produced by the method described in ANSI X9.62.'", + "oid": "1.3.132.0.2", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansit163r1" + } + ] + }, + { + "name": "sect163r2", + "description": "A randomly generated curve. 'E was selected from S as specified in ANSI X9.62 [X9.62] in normal basis representation and converted into polynomial basis representation.'", + "oid": "1.3.132.0.15", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-163" + }, + { + "category": "x963", + "name": "ansit163r2" + } + ] + }, + { + "name": "sect193r1", + "description": null, + "oid": "1.3.132.0.24", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansit193r1" + } + ] + }, + { + "name": "sect193r2", + "description": null, + "oid": "1.3.132.0.25", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansit193r2" + } + ] + }, + { + "name": "sect233k1", + "description": null, + "oid": "1.3.132.0.26", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-233" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls10" + }, + { + "category": "x963", + "name": "ansit233k1" + } + ] + }, + { + "name": "sect233r1", + "description": null, + "oid": "1.3.132.0.27", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-233" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls11" + }, + { + "category": "x963", + "name": "ansit233r1" + } + ] + }, + { + "name": "sect239k1", + "description": null, + "oid": "1.3.132.0.3", + "form": "Weierstrass", + "aliases": [ + { + "category": "x963", + "name": "ansit239k1" + } + ] + }, + { + "name": "sect283k1", + "description": null, + "oid": "1.3.132.0.16", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-283" + }, + { + "category": "x963", + "name": 
"ansit283k1" + } + ] + }, + { + "name": "sect283r1", + "description": null, + "oid": "1.3.132.0.17", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-283" + }, + { + "category": "x963", + "name": "ansit283r1" + } + ] + }, + { + "name": "sect409k1", + "description": null, + "oid": "1.3.132.0.36", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-409" + }, + { + "category": "x963", + "name": "ansit409k1" + } + ] + }, + { + "name": "sect409r1", + "description": null, + "oid": "1.3.132.0.37", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-409" + }, + { + "category": "x963", + "name": "ansit409r1" + } + ] + }, + { + "name": "sect571k1", + "description": null, + "oid": "1.3.132.0.38", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-571" + }, + { + "category": "x963", + "name": "ansit571k1" + } + ] + }, + { + "name": "sect571r1", + "description": null, + "oid": "1.3.132.0.39", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-571" + }, + { + "category": "x963", + "name": "ansit571r1" + } + ] + } + ] + }, + { + "name": "wtls", + "description": "Wireless Application Protocol - Wireless Transport Layer Security (WAP-WTLS) curves: ", + "curves": [ + { + "name": "wap-wsg-idm-ecid-wtls1", + "description": null, + "oid": "2.23.43.1.4.1", + "form": "Weierstrass" + }, + { + "name": "wap-wsg-idm-ecid-wtls10", + "description": null, + "oid": "2.23.43.1.4.10", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233k1" + }, + { + "category": "nist", + "name": "K-233" + }, + { + "category": "x963", + "name": "ansit233k1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls11", + "description": null, + "oid": "2.23.43.1.4.11", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233r1" + }, + { + "category": "nist", + "name": "B-233" + }, + { + "category": "x963", + "name": 
"ansit233r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls12", + "description": null, + "oid": "2.23.43.1.4.12", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp224r1" + }, + { + "category": "nist", + "name": "P-224" + }, + { + "category": "x963", + "name": "ansip224r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls3", + "description": null, + "oid": "2.23.43.1.4.3", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-163" + }, + { + "category": "secg", + "name": "sect163k1" + }, + { + "category": "x963", + "name": "ansit163k1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls4", + "description": null, + "oid": "2.23.43.1.4.4", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect113r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls5", + "description": null, + "oid": "2.23.43.1.4.5", + "form": "Weierstrass", + "aliases": [ + { + "category": "x962", + "name": "c2pnb163v1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls6", + "description": null, + "oid": "2.23.43.1.4.6", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp112r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls7", + "description": null, + "oid": "2.23.43.1.4.7", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp160r1" + }, + { + "category": "x963", + "name": "ansip160r1" + } + ] + }, + { + "name": "wap-wsg-idm-ecid-wtls8", + "description": null, + "oid": "2.23.43.1.4.8", + "form": "Weierstrass" + }, + { + "name": "wap-wsg-idm-ecid-wtls9", + "description": null, + "oid": "2.23.43.1.4.9", + "form": "Weierstrass" + } + ] + }, + { + "name": "x962", + "description": "ANSI x9.62 example curves.", + "curves": [ + { + "name": "c2onb191v4", + "description": "A binary-field curve in optimal normal basis", + "oid": "1.2.840.10045.3.0.8", + "form": "Weierstrass" + }, + { + "name": "c2onb191v5", + "description": "A binary-field curve in optimal normal 
basis", + "oid": "1.2.840.10045.3.0.9", + "form": "Weierstrass" + }, + { + "name": "c2onb239v4", + "description": "A binary-field curve in optimal normal basis", + "oid": "1.2.840.10045.3.0.14", + "form": "Weierstrass" + }, + { + "name": "c2onb239v5", + "description": "A binary-field curve in optimal normal basis", + "oid": "1.2.840.10045.3.0.15", + "form": "Weierstrass" + }, + { + "name": "c2pnb163v1", + "description": null, + "oid": "1.2.840.10045.3.0.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls5" + } + ] + }, + { + "name": "c2pnb163v2", + "description": null, + "oid": "1.2.840.10045.3.0.2", + "form": "Weierstrass" + }, + { + "name": "c2pnb163v3", + "description": null, + "oid": "1.2.840.10045.3.0.3", + "form": "Weierstrass" + }, + { + "name": "c2pnb176w1", + "description": null, + "oid": "1.2.840.10045.3.0.4", + "form": "Weierstrass" + }, + { + "name": "c2pnb208w1", + "description": null, + "oid": "1.2.840.10045.3.0.10", + "form": "Weierstrass" + }, + { + "name": "c2pnb272w1", + "description": null, + "oid": "1.2.840.10045.3.0.16", + "form": "Weierstrass" + }, + { + "name": "c2pnb304w1", + "description": null, + "oid": "1.2.840.10045.3.0.17", + "form": "Weierstrass" + }, + { + "name": "c2pnb368w1", + "description": null, + "oid": "1.2.840.10045.3.0.19", + "form": "Weierstrass" + }, + { + "name": "c2tnb191v1", + "description": null, + "oid": "1.2.840.10045.3.0.5", + "form": "Weierstrass" + }, + { + "name": "c2tnb191v2", + "description": null, + "oid": "1.2.840.10045.3.0.6", + "form": "Weierstrass" + }, + { + "name": "c2tnb191v3", + "description": null, + "oid": "1.2.840.10045.3.0.7", + "form": "Weierstrass" + }, + { + "name": "c2tnb239v1", + "description": null, + "oid": "1.2.840.10045.3.0.11", + "form": "Weierstrass" + }, + { + "name": "c2tnb239v2", + "description": null, + "oid": "1.2.840.10045.3.0.12", + "form": "Weierstrass" + }, + { + "name": "c2tnb239v3", + "description": null, + "oid": 
"1.2.840.10045.3.0.13", + "form": "Weierstrass" + }, + { + "name": "c2tnb359v1", + "description": null, + "oid": "1.2.840.10045.3.0.18", + "form": "Weierstrass" + }, + { + "name": "c2tnb431r1", + "description": null, + "oid": "1.2.840.10045.3.0.20", + "form": "Weierstrass" + }, + { + "name": "prime192v1", + "description": null, + "oid": "1.2.840.10045.3.1.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp192r1" + }, + { + "category": "nist", + "name": "P-192" + } + ] + }, + { + "name": "prime192v2", + "description": null, + "oid": "1.2.840.10045.3.1.2", + "form": "Weierstrass" + }, + { + "name": "prime192v3", + "description": null, + "oid": "1.2.840.10045.3.1.3", + "form": "Weierstrass" + }, + { + "name": "prime239v1", + "description": null, + "oid": "1.2.840.10045.3.1.4", + "form": "Weierstrass" + }, + { + "name": "prime239v2", + "description": null, + "oid": "1.2.840.10045.3.1.5", + "form": "Weierstrass" + }, + { + "name": "prime239v3", + "description": null, + "oid": "1.2.840.10045.3.1.6", + "form": "Weierstrass" + }, + { + "name": "prime256v1", + "description": null, + "oid": "1.2.840.10045.3.1.7", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp256r1" + }, + { + "category": "nist", + "name": "P-256" + } + ] + } + ] + }, + { + "name": "x963", + "description": "ANSI x9.63 example curves.", + "curves": [ + { + "name": "ansip160k1", + "description": null, + "oid": "1.3.132.0.9", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp160k1" + } + ] + }, + { + "name": "ansip160r1", + "description": null, + "oid": "1.3.132.0.8", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp160r1" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls7" + } + ] + }, + { + "name": "ansip160r2", + "description": null, + "oid": "1.3.132.0.30", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp160r2" + } + ] + }, + { + 
"name": "ansip192k1", + "description": null, + "oid": "1.3.132.0.31", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp192k1" + } + ] + }, + { + "name": "ansip224k1", + "description": null, + "oid": "1.3.132.0.32", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp224k1" + } + ] + }, + { + "name": "ansip224r1", + "description": null, + "oid": "1.3.132.0.33", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls12" + }, + { + "category": "nist", + "name": "P-224" + }, + { + "category": "secg", + "name": "secp224r1" + } + ] + }, + { + "name": "ansip256k1", + "description": null, + "oid": "1.3.132.0.10", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp256k1" + } + ] + }, + { + "name": "ansip384r1", + "description": null, + "oid": "1.3.132.0.34", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp384r1" + }, + { + "category": "nist", + "name": "P-384" + } + ] + }, + { + "name": "ansip521r1", + "description": null, + "oid": "1.3.132.0.35", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "secp521r1" + }, + { + "category": "nist", + "name": "P-521" + } + ] + }, + { + "name": "ansit163k1", + "description": null, + "oid": "1.3.132.0.1", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163k1" + }, + { + "category": "nist", + "name": "k-163" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls3" + } + ] + }, + { + "name": "ansit163r1", + "description": null, + "oid": "1.3.132.0.2", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163r1" + } + ] + }, + { + "name": "ansit163r2", + "description": null, + "oid": "1.3.132.0.15", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect163r2" + }, + { + "category": "nist", + "name": "B-163" + } + ] + }, + { + "name": "ansit193r1", + 
"description": null, + "oid": "1.3.132.0.24", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect193r1" + } + ] + }, + { + "name": "ansit193r2", + "description": null, + "oid": "1.3.132.0.25", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect193r2" + } + ] + }, + { + "name": "ansit233k1", + "description": null, + "oid": "1.3.132.0.26", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect233k1" + }, + { + "category": "nist", + "name": "K-233" + }, + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls10" + } + ] + }, + { + "name": "ansit233r1", + "description": null, + "oid": "1.3.132.0.27", + "form": "Weierstrass", + "aliases": [ + { + "category": "wtls", + "name": "wap-wsg-idm-ecid-wtls11" + }, + { + "category": "nist", + "name": "B-233" + }, + { + "category": "secg", + "name": "sect233r1" + } + ] + }, + { + "name": "ansit239k1", + "description": null, + "oid": "1.3.132.0.3", + "form": "Weierstrass", + "aliases": [ + { + "category": "secg", + "name": "sect239k1" + } + ] + }, + { + "name": "ansit283k1", + "description": null, + "oid": "1.3.132.0.16", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-283" + }, + { + "category": "secg", + "name": "sect283k1" + } + ] + }, + { + "name": "ansit283r1", + "description": null, + "oid": "1.3.132.0.17", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-283" + }, + { + "category": "secg", + "name": "sect283r1" + } + ] + }, + { + "name": "ansit409k1", + "description": null, + "oid": "1.3.132.0.36", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-409" + }, + { + "category": "secg", + "name": "sect409k1" + } + ] + }, + { + "name": "ansit409r1", + "description": null, + "oid": "1.3.132.0.37", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-409" + }, + { + "category": "secg", + "name": "sect409r1" + } + ] + }, + { + 
"name": "ansit571k1", + "description": null, + "oid": "1.3.132.0.38", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "K-571" + }, + { + "category": "secg", + "name": "sect571k1" + } + ] + }, + { + "name": "ansit571r1", + "description": null, + "oid": "1.3.132.0.39", + "form": "Weierstrass", + "aliases": [ + { + "category": "nist", + "name": "B-571" + }, + { + "category": "secg", + "name": "sect571r1" + } + ] + } + ] + } ] } diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index 06cb9cf4..57704917 100644 --- a/schema/cryptography-defs.schema.json +++ b/schema/cryptography-defs.schema.json 
@@ -125,7 +125,126 @@
 ]
 }
 },
- "algorithmFamilies": {
+ "ellipticCurves": {
+ "type": "array",
+ "title": "Elliptic Curves",
+ "description": "An array of elliptic curve family definitions.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Elliptic Curve Family",
+ "description": "Defines an elliptic curve family and its metadata.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Curve Family Name",
+ "description": "The name of the elliptic curve family."
+ },
+ "description": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "title": "Description",
+ "description": "A description of the elliptic curve family."
+ },
+ "curves": {
+ "type": "array",
+ "title": "Curves",
+ "description": "List of curves in this family.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Curve",
+ "description": "Defines a specific elliptic curve and its metadata.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Curve Name",
+ "description": "The name of the elliptic curve."
+ },
+ "description": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "title": "Description",
+ "description": "A description of the elliptic curve."
+ },
+ "oid": {
+ "type": [
+ "string",
+ "null"
+ ],
+ "title": "OID",
+ "description": "The Object Identifier (OID) of the elliptic curve."
+ },
+ "form": {
+ "type": "string",
+ "title": "Form",
+ "description": "The form of the elliptic curve.",
+ "enum": [
+ "Weierstrass",
+ "Edwards",
+ "TwistedEdwards",
+ "Montgomery"
+ ]
+ },
+ "aliases": {
+ "type": "array",
+ "title": "Aliases",
+ "description": "List of aliases for this curve.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Alias",
+ "description": "An alias for the curve.",
+ "additionalProperties": false,
+ "properties": {
+ "category": {
+ "type": "string",
+ "title": "Category",
+ "description": "The category of the alias."
+ },
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name of the alias."
+ }
+ },
+ "required": [
+ "category",
+ "name"
+ ]
+ }
+ }
+ },
+ "required": [
+ "name",
+ "description",
+ "oid",
+ "form"
+ ]
+ }
+ }
+ },
+ "required": [
+ "name",
+ "description",
+ "curves"
+ ]
+ }
+ }
+ },
+ "required": [
+ "lastUpdated",
+ "algorithms",
+ "ellipticCurves"
+ ],
+ "definitions": {
+ "algorithmFamiliesEnum": {
 "type": "string",
 "title": "Algorithm Families",
 "description": "An enum for the algorithm families.",
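Review bot: The alias item schema near the end of this hunk accepts any string for `category` and `name`, so an alias that matches no defined curve still validates. The data file added by this same patch has `"name": "k-163"` under `ansit163k1`, while the other visible entries and the enum value `nist/K-163` use an upper-case `K`; a consumer that resolves aliases by exact match will not link them. Consider restricting `category` with an `enum` of the family names and adding a lint test that checks each `category/name` pair against `ellipticCurvesEnum`. `oid` is likewise unconstrained: `"pattern": "^[0-2](\\.(0|[1-9][0-9]*))+$"` would reject malformed identifiers and still allow `null`.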
@@ -177,11 +296,257 @@ "X3DH", "XMSS" ] + }, + "ellipticCurvesEnum": { + "type": "string", + "enum": [ + "anssi/FRP256v1", + "bls/BLS12-377", + "bls/BLS12-381", + "bls/BLS12-446", + "bls/BLS12-455", + "bls/BLS12-638", + "bls/BLS24-477", + "bls/Bandersnatch", + "bn/bn158", + "bn/bn190", + "bn/bn222", + "bn/bn254", + "bn/bn286", + "bn/bn318", + "bn/bn350", + "bn/bn382", + "bn/bn414", + "bn/bn446", + "bn/bn478", + "bn/bn510", + "bn/bn542", + "bn/bn574", + "bn/bn606", + "bn/bn638", + "brainpool/brainpoolP160r1", + "brainpool/brainpoolP160t1", + "brainpool/brainpoolP192r1", + "brainpool/brainpoolP192t1", + "brainpool/brainpoolP224r1", + "brainpool/brainpoolP224t1", + "brainpool/brainpoolP256r1", + "brainpool/brainpoolP256t1", + "brainpool/brainpoolP320r1", + "brainpool/brainpoolP320t1", + "brainpool/brainpoolP384r1", + "brainpool/brainpoolP384t1", + "brainpool/brainpoolP512r1", + "brainpool/brainpoolP512t1", + "gost/gost256", + "gost/gost512", + "gost/id-GostR3410-2001-CryptoPro-A-ParamSet", + "gost/id-GostR3410-2001-CryptoPro-B-ParamSet", + "gost/id-GostR3410-2001-CryptoPro-C-ParamSet", + "gost/id-tc26-gost-3410-12-512-paramSetA", + "gost/id-tc26-gost-3410-12-512-paramSetB", + "gost/id-tc26-gost-3410-2012-256-paramSetA", + "gost/id-tc26-gost-3410-2012-512-paramSetC", + "mnt/mnt1", + "mnt/mnt2/1", + "mnt/mnt2/2", + "mnt/mnt3/1", + "mnt/mnt3/2", + "mnt/mnt3/3", + "mnt/mnt4", + "mnt/mnt5/1", + "mnt/mnt5/2", + "mnt/mnt5/3", + "nist/B-163", + "nist/B-233", + "nist/B-283", + "nist/B-409", + "nist/B-571", + "nist/K-163", + "nist/K-233", + "nist/K-283", + "nist/K-409", + "nist/K-571", + "nist/P-192", + "nist/P-224", + "nist/P-256", + "nist/P-384", + "nist/P-521", + "nums/ed-254-mont", + "nums/ed-255-mers", + "nums/ed-256-mont", + "nums/ed-382-mont", + "nums/ed-383-mers", + "nums/ed-384-mont", + "nums/ed-510-mont", + "nums/ed-511-mers", + "nums/ed-512-mont", + "nums/numsp256d1", + "nums/numsp256t1", + "nums/numsp384d1", + "nums/numsp384t1", + "nums/numsp512d1", + 
"nums/numsp512t1", + "nums/w-254-mont", + "nums/w-255-mers", + "nums/w-256-mont", + "nums/w-382-mont", + "nums/w-383-mers", + "nums/w-384-mont", + "nums/w-510-mont", + "nums/w-511-mers", + "nums/w-512-mont", + "oakley/192-bit Random ECP Group", + "oakley/224-bit Random ECP Group", + "oakley/256-bit Random ECP Group", + "oakley/384-bit Random ECP Group", + "oakley/521-bit Random ECP Group", + "oakley/Oakley Group 3", + "oakley/Oakley Group 4", + "oscaa/SM2", + "other/BADA55-R-256", + "other/BADA55-VPR-224", + "other/BADA55-VPR2-224", + "other/BADA55-VR-224", + "other/BADA55-VR-256", + "other/BADA55-VR-384", + "other/Curve1174", + "other/Curve22103", + "other/Curve25519", + "other/Curve383187", + "other/Curve41417", + "other/Curve4417", + "other/Curve448", + "other/Curve67254", + "other/E-222", + "other/E-382", + "other/E-521", + "other/Ed25519", + "other/Ed448", + "other/Ed448-Goldilocks", + "other/FourQ", + "other/Fp224BN", + "other/Fp254BNa", + "other/Fp254BNb", + "other/Fp254n2BNa", + "other/Fp256BN", + "other/Fp384BN", + "other/Fp512BN", + "other/JubJub", + "other/M-221", + "other/M-383", + "other/M-511", + "other/MDC201601", + "other/Pallas", + "other/Tom-256", + "other/Tom-384", + "other/Tom-521", + "other/Tweedledee", + "other/Tweedledum", + "other/Vesta", + "other/ssc-160", + "other/ssc-192", + "other/ssc-224", + "other/ssc-256", + "other/ssc-288", + "other/ssc-320", + "other/ssc-384", + "other/ssc-512", + "secg/secp112r1", + "secg/secp112r2", + "secg/secp128r1", + "secg/secp128r2", + "secg/secp160k1", + "secg/secp160r1", + "secg/secp160r2", + "secg/secp192k1", + "secg/secp192r1", + "secg/secp224k1", + "secg/secp224r1", + "secg/secp256k1", + "secg/secp256r1", + "secg/secp384r1", + "secg/secp521r1", + "secg/sect113r1", + "secg/sect113r2", + "secg/sect131r1", + "secg/sect131r2", + "secg/sect163k1", + "secg/sect163r1", + "secg/sect163r2", + "secg/sect193r1", + "secg/sect193r2", + "secg/sect233k1", + "secg/sect233r1", + "secg/sect239k1", + "secg/sect283k1", + 
"secg/sect283r1", + "secg/sect409k1", + "secg/sect409r1", + "secg/sect571k1", + "secg/sect571r1", + "wtls/wap-wsg-idm-ecid-wtls1", + "wtls/wap-wsg-idm-ecid-wtls10", + "wtls/wap-wsg-idm-ecid-wtls11", + "wtls/wap-wsg-idm-ecid-wtls12", + "wtls/wap-wsg-idm-ecid-wtls3", + "wtls/wap-wsg-idm-ecid-wtls4", + "wtls/wap-wsg-idm-ecid-wtls5", + "wtls/wap-wsg-idm-ecid-wtls6", + "wtls/wap-wsg-idm-ecid-wtls7", + "wtls/wap-wsg-idm-ecid-wtls8", + "wtls/wap-wsg-idm-ecid-wtls9", + "x962/c2onb191v4", + "x962/c2onb191v5", + "x962/c2onb239v4", + "x962/c2onb239v5", + "x962/c2pnb163v1", + "x962/c2pnb163v2", + "x962/c2pnb163v3", + "x962/c2pnb176w1", + "x962/c2pnb208w1", + "x962/c2pnb272w1", + "x962/c2pnb304w1", + "x962/c2pnb368w1", + "x962/c2tnb191v1", + "x962/c2tnb191v2", + "x962/c2tnb191v3", + "x962/c2tnb239v1", + "x962/c2tnb239v2", + "x962/c2tnb239v3", + "x962/c2tnb359v1", + "x962/c2tnb431r1", + "x962/prime192v1", + "x962/prime192v2", + "x962/prime192v3", + "x962/prime239v1", + "x962/prime239v2", + "x962/prime239v3", + "x962/prime256v1", + "x963/ansip160k1", + "x963/ansip160r1", + "x963/ansip160r2", + "x963/ansip192k1", + "x963/ansip224k1", + "x963/ansip224r1", + "x963/ansip256k1", + "x963/ansip384r1", + "x963/ansip521r1", + "x963/ansit163k1", + "x963/ansit163r1", + "x963/ansit163r2", + "x963/ansit193r1", + "x963/ansit193r2", + "x963/ansit233k1", + "x963/ansit233r1", + "x963/ansit239k1", + "x963/ansit283k1", + "x963/ansit283r1", + "x963/ansit409k1", + "x963/ansit409r1", + "x963/ansit571k1", + "x963/ansit571r1" + ] } - }, - "required": [ - "lastUpdated", - "algorithms", - "algorithmFamilies" - ] -} \ No newline at end of file + } +} From 486f8674e27c8284e548fe8f1acec9460a8cd728 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 30 Jun 2025 20:46:00 -0500 Subject: [PATCH 16/54] Attempting to resolve unit tests 
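Review bot: `ellipticCurvesEnum` is added with only `type` and `enum`, while `algorithmFamiliesEnum` in the same `definitions` block carries a `title` and a `description`. The list includes entries such as `secg/secp112r1` and the `other/BADA55-*` names which, as far as I know, are there for identification rather than as recommended choices, so the description should state that membership says nothing about strength. Suggested additions: `"title": "Elliptic Curves"` and `"description": "Identifiers of known elliptic curves in family/name form. Inclusion is for inventory purposes and does not indicate that a curve is recommended."`.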
Signed-off-by: Steve Springett --- tools/src/test/js/json-schema-functional-tests.js | 6 ++++-- tools/src/test/js/json-schema-lint-tests.js | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/tools/src/test/js/json-schema-functional-tests.js b/tools/src/test/js/json-schema-functional-tests.js index b165e65e..81970498 100644 --- a/tools/src/test/js/json-schema-functional-tests.js +++ b/tools/src/test/js/json-schema-functional-tests.js @@ -44,9 +44,10 @@ console.debug('DEBUG | testdataDir = ', testdataDir); // region validator -const [spdxSchema, jsfSchema, bomSchema] = await Promise.all([ +const [spdxSchema, jsfSchema, cryptoDefsSchema, bomSchema] = await Promise.all([ readFile(join(schemaDir, 'spdx.schema.json'), 'utf-8').then(JSON.parse), readFile(join(schemaDir, 'jsf-0.82.schema.json'), 'utf-8').then(JSON.parse), + readFile(join(schemaDir, 'cryptography-defs.schema.json'), 'utf-8').then(JSON.parse), readFile(schemaFile, 'utf-8').then(JSON.parse) ]) @@ -57,7 +58,8 @@ const ajv = new Ajv({ addUsedSchema: false, schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, - 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema + 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema, + 'http://cyclonedx.org/schema/cryptography-defs.schema.json': cryptoDefsSchema } }); addFormats(ajv) diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index 5033ac6b..df692dae 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js 
@@ -17,9 +17,10 @@ const schemaDir = join(dirname(fileURLToPath(import.meta.url)), '..', '..', '..' // endregion config -const [spdxSchema, jsfSchema, bomSchemas] = await Promise.all([ +const [spdxSchema, jsfSchema, cryptoDefsSchema, bomSchemas] = await Promise.all([ readFile(join(schemaDir, 'spdx.schema.json'), 'utf-8').then(JSON.parse), readFile(join(schemaDir, 'jsf-0.82.schema.json'), 'utf-8').then(JSON.parse), + readFile(join(schemaDir, 'cryptography-defs.schema.json'), 'utf-8').then(JSON.parse), glob(join(schemaDir, bomSchemasGlob)).then(l => l.sort()) ]) assert.notStrictEqual(bomSchemas.length, 0) @@ -53,7 +54,8 @@ function getAjv(strict) { keywords: ["meta:enum"], schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, - 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema + 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema, + 'http://cyclonedx.org/schema/cryptography-defs.schema.json': cryptoDefsSchema } }); addFormats(ajv) From d037d71781c8747ca31c947ab74552e57e2f4791 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 30 Jun 2025 20:48:39 -0500 Subject: [PATCH 17/54] Removing unnecessary additionalItems from schema Signed-off-by: Steve Springett --- schema/cryptography-defs.schema.json | 7 ------- 1 file changed, 7 deletions(-) diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index 57704917..cc4f8795 100644 --- a/schema/cryptography-defs.schema.json +++ b/schema/cryptography-defs.schema.json @@ -20,7 +20,6 @@ "type": "array", "title": "Algorithm Families", "description": "An array of cryptographic algorithm family definitions.", - "additionalItems": false, "items": { "type": "object", "title": "Algorithm Family", @@ -36,7 +35,6 @@ "type": "array", "title": "Standards", "description": "List of standards defining or relating to the algorithm family.", - "additionalItems": false, "items": { "type": "object", "title": "Standard Reference", 
@@ -65,7 +63,6 @@
 "type": "array",
 "title": "Variants",
 "description": "Defines algorithm variants by a naming pattern and the corrsponding cryptographic primitive.",
- "additionalItems": false,
 "items": {
 "type": "object",
 "title": "Standard Reference",
@@ -86,7 +83,6 @@
 "type": "array",
 "title": "Standards",
 "description": "List of standards defining or relating to the algorithm variant.",
- "additionalItems": false,
 "items": {
 "type": "object",
 "title": "Standard Reference",
@@ -129,7 +125,6 @@
 "type": "array",
 "title": "Elliptic Curves",
 "description": "An array of elliptic curve family definitions.",
- "additionalItems": false,
 "items": {
 "type": "object",
 "title": "Elliptic Curve Family",
@@ -153,7 +148,6 @@
 "type": "array",
 "title": "Curves",
 "description": "List of curves in this family.",
- "additionalItems": false,
 "items": {
 "type": "object",
 "title": "Curve",
@@ -196,7 +190,6 @@
 "type": "array",
 "title": "Aliases",
 "description": "List of aliases for this curve.",
- "additionalItems": false,
 "items": {
 "type": "object",
 "title": "Alias",
From 9eeaa26ad360d7f23c584ad4395f73dba80d8834 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 30 Jun 2025 20:50:44 -0500 Subject: [PATCH 18/54] changed iri to iri-reference Signed-off-by: Steve Springett
---
 schema/cryptography-defs.schema.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json
index cc4f8795..aba29a5d 100644
--- a/schema/cryptography-defs.schema.json
+++ b/schema/cryptography-defs.schema.json
@@ -48,7 +48,7 @@
 },
 "url": {
 "type": "string",
- "format": "iri",
+ "format": "iri-reference",
 "title": "Standard URL",
 "description": "A URL pointing to the standard's official documentation."
 }
@@ -96,7 +96,7 @@
 },
 "url": {
 "type": "string",
- "format": "iri",
+ "format": "iri-reference",
 "title": "Standard URL",
 "description": "A URL pointing to the standard's official documentation."
 }
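Review bot: Changing `url` from `"format": "iri"` to `"format": "iri-reference"`, here and in the `@@ -96,7 +96,7 @@` hunk, loosens validation: a relative reference or a string with no scheme now passes, although the description still promises a URL to the standard's official documentation. Tools that render these values as links would then have to check the scheme themselves. If the switch was only needed to satisfy the test validator, which is a guess from the surrounding commits, the intent can be kept by adding `"pattern": "^https://"` next to the format. The entries shown at the top of the data file all use `https://`, so that pattern should not reject existing data, though the rest of the file would need checking.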
From 83494704365df9f334175025c14190794f320905 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Mon, 30 Jun 2025 20:58:20 -0500 Subject: [PATCH 19/54] Moved generator. Added missing BLS Signed-off-by: Steve Springett --- schema/cryptography-defs.schema.json | 5 +++-- tools/{ => src/main/python}/algorithmFamilyGeneration.py | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) rename tools/{ => src/main/python}/algorithmFamilyGeneration.py (91%) diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index aba29a5d..fb5696f1 100644 --- a/schema/cryptography-defs.schema.json +++ b/schema/cryptography-defs.schema.json @@ -1,7 +1,7 @@ { "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json", - "$comment": "2025-06-12T08:47:23.114985", + "$comment": "2025-06-30T20:56:28.764708", "title": "Cryptographic Algorithm Family Definitions", "description": "Enumerates cryptographic algorithm families and their specific metadata.", "type": "object", @@ -246,6 +246,7 @@ "AES", "ARIA", "BLAKE2b", + "BLS", "Blowfish", "CAMELLIA", "CMAC", @@ -542,4 +543,4 @@ ] } } -} +} \ No newline at end of file diff --git a/tools/algorithmFamilyGeneration.py b/tools/src/main/python/algorithmFamilyGeneration.py similarity index 91% rename from tools/algorithmFamilyGeneration.py rename to tools/src/main/python/algorithmFamilyGeneration.py index eb285c76..3d1f314b 100644 --- a/tools/algorithmFamilyGeneration.py +++ b/tools/src/main/python/algorithmFamilyGeneration.py @@ -4,7 +4,7 @@ from typing import Dict, List, Any # Step 1: Load JSON data safely using context managers -SCHEMA_DIR = Path(__file__).parent.parent / "schema" +SCHEMA_DIR = Path(__file__).parent.parent / "../../../schema" DEFS_FILE = SCHEMA_DIR / "cryptography-defs.json" SCHEMA_FILE = SCHEMA_DIR / "cryptography-defs.schema.json" 
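Review bot: `SCHEMA_DIR` now combines `.parent.parent` with a literal `"../../../schema"`, which leaves `..` segments in the resulting path and makes the number of levels hard to verify after the move to `tools/src/main/python/`. Counting from the new location, the repository root is four directories above the script's folder, so `SCHEMA_DIR = Path(__file__).resolve().parents[4] / "schema"` expresses the same target in one step and yields a normalised path. A short comment naming the expected layout, such as `# repo root = tools/src/main/python/../../../..`, would make the next relocation easier to get right.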
@@ -25,7 +25,7 @@ schema_data['$comment'] = datetime.now().isoformat() -schema_data['properties']['algorithmFamilies'] = { +schema_data['definitions']['algorithmFamiliesEnum'] = { "type": "string", "title": "Algorithm Families", "description": "An enum for the algorithm families.", From 35ba915b6bd252e592af8f5a2ef021cf718237ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Tue, 1 Jul 2025 10:53:44 +0200 Subject: [PATCH 20/54] add lost changes to the spec MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Nicklas Körtge --- schema/bom-1.7.schema.json | 391 +++++++++++++++++++++++++++++++++++-- 1 file changed, 379 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index e8dc1ee6..e6942a71 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5342,6 +5342,11 @@ "description": "Properties for cryptographic assets of asset type 'certificate'", "additionalProperties": false, "properties": { + "serialNumber": { + "type": "string", + "title": "Serial Number", + "description": "The serial number is a unique identifier for the certificate issued by a CA." + }, "subjectName": { "type": "string", "title": "Subject Name", @@ -5365,11 +5370,13 @@ "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" }, "signatureAlgorithmRef": { + "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", "description": "The bom-ref to signature algorithm used by the certificate" }, "subjectPublicKeyRef": { + "deprecated": true, "$ref": "#/definitions/refType", "title": "Key reference", "description": "The bom-ref to the public key of the subject" @@ -5386,6 +5393,7 @@ ] }, "certificateExtension": { + "deprecated": true, "type": "string", "title": "Certificate File Extension", "description": "The file extension of the certificate", 
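Review bot: The description of the new `serialNumber` does not say how the value is encoded, and certificate serial numbers are commonly printed both in hexadecimal and in decimal. Two tools recording the same certificate could then emit different strings, which breaks matching between BOMs or against revocation data. The serial is also unique only within one issuer, so the wording "unique identifier for the certificate" overstates it. Something like `"description": "The serial number assigned by the issuing CA, unique only within that issuer, written as <canonical form chosen by the maintainers>."` would pin both points; the `properties` object continues outside the hunk.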
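Review bot: `signatureAlgorithmRef` and `subjectPublicKeyRef` in the `@@ -5365,11 +5370,13 @@` hunk, and `certificateExtension` in the `@@ -5386,6 +5393,7 @@` hunk, are marked `"deprecated": true` without their descriptions naming a replacement. For `certificateExtension` the successor `certificateFileExtension` is added in the following hunk, so its description could read `"[Deprecated] Use certificateFileExtension instead. The file extension of the certificate"`. The replacements for the two reference fields are not visible in these hunks and should be named in the same way, so producers know where to move the data.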
@@ -5396,6 +5404,205 @@ "der", "p12" ] + }, + "certificateFileExtension": { + "type": "string", + "title": "Certificate File Extension", + "description": "The file extension of the certificate.", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Certificate Fingerprint", + "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." + }, + "certificateState": { + "type": "array", + "title": "Certificate Lifecycle State", + "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages", + "items": { + "type": "object", + "title": "State", + "description": "The state of the certificate.", + "oneOf": [ + { + "title": "Pre-Defined State", + "required": [ + "state" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "A pre-defined state in the certificate lifecycle.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "revoked", + "destroyed" + ], + "meta:enum": { + "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", + "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", + "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", + "suspended": "The use of a certifacte may be suspended for several possible reasons.", + "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", 
+ "destroyed": "The certificate has been destroyed." + } + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + }, + { + "title": "Custom State", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "The name of the certificate lifecycle state." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the certificate lifecycle state." + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + } + ] + } + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the certificate was created or pre-activated." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the certificate was activated." + }, + "deactivationDate": { + "type": "string", + "format": "date-time", + "title": "Deactivation Date", + "description": "The date and time (timestamp) when the related certificate was deactiviated." + }, + "revocationDate": { + "type": "string", + "format": "date-time", + "title": "Revokation Date", + "description": "The date and time (timestamp) when the certificate was revoked." + }, + "destructionDate": { + "type": "string", + "format": "date-time", + "title": "Destruction Date", + "description": "The date and time (timestamp) when the certificate was destroyed." 
+ }, + "certificateExtensions": { + "type": "array", + "title": "Certificate Extensions", + "description": "", + "items": { + "type": "object", + "title": "Extension", + "description": "", + "oneOf": [ + { + "title": "Common Extensions", + "required": [ + "name", + "value" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "name", + "description": "The name of the extention.", + "enum": [ + "basicConstraints", + "keyUsage", + "extendedKeyUsage", + "subjectAlternativeName", + "authorityKeyIdentifier", + "subjectKeyIdentifier", + "authorityInformationAccess", + "certificatePolicies", + "crlDistributionPoints", + "signedCertificateTimestamp" + ], + "meta:enum": { + "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", + "keyUsage": "Specifies the allowed uses of the public key in the certificate.", + "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", + "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", + "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", + "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", + "authorityInformationAccess": "Contains CA issuers and OCSP information.", + "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", + "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", + "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." + } + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the certificate extension." 
+ } + } + }, + { + "title": "Custom Extensions", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name for the custom certificate extension." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The description of the custom certificate extension." + } + } + } + ] + } + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." } } }, @@ -5471,6 +5678,7 @@ ] }, "algorithmRef": { + "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", "description": "The bom-ref to the algorithm used to generate the related cryptographic material." @@ -5518,6 +5726,17 @@ "$ref": "#/definitions/securedBy", "title": "Secured By", "description": "The mechanism by which the cryptographic asset is secured by." + }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Fingerprint", + "description": "The fingerprint is a cryptographic hash of the asset." + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component." } } }, 
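Review bot: The `Custom State` branch of `certificateState.items.oneOf` requires `name`, but its `properties` define only `state`, `description` and `reason` under `additionalProperties: false`, so no object can satisfy it and any state outside the pre-defined enum is rejected. Renaming the property to match (`"name": {` in place of `"state": {` in that branch) fixes this and keeps the two branches disjoint; making `state` required instead would let every pre-defined state match both branches and fail `oneOf`. The `certificateExtensions` branches already have that overlap: an item with an enum `name` and a `value` satisfies both `Common Extensions` and `Custom Extensions`, so it is rejected. The `fingerprint` description also says the hash excludes the signature, whereas certificate fingerprints are conventionally taken over the whole DER-encoded certificate; this is worth confirming, and `it's` should be `its`.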
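Review bot: The `fingerprint` added to related crypto material is described only as "a cryptographic hash of the asset", which does not say which bytes are hashed. That matters if this object can describe passwords or shared secrets (the `type` enum is outside the hunk): a digest of a public key encoding is harmless, but a plain digest of a low-entropy secret published in a BOM can be checked offline against guesses. I would state the input in the description, for example `"A cryptographic hash of the public encoding of the asset; do not record digests of secret values."`, or restrict the property to non-secret material types. The properties object continues outside this hunk.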
@@ -5580,41 +5799,52 @@ "additionalProperties": false, "properties": { "encr": { - "$ref": "#/definitions/cryptoRefArray", - "title": "Encryption Algorithm (ENCR)", + "type": "array", + "$ref": "#/definitions/ikeV2Enc", + "title": "Encryption Algorithms (ENCR)", "description": "Transform Type 1: encryption algorithms" }, "prf": { - "$ref": "#/definitions/cryptoRefArray", - "title": "Pseudorandom Function (PRF)", + "type": "array", + "$ref": "#/definitions/ikeV2Prf", + "title": "Pseudorandom Functions (PRF)", "description": "Transform Type 2: pseudorandom functions" }, "integ": { - "$ref": "#/definitions/cryptoRefArray", - "title": "Integrity Algorithm (INTEG)", + "type": "array", + "$ref": "#/definitions/ikeV2Integ", + "title": "Integrity Algorithms (INTEG)", "description": "Transform Type 3: integrity algorithms" }, "ke": { - "$ref": "#/definitions/cryptoRefArray", - "title": "Key Exchange Method (KE)", + "type": "array", + "$ref": "#/definitions/ikeV2Ke", + "title": "Key Exchange Methods (KE)", "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)." }, "esn": { "type": "boolean", - "title": "Extended Sequence Numbers (ESN)", + "title": "Extended Sequence Number (ESN)", "description": "Specifies if an Extended Sequence Number (ESN) is used." }, "auth": { - "$ref": "#/definitions/cryptoRefArray", - "title": "IKEv2 Authentication method", - "description": "IKEv2 Authentication method" + "type": "array", + "$ref": "#/definitions/ikeV2Auth", + "title": "IKEv2 Authentication methods", + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html)." 
} } }, "cryptoRefArray": { + "deprecated": true, "$ref": "#/definitions/cryptoRefArray", "title": "Cryptographic References", "description": "A list of protocol-related cryptographic assets" + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", } } }, 
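Review bot: `encr`, `prf`, `integ`, `ke` and `auth` each declare `"type": "array"` next to a `$ref` to an object definition, and none gives `items`. Depending on the validator, either the `$ref` overrides its siblings, so a single object is accepted and an array is rejected, or both apply and nothing validates. Each should be an array whose elements use the definition, e.g. `"type": "array", "items": { "$ref": "#/definitions/ikeV2Enc" },`. The `relatedCryptographicAssets` entry at the end of the hunk also ends its `description` line with a trailing comma, which makes the file invalid JSON as committed here.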
@@ -5665,12 +5895,149 @@ } } }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing an integrity algorithm (INTEG)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the integrity algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a key exchange method (KE)", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the key exchange algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the authentication method." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + }, "cryptoRefArray" : { + "deprecated": true, "type": "array", "items": { "$ref": "#/definitions/refType" } }, + "relatedCryptographicAssets": { + "type": "array", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + "items": { + "$ref": "#/definitions/relatedCryptographicAsset", + "title": "Related Cryptographic Asset" + } + }, + "relatedCryptographicAsset": { + "type": "object", + "title": "Related Cryptographic Asset", + "description": "A cryptographic assets related to this component.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "publicKey", + "privateKey", + "algorithm" + ] + }, + "ref": { + "$ref": "#/definitions/refType", + "title": "Reference to cryptographic asset", + "description": "The bom-ref to cryptographic asset." 
+ } + } + }, "securedBy": { "type": "object", "title": "Secured By", From ec5d576cd75f40d13eaa00ee509a9bf96c7e95da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Tue, 1 Jul 2025 10:54:13 +0200 Subject: [PATCH 21/54] add lost changes to the spec MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Nicklas Körtge --- schema/bom-1.7.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index e6942a71..f2bc3cb2 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5844,7 +5844,7 @@ "relatedCryptographicAssets": { "$ref": "#/definitions/relatedCryptographicAssets", "title": "Related Cryptographic Assets", - "description": "A list of cryptographic assets related to this component.", + "description": "A list of cryptographic assets related to this component." } } }, From 6f93579c21012568b560ad01d94d94dec0866d37 Mon Sep 17 00:00:00 2001 From: "steve.springett" Date: Thu, 3 Jul 2025 08:35:30 -0500 Subject: [PATCH 22/54] Added missing doc Signed-off-by: steve.springett --- schema/bom-1.7.schema.json | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index f2bc3cb2..c379e714 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
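Review bot: `relatedCryptographicAsset.type` carries the description "Specifies the mechanism by which the cryptographic asset is secured by.", which looks copied from `securedBy` and does not describe this field. Something like `"The kind of related asset, for example publicKey, privateKey or algorithm."` would match the examples. The object also has no `required` list, so `{}` is a valid entry and a relation can omit its `ref`; `"required": ["type", "ref"]` would close that. The same applies to the new `ikeV2*` definitions, where an empty object validates, and `keyLength` and `group` accept negative integers for lack of a `minimum`.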
@@ -5455,7 +5455,7 @@ "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", - "suspended": "The use of a certifacte may be suspended for several possible reasons.", + "suspended": "The use of a certificate may be suspended for several possible reasons.", "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.", "destroyed": "The certificate has been destroyed." } @@ -5510,12 +5510,12 @@ "type": "string", "format": "date-time", "title": "Deactivation Date", - "description": "The date and time (timestamp) when the related certificate was deactiviated." + "description": "The date and time (timestamp) when the related certificate was deactivated." }, "revocationDate": { "type": "string", "format": "date-time", - "title": "Revokation Date", + "title": "Revocation Date", "description": "The date and time (timestamp) when the certificate was revoked." }, "destructionDate": { @@ -5527,7 +5527,7 @@ "certificateExtensions": { "type": "array", "title": "Certificate Extensions", - "description": "", + "description": "A certificate extension is an optional field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields.", "items": { "type": "object", "title": "Extension", 
@@ -5544,7 +5544,7 @@ "name": { "type": "string", "title": "name", - "description": "The name of the extention.", + "description": "The name of the extension.", "enum": [ "basicConstraints", "keyUsage", @@ -5579,6 +5579,7 @@ }, { "title": "Custom Extensions", + "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", "required": [ "name" ], @@ -5769,6 +5770,8 @@ "ike": "Internet Key Exchange", "sstp": "Secure Socket Tunneling Protocol", "wpa": "Wi-Fi Protected Access", + "dtls": "Datagram Transport Layer Security", + "quic": "Quick UDP Internet Connections", "other": "Another protocol type", "unknown": "The protocol type is not known" } From 5ed95f6a0859fb09f5d16ac04aa97d2fa7004910 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 17 Jul 2025 10:43:15 +0200 Subject: [PATCH 23/54] - Schema fix: Avoid name collision in 'oneOf' of certificateExtensions - Schema fix: Define items in ikeV2 arrays - Schema extension: in protocolProperties/cipherSuites, adds explicit tlsGroups and tlsSignatureSchemes properties - Updates valid-cryptography-full-1.7 and valid-cryptography-implementation.1.7 test cases Signed-off-by: Basil Hess --- schema/bom-1.7.schema.json | 32 ++- schema/cryptography-defs.json | 4 + .../1.7/valid-cryptography-full-1.7.json | 247 ++++++++++++++++-- ...valid-cryptography-implementation-1.7.json | 102 ++++++-- 4 files changed, 331 insertions(+), 54 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index c379e714..36769a7b 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
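Review bot: The `quic` entry expands the name as "Quick UDP Internet Connections", but RFC 9000 states that QUIC is a name and not an acronym; `"quic": "QUIC, a UDP-based secure transport (RFC 9000)"` would be accurate. The hunk shows only the `meta:enum` additions, so it is worth checking that `dtls` and `quic` are also present in the `enum` array outside the hunk.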
@@ -5802,8 +5802,7 @@ "additionalProperties": false, "properties": { "encr": { - "type": "array", - "$ref": "#/definitions/ikeV2Enc", + "type": "string", "title": "Encryption Algorithms (ENCR)", "description": "Transform Type 1: encryption algorithms" }, @@ -5895,6 +5894,35 @@ "0x9E" ] } + }, + "tlsGroups": { + "type": "array", + "title": "TLS Groups", + "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "items": { + "type": "string", + "title": "Group Name", + "description": "The name of the TLS group", + "examples": [ + "x25519", + "ffdhe2048" + ] + } + }, + "tlsSignatureSchemes": { + "type": "array", + "title": "TLS Signature Schemes", + "description": "A list of signature schemes supported for cipher suite. These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "items": { + "type": "string", + "title": "Signature Scheme", + "description": "The name of the TLS signature scheme", + "examples": [ + "ecdsa_secp256r1_sha256", + "rsa_pss_rsae_sha256", + "ed25519" + ] + } } } }, diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index 1742baad..7c5552b9 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -100,6 +100,10 @@ { "pattern": "ECDH[E][-{ellipticCurve}]", "primitive": "key-agree" + }, + { + "pattern": "x25519|x448", + "primitive": "key-agree" } ] }, diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json index adf03047..546691f5 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json 
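Review bot: `encr` is changed to `"type": "string"`, which contradicts its plural title and the fixture updated by this same patch, where `ikev2TransformTypes.encr` is an array of objects with `name`, `keyLength` and `algorithm`. With this schema that fixture would be rejected, and `encr` no longer references the `ikeV2Enc` definition. The commit message says items are being defined for the ikeV2 arrays, so this was presumably meant to be `"type": "array", "items": { "$ref": "#/definitions/ikeV2Enc" },`. The sibling transform properties are outside this hunk.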
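Review bot: `tlsGroups` and `tlsSignatureSchemes` are added per cipher suite, but in TLS 1.3 a cipher suite names only the AEAD and hash, while groups and signature schemes are negotiated independently through their own extensions. Recording them under each suite forces producers either to repeat the same lists for every suite or, as the updated fixture does, to attach them to one suite only, which a reader could take to mean the others support none. Consider hoisting both arrays to the protocol level, or stating in the descriptions that they apply to the whole endpoint configuration. The second description also reads "supported for cipher suite" where "for this cipher suite" is meant.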
@@ -12,17 +12,19 @@ "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { - "primitive": "ae", + "primitive": "key-agree", + "algorithmFamily": "ECDH", "parameterSetIdentifier": "128", - "curve": "brainpoolP160r1", + "curve": "brainpool/brainpoolP160r1", + "ellipticCurve": "brainpool/brainpoolP160r1", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", - "certificationLevel": [ "fips140-1-l4" ], + "certificationLevel": [ "fips140-3-l4" ], "mode": "gcm", "padding": "pkcs5", - "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], - "classicalSecurityLevel": 128, - "nistQuantumSecurityLevel": 1 + "cryptoFunctions": ["keygen", "keyderive"], + "classicalSecurityLevel": 96, + "nistQuantumSecurityLevel": 0 }, "oid": "oid:1.2.3.4.5.6.7.8.9" } 
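Review bot: The fixture now describes an ECDH key-agreement algorithm but keeps `"mode": "gcm"`, `"padding": "pkcs5"` and `"parameterSetIdentifier": "128"`, none of which apply to ECDH. It also sets `"classicalSecurityLevel": 96` for a 160-bit curve, which gives roughly 80 bits, and carries both `curve` and `ellipticCurve` with the same value. Test resources tend to be copied as examples, so internally consistent values are worth the effort: use `"classicalSecurityLevel": 80` and drop `mode` and `padding`. If the goal is only to exercise every property, a comment in the test that loads the file should say so. The component continues outside this hunk.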
@@ -30,26 +32,124 @@ { "type": "cryptographic-asset", "bom-ref": "asset-2", - "name": "Name here", + "name": "Example Certificate with All Properties", "cryptoProperties": { "assetType": "certificate", "certificateProperties": { - "subjectName": "Subject name here", - "issuerName": "Issuer name here", + "serialNumber": "0B:35:82:6D:F5:7A:02:0A:0A:21:8F:BD:F3:91:43:C3", + "subjectName": "CN=example.com, O=Example Corp, C=US", + "issuerName": "CN=Example CA, O=Example Trust Services, C=US", "notValidBefore": "2022-01-01T00:00:00.000Z", "notValidAfter": "2024-01-01T00:00:00.000Z", "signatureAlgorithmRef": "bom-ref-to-algorithm", "subjectPublicKeyRef": "bom-ref-to-public-key", "certificateFormat": "X.509", - "certificateExtension": "crt" + "certificateExtension": "crt", + "certificateFileExtension": "crt", + "fingerprint": { + "alg": "SHA-256", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + "certificateState": [ + { + "state": "pre-activation", + "reason": "Certificate created but not yet active" + }, + { + "state": "active", + "reason": "Certificate in active use for TLS connections" + }, + { + "state": "suspended", + "reason": "Temporary suspension due to security audit" + }, + { + "state": "deactivated", + "reason": "Replaced by new certificate" + }, + { + "state": "revoked", + "reason": "Private key compromise suspected" + }, + { + "state": "destroyed", + "reason": "Certificate and associated keys securely destroyed" + } + ], + "creationDate": "2022-01-01T00:00:00.000Z", + "activationDate": "2022-01-02T00:00:00.000Z", + "deactivationDate": "2023-12-31T23:59:59.000Z", + "revocationDate": "2024-01-01T00:00:00.000Z", + "destructionDate": "2024-01-02T00:00:00.000Z", + "certificateExtensions": [ + { + "commonExtensionName": "basicConstraints", + "commonExtensionValue": "CA:FALSE, pathlen:0" + }, + { + "commonExtensionName": "keyUsage", + "commonExtensionValue": "digitalSignature, keyEncipherment" + }, + { + "commonExtensionName": "extendedKeyUsage", + 
"commonExtensionValue": "serverAuth, clientAuth" + }, + { + "commonExtensionName": "subjectAlternativeName", + "commonExtensionValue": "DNS:example.com, DNS:www.example.com" + }, + { + "commonExtensionName": "authorityKeyIdentifier", + "commonExtensionValue": "keyid:12:34:56:78:90:AB:CD:EF" + }, + { + "commonExtensionName": "subjectKeyIdentifier", + "commonExtensionValue": "AA:BB:CC:DD:EE:FF:00:11" + }, + { + "commonExtensionName": "authorityInformationAccess", + "commonExtensionValue": "OCSP - URI:http://ocsp.example.com" + }, + { + "commonExtensionName": "certificatePolicies", + "commonExtensionValue": "Policy: 2.23.140.1.2.1" + }, + { + "commonExtensionName": "crlDistributionPoints", + "commonExtensionValue": "URI:http://crl.example.com/root.crl" + }, + { + "commonExtensionName": "signedCertificateTimestamp", + "commonExtensionValue": "Signed by Example CT log at 2022-01-01T00:00:00Z" + }, + { + "customExtensionName": "someCustomExtension", + "customExtensionValue": "Custom value for this extension" + } + + ], + "relatedCryptographicAssets": [ + { + "type": "publicKey", + "ref": "public-key-ref" + }, + { + "type": "privateKey", + "ref": "private-key-ref" + }, + { + "type": "algorithm", + "ref": "signing-algorithm-ref" + } + ] }, - "oid": "oid:1.2.3.4.5.6.7.8.9" + "oid": "oid:2.5.4.3" } }, { "type": "cryptographic-asset", "bom-ref": "asset-3", - "name": "Name here", + "name": "Example Protocol with All Properties", "cryptoProperties": { "assetType": "protocol", "protocolProperties": { 
@@ -57,43 +157,134 @@ "version": "1.3", "cipherSuites": [ { - "name": "TLS_DHE_RSA_WITH_AES_128_CCM", + "name": "TLS_AES_128_GCM_SHA256", "algorithms": [ - "bom-ref-to-algorithm" + "aes-128-gcm-ref", + "sha256-ref" ], "identifiers": [ - "0xC0" + "0x1301" + ], + "tlsGroups": [ + "x25519", + "secp256r1", + "secp384r1", + "secp521r1", + "ffdhe2048", + "ffdhe3072" + ], + "tlsSignatureSchemes": [ + "ecdsa_secp256r1_sha256", + "ecdsa_secp384r1_sha384", + "ecdsa_secp521r1_sha512", + "rsa_pss_rsae_sha256", + "rsa_pss_rsae_sha384", + "rsa_pss_rsae_sha512", + "ed25519", + "ed448" + ] + }, + { + "name": "TLS_AES_256_GCM_SHA384", + "algorithms": [ + "aes-256-gcm-ref", + "sha384-ref" + ], + "identifiers": [ + "0x1302" + ] + }, + { + "name": "TLS_CHACHA20_POLY1305_SHA256", + "algorithms": [ + "chacha20-poly1305-ref", + "sha256-ref" + ], + "identifiers": [ + "0x1303" ] } - ] + ], + "ikev2TransformTypes": { + "encr": [ + { + "name": "AES-128-GCM", + "keyLength": 128, + "algorithm": "aes-128-gcm-ref" + } + ], + "prf": [ + { + "name": "SHA-256", + "algorithm": "sha256-ref" + } + ], + "integ": [ + { + "name": "SHA-256", + "algorithm": "sha256-ref" + } + ], + "ke": [ + { + "group": 14, + "algorithm": "diffie-hellman-group14-sha256-ref" + } + ], + "esn": true, + "auth": [ + { + "name": "ECDSA", + "algorithm": "ecdsa_secp256r1_sha256" + } + ] + } }, - "oid": "oid:1.2.3.4.5.6.7.8.9" + "oid": "oid:1.3.6.1.5.5.7.3.1" } }, { "type": "cryptographic-asset", "bom-ref": "asset-4", - "name": "Name here", + "name": "Example Related Crypto Material with All Properties", "cryptoProperties": { "assetType": "related-crypto-material", "relatedCryptoMaterialProperties": { - "type": "private-key", - "id": "12345", + "type": "public-key", + "id": "key-12345-67890", "state": "active", - "algorithmRef": "bom-ref-to-algorithm", + "algorithmRef": "rsa-4096-ref", "creationDate": "2024-01-01T00:00:00.000Z", "activationDate": "2024-01-02T00:00:00.000Z", "updateDate": "2024-01-03T00:00:00.000Z", - 
"expirationDate": "2024-01-04T00:00:00.000Z", - "value": "Value here", - "size": 1024, - "format": "PEM", + "expirationDate": "2026-01-01T00:00:00.000Z", + "value": "-----BEGIN PUBLIC KEY-----", + "size": 4096, + "format": "PKCS#8", "securedBy": { "mechanism": "HSM", - "algorithmRef": "bom-ref-to-algorithm" - } + "algorithmRef": "aes-256-gcm-ref" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + }, + "relatedCryptographicAssets": [ + { + "type": "publicKey", + "ref": "corresponding-public-key-ref" + }, + { + "type": "certificate", + "ref": "certificate-using-this-key-ref" + }, + { + "type": "algorithm", + "ref": "rsa-4096-ref" + } + ] }, - "oid": "oid:1.2.3.4.5.6.7.8.9" + "oid": "oid:1.2.840.113549.1.1.1" } } ] diff --git a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json index d2499425..cf58acdb 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json 
@@ -1,60 +1,114 @@ { - "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.7", - "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2", "version": 1, "metadata": { + "timestamp": "2025-07-09T12:00:00Z", "component": { "type": "application", - "bom-ref": "acme-application", - "name": "Acme Application", + "name": "my application", "version": "1.0" } }, "components": [ { "type": "cryptographic-asset", - "bom-ref": "aes128gcm", - "name": "AES", + "name": "AES-128-GCM-128-12", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { + "algorithmFamily": "AES", "primitive": "ae", "parameterSetIdentifier": "128", + "mode": "gcm", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", "certificationLevel": [ "none" ], - "mode": "gcm", - "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], + "cryptoFunctions": [ "keygen", "encrypt", "decrypt", "tag" ], "classicalSecurityLevel": 128, "nistQuantumSecurityLevel": 1 }, - "oid": "oid:2.16.840.1.101.3.4.1.7" + "oid": "2.16.840.1.101.3.4.1.6" + } + }, + { + "name": "RSA-PKCS1-1.5-SHA512-2048", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "RSASSA-PKCS1", + "primitive": "signature", + "parameterSetIdentifier": "512", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "cryptoFunctions": [ "sign", "verify" ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.2.840.113549.1.1.13" } }, { - "type": "library", - "bom-ref": "crypto-library", - "name": "Crypto library", - "version": "1.0.0" + "name": "ECDH-secp521r1", + "bom-ref": "ecdhsecp521r1", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "ECDH", + "ellipticCurve": 
"secg/secp521r1", + "primitive": "key-agree", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "cryptoFunctions": [ "keygen", "keyderive" ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.3.132.0.35" + } }, { - "type": "library", - "bom-ref": "some-library", - "name": "Some library", - "version": "1.0.0" + "name": "ML-KEM-1024", + "bom-ref": "mlkem1024", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "ML-KEM", + "primitive": "kem", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "cryptoFunctions": [ "keygen", "keyderive" ], + "nistQuantumSecurityLevel": 5 + }, + "oid": "2.16.840.1.101.3.4.1.48" + } + }, + { + "name": "draft-ietf-tls-hybrid-design-13", + "bom-ref": "draftietftlshybriddesign13", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "combiner", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "cryptoFunctions": [ "keygen", "keyderive" ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.3.101.110" + } } ], "dependencies": [ { - "ref": "acme-application", - "dependsOn": ["crypto-library"] - }, - { - "ref": "crypto-library", - "provides": ["aes128gcm"], - "dependsOn": ["some-library"] + "ref": "draftietftlshybriddesign13", + "dependsOn": ["mlkem1024", "ecdhsecp521r1"] } ] } From 22f8d2de6765457cd65b56c1b5f1b9fbb0f2cb35 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 17 Jul 2025 15:17:52 +0200 Subject: [PATCH 24/54] Add certificate cases 
Signed-off-by: Basil Hess --- .../valid-cryptography-certificate-1.7.json | 161 ++++++++++ ...cryptography-certificate-advanced-1.7.json | 279 ++++++++++++++++++ 2 files changed, 440 insertions(+) create mode 100644 tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json create mode 100644 tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json new file mode 100644 index 00000000..ea4d3794 --- /dev/null +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json 
@@ -0,0 +1,161 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2024-01-09T12:00:00Z",
+ "component": {
+ "type": "application",
+ "name": "my application",
+ "version": "1.0"
+ }
+ },
+ "components": [
+ {
+ "name": "google.com",
+ "type": "cryptographic-asset",
+ "bom-ref": "c9c7ac91-2115-45e8-ae13-7d0e1dec74be",
+ "cryptoProperties": {
+ "assetType": "certificate",
+ "certificateProperties": {
+ "serialNumber": "1234567890ABCDEF",
+ "subjectName": "CN = www.google.com",
+ "issuerName": "C = US, O = Google Trust Services LLC, CN = GTS CA 1C3",
+ "notValidBefore": "2016-11-21T08:00:00Z",
+ "notValidAfter": "2017-11-22T07:59:59Z",
+ "certificateFormat": "X.509",
+ "certificateFileExtension": "crt",
+ "fingerprint": {
+ "alg": "SHA-256",
+ "content": "1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4"
+ },
+ "certificateState": [
+ {
+ "state": "active",
+ "reason": "Certificate is currently valid and in use"
+ }
+ ],
+ "creationDate": "2016-11-21T07:30:00Z",
+ "activationDate": "2016-11-21T08:00:00Z",
+ "relatedCryptographicAssets": [
+ {
+ "type": "algorithm",
+ "ref": "6b00f384-6c39-420f-91eb-94de0f7be569RR"
+ },
+ {
+ "type": "publicKey",
+ "ref": "ceb37320-8239-40e8-ab77-8798dbd98773"
+ }
+ ]
+ },
+ "oid": "2.5.4.3"
+ }
+ },
+ {
+ "name": "SHA512withRSA",
+ "type": "cryptographic-asset",
+ "bom-ref": "6b00f384-6c39-420f-91eb-94de0f7be569",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "signature",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": [ "none" ],
+ "padding": "pkcs1v15",
+ "cryptoFunctions": [ "sign", "verify" ]
+ },
+ "oid": "1.2.840.113549.1.1.13"
+ }
+ },
+ {
+ "name": "RSA-2048",
+ "type": "cryptographic-asset",
+ "bom-ref": "ceb37320-8239-40e8-ab77-8798dbd98773",
+ "cryptoProperties": {
+ "assetType": "related-crypto-material",
+ "relatedCryptoMaterialProperties": {
+ "type": "public-key",
+ "id": "2e9ef09e-dfac-4526-96b4-d02f31af1b22",
+ "state": "active",
+ "size": 2048,
+ "format": "PEM",
+ "value": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n-----END PUBLIC KEY-----",
+ "creationDate": "2016-11-21T08:00:00Z",
+ "activationDate": "2016-11-21T08:20:00Z",
+ "updateDate": "2016-11-21T08:00:00Z",
+ "expirationDate": "2017-11-22T07:59:59Z",
+ "securedBy": {
+ "mechanism": "None"
+ },
+ "fingerprint": {
+ "alg": "SHA-256",
+ "content": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456"
+ },
+ "relatedCryptographicAssets": [
+ {
+ "type": "algorithm",
+ "ref": "a154af0a-0dca-4ed5-b611-2405a3a6ae47"
+ }
+ ]
+ },
+ "oid": "1.2.840.113549.1.1.1"
+ }
+ },
+ {
+ "name": "RSA-2048",
+ "type": "cryptographic-asset",
+ "bom-ref": "a154af0a-0dca-4ed5-b611-2405a3a6ae47",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "pke",
+ "algorithmFamily": "RSAES-OAEP",
+ "parameterSetIdentifier": "2048",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": [ "none" ],
+ "padding": "oaep",
+ "cryptoFunctions": [ "encrypt", "decrypt" ]
+ },
+ "oid": "1.2.840.113549.1.1.1"
+ }
+ },
+ {
+ "name": "TLS 1.3 Protocol",
+ "type": "cryptographic-asset",
+ "bom-ref": "a3553dc1-f376-43d1-89dc-87bb71981c0c",
+ "cryptoProperties": {
+ "assetType": "protocol",
+ "protocolProperties": {
+ "type": "tls",
+ "version": "1.3",
+ "cipherSuites": [
+ {
+ "name": "TLS_AES_256_GCM_SHA384",
+ "algorithms": [
+ "1977d71b-8981-4292-b40d-842a019c2229",
+ "422fa336-b401-42b7-89b8-8966aa30bca0"
+ ],
+ "identifiers": [
+ "0x13,0x02"
+ ]
+ },
+ {
+ "name": "TLS_CHACHA20_POLY1305_SHA256",
+ "algorithms": [
+ "1af4fc08-5d0d-436e-8058-eeef921983d0",
+ "6af3066b-ab66-4593-975f-d9ba2c623a89"
+ ],
+ "identifiers": [
+ "0x13,0x03"
+ ]
+ }
+ ]
+ },
+ "oid": "1.3.6.1.5.5.7.3.1"
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json
new file mode 100644
index 00000000..d98233de
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json
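Review bot: The certificate's first `relatedCryptographicAssets` entry points at `6b00f384-6c39-420f-91eb-94de0f7be569RR`, but the SHA512withRSA component it is meant to reference has `bom-ref` `6b00f384-6c39-420f-91eb-94de0f7be569`, so the link from the certificate to its signature algorithm is dangling; it should read `"ref": "6b00f384-6c39-420f-91eb-94de0f7be569"`. The same value with the trailing `RR` is carried into the XML port of this fixture in PATCH 29/54 further down the page. The four `algorithms` refs under the two TLS 1.3 cipher suites also have no matching component in this file. If the validation test only checks the JSON schema, which presumably treats refs as plain strings, none of this is caught, so a fixture named `valid-…` ends up documenting an unresolvable reference as acceptable.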
@@ -0,0 +1,279 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:f47ac10b-58cc-4372-a567-0e02b2c3d479",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2024-01-15T14:30:00Z",
+ "component": {
+ "type": "application",
+ "name": "enterprise-security-app",
+ "version": "2.1.0"
+ }
+ },
+ "components": [
+ {
+ "name": "revoked-internal-ca.example.com",
+ "type": "cryptographic-asset",
+ "bom-ref": "840ADC47-55CD-44C6-A306-B37A9149B066",
+ "cryptoProperties": {
+ "assetType": "certificate",
+ "certificateProperties": {
+ "serialNumber": "ABCDEF1234567890FEDCBA",
+ "subjectName": "CN = internal-ca.example.com, OU = IT Security, O = Example Corp, C = US",
+ "issuerName": "CN = Example Root CA, O = Example Corp, C = US",
+ "notValidBefore": "2023-01-01T00:00:00Z",
+ "notValidAfter": "2025-12-31T23:59:59Z",
+ "certificateFormat": "X.509",
+ "certificateFileExtension": "pem",
+ "fingerprint": {
+ "alg": "SHA-256",
+ "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+ },
+ "certificateState": [
+ {
+ "state": "revoked",
+ "reason": "Certificate was compromised due to private key exposure in security incident #2024-001"
+ }
+ ],
+ "creationDate": "2022-12-15T10:00:00Z",
+ "activationDate": "2023-01-01T00:00:00Z",
+ "revocationDate": "2024-01-10T15:45:30Z",
+ "certificateExtensions": [
+ {
+ "extension": "basicConstraints",
+ "value": "CA:TRUE, pathlen:2"
+ },
+ {
+ "extension": "keyUsage",
+ "value": "Certificate Sign, CRL Sign, Digital Signature"
+ },
+ {
+ "extension": "extendedKeyUsage",
+ "value": "TLS Web Server Authentication, TLS Web Client Authentication"
+ },
+ {
+ "extension": "subjectAlternativeName",
+ "value": "DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100"
+ },
+ {
+ "extension": "authorityKeyIdentifier",
+ "value": "keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14"
+ },
+ {
+ "extension": "subjectKeyIdentifier",
+ "value": "A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14"
+ },
+ {
+ "extension": "crlDistributionPoints",
+ "value": "URI:http://crl.example.com/root-ca.crl"
+ },
+ {
+ "extension": "authorityInformationAccess",
+ "value": "OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt"
+ },
+ {
+ "extension": "certificatePolicies",
+ "value": "Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps"
+ },
+ {
+ "name": "organizationalSecurityLevel",
+ "value": "HIGH"
+ },
+ {
+ "name": "incidentTrackingId",
+ "value": "SEC-2024-001"
+ },
+ {
+ "name": "complianceFramework",
+ "value": "SOX, PCI-DSS Level 1, ISO 27001"
+ }
+ ],
+ "relatedCryptographicAssets": [
+ {
+ "type": "algorithm",
+ "ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8"
+ },
+ {
+ "type": "publicKey",
+ "ref": "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408"
+ }
+ ]
+ },
+ "oid": "2.5.4.3"
+ }
+ },
+ {
+ "name": "active-server.example.com",
+ "type": "cryptographic-asset",
+ "bom-ref": "4497B977-4D07-4245-9457-C2CF37FF399A",
+ "cryptoProperties": {
+ "assetType": "certificate",
+ "certificateProperties": {
+ "serialNumber": "1122334455667788AABBCCDD",
+ "subjectName": "CN = server.example.com, OU = Web Services, O = Example Corp, C = US",
+ "issuerName": "CN = Example Intermediate CA, O = Example Corp, C = US",
+ "notValidBefore": "2024-01-01T00:00:00Z",
+ "notValidAfter": "2025-01-01T23:59:59Z",
+ "certificateFormat": "X.509",
+ "certificateFileExtension": "crt",
+ "fingerprint": {
+ "alg": "SHA-256",
+ "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+ },
+ "certificateState": [
+ {
+ "name": "monitored",
+ "description": "Certificate is under enhanced monitoring due to recent security incidents",
+ "reason": "Proactive monitoring following organizational security policy updates"
+ }
+ ],
+ "creationDate": "2023-12-20T09:00:00Z",
+ "activationDate": "2024-01-01T00:00:00Z",
+ "certificateExtensions": [
+ {
+ "commonExtensionName": "keyUsage",
+ "commonExtensionValue": "Digital Signature, Key Encipherment"
+ },
+ {
+ "commonExtensionName": "extendedKeyUsage",
+ "commonExtensionValue": "TLS Web Server Authentication"
+ },
+ {
+ "commonExtensionName": "subjectAlternativeName",
+ "commonExtensionValue": "DNS:server.example.com, DNS:www.server.example.com, DNS:api.server.example.com"
+ },
+ {
+ "commonExtensionName": "signedCertificateTimestamp",
+ "commonExtensionValue": "Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100..."
+ },
+ {
+ "commonExtensionName": "deploymentEnvironment",
+ "commonExtensionValue": "PRODUCTION"
+ },
+ {
+ "commonExtensionName": "businessCriticality",
+ "commonExtensionValue": "CRITICAL"
+ },
+ {
+ "commonExtensionName": "autoRenewalEnabled",
+ "commonExtensionValue": "true"
+ }
+ ],
+ "relatedCryptographicAssets": [
+ {
+ "type": "algorithm",
+ "ref": "14478B86-9306-45B5-BA2A-1660B723244C"
+ },
+ {
+ "type": "publicKey",
+ "ref": "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D"
+ }
+ ]
+ },
+ "oid": "2.5.4.3"
+ }
+ },
+ {
+ "name": "RSA-SHA256",
+ "type": "cryptographic-asset",
+ "bom-ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "signature",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "padding": "pkcs1v15",
+ "cryptoFunctions": ["sign", "verify"]
+ },
+ "oid": "1.2.840.113549.1.1.11"
+ }
+ },
+ {
+ "name": "ECDSA-P256",
+ "type": "cryptographic-asset",
+ "bom-ref": "14478B86-9306-45B5-BA2A-1660B723244C",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "signature",
+ "curve": "secp256r1",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": ["fips140-3-l1"],
+ "cryptoFunctions": ["sign", "verify"]
+ },
+ "oid": "1.2.840.10045.4.3.2"
+ }
+ },
+ {
+ "name": "RSA-4096-Revoked-CA-Key",
+ "type": "cryptographic-asset",
+ "bom-ref": "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408",
+ "cryptoProperties": {
+ "assetType": "related-crypto-material",
+ "relatedCryptoMaterialProperties": {
+ "type": "public-key",
+ "id": "revoked-ca-key-2024",
+ "state": "compromised",
+ "size": 4096,
+ "format": "PEM",
+ "value": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA...\n-----END PUBLIC KEY-----",
+ "creationDate": "2022-12-15T10:00:00Z",
+ "activationDate": "2023-01-01T00:00:00Z",
+ "updateDate": "2024-01-10T15:45:30Z",
+ "securedBy": {
+ "mechanism": "HSM",
+ "algorithmRef": "aes-256-gcm-ref"
+ },
+ "fingerprint": {
+ "alg": "SHA-256",
+ "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+ },
+ "relatedCryptographicAssets": [
+ {
+ "type": "algorithm",
+ "ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8"
+ }
+ ]
+ },
+ "oid": "1.2.840.113549.1.1.1"
+ }
+ },
+ {
+ "name": "ECDSA-P256-Server-Key",
+ "type": "cryptographic-asset",
+ "bom-ref": "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D",
+ "cryptoProperties": {
+ "assetType": "related-crypto-material",
+ "relatedCryptoMaterialProperties": {
+ "type": "public-key",
+ "id": "server-key-2024",
+ "state": "active",
+ "size": 256,
+ "format": "PEM",
+ "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...\n-----END PUBLIC KEY-----",
+ "creationDate": "2023-12-20T09:00:00Z",
+ "activationDate": "2024-01-01T00:00:00Z",
+ "expirationDate": "2025-01-01T23:59:59Z",
+ "securedBy": {
+ "mechanism": "HSM",
+ "algorithmRef": "aes-256-gcm-ref"
+ },
+ "fingerprint": {
+ "alg": "SHA-256",
+ "content": "d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0123456"
+ },
+ "relatedCryptographicAssets": [
+ {
+ "type": "algorithm",
+ "ref": "14478B86-9306-45B5-BA2A-1660B723244C"
+ }
+ ]
+ },
+ "oid": "1.2.840.10045.2.1"
+ }
+ }
+ ]
+}
From 6e24424db491f6e3ca75e617fb85edb3bc7c0c34 Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Thu, 17 Jul 2025 15:25:41 +0200
Subject: [PATCH 25/54] fix custom state schema
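Review bot: The SHA-256 `fingerprint.content` value `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08` is used for three different assets: the revoked CA certificate, the active server certificate and the `RSA-4096-Revoked-CA-Key` public key. Distinct objects cannot share a digest, and a consumer that correlates or de-duplicates assets by fingerprint would treat the revoked and the active certificate as the same object; each asset should get its own constructed 64-hex-digit value, as the `ECDSA-P256-Server-Key` entry already has. Both `securedBy` blocks also carry `"algorithmRef": "aes-256-gcm-ref"`, for which the file defines no component; either add an AES-256-GCM algorithm asset with that `bom-ref` or drop the field.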
Signed-off-by: Basil Hess --- schema/bom-1.7.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 36769a7b..00aaf39a 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5474,7 +5474,7 @@ ], "additionalProperties": false, "properties": { - "state": { + "name": { "type": "string", "title": "State", "description": "The name of the certificate lifecycle state." From 94141ea423b6f73435ca4ba77bf700ccf4fe2584 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 17 Jul 2025 15:59:11 +0200 Subject: [PATCH 26/54] Schema Fixes Signed-off-by: Basil Hess --- schema/bom-1.7.schema.json | 52 ++++++++++------ ...cryptography-certificate-advanced-1.7.json | 60 +++++++++---------- 2 files changed, 64 insertions(+), 48 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 00aaf39a..bb631929 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5536,12 +5536,12 @@ { "title": "Common Extensions", "required": [ - "name", - "value" + "commonExtensionName", + "commonExtensionValue" ], "additionalProperties": false, "properties": { - "name": { + "commonExtensionName": { "type": "string", "title": "name", "description": "The name of the extension.", @@ -5570,7 +5570,7 @@ "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." } }, - "value": { + "commonExtensionValue": { "type": "string", "title": "Value", "description": "The value of the certificate extension." 
@@ -5581,16 +5581,16 @@ "title": "Custom Extensions", "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", "required": [ - "name" + "customExtensionName" ], "additionalProperties": false, "properties": { - "name": { + "customExtensionName": { "type": "string", "title": "Name", "description": "The name for the custom certificate extension." }, - "value": { + "customExtensionValue": { "type": "string", "title": "Value", "description": "The description of the custom certificate extension." 
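Review bot: The description kept for `customExtensionValue` still reads "The description of the custom certificate extension.", which does not match the key it now documents; `"description": "The value of the custom certificate extension."` would line up with `commonExtensionValue` in the previous hunk. Only `customExtensionName` is listed in `required`, so an entry with a name and no value validates; if that is intended, the description should say so. The branch text also says CycloneDX "leverages properties" for custom extensions, which reads as a pointer to the generic `properties` mechanism rather than to these dedicated keys. The enclosing schema branch starts above the hunk.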
@@ -5802,27 +5802,40 @@ "additionalProperties": false, "properties": { "encr": { - "type": "string", + "type": "array", "title": "Encryption Algorithms (ENCR)", - "description": "Transform Type 1: encryption algorithms" - }, + "description": "Transform Type 1: encryption algorithms", + "items": { + "$ref": "#/definitions/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, "prf": { "type": "array", - "$ref": "#/definitions/ikeV2Prf", "title": "Pseudorandom Functions (PRF)", - "description": "Transform Type 2: pseudorandom functions" + "description": "Transform Type 2: pseudorandom functions", + "items": { + "$ref": "#/definitions/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } }, "integ": { "type": "array", - "$ref": "#/definitions/ikeV2Integ", "title": "Integrity Algorithms (INTEG)", - "description": "Transform Type 3: integrity algorithms" + "description": "Transform Type 3: integrity algorithms", + "items": { + "$ref": "#/definitions/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } }, "ke": { "type": "array", - "$ref": "#/definitions/ikeV2Ke", "title": "Key Exchange Methods (KE)", - "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)." + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", + "items": { + "$ref": "#/definitions/ikeV2Ke", + "title": "Key Exchange Method (KE)" + } }, "esn": { "type": "boolean", 
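Review bot: Nothing in this commit exercises the new array shapes of `encr`, `prf`, `integ` and `ke` here, or of `auth` in the next hunk: the diffstat lists only the schema and the certificate-advanced fixture. `encr` changes from a string to an array of `#/definitions/ikeV2Enc`, and the other four now apply their `$ref` per item instead of next to `"type": "array"`; if the schema is evaluated under rules where siblings of `$ref` are ignored, the array type was never enforced before, so documents written against the old shape may stop validating. A valid fixture that uses arrays for every IKEv2 transform type, plus an invalid one that still passes a bare string for `encr`, would pin the intended behaviour. The `ikeV2*` definitions and the enclosing object are outside the hunk, so it cannot be confirmed from here that they exist and are closed with `additionalProperties: false`.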
@@ -5831,9 +5844,12 @@ }, "auth": { "type": "array", - "$ref": "#/definitions/ikeV2Auth", "title": "IKEv2 Authentication methods", - "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html)." + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", + "items": { + "$ref": "#/definitions/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } } } }, diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json index d98233de..2fe0f660 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json 
@@ -41,52 +41,52 @@ "revocationDate": "2024-01-10T15:45:30Z", "certificateExtensions": [ { - "extension": "basicConstraints", - "value": "CA:TRUE, pathlen:2" + "commonExtensionName": "basicConstraints", + "commonExtensionValue": "CA:TRUE, pathlen:2" }, { - "extension": "keyUsage", - "value": "Certificate Sign, CRL Sign, Digital Signature" + "commonExtensionName": "keyUsage", + "commonExtensionValue": "Certificate Sign, CRL Sign, Digital Signature" }, { - "extension": "extendedKeyUsage", - "value": "TLS Web Server Authentication, TLS Web Client Authentication" + "commonExtensionName": "extendedKeyUsage", + "commonExtensionValue": "TLS Web Server Authentication, TLS Web Client Authentication" }, { - "extension": "subjectAlternativeName", - "value": "DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100" + "commonExtensionName": "subjectAlternativeName", + "commonExtensionValue": "DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100" }, { - "extension": "authorityKeyIdentifier", - "value": "keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" + "commonExtensionName": "authorityKeyIdentifier", + "commonExtensionValue": "keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" }, { - "extension": "subjectKeyIdentifier", - "value": "A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" + "commonExtensionName": "subjectKeyIdentifier", + "commonExtensionValue": "A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" }, { - "extension": "crlDistributionPoints", - "value": "URI:http://crl.example.com/root-ca.crl" + "commonExtensionName": "crlDistributionPoints", + "commonExtensionValue": "URI:http://crl.example.com/root-ca.crl" }, { - "extension": "authorityInformationAccess", - "value": "OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt" + "commonExtensionName": "authorityInformationAccess", + "commonExtensionValue": "OCSP - URI:http://ocsp.example.com, CA 
Issuers - URI:http://certs.example.com/root-ca.crt" }, { - "extension": "certificatePolicies", - "value": "Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps" + "commonExtensionName": "certificatePolicies", + "commonExtensionValue": "Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps" }, { - "name": "organizationalSecurityLevel", - "value": "HIGH" + "customExtensionName": "organizationalSecurityLevel", + "customExtensionValue": "HIGH" }, { - "name": "incidentTrackingId", - "value": "SEC-2024-001" + "customExtensionName": "incidentTrackingId", + "customExtensionValue": "SEC-2024-001" }, { - "name": "complianceFramework", - "value": "SOX, PCI-DSS Level 1, ISO 27001" + "customExtensionName": "complianceFramework", + "customExtensionValue": "SOX, PCI-DSS Level 1, ISO 27001" } ], "relatedCryptographicAssets": [ @@ -148,16 +148,16 @@ "commonExtensionValue": "Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100..." }, { - "commonExtensionName": "deploymentEnvironment", - "commonExtensionValue": "PRODUCTION" + "customExtensionName": "deploymentEnvironment", + "customExtensionValue": "PRODUCTION" }, { - "commonExtensionName": "businessCriticality", - "commonExtensionValue": "CRITICAL" + "customExtensionName": "businessCriticality", + "customExtensionValue": "CRITICAL" }, { - "commonExtensionName": "autoRenewalEnabled", - "commonExtensionValue": "true" + "customExtensionName": "autoRenewalEnabled", + "customExtensionValue": "true" } ], "relatedCryptographicAssets": [ From 4aa6f1a88b654e07fb62823a837f9b87807cf1de Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Fri, 18 Jul 2025 17:30:33 +0200 Subject: [PATCH 27/54] Adding 3GPP algorithms and protocols, thanks to Ian Deakin Signed-off-by: Basil Hess --- schema/bom-1.7.schema.json | 8 ++++ schema/cryptography-defs.json | 80 +++++++++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+) 
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index bb631929..6f439f30 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5760,6 +5760,10 @@ "wpa", "dtls", "quic", + "eap-aka", + "prins", + "5g-aka", + "jose", "other", "unknown" ], @@ -5772,6 +5776,10 @@ "wpa": "Wi-Fi Protected Access", "dtls": "Datagram Transport Layer Security", "quic": "Quick UDP Internet Connections", + "eap-aka": "Extensible Authentication Protocol variant", + "prins": "Protection of Inter-Network Signaling", + "5g-aka": "Authentication and Key Agreement for 5G", + "jose": "JSON Object Signing and Encryption", "other": "Another protocol type", "unknown": "The protocol type is not known" } diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index 7c5552b9..aa24a47d 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json 
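Review bot: The `meta:enum` text for `eap-aka`, "Extensible Authentication Protocol variant", does not say which variant, so generated documentation cannot tell it apart from any other EAP method. Something like `"eap-aka": "EAP method for Authentication and Key Agreement (EAP-AKA)"` would match the level of detail of the `prins` and `5g-aka` entries added beside it. The enum list and the `meta:enum` map are edited in two separate hunks and have to stay key-for-key in sync; a short comment in the contribution notes, or a test that compares the two key sets, would catch a value added to only one of them.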
@@ -730,6 +730,86 @@ "primitive": "signature" } ] + }, + { + "family": "MILENAGE", + "standard": [ + {"name": "3GPP TS 35.206", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.206/35206-i00.zip"} + ], + "variant": [ + { + "pattern": "MILENAGE[-MAC]", + "primitive": "mac" + }, + { + "pattern": "MILENAGE[-KDF]", + "primitive": "kdf" + } + ] + }, + { + "family": "TUAK", + "standard": [ + {"name": "SHA-3 based authentication algorithm (3GPP TS 35.231)", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.231/35231-i00.zip"} + ], + "variant": [ + { + "pattern": "TUAC[-MAC]", + "primitive": "mac" + }, + { + "pattern": "TUAC[-KDF]", + "primitive": "kdf" + } + ] + }, + { + "family": "ZUC", + "standard": [ + {"name": "3GPP TS 35.221", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.221/35221-i00.zip"} + ], + "variant": [ + { + "pattern": "128-EEA3", + "primitive": "stream-cipher" + }, + { + "pattern": "128-EIA3", + "primitive": "mac" + } + ] + }, + { + "family": "SNOW3G", + "standard": [ + {"name": "3GPP TS 35.216", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.216/35216-i00.zip"} + ], + "variant": [ + { + "pattern": "128-EEA1", + "primitive": "stream-cipher" + }, + { + "pattern": "128-EIA1", + "primitive": "mac" + } + ] + }, + { + "family": "3GPP-XOR", + "standard": [ + {"name": "Legacy XOR-based AV generation algorithm (3GPP TS 35.201)", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.201/35201-i00.zip"} + ], + "variant": [ + { + "pattern": "3GPP-XOR[-MAC]", + "primitive": "mac" + }, + { + "pattern": "3GPP-XOR[-KDF]", + "primitive": "kdf" + } + ] } ], "ellipticCurves": [ From e4de2768494225cd7b71f3026ad1f19163638b27 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 24 Jul 2025 15:39:46 +0200 Subject: [PATCH 28/54] Add eap-aka-prime Signed-off-by: Basil Hess --- schema/bom-1.7.schema.json | 2 ++ 1 file changed, 2 insertions(+) 
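Review bot: The two variant patterns of the `TUAK` family are spelled `TUAC[-MAC]` and `TUAC[-KDF]`, which does not match the family name; if consumers build or validate algorithm names from these patterns, a correctly named TUAK algorithm would not match its own family. They should read `"pattern": "TUAK[-MAC]"` and `"pattern": "TUAK[-KDF]"`. The `standard.name` values are also inconsistent: MILENAGE, ZUC and SNOW3G give the bare specification number, while TUAK and 3GPP-XOR put a description in front of it. The TS 35.201 reference given for 3GPP-XOR deserves a second look against the 3GPP specification index, since the page offers nothing to confirm that this document defines the XOR algorithm.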
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 6f439f30..b4218e7d 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5761,6 +5761,7 @@ "dtls", "quic", "eap-aka", + "eap-aka-prime", "prins", "5g-aka", "jose", @@ -5777,6 +5778,7 @@ "dtls": "Datagram Transport Layer Security", "quic": "Quick UDP Internet Connections", "eap-aka": "Extensible Authentication Protocol variant", + "eap-aka-prime": "Enhanced version of EAP-AKA", "prins": "Protection of Inter-Network Signaling", "5g-aka": "Authentication and Key Agreement for 5G", "jose": "JSON Object Signing and Encryption", From cb133aa6fc704d8a16303e47a2ade94e9fd74762 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 25 Jul 2025 11:27:04 -0500 Subject: [PATCH 29/54] Porting changes from JSON to XML Signed-off-by: Steve Springett --- schema/bom-1.7.xsd | 615 +++++++++++++++++- .../valid-cryptography-certificate-1.7.xml | 156 +++++ ...-cryptography-certificate-advanced-1.7.xml | 259 ++++++++ .../1.7/valid-cryptography-full-1.7.xml | 226 ++++++- 4 files changed, 1223 insertions(+), 33 deletions(-) create mode 100644 tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.xml create mode 100644 tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.xml diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 594d2bfb..aca1b279 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -6499,6 +6499,14 @@ limitations under the License. + + + + Key-wrap is a cryptographic technique used to securely encrypt and + protect cryptographic keys using algorithms like AES. + + + @@ -6516,6 +6524,15 @@ limitations under the License. + + + + A valid algorithm family identifier. If specified, this value must be one of the + enumeration of valid algorithm Family identifiers defined in the + cryptography-defs.json subschema. A corresponding schema for XML is not available. + + + 
@@ -6529,6 +6546,7 @@ limitations under the License. + DEPRECATED. Use ellipticCurve instead. The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as @@ -6537,6 +6555,15 @@ limitations under the License. + + + + The specific underlying Elliptic Curve (EC) definition employed which is an indicator + of the level of security strength, performance and complexity. Curves are defined in + the cryptography-defs.json subschema. A corresponding schema for XML is not available. + + + @@ -7030,6 +7057,13 @@ limitations under the License. + + + + The serial number is a unique identifier for the certificate issued by a CA. + + + @@ -7061,6 +7095,7 @@ limitations under the License. + DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to signature algorithm used by the certificate @@ -7068,6 +7103,7 @@ limitations under the License. + DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the public key of the subject 
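Review bot: The deprecation notices added in the hunks at old lines 7061 and 7068 start with `DEPRECATED]`, without the opening bracket, as this page renders them. The notice added for the certificate file extension further down uses `[DEPRECATED]`, and the one for the curve element in this same patch uses `DEPRECATED.`. Readers or tooling that search the schema for the `[DEPRECATED]` marker would miss these elements, so all of them should use one spelling, e.g. `[DEPRECATED] Use relatedCryptographicAssets instead.` The XML markup of these hunks is not visible on the page, so the element each notice belongs to is inferred from the documentation text.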
@@ -7082,10 +7118,339 @@ limitations under the License. + [DEPRECATED] Use certificateFileExtension instead. The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + + + + + + + The fingerprint is a cryptographic hash of the certificate excluding it's signature. + + + + + + + The certificate lifecycle is a comprehensive process that manages digital + certificates from their initial creation to eventual expiration or revocation. + It typically involves several stages. + + + + + + + + + + A pre-defined state in the certificate lifecycle. + + + + + + + + The certificate has been issued by the issuing + certificate authority (CA) but has not been authorized + for use. + + + + + + + The certificate may be used to cryptographically protect + information, cryptographically process previously protected + information, or both. + + + + + + + Certificates in the deactivated state shall not be used + to apply cryptographic protection but, in some cases, + may be used to process cryptographically protected + information. + + + + + + + The use of a certificate may be suspended for several + possible reasons. + + + + + + + A revoked certificate is a digital certificate that has + been invalidated by the issuing certificate authority (CA) + before its scheduled expiration date. + + + + + + + The certificate has been destroyed. + + + + + + + + + + A reason for the certificate being in this state. + + + + + + + + + + The name of the certificate lifecycle state. + + + + + + + The description of the certificate lifecycle state. + + + + + + + A reason for the certificate being in this state. + + + + + + + + + + + The date and time (timestamp) when the certificate was created or pre-activated. + + + + + + + The date and time (timestamp) when the certificate was activated. + + + + + + + The date and time (timestamp) when the related certificate was deactivated. 
+ + + + + + + The date and time (timestamp) when the certificate was revoked. + + + + + + + The date and time (timestamp) when the certificate was destroyed. + + + + + + + A certificate extension is an optional field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. + + + + + + + + Extension: This can be either a common extension + (with a well-known name and value) or a custom extension + (for application or vendor-specific data). + + + + + + + + + + The name of the extension. + + + + + + + + Specifies whether a certificate can be used as a CA certificate or not. + + + + + + + Specifies the allowed uses of the public key in the certificate. + + + + + + + Specifies additional purposes for which the public key can be used. + + + + + + + Allows inclusion of additional names to identify the entity associated with the certificate. + + + + + + + Identifies the public key of the CA that issued the certificate. + + + + + + + Identifies the public key associated with the entity the certificate was issued to. + + + + + + + Contains CA issuers and OCSP information. + + + + + + + Defines the policies under which the certificate was issued and can be used. + + + + + + + Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained. + + + + + + + Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof. + + + + + + + + + + The value of the certificate extension. + + + + + + + + + + The name for the custom certificate extension. + + + + + + + The description of the custom certificate extension. + + + + + + + + + + + + + + A list of cryptographic assets related to this component. + + + + + + + + A cryptographic asset related to this component. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. 
+ Examples: "publicKey", "privateKey", "algorithm" + + + + + + + The bom-ref to cryptographic asset. + + + + + + + + + @@ -7233,6 +7598,50 @@ limitations under the License. + + + + The fingerprint is a cryptographic hash of the related cryptographic material, excluding it's signature. + + + + + + + A list of cryptographic assets related to this component. + + + + + + + + A cryptographic asset related to this component. + + + + + + + + Specifies the mechanism by which the cryptographic asset is secured by. + Examples: "publicKey", "privateKey", "algorithm" + + + + + + + The bom-ref to cryptographic asset. + + + + + + + + + @@ -7294,6 +7703,55 @@ limitations under the License. + + + + Datagram Transport Layer Security + + + + + + + Quick UDP Internet Connections + + + + + + + Extensible Authentication Protocol variant + + + + + + + Enhanced version of EAP-AKA + + + + + + + Protection of Inter-Network Signaling + + + + + + + Authentication and Key Agreement for 5G + + + + + + + JSON Object Signing and Encryption + + + @@ -7372,6 +7830,48 @@ limitations under the License. + + + + A list of TLS named groups (formerly known as curves) for + this cipher suite. These groups define the parameters for + key exchange algorithms like ECDHE. + + + + + + + + The name of the TLS group. + Example values: x25519, ffdhe2048 + + + + + + + + + + A list of signature schemes supported for cipher suite. + These schemes specify the algorithms used for digital + signatures in TLS handshakes and certificate verification. + + + + + + + + The name of the TLS signature scheme. + Example values: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, ed25519 + + + + + + @@ -7387,28 +7887,28 @@ limitations under the License. - + Transform Type 1: encryption algorithms - + Transform Type 2: pseudorandom functions - + Transform Type 3: integrity algorithms - + Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) 
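Review bot: The documentation for the type of a related cryptographic asset reads `Specifies the mechanism by which the cryptographic asset is secured by.`, which describes `securedBy` rather than this field; the examples that follow (`publicKey`, `privateKey`, `algorithm`) are asset kinds. The text appears twice, in the certificate hunk (old line 7082) and in the related-crypto-material hunk (old line 7233); `The type of the related cryptographic asset.` would fit both. Both fingerprint descriptions also say `excluding it's signature`, which should be `its`. The element markup is stripped on this page, so which element carries each text is inferred from the order of the documentation strings.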
@@ -7422,7 +7922,7 @@ limitations under the License. - + IKEv2 Authentication method @@ -7450,6 +7950,111 @@ limitations under the License. + + + + + + A name for the encryption method. + Example: ENCR_AES_GCM_16 + + + + + + + The key length of the encryption algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + + + A name for the pseudorandom function. + Example: PRF_HMAC_SHA2_256 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + + + A name for the integrity algorithm. + Example: AUTH_HMAC_SHA2_256_128 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + + + A group identifier for the key exchange algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + + + + + + + A name for the authentication method. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + + diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.xml b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.xml new file mode 100644 index 00000000..9f98e139 --- /dev/null +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.xml 
@@ -0,0 +1,156 @@ + + + + 2024-01-09T12:00:00Z + + my application + 1.0 + + + + + google.com + + certificate + + 1234567890ABCDEF + CN = www.google.com + C = US, O = Google Trust Services LLC, CN = GTS CA 1C3 + 2016-11-21T08:00:00Z + 2017-11-22T07:59:59Z + X.509 + crt + 1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4 + + active + Certificate is currently valid and in use + + 2016-11-21T07:30:00Z + 2016-11-21T08:00:00Z + + + algorithm + 6b00f384-6c39-420f-91eb-94de0f7be569RR + + + publicKey + ceb37320-8239-40e8-ab77-8798dbd98773 + + + + 2.5.4.3 + + + + + SHA512withRSA + + algorithm + + signature + software-plain-ram + x86_64 + none + pkcs1v15 + + sign + verify + + + 1.2.840.113549.1.1.13 + + + + + RSA-2048 + + related-crypto-material + + public-key + 2e9ef09e-dfac-4526-96b4-d02f31af1b22 + active + 2016-11-21T08:00:00Z + 2016-11-21T08:20:00Z + 2016-11-21T08:00:00Z + 2017-11-22T07:59:59Z + + + 2048 + PEM + + None + + a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 + + + algorithm + a154af0a-0dca-4ed5-b611-2405a3a6ae47 + + + + 1.2.840.113549.1.1.1 + + + + + RSA-2048 + + algorithm + + pke + RSAES-OAEP + 2048 + software-plain-ram + x86_64 + none + oaep + + encrypt + decrypt + + + 1.2.840.113549.1.1.1 + + + + + TLS 1.3 Protocol + + protocol + + tls + 1.3 + + + TLS_AES_256_GCM_SHA384 + + 1977d71b-8981-4292-b40d-842a019c2229 + 422fa336-b401-42b7-89b8-8966aa30bca0 + + + 0x13,0x02 + + + + TLS_CHACHA20_POLY1305_SHA256 + + 1af4fc08-5d0d-436e-8058-eeef921983d0 + 6af3066b-ab66-4593-975f-d9ba2c623a89 + + + 0x13,0x03 + + + + + 1.3.6.1.5.5.7.3.1 + + + + diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.xml b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.xml new file mode 100644 index 00000000..3da26a41 --- /dev/null +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.xml 
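Review bot: The algorithm reference `6b00f384-6c39-420f-91eb-94de0f7be569RR` in the certificate's related assets ends in a stray `RR`, so it is not a well-formed UUID and probably does not match the bom-ref of the SHA512withRSA component it is meant to point at. Schema validation is unlikely to resolve references, so the fixture would still pass as "valid" while a consumer following the link from the certificate to its signature algorithm finds nothing. Dropping the suffix (`6b00f384-6c39-420f-91eb-94de0f7be569`) and checking it against the component's bom-ref would fix it. The bom-ref attributes are stripped in this rendering, so the mismatch is inferred.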
@@ -0,0 +1,259 @@ + + + + 2024-01-15T14:30:00Z + + enterprise-security-app + 2.1.0 + + + + + revoked-internal-ca.example.com + + certificate + + ABCDEF1234567890FEDCBA + CN = internal-ca.example.com, OU = IT Security, O = Example Corp, C = US + CN = Example Root CA, O = Example Corp, C = US + 2023-01-01T00:00:00Z + 2025-12-31T23:59:59Z + X.509 + pem + 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 + + revoked + Certificate was compromised due to private key exposure in security incident #2024-001 + + 2022-12-15T10:00:00Z + 2023-01-01T00:00:00Z + 2024-01-10T15:45:30Z + + + basicConstraints + CA:TRUE, pathlen:2 + + + keyUsage + Certificate Sign, CRL Sign, Digital Signature + + + extendedKeyUsage + TLS Web Server Authentication, TLS Web Client Authentication + + + subjectAlternativeName + DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100 + + + authorityKeyIdentifier + keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14 + + + subjectKeyIdentifier + A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14 + + + crlDistributionPoints + URI:http://crl.example.com/root-ca.crl + + + authorityInformationAccess + OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt + + + certificatePolicies + Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps + + + organizationalSecurityLevel + HIGH + + + incidentTrackingId + SEC-2024-001 + + + complianceFramework + SOX, PCI-DSS Level 1, ISO 27001 + + + + + algorithm + 2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8 + + + publicKey + ACCAF8BC-5F73-4869-A3FE-1C64E8D96408 + + + + 2.5.4.3 + + + + active-server.example.com + + certificate + + 1122334455667788AABBCCDD + CN = server.example.com, OU = Web Services, O = Example Corp, C = US + CN = Example Intermediate CA, O = Example Corp, C = US + 2024-01-01T00:00:00Z + 2025-01-01T23:59:59Z + X.509 + crt + 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 + + monitored + Certificate is under 
enhanced monitoring due to recent security incidents + Proactive monitoring following organizational security policy updates + + 2023-12-20T09:00:00Z + 2024-01-01T00:00:00Z + + + keyUsage + Digital Signature, Key Encipherment + + + extendedKeyUsage + TLS Web Server Authentication + + + subjectAlternativeName + DNS:server.example.com, DNS:www.server.example.com, DNS:api.server.example.com + + + signedCertificateTimestamp + Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100... + + + deploymentEnvironment + PRODUCTION + + + businessCriticality + CRITICAL + + + autoRenewalEnabled + true + + + + + algorithm + 14478B86-9306-45B5-BA2A-1660B723244C + + + publicKey + F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D + + + + 2.5.4.3 + + + + RSA-SHA256 + + algorithm + + signature + software-plain-ram + x86_64 + pkcs1v15 + + sign + verify + + + 1.2.840.113549.1.1.11 + + + + ECDSA-P256 + + algorithm + + signature + secp256r1 + software-plain-ram + x86_64 + fips140-3-l1 + + sign + verify + + + 1.2.840.10045.4.3.2 + + + + RSA-4096-Revoked-CA-Key + + related-crypto-material + + public-key + revoked-ca-key-2024 + compromised + 2022-12-15T10:00:00Z + 2023-01-01T00:00:00Z + 2024-01-10T15:45:30Z + + 4096 + PEM + + HSM + aes-256-gcm-ref + + 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 + + + algorithm + 2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8 + + + + 1.2.840.113549.1.1.1 + + + + ECDSA-P256-Server-Key + + related-crypto-material + + public-key + server-key-2024 + active + 2023-12-20T09:00:00Z + 2024-01-01T00:00:00Z + 2025-01-01T23:59:59Z + + 256 + PEM + + HSM + aes-256-gcm-ref + + d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0123456 + + + algorithm + 14478B86-9306-45B5-BA2A-1660B723244C + + + + 1.2.840.10045.2.1 + + + + diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.xml b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.xml index ef2c46df..0f9c667e 100644 
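Review bot: Three distinct assets in this fixture carry the same fingerprint, `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08`: the revoked CA certificate, the active server certificate and the revoked CA key. Tooling that correlates or deduplicates assets by fingerprint would merge a revoked certificate with an active one, which undercuts an example meant to show lifecycle states. A distinct sample digest per asset, as the server key already has, avoids that. The textproto certificate fixtures added later in this series reuse the same value and need the same change.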
--- a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.xml +++ b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.xml 
@@ -6,45 +6,137 @@ algorithm - ae + key-agree + ECDH 128 - brainpoolP160r1 + brainpool/brainpoolP160r1 + brainpool/brainpoolP160r1 software-plain-ram x86_64 - fips140-1-l4 + fips140-3-l4 gcm pkcs5 keygen - encrypt - decrypt - tag + keyderive - 128 - 1 + 96 + 0 oid:1.2.3.4.5.6.7.8.9 - Name here + Example Certificate with All Properties certificate - Subject name here - Issuer name here + 0B:35:82:6D:F5:7A:02:0A:0A:21:8F:BD:F3:91:43:C3 + CN=example.com, O=Example Corp, C=US + CN=Example CA, O=Example Trust Services, C=US 2022-01-01T00:00:00.000Z 2024-01-01T00:00:00.000Z bom-ref-to-algorithm bom-ref-to-public-key X.509 crt + crt + 3942447fac867ae5cdb3229b658f4d48 + + pre-activation + Certificate created but not yet active + + + active + Certificate in active use for TLS connections + + + suspended + Temporary suspension due to security audit + + + deactivated + Replaced by new certificate + + + revoked + Private key compromise suspected + + + destroyed + Certificate and associated keys securely destroyed + + 2022-01-01T00:00:00.000Z + 2022-01-02T00:00:00.000Z + 2023-12-31T23:59:59.000Z + 2024-01-01T00:00:00.000Z + 2024-01-02T00:00:00.000Z + + + basicConstraints + CA:FALSE, pathlen:0 + + + keyUsage + digitalSignature, keyEncipherment + + + extendedKeyUsage + serverAuth, clientAuth + + + subjectAlternativeName + DNS:example.com, DNS:www.example.com + + + authorityKeyIdentifier + keyid:12:34:56:78:90:AB:CD:EF + + + subjectKeyIdentifier + AA:BB:CC:DD:EE:FF:00:11 + + + authorityInformationAccess + OCSP - URI:http://ocsp.example.com + + + certificatePolicies + Policy: 2.23.140.1.2.1 + + + crlDistributionPoints + URI:http://crl.example.com/root.crl + + + signedCertificateTimestamp + Signed by Example CT log at 2022-01-01T00:00:00Z + + + someCustomExtension + Custom value for this extension + + + + + publicKey + public-key-ref + + + privateKey + private-key-ref + + + algorithm + signing-algorithm-ref + + - oid:1.2.3.4.5.6.7.8.9 + oid:2.5.4.3 - Name here + Example Protocol 
with All Properties protocol @@ -52,42 +144,120 @@ 1.3 - TLS_DHE_RSA_WITH_AES_128_CCM + TLS_AES_128_GCM_SHA256 + + aes-128-gcm-ref + sha256-ref + + + 0x1301 + + + x25519 + secp256r1 + secp384r1 + secp521r1 + ffdhe2048 + ffdhe3072 + + + ecdsa_secp256r1_sha256 + ecdsa_secp384r1_sha384 + ecdsa_secp521r1_sha512 + rsa_pss_rsae_sha256 + rsa_pss_rsae_sha384 + rsa_pss_rsae_sha512 + ed25519 + ed448 + + + + TLS_AES_256_GCM_SHA384 - bom-ref-to-algorithm + aes-256-gcm-ref + sha384-ref - 0xC0 + 0x1302 + + + + TLS_CHACHA20_POLY1305_SHA256 + + chacha20-poly1305-ref + sha256-ref + + + 0x1303 + + + AES-128-GCM + 128 + aes-128-gcm-ref + + + SHA-256 + sha256-ref + + + SHA-256 + sha256-ref + + + 14 + diffie-hellman-group14-sha256-ref + + true + + ECDSA + ecdsa_secp256r1_sha256 + + - oid:1.2.3.4.5.6.7.8.9 + oid:1.3.6.1.5.5.7.3.1 - Name here + Example Related Crypto Material with All Properties related-crypto-material - private-key - 12345 + public-key + key-12345-67890 active - bom-ref-to-algorithm + rsa-4096-ref 2024-01-01T00:00:00.000Z 2024-01-02T00:00:00.000Z 2024-01-03T00:00:00.000Z - 2024-01-04T00:00:00.000Z - Value here - 1024 - PEM + 2026-01-01T00:00:00.000Z + -----BEGIN PUBLIC KEY----- + 4096 + PKCS#8 HSM - bom-ref-to-algorithm + aes-256-gcm-ref + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + + + publicKey + corresponding-public-key-ref + + + certificate + certificate-using-this-key-ref + + + algorithm + rsa-4096-ref + + - oid:1.2.3.4.5.6.7.8.9 + oid:1.2.840.113549.1.1.1 - + \ No newline at end of file From bc0b8fc1f55c20fa03cf49c9b40751860340de13 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 25 Jul 2025 11:30:19 -0500 Subject: [PATCH 30/54] Clarified deprecations Signed-off-by: Steve Springett --- schema/bom-1.7.schema.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index b4218e7d..c09ea3d4 100644 --- a/schema/bom-1.7.schema.json 
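Review bot: In the related-crypto-material example the type becomes `public-key` and the value `-----BEGIN PUBLIC KEY-----`, but the format is changed to `PKCS#8`, which is a private-key container. A PEM block with that label holds a SubjectPublicKeyInfo structure. Because this file serves as the "all properties" reference for producers, keeping `PEM` (the previous value) or using `SubjectPublicKeyInfo` would avoid implying that private-key encodings are expected alongside a public-key type. The element names are stripped in this rendering, so the format position is inferred from the value order.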
+++ b/schema/bom-1.7.schema.json @@ -5373,13 +5373,13 @@ "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "The bom-ref to signature algorithm used by the certificate" + "description": "[DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to signature algorithm used by the certificate" }, "subjectPublicKeyRef": { "deprecated": true, "$ref": "#/definitions/refType", "title": "Key reference", - "description": "The bom-ref to the public key of the subject" + "description": "[DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the public key of the subject" }, "certificateFormat": { "type": "string", @@ -5682,7 +5682,7 @@ "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "The bom-ref to the algorithm used to generate the related cryptographic material." + "description": "[DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the algorithm used to generate the related cryptographic material." }, "creationDate": { "type": "string", @@ -5867,7 +5867,7 @@ "deprecated": true, "$ref": "#/definitions/cryptoRefArray", "title": "Cryptographic References", - "description": "A list of protocol-related cryptographic assets" + "description": "[DEPRECATED] Use relatedCryptographicAssets instead. A list of protocol-related cryptographic assets" }, "relatedCryptographicAssets": { "$ref": "#/definitions/relatedCryptographicAssets", From e9a9d93460ce3f777d990460d4aeee1cb1f9790a Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 25 Jul 2025 11:54:12 -0500 Subject: [PATCH 31/54] Porting JSON changes to XML Signed-off-by: Steve Springett --- .../valid-cryptography-implementation-1.7.xml | 65 ++++++++++++++++++- 1 file changed, 63 insertions(+), 2 deletions(-) 
diff --git a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.xml b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.xml index 47ce09cc..b81d4982 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.xml +++ b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.xml @@ -1,5 +1,5 @@ - + Acme Application @@ -27,7 +27,64 @@ 128 1 - oid:2.16.840.1.101.3.4.1.7 + 2.16.840.1.101.3.4.1.6 + + + + ECDH-secp521r1 + + algorithm + + key-agree + ECDH + secg/secp521r1 + software-plain-ram + x86_64 + none + + keygen + keyderive + + 0 + + 1.3.132.0.35 + + + + ML-KEM-1024 + + algorithm + + kem + ML-KEM + software-plain-ram + x86_64 + none + + keygen + keyderive + + 5 + + 2.16.840.1.101.3.4.1.48 + + + + draft-ietf-tls-hybrid-design-13 + + algorithm + + combiner + software-plain-ram + x86_64 + none + + keygen + keyderive + + 0 + + 1.3.101.110 @@ -47,5 +104,9 @@ + + + + From 839896cd93c2819aa181d62270785e8abe51263f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 25 Jul 2025 16:04:28 -0500 Subject: [PATCH 32/54] Porting JSON changes to protobuf Signed-off-by: Steve Springett --- schema/bom-1.7.proto | 205 +++++++++++++++++- schema/bom-1.7.schema.json | 2 +- ...lid-cryptography-certificate-1.7.textproto | 80 +++++++ ...ography-certificate-advanced-1.7.textproto | 191 ++++++++++++++++ .../1.7/valid-cryptography-full-1.7.textproto | 185 +++++++++++++--- 5 files changed, 618 insertions(+), 45 deletions(-) create mode 100644 tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.textproto create mode 100644 tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 2f1aaf0d..e54a83e5 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
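Review bot: The OID given for the ML-KEM-1024 component, `2.16.840.1.101.3.4.1.48`, lies in the NIST AES arc, where it is id-aes256-wrap-pad. The identifier NIST assigned to ML-KEM-1024 is `2.16.840.1.101.3.4.4.3`. The hybrid combiner component likewise carries `1.3.101.110`, which is the X25519 identifier from RFC 8410 rather than an identifier for the hybrid design. Inventory or policy tooling that keys on OID would record the post-quantum KEM as AES key wrap, so the fixture should carry the assigned values or omit the OID where none exists. Tag names are stripped in this rendering, so the OID position is inferred from the value order.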
@@ -2078,6 +2078,8 @@ message CryptoProperties { CRYPTO_PRIMITIVE_AE = 14; // A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive. CRYPTO_PRIMITIVE_COMBINER = 15; + // Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES. + CRYPTO_PRIMITIVE_KEY_WRAP = 16; } // Execution Environment 
@@ -2209,6 +2211,41 @@ message CryptoProperties { optional int32 nistQuantumSecurityLevel = 11; } // end of AlgorithmProperties + // Certificate State + message CertificateState { + // Pre-defined certificate states + enum PredefinedState { + // ProtoBuff's default value + PREDEFINED_STATE_UNSPECIFIED = 0; + // The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use. + PREDEFINED_STATE_PRE_ACTIVATION = 1; + // The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both. + PREDEFINED_STATE_ACTIVE = 2; + // The use of a certificate may be suspended for several possible reasons. + PREDEFINED_STATE_SUSPENDED = 3; + // Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information. + PREDEFINED_STATE_DEACTIVATED = 4; + // A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date. + PREDEFINED_STATE_REVOKED = 5; + // The certificate has been destroyed. + PREDEFINED_STATE_DESTROYED = 6; + } + + // A reason for the certificate being in this state. + optional string reason = 1; + + // The state can be either a predefined state or a custom state + oneof state { + // A pre-defined state in the certificate lifecycle. + PredefinedState predefined_state = 2; + // The name of the certificate lifecycle state for custom states. + string name = 3; + } + + // The description of the certificate lifecycle state (only used with custom states). + optional string description = 4; + } + // Certificate Properties message CertificateProperties { // The subject name for the certificate 
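Review bot: `description` is documented as "only used with custom states" but sits outside the `state` oneof, so a message can pair it with `predefined_state` and nothing ties it to `name`. The CertificateExtensions messages added in the next hunk already separate the two cases into `CommonExtension` and `CustomExtension`; the same shape here would make the comment true by construction. The textproto fixtures that set `name` and `description` directly would need the extra nesting. `predefined_state` is also snake_case while the neighbouring fields in CryptoProperties are camelCase.

```protobuf
message CertificateState {
  // … unchanged: PredefinedState enum …

  // A custom certificate lifecycle state.
  message CustomState {
    // The name of the certificate lifecycle state.
    string name = 1;
    // The description of the certificate lifecycle state.
    optional string description = 2;
  }

  // A reason for the certificate being in this state.
  optional string reason = 1;

  // The state can be either a predefined state or a custom state
  oneof state {
    // A pre-defined state in the certificate lifecycle.
    PredefinedState predefined_state = 2;
    // A custom state, carrying its own name and description.
    CustomState custom_state = 3;
  }
}
```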
@@ -2219,16 +2256,100 @@ message CryptoProperties { optional google.protobuf.Timestamp notValidBefore = 3; // The date and time according to ISO-8601 standard from which the certificate is not valid anymore optional google.protobuf.Timestamp notValidAfter = 4; - // The bom-ref to signature algorithm used by the certificate + // [DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to signature algorithm used by the certificate optional string signatureAlgorithmRef = 5; - // The bom-ref to the public key of the subject + // [DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the public key of the subject optional string subjectPublicKeyRef = 6; // The format of the certificate. Examples include X.509, PEM, DER, and CVC. optional string certificateFormat = 7; - // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + // [DEPRECATED] Use certificateFileExtension instead. The file extension of the certificate. Examples include crt, pem, cer, der, and p12. optional string certificateExtension = 8; + // The serial number is a unique identifier for the certificate issued by a CA. + optional string serialNumber = 9; + // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + optional string certificateFileExtension = 10; + // The fingerprint is a cryptographic hash of the certificate excluding it's signature. + optional Hash fingerprint = 11; + // The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages. + repeated CertificateState certificateState = 12; + // The date and time (timestamp) when the certificate was created or pre-activated. + optional google.protobuf.Timestamp creationDate = 13; + // The date and time (timestamp) when the certificate was activated. 
+ optional google.protobuf.Timestamp activationDate = 14; + // The date and time (timestamp) when the related certificate was deactivated. + optional google.protobuf.Timestamp deactivationDate = 15; + // The date and time (timestamp) when the certificate was revoked. + optional google.protobuf.Timestamp revocationDate = 16; + // The date and time (timestamp) when the certificate was destroyed. + optional google.protobuf.Timestamp destructionDate = 17; + // A certificate extension is an optional field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. + optional CertificateExtensions certificateExtensions = 18; + // A list of cryptographic assets related to this component. + optional RelatedCryptographicAssets relatedCryptographicAssets = 19; } // end of CertificateProperties + // Certificate Extensions + message CertificateExtensions { + // Common extension names + enum CommonExtensionName { + // ProtoBuff's default value + COMMON_EXTENSION_NAME_UNSPECIFIED = 0; + COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS = 1; + COMMON_EXTENSION_NAME_KEY_USAGE = 2; + COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE = 3; + COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME = 4; + COMMON_EXTENSION_NAME_AUTHORITY_KEY_IDENTIFIER = 5; + COMMON_EXTENSION_NAME_SUBJECT_KEY_IDENTIFIER = 6; + COMMON_EXTENSION_NAME_AUTHORITY_INFORMATION_ACCESS = 7; + COMMON_EXTENSION_NAME_CERTIFICATE_POLICIES = 8; + COMMON_EXTENSION_NAME_CRL_DISTRIBUTION_POINTS = 9; + COMMON_EXTENSION_NAME_SIGNED_CERTIFICATE_TIMESTAMP = 10; + } + + // Extension represents either a common extension or a custom extension + message Extension { + oneof extension_type { + // Common extension with predefined name + CommonExtension commonExtension = 1; + // Custom extension with user-defined name + CustomExtension customExtension = 2; + } + } + + // Common extension with predefined name + message CommonExtension { + // The name of the extension + 
CommonExtensionName name = 1; + // The value of the certificate extension + string value = 2; + } + + // Custom extension with user-defined name + message CustomExtension { + // The name for the custom certificate extension + string name = 1; + // The description of the custom certificate extension + optional string value = 2; + } + + // List of certificate extensions + repeated Extension extensions = 1; + } + + // Related Cryptographic Assets + message RelatedCryptographicAssets { + // Related Cryptographic Asset + message RelatedCryptographicAsset { + // The type of the related cryptographic asset + string type = 1; + // The reference to the related cryptographic asset + string ref = 2; + } + + // List of related cryptographic assets + repeated RelatedCryptographicAsset assets = 1; + } + // Related Cryptographic Material Properties message RelatedCryptoMaterialProperties { @@ -2285,7 +2406,7 @@ message CryptoProperties { optional string id = 2; // The key state as defined by NIST SP 800-57. optional CryptoRelatedState state = 3; - // The bom-ref to the algorithm used to generate the related cryptographic material. + // [DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the algorithm used to generate the related cryptographic material. optional string algorithmRef = 4; // The date and time (timestamp) when the related cryptographic material was created. optional google.protobuf.Timestamp creationDate = 5; @@ -2303,6 +2424,10 @@ message CryptoProperties { optional string format = 11; // The mechanism by which the cryptographic asset is secured. optional CryptoRelatedSecuredBy securedBy = 12; + // The fingerprint is a cryptographic hash of the asset. + optional Hash fingerprint = 13; + // A list of cryptographic assets related to this component. + optional RelatedCryptographicAssets relatedCryptographicAssets = 14; } // end of RelatedCryptoMaterialProperties // Protocol Properties 
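Review bot: The fields marked `[DEPRECATED]` in this hunk (`signatureAlgorithmRef`, `subjectPublicKeyRef`, `certificateExtension`) and `algorithmRef` in the next one are deprecated in the comment only, so generated code gives consumers no signal to move to `relatedCryptographicAssets`. Protobuf has a field option for this, e.g. `optional string signatureAlgorithmRef = 5 [deprecated = true];`. `cryptoRef` in ProtocolProperties (last hunk of this file) received no notice at all, although the JSON schema change in this series appears to deprecate its counterpart. Separately, the comment on `CustomExtension.value` says "The description of the custom certificate extension" although the field holds the value, and `it's signature` on `fingerprint` should read `its signature`.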
@@ -2326,6 +2451,20 @@ message CryptoProperties { CRYPTO_PROTOCOL_TYPE_SSTP = 7; // Wi-Fi Protected Access CRYPTO_PROTOCOL_TYPE_WPA = 8; + // Datagram Transport Layer Security + CRYPTO_PROTOCOL_TYPE_DTLS = 9; + // Quick UDP Internet Connections + CRYPTO_PROTOCOL_TYPE_QUIC = 10; + // Extensible Authentication Protocol variant + CRYPTO_PROTOCOL_TYPE_EAP_AKA = 11; + // Enhanced version of EAP-AKA + CRYPTO_PROTOCOL_TYPE_EAP_AKA_PRIME = 12; + // Protection of Inter-Network Signaling + CRYPTO_PROTOCOL_TYPE_PRINS = 13; + // Authentication and Key Agreement for 5G + CRYPTO_PROTOCOL_TYPE_5G_AKA = 14; + // JSON Object Signing and Encryption + CRYPTO_PROTOCOL_TYPE_JOSE = 15; } // Object representing a cipher suite 
@@ -2336,22 +2475,68 @@ message CryptoProperties { repeated string algorithms = 2; // A list of common identifiers for the cipher suite. For example: 0xC0 and 0x9E repeated string identifiers = 3; + // A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE. + repeated string tlsGroups = 4; + // A list of signature schemes supported for cipher suite. These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification. + repeated string tlsSignatureSchemes = 5; + } + + // Encryption Algorithm (ENCR) + message IkeV2Enc { + // A name for the encryption method + optional string name = 1; + // The key length of the encryption algorithm + optional int32 keyLength = 2; + // The bom-ref to algorithm cryptographic asset + optional string algorithm = 3; + } + + // Pseudorandom Function (PRF) + message IkeV2Prf { + // A name for the pseudorandom function + optional string name = 1; + // The bom-ref to algorithm cryptographic asset + optional string algorithm = 2; + } + + // Integrity Algorithm (INTEG) + message IkeV2Integ { + // A name for the integrity algorithm + optional string name = 1; + // The bom-ref to algorithm cryptographic asset + optional string algorithm = 2; + } + + // Key Exchange Method (KE) + message IkeV2Ke { + // A group identifier for the key exchange algorithm + optional int32 group = 1; + // The bom-ref to algorithm cryptographic asset + optional string algorithm = 2; + } + + // IKEv2 Authentication method + message IkeV2Auth { + // A name for the authentication method + optional string name = 1; + // The bom-ref to algorithm cryptographic asset + optional string algorithm = 2; } // IKEv2 Transform Types message Ikev2TransformTypes { // Transform Type 1: encryption algorithms - repeated string encr = 1; + repeated IkeV2Enc encr = 1; // Transform Type 2: pseudorandom functions - repeated string prf = 2; + repeated 
IkeV2Prf prf = 2; // Transform Type 3: integrity algorithms - repeated string integ = 3; + repeated IkeV2Integ integ = 3; // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) - repeated string ke = 4; + repeated IkeV2Ke ke = 4; // Specifies if an Extended Sequence Number (ESN) is used. optional bool esn = 5; // IKEv2 Authentication method - repeated string auth = 6; + repeated IkeV2Auth auth = 6; } // The concrete protocol type. @@ -2364,6 +2549,8 @@ message CryptoProperties { optional Ikev2TransformTypes ikev2TransformTypes = 4; // The bom-ref(s) to protocol-related cryptographic assets repeated string cryptoRef = 5; + // A list of cryptographic assets related to this component. + optional RelatedCryptographicAssets relatedCryptographicAssets = 6; } // end of ProtocolProperties // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled. diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index c09ea3d4..35356b1f 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5396,7 +5396,7 @@ "deprecated": true, "type": "string", "title": "Certificate File Extension", - "description": "The file extension of the certificate", + "description": "[DEPRECATED] Use certificateFileExtension instead. The file extension of the certificate", "examples": [ "crt", "pem", diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.textproto new file mode 100644 index 00000000..5cd72953 --- /dev/null +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.textproto 
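Review bot: `encr`, `prf`, `integ`, `ke` and `auth` keep field numbers 1–4 and 6 but change from `repeated string` to `repeated` message types. Both forms are length-delimited on the wire, so bytes written with the string form are handed to the message parser instead of being rejected cleanly. If documents serialized against an earlier draft of this schema, or decoders shared across versions, are expected to keep working, adding the structured fields under new numbers and marking the old ones `reserved` or deprecated is the safer route. The new message names are spelled `IkeV2…` next to the existing `Ikev2TransformTypes`; one spelling would be easier to search for.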
@@ -0,0 +1,80 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components: [
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "9AADCCE0-F5AD-4A26-A1A9-5B3C85323E9B"
+ name: "example-certificate.example.com"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_CERTIFICATE
+ certificateProperties: {
+ serialNumber: "AABBCCDDEEFF00112233"
+ subjectName: "CN = example.example.com, OU = Security, O = Example Corp, C = US"
+ issuerName: "CN = Example CA, O = Example Corp, C = US"
+ notValidBefore {
+ seconds: 1672531200 # 2023-01-01T00:00:00Z
+ }
+ notValidAfter {
+ seconds: 1704067199 # 2023-12-31T23:59:59Z
+ }
+ certificateFormat: "X.509"
+ certificateFileExtension: "pem"
+ fingerprint {
+ alg: HASH_ALG_SHA_256
+ value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+ }
+ certificateState: [
+ {
+ predefined_state: PREDEFINED_STATE_ACTIVE
+ reason: "Certificate is in active use"
+ }
+ ]
+ creationDate {
+ seconds: 1671091200 # 2022-12-15T10:00:00Z
+ }
+ activationDate {
+ seconds: 1672531200 # 2023-01-01T00:00:00Z
+ }
+ certificateExtensions {
+ extensions: [
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS
+ value: "CA:FALSE"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_KEY_USAGE
+ value: "Digital Signature, Key Encipherment"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE
+ value: "TLS Web Server Authentication, TLS Web Client Authentication"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME
+ value: "DNS:example.example.com, DNS:www.example.example.com"
+ }
+ },
+ {
+ customExtension {
+ name: "environmentType"
+ value: "Production"
+ }
+ }
+ ]
+ }
+ }
+ oid: "2.5.4.3"
+ }
+ }
+]
\ No newline at end of file
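Review bot: The epoch value for `creationDate`, `seconds: 1671091200`, decodes to 2022-12-15T08:00:00Z, not the 10:00:00Z stated in its comment; 10:00:00Z is `1671098400`. The advanced certificate fixture added next repeats this mismatch and has three more. `1704888330` is 2024-01-10T12:05:30Z (comment says 15:45:30Z), `1703059200` is 2023-12-20T08:00:00Z (comment says 09:00:00Z), and `1735689599` is 2024-12-31T23:59:59Z (comment says 2025-01-01T23:59:59Z). The advanced XML fixture uses the commented values, so the numbers rather than the comments are the likely error. Lifecycle dates that differ by format make cross-format comparison of these fixtures unreliable.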
diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto new file mode 100644 index 00000000..de86a450 --- /dev/null +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto 
@@ -0,0 +1,191 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.7"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components: [
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "9AADCCE0-F5AD-4A26-A1A9-5B3C85323E9B"
+ name: "revoked-ca.example.com"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_CERTIFICATE
+ certificateProperties: {
+ serialNumber: "AABBCCDDEEFF00112233"
+ subjectName: "CN = internal-ca.example.com, OU = Security, O = Example Corp, C = US"
+ issuerName: "CN = Example Root CA, O = Example Corp, C = US"
+ notValidBefore {
+ seconds: 1672531200 # 2023-01-01T00:00:00Z
+ }
+ notValidAfter {
+ seconds: 1704067199 # 2023-12-31T23:59:59Z
+ }
+ certificateFormat: "X.509"
+ certificateFileExtension: "pem"
+ fingerprint {
+ alg: HASH_ALG_SHA_256
+ value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+ }
+ certificateState: [
+ {
+ predefined_state: PREDEFINED_STATE_REVOKED
+ reason: "Certificate was compromised due to private key exposure in security incident #2024-001"
+ }
+ ]
+ creationDate {
+ seconds: 1671091200 # 2022-12-15T10:00:00Z
+ }
+ activationDate {
+ seconds: 1672531200 # 2023-01-01T00:00:00Z
+ }
+ revocationDate {
+ seconds: 1704888330 # 2024-01-10T15:45:30Z
+ }
+ certificateExtensions {
+ extensions: [
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS
+ value: "CA:TRUE, pathlen:2"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_KEY_USAGE
+ value: "Certificate Sign, CRL Sign, Digital Signature"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE
+ value: "TLS Web Server Authentication, TLS Web Client Authentication"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME
+ value: "DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_AUTHORITY_KEY_IDENTIFIER
+ value: "keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_SUBJECT_KEY_IDENTIFIER
+ value: "A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_CRL_DISTRIBUTION_POINTS
+ value: "URI:http://crl.example.com/root-ca.crl"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_AUTHORITY_INFORMATION_ACCESS
+ value: "OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_CERTIFICATE_POLICIES
+ value: "Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps"
+ }
+ },
+ {
+ customExtension {
+ name: "organizationalSecurityLevel"
+ value: "HIGH"
+ }
+ },
+ {
+ customExtension {
+ name: "incidentTrackingId"
+ value: "SEC-2024-001"
+ }
+ },
+ {
+ customExtension {
+ name: "complianceFramework"
+ value: "SOX, PCI-DSS Level 1, ISO 27001"
+ }
+ }
+ ]
+ }
+ }
+ oid: "2.5.4.3"
+ }
+ },
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "4497B977-4D07-4245-9457-C2CF37FF399A"
+ name: "active-server.example.com"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_CERTIFICATE
+ certificateProperties: {
+ serialNumber: "1122334455667788AABBCCDD"
+ subjectName: "CN = server.example.com, OU = Web Services, O = Example Corp, C = US"
+ issuerName: "CN = Example Intermediate CA, O = Example Corp, C = US"
+ notValidBefore {
+ seconds: 1704067200 # 2024-01-01T00:00:00Z
+ }
+ notValidAfter {
+ seconds: 1735689599 # 2025-01-01T23:59:59Z
+ }
+ certificateFormat: "X.509"
+ certificateFileExtension: "crt"
+ fingerprint {
+ alg: HASH_ALG_SHA_256
+ value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+ }
+ certificateState: [
+ {
+ name: "monitored"
+ description: "Certificate is under enhanced monitoring due to recent security incidents"
+ reason: "Proactive monitoring following organizational security policy updates"
+ }
+ ]
+ creationDate {
+ seconds: 1703059200 # 2023-12-20T09:00:00Z
+ }
+ activationDate {
+ seconds: 1704067200 # 2024-01-01T00:00:00Z
+ }
+ certificateExtensions {
+ extensions: [
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_KEY_USAGE
+ value: "Digital Signature, Key Encipherment"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE
+ value: "TLS Web Server Authentication"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME
+ value: "DNS:server.example.com, DNS:www.server.example.com, DNS:api.server.example.com"
+ }
+ },
+ {
+ commonExtension {
+ name: COMMON_EXTENSION_NAME_SIGNED_CERTIFICATE_TIMESTAMP
+ value: "Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100..."
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto
index d2065ff9..30f0567d 100644
--- a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto
+++ b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto
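Review bot: The revoked CA entry sets `notValidAfter` to `1704067199` (2023-12-31T23:59:59Z) but its `revocationDate` falls in January 2024, so the example shows a certificate revoked after it had already expired. The XML version of this fixture gives the same certificate a `notValidAfter` of 2025-12-31T23:59:59Z, which would be `seconds: 1767225599 # 2025-12-31T23:59:59Z` here. A revocation example is more useful when the revocation falls inside the validity window, since that is the case consumers must handle. The textproto port also omits the related-asset references and key components that the XML version carries, which may be intentional but is worth confirming.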
@@ -12,55 +12,85 @@ components: [ cryptoProperties: { assetType: CRYPTO_ASSET_TYPE_ALGORITHM algorithmProperties: { - primitive: CRYPTO_PRIMITIVE_AE + primitive: CRYPTO_PRIMITIVE_KEY_AGREE parameterSetIdentifier: "128" - curve: "brainpoolP160r1" + curve: "brainpool/brainpoolP160r1" executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 - certificationLevel: [ "fips140-1-l4" ] + certificationLevel: [ "fips140-3-l4" ] mode: CRYPTO_ALGORITHM_MODE_GCM padding: CRYPTO_ALGORITHM_PADDING_PKCS5 cryptoFunctions: [ CRYPTO_ALGORITHM_FUNCTION_KEYGEN, - CRYPTO_ALGORITHM_FUNCTION_ENCRYPT, - CRYPTO_ALGORITHM_FUNCTION_DECRYPT, - CRYPTO_ALGORITHM_FUNCTION_TAG + CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE ] - classicalSecurityLevel: 128 - nistQuantumSecurityLevel: 1 - }, + classicalSecurityLevel: 96 + nistQuantumSecurityLevel: 0 + } oid: "oid:1.2.3.4.5.6.7.8.9" } }, { type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "asset-2" - name: "Name here" + name: "Example Certificate with All Properties" cryptoProperties: { assetType: CRYPTO_ASSET_TYPE_CERTIFICATE certificateProperties: { - subjectName: "Subject name here" - issuerName: "Issuer name here" + subjectName: "CN=example.com, O=Example Corp, C=US" + issuerName: "CN=Example CA, O=Example Trust Services, C=US" notValidBefore { seconds: 1640995200 - nanos: 0 } notValidAfter { seconds: 1704067200 - nanos: 0 } signatureAlgorithmRef: "bom-ref-to-algorithm" subjectPublicKeyRef: "bom-ref-to-public-key" certificateFormat: "X.509" - certificateExtension: "crt" + certificateFileExtension: "crt" + certificateExtensions { + extensions: [ + { + commonExtension { + name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS + value: "CA:FALSE" + } + }, + { + commonExtension { + name: COMMON_EXTENSION_NAME_KEY_USAGE + value: "Digital Signature, Key Encipherment" + } + }, + { + commonExtension { + name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME + value: "DNS:example.com, 
DNS:www.example.com" + } + } + ] + } + relatedCryptographicAssets { + assets: [ + { + type: "algorithm" + ref: "asset-1" + }, + { + type: "publicKey" + ref: "asset-4" + } + ] + } } - oid: "oid:1.2.3.4.5.6.7.8.9" + oid: "oid:2.5.4.3" } }, { type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "asset-3" - name: "Name here" + name: "Example Protocol with All Properties" cryptoProperties: { assetType: CRYPTO_ASSET_TYPE_PROTOCOL protocolProperties: { 
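Review bot: `classicalSecurityLevel: 96` next to `curve: "brainpool/brainpoolP160r1"` overstates the strength of a 160-bit curve, whose generic security is normally put at about half the field size, roughly 80 bits. Because this fixture is the "full" example, readers are likely to copy it, so consider `classicalSecurityLevel: 80` or a larger curve. The unchanged `mode: CRYPTO_ALGORITHM_MODE_GCM` and `padding: CRYPTO_ALGORITHM_PADDING_PKCS5` lines also no longer fit the new `CRYPTO_PRIMITIVE_KEY_AGREE` primitive. A short comment such as `# fields populated only to exercise the schema, not a recommended combination` would keep the block from being read as guidance. The `components` list starts and ends outside this hunk.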
@@ -68,55 +98,140 @@ components: [ version: "1.3" cipherSuites: [ { - name: "TLS_DHE_RSA_WITH_AES_128_CCM" + name: "TLS_AES_128_GCM_SHA256" + algorithms: [ + "aes-128-gcm-ref", + "sha256-ref" + ] + identifiers: [ + "0x1301" + ] + tlsGroups: [ + "x25519", + "secp256r1", + "secp384r1", + "secp521r1", + "ffdhe2048", + "ffdhe3072" + ] + tlsSignatureSchemes: [ + "ecdsa_secp256r1_sha256", + "ecdsa_secp384r1_sha384", + "ecdsa_secp521r1_sha512", + "rsa_pss_rsae_sha256", + "rsa_pss_rsae_sha384", + "rsa_pss_rsae_sha512", + "ed25519", + "ed448" + ] + }, + { + name: "TLS_AES_256_GCM_SHA384" algorithms: [ - "bom-ref-to-algorithm" + "aes-256-gcm-ref", + "sha384-ref" ] identifiers: [ - "0xC0" + "0x1302" + ] + }, + { + name: "TLS_CHACHA20_POLY1305_SHA256" + algorithms: [ + "chacha20-poly1305-ref", + "sha256-ref" + ] + identifiers: [ + "0x1303" ] } ] + ikev2TransformTypes: { + encr: [ + { + name: "ENCR_AES_GCM_16" + keyLength: 128 + algorithm: "aes-128-gcm-ref" + } + ] + prf: [ + { + name: "PRF_HMAC_SHA2_256" + algorithm: "sha256-ref" + } + ] + integ: [ + { + name: "AUTH_HMAC_SHA2_256_128" + algorithm: "sha256-ref" + } + ] + ke: [ + { + group: 14 + algorithm: "dh-2048-ref" + } + ] + esn: true + auth: [ + { + name: "ECDSA" + algorithm: "ecdsa-ref" + } + ] + } + relatedCryptographicAssets { + assets: [ + { + type: "algorithm" + ref: "asset-1" + } + ] + } } - oid: "oid:1.2.3.4.5.6.7.8.9" + oid: "oid:1.3.6.1.5.5.7.3.1" } }, { type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "asset-4" - name: "Name here" + name: "Example Related Crypto Material with All Properties" cryptoProperties: { assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL relatedCryptoMaterialProperties: { - type: CRYPTO_RELATED_TYPE_PRIVATE_KEY - id: "12345" + type: CRYPTO_RELATED_TYPE_PUBLIC_KEY + id: "key-12345-67890" state: CRYPTO_RELATED_STATE_ACTIVE - algorithmRef: "bom-ref-to-algorithm" + algorithmRef: "rsa-4096-ref" creationDate { seconds: 1704067200 - nanos: 0 } activationDate { seconds: 1704153600 - nanos: 0 } 
updateDate { seconds: 1704240000 - nanos: 0 } expirationDate { - seconds: 1704326400 - nanos: 0 + seconds: 1767225600 } - value: "Value here" - size: 1024 - format: "PEM" + value: "-----BEGIN PUBLIC KEY-----" + size: 4096 + format: "PKCS#8" securedBy: { mechanism: "HSM" - algorithmRef: "bom-ref-to-algorithm" + algorithmRef: "aes-256-gcm-ref" + } + relatedCryptographicAssets { + assets: [ + { + type: "algorithm" + ref: "asset-1" + } + ] } } - oid: "oid:1.2.3.4.5.6.7.8.9" + oid: "oid:1.2.840.113549.1.1.1" } } ] From ff2734a15118086b4b6368514f53b4b1e2b37d7b Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 29 Jul 2025 11:37:38 +0200 Subject: [PATCH 33/54] tests: fix Java schema tests regarding `cryptography-defs.schema.json` Signed-off-by: Jan Kowalleck --- schema/xmlcatalog.xml | 2 ++ .../org/cyclonedx/schema/JsonSchemaVerificationTest.java | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/schema/xmlcatalog.xml b/schema/xmlcatalog.xml index e250aa74..f0374eca 100644 --- a/schema/xmlcatalog.xml +++ b/schema/xmlcatalog.xml @@ -26,6 +26,8 @@ limitations under the License. + + diff --git a/tools/src/test/java/org/cyclonedx/schema/JsonSchemaVerificationTest.java b/tools/src/test/java/org/cyclonedx/schema/JsonSchemaVerificationTest.java index adfd59ee..39a4a4ed 100644 --- a/tools/src/test/java/org/cyclonedx/schema/JsonSchemaVerificationTest.java +++ b/tools/src/test/java/org/cyclonedx/schema/JsonSchemaVerificationTest.java @@ -47,6 +47,7 @@ class JsonSchemaVerificationTest extends BaseSchemaVerificationTest { private static final String JSF_NAMESPACE = "http://cyclonedx.org/schema/jsf-0.82.schema.json"; private static final String SPDX_NAMESPACE = "http://cyclonedx.org/schema/spdx.schema.json"; + private static final String CRYPTO_DEF_NAMESPACE = "http://cyclonedx.org/schema/cryptography-defs.schema.json"; private static final JsonSchema VERSION_12; private static final JsonSchema VERSION_13; 
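Review bot: `format: "PKCS#8"` in the asset-4 block contradicts the new `type: CRYPTO_RELATED_TYPE_PUBLIC_KEY` and the `-----BEGIN PUBLIC KEY-----` value. PKCS#8 is a private-key container, while that PEM label denotes an X.509 SubjectPublicKeyInfo. Keeping the previous `format: "PEM"` would stop inventories built from this example from labelling public keys as private-key material. The same block sets `algorithmRef: "rsa-4096-ref"` while its `relatedCryptographicAssets` entry points to `asset-1`, which the preceding hunk defines as a Brainpool key-agreement algorithm, so the two references presumably should name the same algorithm. `rsa-4096-ref`, `aes-256-gcm-ref` and the cipher-suite refs are not defined in the visible part of the file; confirm whether the test resolves bom-refs at all.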
@@ -69,8 +70,9 @@ public JsonMetaSchema getMetaSchema( .metaSchemaFactory(metaSchemaFactory) .schemaLoaders(b -> b.add(new ClasspathSchemaLoader()).add(DisallowSchemaLoader.getInstance())) .schemaMappers(b -> b.mapPrefix(SPDX_NAMESPACE, "classpath:spdx.schema.json") - .mapPrefix(JSF_NAMESPACE, "classpath:jsf-0.82.schema.json")) - .build(); + .mapPrefix(JSF_NAMESPACE, "classpath:jsf-0.82.schema.json") + .mapPrefix(CRYPTO_DEF_NAMESPACE, "classpath:cryptography-defs.schema.json") + ).build(); VERSION_12 = factory.getSchema(SchemaLocation.of("classpath:bom-1.2-strict.schema.json")); VERSION_13 = factory.getSchema(SchemaLocation.of("classpath:bom-1.3-strict.schema.json")); VERSION_14 = factory.getSchema(SchemaLocation.of("classpath:bom-1.4.schema.json")); From a647e1a62bc37ba468cbada0cd0691b3d1650287 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 8 Aug 2025 15:49:13 +0200 Subject: [PATCH 34/54] streamline proto schema Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index e54a83e5..5622ba53 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
@@ -2189,26 +2189,30 @@ message CryptoProperties { // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2). optional CryptoPrimitive primitive = 1; + // A valid algorithm family identifier. If specified, this value must be one of the + // enumeration of valid algorithm Family identifiers defined in the + // cryptography-defs.json subschema. A corresponding schema for ProtoBuf is not available. + optional string algorithmFamily = 2; // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). - optional string parameterSetIdentifier = 2; + optional string parameterSetIdentifier = 3; // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves). 
- optional string curve = 3; + optional string curve = 4; // The target and execution environment in which the algorithm is implemented in. - optional CryptoExecutionEnvironment executionEnvironment = 4; + optional CryptoExecutionEnvironment executionEnvironment = 5; // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform. - optional CryptoImplementationPlatform implementationPlatform = 5; + optional CryptoImplementationPlatform implementationPlatform = 6; // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL). - repeated string certificationLevel = 6; + repeated string certificationLevel = 7; // The mode of operation in which the cryptographic algorithm (block cipher) is used. - optional CryptoAlgorithmMode mode = 7; + optional CryptoAlgorithmMode mode = 8; // The padding scheme that is used for the cryptographic algorithm. - optional CryptoAlgorithmPadding padding = 8; + optional CryptoAlgorithmPadding padding = 9; // The cryptographic functions implemented by the cryptographic algorithm. - repeated CryptoAlgorithmFunction cryptoFunctions = 9; + repeated CryptoAlgorithmFunction cryptoFunctions = 10; // The classical security level that a cryptographic algorithm provides (in bits). - optional int32 classicalSecurityLevel = 10; + optional int32 classicalSecurityLevel = 11; // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met. - optional int32 nistQuantumSecurityLevel = 11; + optional int32 nistQuantumSecurityLevel = 12; } // end of AlgorithmProperties // Certificate State 
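Review bot: Inserting `algorithmFamily = 2` and shifting every later tag in `AlgorithmProperties` changes the wire meaning of tags 2 to 12. A message encoded with the previous numbering would decode its `parameterSetIdentifier` as `algorithmFamily` and its `curve` as `parameterSetIdentifier`, with no parse error because all three are strings. If any producer or consumer may hold data written with the earlier numbering (not visible from this hunk), append the field instead, `optional string algorithmFamily = 12;`, and leave the existing numbers untouched. The new comment says no ProtoBuf counterpart of the family enumeration exists, so it should also say that consumers must validate the string against cryptography-defs.json themselves. The `AlgorithmProperties` message opens outside this hunk.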
From 12f716c7bdd5db20edf8c15582b7db0e9f0199e9 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Fri, 8 Aug 2025 15:51:21 +0200 Subject: [PATCH 35/54] tests: streamline test data Signed-off-by: Jan Kowalleck --- .../valid-cryptography-certificate-1.7.json | 1 + ...lid-cryptography-certificate-1.7.textproto | 213 ++++++++++++------ 2 files changed, 145 insertions(+), 69 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json index ea4d3794..4fc8b60d 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json @@ -1,4 +1,5 @@ { + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.7", "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2", diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.textproto index 5cd72953..fd173daa 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.textproto 
@@ -3,78 +3,153 @@ spec_version: "1.7" version: 1 -serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -components: [ - { - type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET - bom_ref: "9AADCCE0-F5AD-4A26-A1A9-5B3C85323E9B" - name: "example-certificate.example.com" - cryptoProperties: { - assetType: CRYPTO_ASSET_TYPE_CERTIFICATE - certificateProperties: { - serialNumber: "AABBCCDDEEFF00112233" - subjectName: "CN = example.example.com, OU = Security, O = Example Corp, C = US" - issuerName: "CN = Example CA, O = Example Corp, C = US" - notValidBefore { - seconds: 1672531200 # 2023-01-01T00:00:00Z - } - notValidAfter { - seconds: 1704067199 # 2023-12-31T23:59:59Z - } - certificateFormat: "X.509" - certificateFileExtension: "pem" - fingerprint { - alg: HASH_ALG_SHA_256 - value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" - } - certificateState: [ - { - predefined_state: PREDEFINED_STATE_ACTIVE - reason: "Certificate is in active use" - } - ] - creationDate { - seconds: 1671091200 # 2022-12-15T10:00:00Z +serial_number: "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2" + +metadata { + timestamp { seconds: 1704801600 } + component { + type: CLASSIFICATION_APPLICATION + name: "my application" + version: "1.0" + } +} + +components { + name: "google.com" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "c9c7ac91-2115-45e8-ae13-7d0e1dec74be" + cryptoProperties { + assetType: CRYPTO_ASSET_TYPE_CERTIFICATE + certificateProperties { + serialNumber: "1234567890ABCDEF" + subjectName: "CN = www.google.com" + issuerName: "C = US O = Google Trust Services LLC CN = GTS CA 1C3" + notValidBefore { seconds: 1479715200 } + notValidAfter { seconds: 1511337599 } + certificateFormat: "X.509" + certificateFileExtension: "crt" + fingerprint { + alg: HASH_ALG_SHA_256 + value: "1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4" + } + certificateState { + predefined_state: PREDEFINED_STATE_ACTIVE + reason: "Certificate is currently valid and in use" + } 
+ creationDate { seconds: 1479713400 } + activationDate { seconds: 1479715200 } + relatedCryptographicAssets { + assets { + type: "algorithm" + ref: "6b00f384-6c39-420f-91eb-94de0f7be569RR" } - activationDate { - seconds: 1672531200 # 2023-01-01T00:00:00Z + assets { + type: "publicKey" + ref: "ceb37320-8239-40e8-ab77-8798dbd98773" } - certificateExtensions { - extensions: [ - { - commonExtension { - name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS - value: "CA:FALSE" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_KEY_USAGE - value: "Digital Signature, Key Encipherment" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE - value: "TLS Web Server Authentication, TLS Web Client Authentication" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME - value: "DNS:example.example.com, DNS:www.example.example.com" - } - }, - { - customExtension { - name: "environmentType" - value: "Production" - } - } - ] + } + } + oid: "2.5.4.3" + } +} + +components { + name: "SHA512withRSA" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "6b00f384-6c39-420f-91eb-94de0f7be569" + cryptoProperties { + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties { + primitive: CRYPTO_PRIMITIVE_SIGNATURE + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "none" + padding: CRYPTO_ALGORITHM_PADDING_PKCS1V15 + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_SIGN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_VERIFY + } + oid: "1.2.840.113549.1.1.13" + } +} + +components { + name: "RSA-2048" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "ceb37320-8239-40e8-ab77-8798dbd98773" + cryptoProperties { + assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL + relatedCryptoMaterialProperties { + type: CRYPTO_RELATED_TYPE_PUBLIC_KEY + id: "2e9ef09e-dfac-4526-96b4-d02f31af1b22" + state: CRYPTO_RELATED_STATE_ACTIVE + 
size: 2048 + format: "PEM" + value: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n-----END PUBLIC KEY-----" + creationDate { seconds: 1479715200 } + activationDate { seconds: 1479716400 } + updateDate { seconds: 1479715200 } + expirationDate { seconds: 1511337599 } + securedBy { + mechanism: "None" + } + fingerprint { + alg: HASH_ALG_SHA_256 + value: "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456" + } + relatedCryptographicAssets { + assets { + type: "algorithm" + ref: "a154af0a-0dca-4ed5-b611-2405a3a6ae47" } } - oid: "2.5.4.3" } + oid: "1.2.840.113549.1.1.1" + } +} + +components { + name: "RSA-2048" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "a154af0a-0dca-4ed5-b611-2405a3a6ae47" + cryptoProperties { + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties { + primitive: CRYPTO_PRIMITIVE_PKE + algorithmFamily: "RSAES-OAEP" + parameterSetIdentifier: "2048" + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "none" + padding: CRYPTO_ALGORITHM_PADDING_OAEP + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_ENCRYPT + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_DECRYPT + } + oid: "1.2.840.113549.1.1.1" + } +} + +components { + name: "TLS 1.3 Protocol" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "a3553dc1-f376-43d1-89dc-87bb71981c0c" + cryptoProperties { + assetType: CRYPTO_ASSET_TYPE_PROTOCOL + protocolProperties { + type: CRYPTO_PROTOCOL_TYPE_TLS + version: "1.3" + cipherSuites { + name: "TLS_AES_256_GCM_SHA384" + algorithms: "1977d71b-8981-4292-b40d-842a019c2229" + algorithms: "422fa336-b401-42b7-89b8-8966aa30bca0" + identifiers: "0x130x02" + } + cipherSuites { + name: "TLS_CHACHA20_POLY1305_SHA256" + algorithms: "1af4fc08-5d0d-436e-8058-eeef921983d0" + algorithms: "6af3066b-ab66-4593-975f-d9ba2c623a89" + identifiers: "0x130x03" + } + } + oid: "1.3.6.1.5.5.7.3.1" } -] \ No newline at end of 
file +} From 493c84e0a3e61a03336b2165fbfeb1ae48457713 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 10:14:34 +0200 Subject: [PATCH 36/54] tests: streamline test data Signed-off-by: Jan Kowalleck --- .../valid-cryptography-certificate-1.7.json | 18 +++++++++--- .../valid-cryptography-certificate-1.7.xml | 28 ++++++++++++++----- 2 files changed, 35 insertions(+), 11 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json index 4fc8b60d..a2d79c92 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json @@ -63,9 +63,14 @@ "primitive": "signature", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", - "certificationLevel": [ "none" ], + "certificationLevel": [ + "none" + ], "padding": "pkcs1v15", - "cryptoFunctions": [ "sign", "verify" ] + "cryptoFunctions": [ + "sign", + "verify" + ] }, "oid": "1.2.840.113549.1.1.13" } @@ -116,9 +121,14 @@ "parameterSetIdentifier": "2048", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", - "certificationLevel": [ "none" ], + "certificationLevel": [ + "none" + ], "padding": "oaep", - "cryptoFunctions": [ "encrypt", "decrypt" ] + "cryptoFunctions": [ + "encrypt", + "decrypt" + ] }, "oid": "1.2.840.113549.1.1.1" } diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.xml b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.xml index 9f98e139..1706d827 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.xml +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.xml @@ -10,7 +10,9 @@ - + google.com certificate 
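Review bot: The certificate's first `relatedCryptographicAssets` entry uses `ref: "6b00f384-6c39-420f-91eb-94de0f7be569RR"`, which matches no `bom_ref` in this file. The SHA512withRSA component is `6b00f384-6c39-420f-91eb-94de0f7be569`, so the trailing `RR` looks like a typo that leaves the certificate without a resolvable signature algorithm. The two cipher suites carry `identifiers: "0x130x02"` and `identifiers: "0x130x03"`, which read like two bytes run together; the full-example fixture writes `"0x1302"`, so use that form or two separate `identifiers` entries. The cipher-suite `algorithms` refs have no matching component in this hunk either. If the JSON and XML twins of this fixture carry the same values, they should be corrected together.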
@@ -22,7 +24,9 @@ 2017-11-22T07:59:59Z X.509 crt - 1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4 + + 1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4 + active Certificate is currently valid and in use @@ -44,7 +48,9 @@ - + SHA512withRSA algorithm @@ -63,7 +69,9 @@ - + RSA-2048 related-crypto-material @@ -86,7 +94,9 @@ None - a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 + + a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 + algorithm @@ -98,7 +108,9 @@ - + RSA-2048 algorithm @@ -119,7 +131,9 @@ - + TLS 1.3 Protocol protocol From fdf8627dc24c479dc7cd0ab3e895483a41bcfdc3 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 11:29:19 +0200 Subject: [PATCH 37/54] tests: streamline test data Signed-off-by: Jan Kowalleck --- ...ography-certificate-advanced-1.7.textproto | 480 +++++++++++------- 1 file changed, 302 insertions(+), 178 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto index de86a450..55156668 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto 
@@ -4,188 +4,312 @@ spec_version: "1.7" version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -components: [ - { - type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET - bom_ref: "9AADCCE0-F5AD-4A26-A1A9-5B3C85323E9B" - name: "revoked-ca.example.com" - cryptoProperties: { - assetType: CRYPTO_ASSET_TYPE_CERTIFICATE - certificateProperties: { - serialNumber: "AABBCCDDEEFF00112233" - subjectName: "CN = internal-ca.example.com, OU = Security, O = Example Corp, C = US" - issuerName: "CN = Example Root CA, O = Example Corp, C = US" - notValidBefore { - seconds: 1672531200 # 2023-01-01T00:00:00Z - } - notValidAfter { - seconds: 1704067199 # 2023-12-31T23:59:59Z - } - certificateFormat: "X.509" - certificateFileExtension: "pem" - fingerprint { - alg: HASH_ALG_SHA_256 - value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" - } - certificateState: [ - { - predefined_state: PREDEFINED_STATE_REVOKED - reason: "Certificate was compromised due to private key exposure in security incident #2024-001" - } - ] - creationDate { - seconds: 1671091200 # 2022-12-15T10:00:00Z - } - activationDate { - seconds: 1672531200 # 2023-01-01T00:00:00Z - } - revocationDate { - seconds: 1704888330 # 2024-01-10T15:45:30Z - } - certificateExtensions { - extensions: [ - { - commonExtension { - name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS - value: "CA:TRUE, pathlen:2" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_KEY_USAGE - value: "Certificate Sign, CRL Sign, Digital Signature" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE - value: "TLS Web Server Authentication, TLS Web Client Authentication" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME - value: "DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_AUTHORITY_KEY_IDENTIFIER - value: 
"keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_SUBJECT_KEY_IDENTIFIER - value: "A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_CRL_DISTRIBUTION_POINTS - value: "URI:http://crl.example.com/root-ca.crl" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_AUTHORITY_INFORMATION_ACCESS - value: "OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_CERTIFICATE_POLICIES - value: "Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps" - } - }, - { - customExtension { - name: "organizationalSecurityLevel" - value: "HIGH" - } - }, - { - customExtension { - name: "incidentTrackingId" - value: "SEC-2024-001" - } - }, - { - customExtension { - name: "complianceFramework" - value: "SOX, PCI-DSS Level 1, ISO 27001" - } - } - ] + +metadata { + timestamp { seconds: 1705329000 } + component { + type: CLASSIFICATION_APPLICATION + name: "enterprise-security-app" + version: "2.1.0" + } +} + +components { + name: "revoked-internal-ca.example.com" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "840ADC47-55CD-44C6-A306-B37A9149B066" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_CERTIFICATE + certificateProperties: { + serialNumber: "ABCDEF1234567890FEDCBA" + subjectName: "CN = internal-ca.example.com, OU = IT Security, O = Example Corp, C = US" + issuerName: "CN = Example Root CA, O = Example Corp, C = US" + notValidBefore: { seconds: 1672531200 } + notValidAfter: { seconds: 1767225599 } + certificateFormat: "X.509" + certificateFileExtension: "pem" + fingerprint: { + alg: HASH_ALG_SHA_256 + value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + certificateState { + predefined_state: PREDEFINED_STATE_REVOKED + reason: "Certificate was compromised due to private key exposure in 
security incident #2024-001" + } + creationDate: { seconds: 1671098400 } + activationDate: { seconds: 1672531200 } + revocationDate: { seconds: 1704901530 } + certificateExtensions: { + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS + value: "CA:TRUE, pathlen:2" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE + value: "Certificate Sign, CRL Sign, Digital Signature" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE + value: "TLS Web Server Authentication, TLS Web Client Authentication" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME + value: "DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_AUTHORITY_KEY_IDENTIFIER + value: "keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_SUBJECT_KEY_IDENTIFIER + value: "A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_CRL_DISTRIBUTION_POINTS + value: "URI:http://crl.example.com/root-ca.crl" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_AUTHORITY_INFORMATION_ACCESS + value: "OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_CERTIFICATE_POLICIES + value: "Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps" + } + } + extensions { + customExtension { + name: "organizationalSecurityLevel" + value: "HIGH" + } + } + extensions { + customExtension { + name: "incidentTrackingId" + value: "SEC-2024-001" + } + } + extensions { + customExtension { + name: "complianceFramework" + value: "SOX, PCI-DSS Level 1, ISO 27001" + } + } + } + relatedCryptographicAssets 
{ + assets { + ref: "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8" + type: "algorithm" + } + assets { + ref: "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408" + type: "publicKey" + } + } + } + oid: "2.5.4.3" + } +} +components { + name: "active-server.example.com" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "4497B977-4D07-4245-9457-C2CF37FF399A" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_CERTIFICATE + certificateProperties: { + serialNumber: "1122334455667788AABBCCDD" + subjectName: "CN = server.example.com, OU = Web Services, O = Example Corp, C = US" + issuerName: "CN = Example Intermediate CA, O = Example Corp, C = US" + notValidBefore { seconds: 1704067200 } + notValidAfter: { seconds: 1735775999 } + certificateFormat: "X.509" + certificateFileExtension: "crt" + fingerprint: { + alg: HASH_ALG_SHA_256 + value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + certificateState { + name: "monitored" + description: "Certificate is under enhanced monitoring due to recent security incidents" + reason: "Proactive monitoring following organizational security policy updates" + } + creationDate: { seconds: 1703062800 } + activationDate: { seconds: 1704067200 } + certificateExtensions { + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_KEY_USAGE + value: "Digital Signature, Key Encipherment" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE + value: "TLS Web Server Authentication" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME + value: "DNS:server.example.com, DNS:www.server.example.com, DNS:api.server.example.com" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_SIGNED_CERTIFICATE_TIMESTAMP + value: "Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100..." 
+ } + } + extensions { + customExtension { + name: "deploymentEnvironment" + value: "PRODUCTION" + } + } + extensions { + customExtension { + name: "businessCriticality" + value: "CRITICAL" + } + } + extensions { + customExtension { + name: "autoRenewalEnabled" + value: "true" + } + } + } + relatedCryptographicAssets { + assets { + type: "algorithm" + ref: "14478B86-9306-45B5-BA2A-1660B723244C" + } + assets { + type: "publicKey" + ref: "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D" + } + } + } + oid: "2.5.4.3" + } +} +components { + name: "RSA-SHA256" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties: { + primitive: CRYPTO_PRIMITIVE_SIGNATURE + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + padding: CRYPTO_ALGORITHM_PADDING_PKCS1V15 + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_SIGN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_VERIFY + } + oid: "1.2.840.113549.1.1.11" + } +} +components { + name: "ECDSA-P256" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "14478B86-9306-45B5-BA2A-1660B723244C" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties: { + primitive: CRYPTO_PRIMITIVE_SIGNATURE + curve: "secp256r1" + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "fips140-3-l1" + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_SIGN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_VERIFY + } + oid: "1.2.840.10045.4.3.2" + } +} +components { + name: "RSA-4096-Revoked-CA-Key" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL + relatedCryptoMaterialProperties: { + type: CRYPTO_RELATED_TYPE_PUBLIC_KEY + id: 
"revoked-ca-key-2024" + state: CRYPTO_RELATED_STATE_COMPROMISED + size: 4096 + format: "PEM" + value: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA...\n-----END PUBLIC KEY-----" + creationDate: { seconds: 1671098400 } + activationDate: { seconds: 1672531200 } + updateDate: { seconds: 1704901530 } + securedBy: { + mechanism: "HSM" + algorithmRef: "aes-256-gcm-ref" + } + fingerprint: { + alg: HASH_ALG_SHA_256 + value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + } + relatedCryptographicAssets{ + assets { + type: "algorithm" + ref: "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8" } } - oid: "2.5.4.3" } - }, - { - type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET - bom_ref: "4497B977-4D07-4245-9457-C2CF37FF399A" - name: "active-server.example.com" - cryptoProperties: { - assetType: CRYPTO_ASSET_TYPE_CERTIFICATE - certificateProperties: { - serialNumber: "1122334455667788AABBCCDD" - subjectName: "CN = server.example.com, OU = Web Services, O = Example Corp, C = US" - issuerName: "CN = Example Intermediate CA, O = Example Corp, C = US" - notValidBefore { - seconds: 1704067200 # 2024-01-01T00:00:00Z - } - notValidAfter { - seconds: 1735689599 # 2025-01-01T23:59:59Z - } - certificateFormat: "X.509" - certificateFileExtension: "crt" - fingerprint { - alg: HASH_ALG_SHA_256 - value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" - } - certificateState: [ - { - name: "monitored" - description: "Certificate is under enhanced monitoring due to recent security incidents" - reason: "Proactive monitoring following organizational security policy updates" - } - ] - creationDate { - seconds: 1703059200 # 2023-12-20T09:00:00Z - } - activationDate { - seconds: 1704067200 # 2024-01-01T00:00:00Z - } - certificateExtensions { - extensions: [ - { - commonExtension { - name: COMMON_EXTENSION_NAME_KEY_USAGE - value: "Digital Signature, Key Encipherment" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE - 
value: "TLS Web Server Authentication" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME - value: "DNS:server.example.com, DNS:www.server.example.com, DNS:api.server.example.com" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_SIGNED_CERTIFICATE_TIMESTAMP - value: "Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100..." - } - } - ] + oid: "1.2.840.113549.1.1.1" + } +} +components { + name: "ECDSA-P256-Server-Key" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D" + cryptoProperties: { + assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL + relatedCryptoMaterialProperties: { + type: CRYPTO_RELATED_TYPE_PUBLIC_KEY + id: "server-key-2024" + state: CRYPTO_RELATED_STATE_ACTIVE + size: 256 + format: "PEM" + value: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...\n-----END PUBLIC KEY-----" + creationDate: { seconds: 1703062800 } + activationDate: { seconds: 1704067200 } + expirationDate: { seconds: 1735775999 } + securedBy: { + mechanism: "HSM" + algorithmRef: "aes-256-gcm-ref" + } + fingerprint: { + alg: HASH_ALG_SHA_256 + value: "d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0123456" + } + relatedCryptographicAssets { + assets { + type: "algorithm" + ref: "14478B86-9306-45B5-BA2A-1660B723244C" } } } + oid: "1.2.840.10045.2.1" } -] \ No newline at end of file +} From a396a1254539c99f8a0a8f5883ee26e895511b86 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 12:04:09 +0200 Subject: [PATCH 38/54] tests: streamline test data Signed-off-by: Jan Kowalleck --- ...ography-certificate-advanced-1.7.textproto | 66 +-- .../1.7/valid-cryptography-full-1.7.json | 1 - .../1.7/valid-cryptography-full-1.7.textproto | 496 ++++++++++-------- .../1.7/valid-cryptography-full-1.7.xml | 11 +- 4 files changed, 310 insertions(+), 264 deletions(-) 
diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto index 55156668..f339386d 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.textproto @@ -18,17 +18,17 @@ components { name: "revoked-internal-ca.example.com" type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "840ADC47-55CD-44C6-A306-B37A9149B066" - cryptoProperties: { + cryptoProperties { assetType: CRYPTO_ASSET_TYPE_CERTIFICATE - certificateProperties: { + certificateProperties { serialNumber: "ABCDEF1234567890FEDCBA" subjectName: "CN = internal-ca.example.com, OU = IT Security, O = Example Corp, C = US" issuerName: "CN = Example Root CA, O = Example Corp, C = US" - notValidBefore: { seconds: 1672531200 } - notValidAfter: { seconds: 1767225599 } + notValidBefore { seconds: 1672531200 } + notValidAfter { seconds: 1767225599 } certificateFormat: "X.509" certificateFileExtension: "pem" - fingerprint: { + fingerprint { alg: HASH_ALG_SHA_256 value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" } @@ -36,10 +36,10 @@ components { predefined_state: PREDEFINED_STATE_REVOKED reason: "Certificate was compromised due to private key exposure in security incident #2024-001" } - creationDate: { seconds: 1671098400 } - activationDate: { seconds: 1672531200 } - revocationDate: { seconds: 1704901530 } - certificateExtensions: { + creationDate { seconds: 1671098400 } + activationDate { seconds: 1672531200 } + revocationDate { seconds: 1704901530 } + certificateExtensions { extensions { commonExtension { name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS 
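Review bot: Three different assets in this fixture carry the same SHA-256 fingerprint, `9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08`. It sits in the `fingerprint` block rewritten here for the revoked CA certificate, on the active server certificate (hunk `@@ -131,17 +131,17 @@`) and on the `RSA-4096-Revoked-CA-Key` public key (hunk `@@ -249,23 +249,23 @@`). A consumer that indexes or checks revocation by fingerprint cannot tell the revoked certificate from the active one with this data, so the fixture cannot exercise that path. Each asset should get its own constructed value, e.g. `value: "<distinct 64-hex-digit test value>"`. The `components` block continues outside this hunk.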
@@ -131,17 +131,17 @@ components { name: "active-server.example.com" type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "4497B977-4D07-4245-9457-C2CF37FF399A" - cryptoProperties: { + cryptoProperties { assetType: CRYPTO_ASSET_TYPE_CERTIFICATE - certificateProperties: { + certificateProperties { serialNumber: "1122334455667788AABBCCDD" subjectName: "CN = server.example.com, OU = Web Services, O = Example Corp, C = US" issuerName: "CN = Example Intermediate CA, O = Example Corp, C = US" notValidBefore { seconds: 1704067200 } - notValidAfter: { seconds: 1735775999 } + notValidAfter { seconds: 1735775999 } certificateFormat: "X.509" certificateFileExtension: "crt" - fingerprint: { + fingerprint { alg: HASH_ALG_SHA_256 value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" } @@ -150,8 +150,8 @@ components { description: "Certificate is under enhanced monitoring due to recent security incidents" reason: "Proactive monitoring following organizational security policy updates" } - creationDate: { seconds: 1703062800 } - activationDate: { seconds: 1704067200 } + creationDate { seconds: 1703062800 } + activationDate { seconds: 1704067200 } certificateExtensions { extensions { commonExtension { @@ -214,9 +214,9 @@ components { name: "RSA-SHA256" type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8" - cryptoProperties: { + cryptoProperties { assetType: CRYPTO_ASSET_TYPE_ALGORITHM - algorithmProperties: { + algorithmProperties { primitive: CRYPTO_PRIMITIVE_SIGNATURE executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 
@@ -231,9 +231,9 @@ components { name: "ECDSA-P256" type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "14478B86-9306-45B5-BA2A-1660B723244C" - cryptoProperties: { + cryptoProperties { assetType: CRYPTO_ASSET_TYPE_ALGORITHM - algorithmProperties: { + algorithmProperties { primitive: CRYPTO_PRIMITIVE_SIGNATURE curve: "secp256r1" executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM @@ -249,23 +249,23 @@ components { name: "RSA-4096-Revoked-CA-Key" type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408" - cryptoProperties: { + cryptoProperties { assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL - relatedCryptoMaterialProperties: { + relatedCryptoMaterialProperties { type: CRYPTO_RELATED_TYPE_PUBLIC_KEY id: "revoked-ca-key-2024" state: CRYPTO_RELATED_STATE_COMPROMISED size: 4096 format: "PEM" value: "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA...\n-----END PUBLIC KEY-----" - creationDate: { seconds: 1671098400 } - activationDate: { seconds: 1672531200 } - updateDate: { seconds: 1704901530 } - securedBy: { + creationDate { seconds: 1671098400 } + activationDate { seconds: 1672531200 } + updateDate { seconds: 1704901530 } + securedBy { mechanism: "HSM" algorithmRef: "aes-256-gcm-ref" } - fingerprint: { + fingerprint { alg: HASH_ALG_SHA_256 value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" } 
@@ -283,23 +283,23 @@ components { name: "ECDSA-P256-Server-Key" type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET bom_ref: "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D" - cryptoProperties: { + cryptoProperties { assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL - relatedCryptoMaterialProperties: { + relatedCryptoMaterialProperties { type: CRYPTO_RELATED_TYPE_PUBLIC_KEY id: "server-key-2024" state: CRYPTO_RELATED_STATE_ACTIVE size: 256 format: "PEM" value: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...\n-----END PUBLIC KEY-----" - creationDate: { seconds: 1703062800 } - activationDate: { seconds: 1704067200 } - expirationDate: { seconds: 1735775999 } - securedBy: { + creationDate { seconds: 1703062800 } + activationDate { seconds: 1704067200 } + expirationDate { seconds: 1735775999 } + securedBy { mechanism: "HSM" algorithmRef: "aes-256-gcm-ref" } - fingerprint: { + fingerprint { alg: HASH_ALG_SHA_256 value: "d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0123456" } diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json index 546691f5..51997cc9 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json @@ -15,7 +15,6 @@ "primitive": "key-agree", "algorithmFamily": "ECDH", "parameterSetIdentifier": "128", - "curve": "brainpool/brainpoolP160r1", "ellipticCurve": "brainpool/brainpoolP160r1", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto index 30f0567d..9620c974 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto 
@@ -4,234 +4,278 @@ spec_version: "1.7" version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -components: [ - { - type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET - bom_ref: "asset-1" - name: "Name here" - cryptoProperties: { - assetType: CRYPTO_ASSET_TYPE_ALGORITHM - algorithmProperties: { - primitive: CRYPTO_PRIMITIVE_KEY_AGREE - parameterSetIdentifier: "128" - curve: "brainpool/brainpoolP160r1" - executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM - implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 - certificationLevel: [ "fips140-3-l4" ] - mode: CRYPTO_ALGORITHM_MODE_GCM - padding: CRYPTO_ALGORITHM_PADDING_PKCS5 - cryptoFunctions: [ - CRYPTO_ALGORITHM_FUNCTION_KEYGEN, - CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE - ] - classicalSecurityLevel: 96 - nistQuantumSecurityLevel: 0 - } - oid: "oid:1.2.3.4.5.6.7.8.9" - } - }, - { - type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET - bom_ref: "asset-2" - name: "Example Certificate with All Properties" - cryptoProperties: { - assetType: CRYPTO_ASSET_TYPE_CERTIFICATE - certificateProperties: { - subjectName: "CN=example.com, O=Example Corp, C=US" - issuerName: "CN=Example CA, O=Example Trust Services, C=US" - notValidBefore { - seconds: 1640995200 - } - notValidAfter { - seconds: 1704067200 - } - signatureAlgorithmRef: "bom-ref-to-algorithm" - subjectPublicKeyRef: "bom-ref-to-public-key" - certificateFormat: "X.509" - certificateFileExtension: "crt" - certificateExtensions { - extensions: [ - { - commonExtension { - name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS - value: "CA:FALSE" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_KEY_USAGE - value: "Digital Signature, Key Encipherment" - } - }, - { - commonExtension { - name: COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME - value: "DNS:example.com, DNS:www.example.com" - } - } - ] - } - relatedCryptographicAssets { - assets: [ - { - type: "algorithm" - ref: "asset-1" - }, - { - type: "publicKey" - ref: "asset-4" - } - ] - } - } - 
oid: "oid:2.5.4.3" + +components { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-1" + name: "Name here" + cryptoProperties { + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties { + primitive: CRYPTO_PRIMITIVE_KEY_AGREE + algorithmFamily: "ECDH" + parameterSetIdentifier: "128" + curve: "brainpool/brainpoolP160r1" + ellipticCurve: "brainpool/brainpoolP160r1" + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "fips140-3-l4" + mode: CRYPTO_ALGORITHM_MODE_GCM + padding: CRYPTO_ALGORITHM_PADDING_PKCS5 + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYGEN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE + classicalSecurityLevel: 96 + nistQuantumSecurityLevel: 0 } - }, - { - type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET - bom_ref: "asset-3" - name: "Example Protocol with All Properties" - cryptoProperties: { - assetType: CRYPTO_ASSET_TYPE_PROTOCOL - protocolProperties: { - type: CRYPTO_PROTOCOL_TYPE_TLS - version: "1.3" - cipherSuites: [ - { - name: "TLS_AES_128_GCM_SHA256" - algorithms: [ - "aes-128-gcm-ref", - "sha256-ref" - ] - identifiers: [ - "0x1301" - ] - tlsGroups: [ - "x25519", - "secp256r1", - "secp384r1", - "secp521r1", - "ffdhe2048", - "ffdhe3072" - ] - tlsSignatureSchemes: [ - "ecdsa_secp256r1_sha256", - "ecdsa_secp384r1_sha384", - "ecdsa_secp521r1_sha512", - "rsa_pss_rsae_sha256", - "rsa_pss_rsae_sha384", - "rsa_pss_rsae_sha512", - "ed25519", - "ed448" - ] - }, - { - name: "TLS_AES_256_GCM_SHA384" - algorithms: [ - "aes-256-gcm-ref", - "sha384-ref" - ] - identifiers: [ - "0x1302" - ] - }, - { - name: "TLS_CHACHA20_POLY1305_SHA256" - algorithms: [ - "chacha20-poly1305-ref", - "sha256-ref" - ] - identifiers: [ - "0x1303" - ] + oid: "oid:1.2.3.4.5.6.7.8.9" + } +} +components { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-2" + name: "Example Certificate with All Properties" + cryptoProperties { + assetType: 
CRYPTO_ASSET_TYPE_CERTIFICATE + certificateProperties { + serialNumber: "0B:35:82:6D:F5:7A:02:0A:0A:21:8F:BD:F3:91:43:C3" + subjectName: "CN=example.com, O=Example Corp, C=US" + issuerName: "CN=Example CA, O=Example Trust Services, C=US" + notValidBefore { seconds: 1640995200 } + notValidAfter { seconds: 1704067200 } + signatureAlgorithmRef: "bom_ref-to-algorithm" + subjectPublicKeyRef: "bom_ref-to-public-key" + certificateFormat: "X.509" + certificateExtension: "crt" + certificateFileExtension: "crt" + fingerprint { + alg: HASH_ALG_SHA_256 + value: "3942447fac867ae5cdb3229b658f4d48" + } + certificateState { + predefined_state: PREDEFINED_STATE_PRE_ACTIVATION + reason: "Certificate created but not yet active" + } + certificateState { + predefined_state: PREDEFINED_STATE_ACTIVE + reason: "Certificate in active use for TLS connections" + } + certificateState { + predefined_state: PREDEFINED_STATE_SUSPENDED + reason: "Temporary suspension due to security audit" + } + certificateState { + predefined_state: PREDEFINED_STATE_DEACTIVATED + reason: "Replaced by new certificate" + } + certificateState { + predefined_state: PREDEFINED_STATE_REVOKED + reason: "Private key compromise suspected" + } + certificateState { + predefined_state: PREDEFINED_STATE_DESTROYED + reason: "Certificate and associated keys securely destroyed" + } + creationDate { seconds: 1640995200 } + activationDate { seconds: 1641081600 } + deactivationDate { seconds: 1704067199 } + revocationDate { seconds: 1704067200 } + destructionDate { seconds: 1704153600 } + certificateExtensions { + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_BASIC_CONSTRAINTS + value: "CA:FALSE, pathlen:0" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_KEY_USAGE + value: "digitalSignature, keyEncipherment" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_EXTENDED_KEY_USAGE + value: "serverAuth, clientAuth" + } + } + extensions { + commonExtension { + name: 
COMMON_EXTENSION_NAME_SUBJECT_ALTERNATIVE_NAME + value: "DNS:example.com, DNS:www.example.com" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_AUTHORITY_KEY_IDENTIFIER + value: "keyid:12:34:56:78:90:AB:CD:EF" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_SUBJECT_KEY_IDENTIFIER + value: "AA:BB:CC:DD:EE:FF:00:11" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_AUTHORITY_INFORMATION_ACCESS + value: "OCSP - URI:http://ocsp.example.com" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_CERTIFICATE_POLICIES + value: "Policy: 2.23.140.1.2.1" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_CRL_DISTRIBUTION_POINTS + value: "URI:http://crl.example.com/root.crl" + } + } + extensions { + commonExtension { + name: COMMON_EXTENSION_NAME_SIGNED_CERTIFICATE_TIMESTAMP + value: "Signed by Example CT log at 2022-01-01T00:00:00Z" + } + } + extensions { + customExtension { + name: "someCustomExtension" + value: "Custom value for this extension" } - ] - ikev2TransformTypes: { - encr: [ - { - name: "ENCR_AES_GCM_16" - keyLength: 128 - algorithm: "aes-128-gcm-ref" - } - ] - prf: [ - { - name: "PRF_HMAC_SHA2_256" - algorithm: "sha256-ref" - } - ] - integ: [ - { - name: "AUTH_HMAC_SHA2_256_128" - algorithm: "sha256-ref" - } - ] - ke: [ - { - group: 14 - algorithm: "dh-2048-ref" - } - ] - esn: true - auth: [ - { - name: "ECDSA" - algorithm: "ecdsa-ref" - } - ] - } - relatedCryptographicAssets { - assets: [ - { - type: "algorithm" - ref: "asset-1" - } - ] - } - } - oid: "oid:1.3.6.1.5.5.7.3.1" + } + } + relatedCryptographicAssets { + assets { + type: "publicKey" + ref: "public-key-ref" + } + assets { + type: "privateKey" + ref: "private-key-ref" + } + assets { + type: "algorithm" + ref: "signing-algorithm-ref" + } + } } - }, - { - type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET - bom_ref: "asset-4" - name: "Example Related Crypto Material with All Properties" - 
cryptoProperties: { - assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL - relatedCryptoMaterialProperties: { - type: CRYPTO_RELATED_TYPE_PUBLIC_KEY - id: "key-12345-67890" - state: CRYPTO_RELATED_STATE_ACTIVE - algorithmRef: "rsa-4096-ref" - creationDate { - seconds: 1704067200 - } - activationDate { - seconds: 1704153600 - } - updateDate { - seconds: 1704240000 - } - expirationDate { - seconds: 1767225600 - } - value: "-----BEGIN PUBLIC KEY-----" - size: 4096 - format: "PKCS#8" - securedBy: { - mechanism: "HSM" - algorithmRef: "aes-256-gcm-ref" - } - relatedCryptographicAssets { - assets: [ - { - type: "algorithm" - ref: "asset-1" - } - ] - } - } - oid: "oid:1.2.840.113549.1.1.1" + oid: "oid:2.5.4.3" + } +} +components { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-3" + name: "Example Protocol with All Properties" + cryptoProperties { + assetType: CRYPTO_ASSET_TYPE_PROTOCOL + protocolProperties { + type: CRYPTO_PROTOCOL_TYPE_TLS + version: "1.3" + cipherSuites { + name: "TLS_AES_128_GCM_SHA256" + algorithms: "aes-128-gcm-ref" + algorithms: "sha256-ref" + identifiers: "0x1301" + tlsGroups: "x25519" + tlsGroups: "secp256r1" + tlsGroups: "secp384r1" + tlsGroups: "secp521r1" + tlsGroups: "ffdhe2048" + tlsGroups: "ffdhe3072" + tlsSignatureSchemes: "ecdsa_secp256r1_sha256" + tlsSignatureSchemes: "ecdsa_secp384r1_sha384" + tlsSignatureSchemes: "ecdsa_secp521r1_sha512" + tlsSignatureSchemes: "rsa_pss_rsae_sha256" + tlsSignatureSchemes: "rsa_pss_rsae_sha384" + tlsSignatureSchemes: "rsa_pss_rsae_sha512" + tlsSignatureSchemes: "ed25519" + tlsSignatureSchemes: "ed448" + } + cipherSuites { + name: "TLS_AES_256_GCM_SHA384" + algorithms: "aes-256-gcm-ref" + algorithms: "sha384-ref" + identifiers: "0x1302" + } + cipherSuites { + name: "TLS_CHACHA20_POLY1305_SHA256" + algorithms: "chacha20-poly1305-ref" + algorithms: "sha256-ref" + identifiers: "0x1303" + } + ikev2TransformTypes { + encr { + name: "AES-128-GCM" + keyLength: 128 + algorithm: "aes-128-gcm-ref" + } 
+ prf { + name: "SHA-256" + algorithm: "sha256-ref" + } + integ { + name: "SHA-256" + algorithm: "sha256-ref" + } + ke { + group: 14 + algorithm: "diffie-hellman-group14-sha256-ref" + } + esn: true + auth { + name: "ECDSA" + algorithm: "ecdsa_secp256r1_sha256" + } + } + } + oid: "oid:1.3.6.1.5.5.7.3.1" + } +} +components { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + bom_ref: "asset-4" + name: "Example Related Crypto Material with All Properties" + cryptoProperties { + assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL + relatedCryptoMaterialProperties { + type: CRYPTO_RELATED_TYPE_PUBLIC_KEY + id: "key-12345-67890" + state: CRYPTO_RELATED_STATE_ACTIVE + algorithmRef: "rsa-4096-ref" + creationDate { seconds: 1704067200 } + activationDate { seconds: 1704153600 } + updateDate { seconds: 1704240000 } + expirationDate { seconds: 1767225600 } + value: "-----BEGIN PUBLIC KEY-----" + size: 4096 + format: "PKCS#8" + securedBy { + mechanism: "HSM" + algorithmRef: "aes-256-gcm-ref" + } + fingerprint { + alg: HASH_ALG_SHA_256 + value: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + } + relatedCryptographicAssets { + assets { + type: "publicKey" + ref: "corresponding-public-key-ref" + } + assets { + type: "certificate" + ref: "certificate-using-this-key-ref" + } + assets { + type: "algorithm" + ref: "rsa-4096-ref" + } + } } + oid: "oid:1.2.840.113549.1.1.1" } -] +} diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.xml b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.xml index 0f9c667e..ea6a721c 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.xml +++ b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.xml @@ -1,5 +1,6 @@ - + Name here @@ -110,7 +111,8 @@ signedCertificateTimestamp - Signed by Example CT log at 2022-01-01T00:00:00Z + Signed by Example CT log at 2022-01-01T00:00:00Z + someCustomExtension 
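Review bot: The `fingerprint` added to the `asset-2` certificate declares `alg: HASH_ALG_SHA_256`, but its `value: "3942447fac867ae5cdb3229b658f4d48"` is only 32 hex digits (128 bits), while a SHA-256 digest is 64 hex digits. A validator that checks digest length against the declared algorithm would reject this `valid-` fixture, and one that does not check will keep accepting mismatched fingerprints unnoticed. The line should use a 64-digit constructed value, `value: "<64 hex digits>"`, as the `asset-4` fingerprint later in the same hunk already does.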
@@ -240,7 +242,8 @@ HSM aes-256-gcm-ref - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + publicKey @@ -260,4 +263,4 @@ - \ No newline at end of file + From d60ff1dab3c318b3b49eda0dc4b88457bfc304f6 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 12:04:56 +0200 Subject: [PATCH 39/54] fix: streamline schema Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 5622ba53..3e5892cb 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
@@ -2195,8 +2195,12 @@ message CryptoProperties { optional string algorithmFamily = 2; // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). optional string parameterSetIdentifier = 3; - // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves). + // [DEPRECATED] The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves). optional string curve = 4; + // The specific underlying Elliptic Curve (EC) definition employed which is an indicator + // of the level of security strength, performance and complexity. Curves are defined in + // the cryptography-defs.json subschema. A corresponding schema for ProtoBuf is not available. + optional string ellipticCurve = 13; // The target and execution environment in which the algorithm is implemented in. optional CryptoExecutionEnvironment executionEnvironment = 5; // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform. 
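Review bot: The comments on `curve` and `ellipticCurve` do not say which field a consumer should trust when both are set, and valid-cryptography-full-1.7.textproto in the previous commit sets both. Two tools that each read a different field can then report different curves for the same asset. I would add a line to the new comment such as `// If both curve and ellipticCurve are set, ellipticCurve takes precedence.`, or whatever rule the maintainers intend. Because the comment says there is no ProtoBuf schema for the curve list, it would also help to name the expected `family/name` form with an example taken from the fixtures: `// Example: "secg/secp521r1"`. The enclosing message starts and ends outside this hunk.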
From 20e189c6027516925f984d7881bb45e1373d1cee Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 15:00:02 +0200 Subject: [PATCH 40/54] tests: streamline test data Signed-off-by: Jan Kowalleck --- ...-cryptography-implementation-1.7.textproto | 157 ++++++++++++------ .../valid-cryptography-implementation-1.7.xml | 4 +- 2 files changed, 106 insertions(+), 55 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.textproto index 8e7f928e..68b7bb38 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.textproto 
@@ -1,71 +1,120 @@ # proto-file: schema/bom-1.7.proto # proto-message: Bom -# proto-file: schema/bom-1.7.proto -# proto-message: - spec_version: "1.7" version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -metadata: { - component: { + +metadata { + component{ type: CLASSIFICATION_APPLICATION bom_ref: "acme-application" name: "Acme Application" version: "1.0" } } -components: [ - { - type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET - bom_ref: "aes128gcm" - name: "AES" - cryptoProperties: { - assetType: CRYPTO_ASSET_TYPE_ALGORITHM - algorithmProperties: { - primitive: CRYPTO_PRIMITIVE_AE - parameterSetIdentifier: "128" - executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM - implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 - certificationLevel: [ "none" ], - mode: CRYPTO_ALGORITHM_MODE_GCM - cryptoFunctions: [ - CRYPTO_ALGORITHM_FUNCTION_KEYGEN, - CRYPTO_ALGORITHM_FUNCTION_ENCRYPT, - CRYPTO_ALGORITHM_FUNCTION_DECRYPT, - CRYPTO_ALGORITHM_FUNCTION_TAG - ] - classicalSecurityLevel: 128 - nistQuantumSecurityLevel: 1 - }, - oid: "oid:2.16.840.1.101.3.4.1.7" + +components { + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + name: "AES-128-GCM-128-12" + cryptoProperties{ + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties{ + algorithmFamily: "AES" + primitive: CRYPTO_PRIMITIVE_AE + parameterSetIdentifier: "128" + mode: CRYPTO_ALGORITHM_MODE_GCM + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "none" + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYGEN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_ENCRYPT + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_DECRYPT + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_TAG + classicalSecurityLevel: 128 + nistQuantumSecurityLevel: 1 + } + oid: "2.16.840.1.101.3.4.1.6" + } +} +components { + name: "RSA-PKCS1-1.5-SHA512-2048" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + cryptoProperties{ + 
assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties{ + algorithmFamily: "RSASSA-PKCS1" + primitive: CRYPTO_PRIMITIVE_SIGNATURE + parameterSetIdentifier: "512" + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "none" + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_SIGN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_VERIFY + nistQuantumSecurityLevel: 0 + } + oid: "1.2.840.113549.1.1.13" + } +} +components { + name: "ECDH-secp521r1" + bom_ref: "ecdhsecp521r1" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + cryptoProperties{ + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties{ + algorithmFamily: "ECDH" + ellipticCurve: "secg/secp521r1" + primitive: CRYPTO_PRIMITIVE_KEY_AGREE + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "none" + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYGEN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE + nistQuantumSecurityLevel: 0 } - }, - { - type: CLASSIFICATION_LIBRARY - bom_ref: "crypto-library" - name: "Crypto library" - version: "1.0.0" - }, - { - type: CLASSIFICATION_LIBRARY - bom_ref: "some-library" - name: "Some library" - version: "1.0.0" + oid: "1.3.132.0.35" } -], -dependencies: [ - { - ref: "acme-application" - dependencies { - ref: "crypto-library" +} +components { + name: "ML-KEM-1024" + bom_ref: "mlkem1024" + type: "cryptographic-asset" + cryptoProperties{ + assetType: "algorithm" + algorithmProperties{ + algorithmFamily: "ML-KEM" + primitive: "kem" + executionEnvironment: "software-plain-ram" + implementationPlatform: "x86_64" + certificationLevel: ["none"] + cryptoFunctions: ["keygen", "keyderive"] + nistQuantumSecurityLevel: 5 } - }, - { - ref: "crypto-library" - provides: [ "aes128gcm" ] - dependencies { - ref: "some-library" + oid: "2.16.840.1.101.3.4.1.48" + } +} +components { + name: 
"draft-ietf-tls-hybrid-design-13" + bom_ref: "draftietftlshybriddesign13" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET + cryptoProperties{ + assetType: CRYPTO_ASSET_TYPE_ALGORITHM + algorithmProperties{ + primitive: CRYPTO_PRIMITIVE_COMBINER + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "none" + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYGEN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE + nistQuantumSecurityLevel: 0 } + oid: "1.3.101.110" } -] +} + +dependencies { + ref: "draftietftlshybriddesign13" + dependencies { ref: "mlkem1024" } + dependencies { ref: "ecdhsecp521r1" } +} diff --git a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.xml b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.xml index b81d4982..924d53c3 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.xml +++ b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.xml @@ -1,5 +1,7 @@ - + Acme Application From 145061e2827988f0787ccc78efdd2897732098ea Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 15:03:20 +0200 Subject: [PATCH 41/54] tests: streamline test data Signed-off-by: Jan Kowalleck --- .../resources/1.7/valid-cryptography-implementation-1.7.json | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json index cf58acdb..6ba2aec0 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json @@ -1,4 +1,5 @@ { + "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.7", "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2", 
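Review bot: Two of the added components carry an `oid` that identifies a different algorithm. `ML-KEM-1024` has `oid: "2.16.840.1.101.3.4.1.48"`, which lies in the NIST AES arc (`2.16.840.1.101.3.4.1`) and is, as far as I know, the AES-256 key-wrap-with-padding identifier; the NIST identifier for ML-KEM-1024 is `2.16.840.1.101.3.4.4.3`. `draft-ietf-tls-hybrid-design-13` has `oid: "1.3.101.110"`, which RFC 8410 assigns to X25519, so I would drop that line if the field is optional. The later enum clean-up hunk (`@@ -79,16 +79,17 @@`) leaves the ML-KEM line as it is. Inventory tools that classify assets by OID would record the post-quantum KEM as an AES key wrap, which makes the fixture a poor reference for PQC-migration reporting.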
From 0d870352d91f3500f04f5032fa01f5b687be427d Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 15:05:55 +0200 Subject: [PATCH 42/54] tests: streamline test data Signed-off-by: Jan Kowalleck --- ...alid-cryptography-implementation-1.7.textproto | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.textproto index 68b7bb38..adfd793d 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.textproto +++ b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.textproto @@ -79,16 +79,17 @@ components { components { name: "ML-KEM-1024" bom_ref: "mlkem1024" - type: "cryptographic-asset" + type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET cryptoProperties{ - assetType: "algorithm" + assetType: CRYPTO_ASSET_TYPE_ALGORITHM algorithmProperties{ algorithmFamily: "ML-KEM" - primitive: "kem" - executionEnvironment: "software-plain-ram" - implementationPlatform: "x86_64" - certificationLevel: ["none"] - cryptoFunctions: ["keygen", "keyderive"] + primitive: CRYPTO_PRIMITIVE_KEM + executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM + implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 + certificationLevel: "none" + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYGEN + cryptoFunctions: CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE nistQuantumSecurityLevel: 5 } oid: "2.16.840.1.101.3.4.1.48" From d673e8e3921d1fa9543104cb25932961c07388b5 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 15:10:28 +0200 Subject: [PATCH 43/54] tests Signed-off-by: Jan Kowalleck --- tools/src/test/js/json-schema-functional-tests.js | 4 ++-- tools/src/test/js/json-schema-lint-tests.js | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/tools/src/test/js/json-schema-functional-tests.js b/tools/src/test/js/json-schema-functional-tests.js index 81970498..9dc1625c 100644 --- a/tools/src/test/js/json-schema-functional-tests.js +++ b/tools/src/test/js/json-schema-functional-tests.js @@ -59,7 +59,7 @@ const ajv = new Ajv({ schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema, - 'http://cyclonedx.org/schema/cryptography-defs.schema.json': cryptoDefsSchema + 'http://cyclonedx.org/schema/cryptography-defs.schema.json': cryptoDefsSchema, } }); addFormats(ajv) @@ -115,4 +115,4 @@ for (const file of globSync(join(testdataDir, 'invalid-*.json'))) { // Exit statuses should be in the range 0 to 254. // The status 0 is used to terminate the program successfully. -process.exitCode = Math.min(errCnt, 254) \ No newline at end of file +process.exitCode = Math.min(errCnt, 254) diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js index df692dae..b8411fcd 100644 --- a/tools/src/test/js/json-schema-lint-tests.js +++ b/tools/src/test/js/json-schema-lint-tests.js @@ -55,7 +55,7 @@ function getAjv(strict) { schemas: { 'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema, 'http://cyclonedx.org/schema/jsf-0.82.schema.json': jsfSchema, - 'http://cyclonedx.org/schema/cryptography-defs.schema.json': cryptoDefsSchema + 'http://cyclonedx.org/schema/cryptography-defs.schema.json': cryptoDefsSchema, } }); addFormats(ajv) @@ -114,4 +114,4 @@ for (const bomSchemaFile of bomSchemas) { // Exit statuses should be in the range 0 to 254. // The status 0 is used to terminate the program successfully. -process.exitCode = Math.min(errCnt, 254) \ No newline at end of file +process.exitCode = Math.min(errCnt, 254) From 070e355e46b473f872b35cb6c49e4de2dd273340 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 16:21:19 +0200 Subject: [PATCH 44/54] streamline docs 
Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 25 +++++++++++++------------ schema/bom-1.7.schema.json | 16 ++++++++-------- schema/bom-1.7.xsd | 8 ++++---- 3 files changed, 25 insertions(+), 24 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 3e5892cb..35c0e0a8 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto 
@@ -2195,8 +2195,9 @@ message CryptoProperties { optional string algorithmFamily = 2; // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). optional string parameterSetIdentifier = 3; - // [DEPRECATED] The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves). - optional string curve = 4; + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.ellipticCurve` Instead. + // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves). + optional string curve = 4 [deprecated = true]; // The specific underlying Elliptic Curve (EC) definition employed which is an indicator // of the level of security strength, performance and complexity. Curves are defined in // the cryptography-defs.json subschema. A corresponding schema for ProtoBuf is not available. 
@@ -2264,14 +2265,16 @@ message CryptoProperties { optional google.protobuf.Timestamp notValidBefore = 3; // The date and time according to ISO-8601 standard from which the certificate is not valid anymore optional google.protobuf.Timestamp notValidAfter = 4; - // [DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to signature algorithm used by the certificate - optional string signatureAlgorithmRef = 5; - // [DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the public key of the subject - optional string subjectPublicKeyRef = 6; + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.relatedCryptographicAssets` instead. The bom-ref to signature algorithm used by the certificate + optional string signatureAlgorithmRef = 5 [deprecated = true]; + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.relatedCryptographicAssets` instead. The bom-ref to the public key of the subject + optional string subjectPublicKeyRef = 6 [deprecated = true]; // The format of the certificate. Examples include X.509, PEM, DER, and CVC. optional string certificateFormat = 7; - // [DEPRECATED] Use certificateFileExtension instead. The file extension of the certificate. Examples include crt, pem, cer, der, and p12. - optional string certificateExtension = 8; + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.certificateFileExtension` instead. The file extension of the certificate. Examples include crt, pem, cer, der, and p12. + optional string certificateExtension = 8 [deprecated = true]; + // A certificate extension is an optional field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. + optional CertificateExtensions certificateExtensions = 18; // The serial number is a unique identifier for the certificate issued by a CA. 
optional string serialNumber = 9; // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. @@ -2290,8 +2293,6 @@ message CryptoProperties { optional google.protobuf.Timestamp revocationDate = 16; // The date and time (timestamp) when the certificate was destroyed. optional google.protobuf.Timestamp destructionDate = 17; - // A certificate extension is an optional field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. - optional CertificateExtensions certificateExtensions = 18; // A list of cryptographic assets related to this component. optional RelatedCryptographicAssets relatedCryptographicAssets = 19; } // end of CertificateProperties @@ -2414,8 +2415,8 @@ message CryptoProperties { optional string id = 2; // The key state as defined by NIST SP 800-57. optional CryptoRelatedState state = 3; - // [DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the algorithm used to generate the related cryptographic material. - optional string algorithmRef = 4; + // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.relatedCryptographicAssets` instead. The bom-ref to the algorithm used to generate the related cryptographic material. + optional string algorithmRef = 4 [deprecated = true]; // The date and time (timestamp) when the related cryptographic material was created. optional google.protobuf.Timestamp creationDate = 5; // The date and time (timestamp) when the related cryptographic material was activated. diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 35356b1f..128ae259 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
@@ -5126,10 +5126,10 @@ "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)." }, "curve": { + "deprecated": true, "type": "string", "title": "Elliptic Curve", - "description": "[Deprecated] The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves).", - "deprecated": true + "description": "[Deprecated] This will be removed in a future version. Use `@.ellipticCurve` instead.\nThe specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends using curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source of which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)." }, "ellipticCurve": { "$ref": "cryptography-defs.schema.json#/definitions/ellipticCurvesEnum", 
@@ -5373,13 +5373,13 @@ "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "[DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to signature algorithm used by the certificate" + "description": "[DEPRECATED] This will be removed in a future version. Use `@.relatedCryptographicAssets` instead.\nThe bom-ref to signature algorithm used by the certificate" }, "subjectPublicKeyRef": { "deprecated": true, "$ref": "#/definitions/refType", "title": "Key reference", - "description": "[DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the public key of the subject" + "description": "[DEPRECATED] This will be removed in a future version. Use `@.relatedCryptographicAssets` instead. The bom-ref to the public key of the subject" }, "certificateFormat": { "type": "string", @@ -5396,7 +5396,7 @@ "deprecated": true, "type": "string", "title": "Certificate File Extension", - "description": "[DEPRECATED] Use certificateFileExtension instead. The file extension of the certificate", + "description": "[DEPRECATED] This will be removed in a future version. Use `@.certificateFileExtension` instead.\nThe file extension of the certificate", "examples": [ "crt", "pem", @@ -5682,7 +5682,7 @@ "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "[DEPRECATED] Use relatedCryptographicAssets instead. The bom-ref to the algorithm used to generate the related cryptographic material." + "description": "[DEPRECATED] Use `relatedCryptographicAssets` instead.\nThe bom-ref to the algorithm used to generate the related cryptographic material." }, "creationDate": { "type": "string", @@ -5819,7 +5819,7 @@ "$ref": "#/definitions/ikeV2Enc", "title": "Encryption Algorithm (ENCR)" } - }, + }, "prf": { "type": "array", "title": "Pseudorandom Functions (PRF)", 
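Review bot: The deprecation wording is not uniform across the hunks of schema/bom-1.7.schema.json. The `algorithmRef` description at `@@ -5682,7` says only "[DEPRECATED] Use `relatedCryptographicAssets` instead.", without the "This will be removed in a future version." sentence and the `@.` prefix that `signatureAlgorithmRef`, `subjectPublicKeyRef` and `certificateExtension` get in the same commit. The `cryptoRefArray` description at `@@ -5867,7` has the same short form plus a stray backtick after the `r`; a later patch in this series removes the backtick but keeps the short wording. The `curve` description also writes `[Deprecated]` in mixed case, and `subjectPublicKeyRef` keeps `instead. The bom-ref` where its siblings use `instead.\nThe bom-ref`. Suggest one form for every deprecated property: "[DEPRECATED] This will be removed in a future version. Use `@.relatedCryptographicAssets` instead.\n" followed by the original sentence.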
@@ -5867,7 +5867,7 @@ "deprecated": true, "$ref": "#/definitions/cryptoRefArray", "title": "Cryptographic References", - "description": "[DEPRECATED] Use relatedCryptographicAssets instead. A list of protocol-related cryptographic assets" + "description": "[DEPRECATED] Use `r`elatedCryptographicAssets` instead. A list of protocol-related cryptographic assets" }, "relatedCryptographicAssets": { "$ref": "#/definitions/relatedCryptographicAssets", diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index aca1b279..b7f67201 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -6546,7 +6546,7 @@ limitations under the License. - DEPRECATED. Use ellipticCurve instead. + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./ellipticCurve` instead. The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as @@ -7095,7 +7095,7 @@ limitations under the License. - DEPRECATED] Use relatedCryptographicAssets instead. + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./relatedCryptographicAssets` instead. The bom-ref to signature algorithm used by the certificate @@ -7103,7 +7103,7 @@ limitations under the License. - DEPRECATED] Use relatedCryptographicAssets instead. + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./relatedCryptographicAssets` instead. The bom-ref to the public key of the subject @@ -7118,7 +7118,7 @@ limitations under the License. - [DEPRECATED] Use certificateFileExtension instead. + DEPRECATED - DO NOT USE. This will be removed in a future version. Use `./certificateFileExtension` instead. The file extension of the certificate. Examples include crt, pem, cer, der, and p12. From 95b691abcecc637140944357b9c45f9203eea79e Mon Sep 17 00:00:00 2001 
From: Jan Kowalleck Date: Mon, 11 Aug 2025 17:06:46 +0200 Subject: [PATCH 45/54] streamline docs Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 35c0e0a8..693ca3b1 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -2257,6 +2257,8 @@ message CryptoProperties { // Certificate Properties message CertificateProperties { + // The serial number is a unique identifier for the certificate issued by a CA. + optional string serialNumber = 9; // The subject name for the certificate optional string subjectName = 1; // The issuer name for the certificate @@ -2273,10 +2275,6 @@ message CryptoProperties { optional string certificateFormat = 7; // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.certificateFileExtension` instead. The file extension of the certificate. Examples include crt, pem, cer, der, and p12. optional string certificateExtension = 8 [deprecated = true]; - // A certificate extension is an optional field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. - optional CertificateExtensions certificateExtensions = 18; - // The serial number is a unique identifier for the certificate issued by a CA. - optional string serialNumber = 9; // The file extension of the certificate. Examples include crt, pem, cer, der, and p12. optional string certificateFileExtension = 10; // The fingerprint is a cryptographic hash of the certificate excluding it's signature. 
@@ -2293,6 +2291,8 @@ message CryptoProperties { optional google.protobuf.Timestamp revocationDate = 16; // The date and time (timestamp) when the certificate was destroyed. optional google.protobuf.Timestamp destructionDate = 17; + // A certificate extension is an optional field that provides additional information about the certificate or its use. Extensions are used to convey additional information beyond the standard fields. + optional CertificateExtensions certificateExtensions = 18; // A list of cryptographic assets related to this component. optional RelatedCryptographicAssets relatedCryptographicAssets = 19; } // end of CertificateProperties From 7d76dfd0687675cc84f63fb3e8df6a41048ca27e Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 11 Aug 2025 17:10:45 +0200 Subject: [PATCH 46/54] revert unintende whitespace changes Signed-off-by: Jan Kowalleck --- schema/xmlcatalog.xml | 2 -- 1 file changed, 2 deletions(-) diff --git a/schema/xmlcatalog.xml b/schema/xmlcatalog.xml index f0374eca..e250aa74 100644 --- a/schema/xmlcatalog.xml +++ b/schema/xmlcatalog.xml @@ -26,8 +26,6 @@ limitations under the License. - - From 9270cd1057fb12d8a5c59d385f61bad434791255 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 14 Aug 2025 10:40:51 +0200 Subject: [PATCH 47/54] Extend crypto definitions --- schema/cryptography-defs.json | 214 ++++++++++++++++++++++++++++++++-- 1 file changed, 202 insertions(+), 12 deletions(-) diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index aa24a47d..ca74598c 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -426,15 +426,7 @@ { "pattern": "ML-DSA-(44|65|87)", "primitive": "signature" - } - ] - }, - { - "family": "HashML-DSA", - "standard": [ - {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"} - ], - "variant": [ + }, { "pattern": "HashML-DSA-(44|65|87)[-{hashFunction}]", "primitive": "signature" 
@@ -442,13 +434,17 @@ ] }, { - "family": "HashSLH-DSA", + "family": "SLH-DSA", "standard": [ {"name": "FIPS 205", "url": "https://doi.org/10.6028/NIST.FIPS.205"} ], "variant": [ { - "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)", + "pattern": "SLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)", + "primitive": "signature" + }, + { + "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)[-{hashFunction}]", "primitive": "signature" } ] @@ -688,7 +684,7 @@ ] }, { - "family": "BLAKE2b", + "family": "BLAKE2", "standard": [ {"name": "RFC7693", "url": "https://doi.org/10.17487/RFC7693"} ], @@ -697,12 +693,32 @@ "pattern": "BLAKE2b-(160|256|384|512)", "primitive": "hash" }, + { + "pattern": "BLAKE2b-(160|256|384|512)-HMAC", + "primitive": "mac" + }, + { + "pattern": "BLAKE2s-(160|256)", + "primitive": "hash" + }, { "pattern": "BLAKE2b-(160|256|384|512)-HMAC", "primitive": "mac" } ] }, + { + "family": "BLAKE3", + "standard": [ + {"name": "BLAKE3 Spec", "url": "https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf"} + ], + "variant": [ + { + "pattern": "BLAKE3[-{outputLength}]", + "primitive": "hash" + } + ] + }, { "family": "X3DH", "standard": [ 
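Review bot: In the `BLAKE2` entry at `@@ -697,12 +693,32 @@` the pattern `BLAKE2b-(160|256|384|512)-HMAC` ends up in the `variant` array twice, once added by this commit and once kept as context. The newly added `BLAKE2s-(160|256)` hash has no MAC counterpart, so the added copy was presumably meant to be the BLAKE2s form. Either drop the duplicate or change it to `"pattern": "BLAKE2s-(160|256)-HMAC"`. A tool that maps an algorithm name to exactly one variant gets an ambiguous match from the repeated pattern.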
@@ -810,6 +826,180 @@ "primitive": "kdf" } ] + }, + { + "family": "MD2", + "standard": [ + {"name": "RFC1319", "url": "https://doi.org/10.17487/RFC1319"} + ], + "variant": [ + { + "pattern": "MD2", + "primitive": "hash" + } + ] + }, + { + "family": "MD4", + "standard": [ + {"name": "RFC1320", "url": "https://doi.org/10.17487/RFC1320"} + ], + "variant": [ + { + "pattern": "MD4", + "primitive": "hash" + } + ] + }, + { + "family": "MD5", + "standard": [ + {"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"} + ], + "variant": [ + { + "pattern": "MD5", + "primitive": "hash" + } + ] + }, + { + "family": "RIPEMD", + "standard": [ + {"name": "ISO10118-3", "url": "https://www.iso.org/standard/67116.html"} + ], + "variant": [ + { + "pattern": "RIPEMD-(128|160|256|320)", + "primitive": "hash" + } + ] + }, + { + "family": "Whirlpool", + "standard": [ + {"name": "ISO10118-3", "url": "https://www.iso.org/standard/67116.html"}, + {"name": "NESSIE", "url": "https://www.cosic.esat.kuleuven.be/nessie/"} + ], + "variant": [ + { + "pattern": "Whirlpool", + "primitive": "hash" + } + ] + }, + { + "family": "Serpent", + "standard": [ + {"name": "AES Finalist", "url": "https://www.cl.cam.ac.uk/~rja14/serpent.html"} + ], + "variant": [ + { + "pattern": "Serpent-(128|192|256)[-{mode}][-{padding}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "CAST5", + "standard": [ + {"name": "RFC2144", "url": "https://doi.org/10.17487/RFC2144"} + ], + "variant": [ + { + "pattern": "CAST5[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "CAST6", + "standard": [ + {"name": "RFC2612", "url": "https://doi.org/10.17487/RFC2612"} + ], + "variant": [ + { + "pattern": "CAST6[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + { + "family": "RC5", + "standard": [ + {"name": "RFC2040", "url": "https://doi.org/10.17487/RFC2040"} + ], + "variant": [ + { + "pattern": "RC5[-{keyLength}][-{mode}]", + "primitive": "block-cipher" + } + ] + }, + 
{ + "family": "HC", + "standard": [ + {"name": "eSTREAM", "url": "https://www.ecrypt.eu.org/stream/"} + ], + "variant": [ + { + "pattern": "HC-128", + "primitive": "stream-cipher" + }, + { + "pattern": "HC-256", + "primitive": "stream-cipher" + } + ] + }, + { + "family": "RABBIT", + "standard": [ + {"name": "RFC4503", "url": "https://doi.org/10.17487/RFC4503"}, + {"name": "eSTREAM", "url": "https://www.ecrypt.eu.org/stream/"} + ], + "variant": [ + { + "pattern": "RABBIT", + "primitive": "stream-cipher" + } + ] + }, + { + "family": "Ascon", + "standard": [ + {"name": "NIST SP 800-232", "url": "https://doi.org/10.6028/NIST.SP.800-232"} + ], + "variant": [ + { + "pattern": "Ascon-AEAD128", + "primitive": "ae" + }, + { + "pattern": "Ascon-Hash256", + "primitive": "hash" + }, + { + "pattern": "Ascon-XOF128", + "primitive": "xof" + }, + { + "pattern": "Ascon-CXOF128", + "primitive": "xof" + } + ] + }, + { + "family": "SipHash", + "standard": [ + {"name": "SipHash Spec", "url": "https://131002.net/siphash/"} + ], + "variant": [ + { + "pattern": "SipHash[-{compressionRounds}-{finalizationRounds}]", + "primitive": "hash" + } + ] } ], "ellipticCurves": [ From 3db7d684cb0ea40cd6164e3eb4c6d36a5c3f4209 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 14 Aug 2025 15:52:17 +0200 Subject: [PATCH 48/54] Update schema/cryptography-defs.schema.json Signed-off-by: Jan Kowalleck --- schema/cryptography-defs.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index fb5696f1..58f4247f 100644 --- a/schema/cryptography-defs.schema.json +++ b/schema/cryptography-defs.schema.json 
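Review bot: `SipHash` is registered with `"primitive": "hash"` in the `@@ -810,6 +826,180 @@` hunk of schema/cryptography-defs.json, but SipHash is a keyed pseudorandom function and offers no collision or preimage resistance without its secret key. A cryptographic inventory that groups it with unkeyed hashes such as SHA-2 or BLAKE2 would overstate what the asset provides. `"primitive": "mac"`, which the BLAKE2 HMAC variants in this file already use, describes it better. In the same hunk the `Serpent` entry names its standard `AES Finalist`, which is a status rather than a specification. A name in the style of the `BLAKE3 Spec` and `SipHash Spec` entries would be clearer.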
@@ -62,7 +62,7 @@ "variant": { "type": "array", "title": "Variants", - "description": "Defines algorithm variants by a naming pattern and the corrsponding cryptographic primitive.", + "description": "Defines algorithm variants by a naming pattern and the corresponding cryptographic primitive.", "items": { "type": "object", "title": "Standard Reference", From 31042b8803b9405a7b0304fe0b5f7f98fdfece7a Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Thu, 14 Aug 2025 16:35:06 +0200 Subject: [PATCH 49/54] PB: fixes and reverts Signed-off-by: Jan Kowalleck --- schema/bom-1.7.proto | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 693ca3b1..99641b3f 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -2044,6 +2044,7 @@ message CryptoProperties { // Algorithm Propertie message AlgorithmProperties { + // Primitive enum CryptoPrimitive { // ProtoBuff's default value -- it differs from "unknown" 
@@ -2192,36 +2193,37 @@ message CryptoProperties { // A valid algorithm family identifier. If specified, this value must be one of the // enumeration of valid algorithm Family identifiers defined in the // cryptography-defs.json subschema. A corresponding schema for ProtoBuf is not available. - optional string algorithmFamily = 2; + optional string algorithmFamily = 12; // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205). - optional string parameterSetIdentifier = 3; + optional string parameterSetIdentifier = 2; // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.ellipticCurve` Instead. // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves). - optional string curve = 4 [deprecated = true]; + optional string curve = 3 [deprecated = true]; // The specific underlying Elliptic Curve (EC) definition employed which is an indicator // of the level of security strength, performance and complexity. Curves are defined in // the cryptography-defs.json subschema. A corresponding schema for ProtoBuf is not available. optional string ellipticCurve = 13; // The target and execution environment in which the algorithm is implemented in. - optional CryptoExecutionEnvironment executionEnvironment = 5; + optional CryptoExecutionEnvironment executionEnvironment = 4; // The target platform for which the algorithm is implemented. 
The implementation can be 'generic', running on any platform or for a specific platform. - optional CryptoImplementationPlatform implementationPlatform = 6; + optional CryptoImplementationPlatform implementationPlatform = 5; // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL). - repeated string certificationLevel = 7; + repeated string certificationLevel = 6; // The mode of operation in which the cryptographic algorithm (block cipher) is used. - optional CryptoAlgorithmMode mode = 8; + optional CryptoAlgorithmMode mode = 7; // The padding scheme that is used for the cryptographic algorithm. - optional CryptoAlgorithmPadding padding = 9; + optional CryptoAlgorithmPadding padding = 8; // The cryptographic functions implemented by the cryptographic algorithm. - repeated CryptoAlgorithmFunction cryptoFunctions = 10; + repeated CryptoAlgorithmFunction cryptoFunctions = 9; // The classical security level that a cryptographic algorithm provides (in bits). - optional int32 classicalSecurityLevel = 11; + optional int32 classicalSecurityLevel = 10; // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met. - optional int32 nistQuantumSecurityLevel = 12; + optional int32 nistQuantumSecurityLevel = 11; } // end of AlgorithmProperties // Certificate State message CertificateState { + // Pre-defined certificate states enum PredefinedState { // ProtoBuff's default value 
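Review bot: The field numbers of `AlgorithmProperties` change in the `@@ -2192,36 +2193,37 @@` hunk (`algorithmFamily` 2 → 12, `parameterSetIdentifier` 3 → 2, and so on down to `nistQuantumSecurityLevel` 12 → 11), and nothing in the message says why `algorithmFamily = 12` now sits ahead of field 2. Protobuf identifies fields on the wire by number, so anything serialized with the earlier numbering of this series would decode into the wrong fields. Judging by the commit title this restores previously published numbers, which is the safe direction. A comment above `algorithmFamily` would keep a later tidy-up from re-sorting them: `// Field numbers 2-11 are kept from earlier schema versions; new fields take the next free number and are never renumbered.` The message body begins before this hunk, so the numbering of field 1 is not visible here.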
@@ -2242,7 +2244,6 @@ message CryptoProperties { // A reason for the certificate being in this state. optional string reason = 1; - // The state can be either a predefined state or a custom state oneof state { // A pre-defined state in the certificate lifecycle. @@ -2250,10 +2251,9 @@ message CryptoProperties { // The name of the certificate lifecycle state for custom states. string name = 3; } - // The description of the certificate lifecycle state (only used with custom states). optional string description = 4; - } + } // end of CertificateState // Certificate Properties message CertificateProperties { From 2155fb049c1d0310b346dc405d4a8533533e8d76 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Aug 2025 09:27:37 -0500 Subject: [PATCH 50/54] Removing JOSE from protocol - as it technically doesn't fit the definition of one. Each JOSE component (tokens, algorithms, etc) can be represented as individual components within the CBOM. Signed-off-by: Steve Springett --- schema/bom-1.7.schema.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 128ae259..0b19f435 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5764,7 +5764,6 @@ "eap-aka-prime", "prins", "5g-aka", - "jose", "other", "unknown" ], @@ -5781,7 +5780,6 @@ "eap-aka-prime": "Enhanced version of EAP-AKA", "prins": "Protection of Inter-Network Signaling", "5g-aka": "Authentication and Key Agreement for 5G", - "jose": "JSON Object Signing and Encryption", "other": "Another protocol type", "unknown": "The protocol type is not known" } From 1ce2c8f47e6a71f0b00cab5d7c69e6533d72966f Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Thu, 21 Aug 2025 09:28:33 -0500 Subject: [PATCH 51/54] Removing JOSE from protocol - as it technically doesn't fit the definition of one. Each JOSE component (tokens, algorithms, etc) can be represented as individual components within the CBOM. 
Signed-off-by: Steve Springett --- schema/bom-1.7.proto | 2 -- schema/bom-1.7.xsd | 7 ------- 2 files changed, 9 deletions(-) diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto index 99641b3f..8d21b3dc 100644 --- a/schema/bom-1.7.proto +++ b/schema/bom-1.7.proto @@ -2472,8 +2472,6 @@ message CryptoProperties { CRYPTO_PROTOCOL_TYPE_PRINS = 13; // Authentication and Key Agreement for 5G CRYPTO_PROTOCOL_TYPE_5G_AKA = 14; - // JSON Object Signing and Encryption - CRYPTO_PROTOCOL_TYPE_JOSE = 15; } // Object representing a cipher suite diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index b7f67201..3216c280 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -7745,13 +7745,6 @@ limitations under the License. - - - - JSON Object Signing and Encryption - - - From 1a6ae860903f5f22f074f02e2cc3f106fcdd2a27 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Wed, 27 Aug 2025 21:26:42 -0500 Subject: [PATCH 52/54] Added back in broken ikev2 behavior for XML and JSON Signed-off-by: Steve Springett --- schema/bom-1.7.schema.json | 95 +++++++++++----- schema/bom-1.7.xsd | 215 ++++++++++++++++++------------------- 2 files changed, 175 insertions(+), 135 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 0b19f435..b33ac134 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
@@ -5810,40 +5810,76 @@ "additionalProperties": false, "properties": { "encr": { - "type": "array", "title": "Encryption Algorithms (ENCR)", "description": "Transform Type 1: encryption algorithms", - "items": { - "$ref": "#/definitions/ikeV2Enc", - "title": "Encryption Algorithm (ENCR)" - } + "anyOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version. Transform Type 1: encryption algorithms" + } + ] }, "prf": { - "type": "array", "title": "Pseudorandom Functions (PRF)", "description": "Transform Type 2: pseudorandom functions", - "items": { - "$ref": "#/definitions/ikeV2Prf", - "title": "Pseudorandom Function (PRF)" - } + "anyOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version. Transform Type 2: pseudorandom functions" + } + ] }, "integ": { - "type": "array", "title": "Integrity Algorithms (INTEG)", "description": "Transform Type 3: integrity algorithms", - "items": { - "$ref": "#/definitions/ikeV2Integ", - "title": "Integrity Algorithm (INTEG)" - } + "anyOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version. 
Transform Type 3: integrity algorithms" + } + ] }, "ke": { - "type": "array", "title": "Key Exchange Methods (KE)", "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", - "items": { - "$ref": "#/definitions/ikeV2Ke", - "title": "Key Exchange Method (KE)" - } + "anyOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ikeV2Ke", + "title": "Key Exchange Method (KE)" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version. Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)." + } + ] }, "esn": { "type": "boolean", @@ -5851,13 +5887,22 @@ "description": "Specifies if an Extended Sequence Number (ESN) is used." }, "auth": { - "type": "array", "title": "IKEv2 Authentication methods", "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", - "items": { - "$ref": "#/definitions/ikeV2Auth", - "title": "IKEv2 Authentication Method" - } + "anyOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } + }, + { + "deprecated": true, + "$ref": "#/definitions/cryptoRefArray", + "description": "[DEPRECATED] This will be removed in a future version. IKEv2 Authentication method" + } + ] } } }, diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index 3216c280..ee11cf31 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd 
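Review bot: `encr`, `prf`, `integ`, `ke` and `auth` now accept two array shapes through `anyOf`, yet the property-level `description` of each still describes a single meaning, so the schema documentation does not say that the legacy `cryptoRefArray` form remains valid. A consumer that handles only the new typed entries would silently skip algorithms supplied in the deprecated form, which matters when the BOM is used to locate weak IKEv2 transforms. Suggest stating both forms in the description, e.g. `"description": "Transform Type 1: encryption algorithms. Either a list of ikeV2Enc entries or, deprecated, a cryptoRefArray."`. The same applies to the other four properties, including `auth` in the `@@ -5851,13` hunk. The definitions of `cryptoRefArray` and `ikeV2Enc` are outside these hunks, so their item types are assumed.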
@@ -7880,33 +7880,115 @@ limitations under the License. - + Transform Type 1: encryption algorithms + + + + + + A name for the encryption method. + Example: ENCR_AES_GCM_16 + + + + + + + The key length of the encryption algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + - + Transform Type 2: pseudorandom functions + + + + + + A name for the pseudorandom function. + Example: PRF_HMAC_SHA2_256 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + - + Transform Type 3: integrity algorithms + + + + + + A name for the integrity algorithm. + Example: AUTH_HMAC_SHA2_256_128 + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + - + Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + + + + + + A group identifier for the key exchange algorithm. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + @@ -7915,12 +7997,30 @@ limitations under the License. - + IKEv2 Authentication method + + + + + + A name for the authentication method. + + + + + + + The bom-ref to algorithm cryptographic asset. + + + + + @@ -7943,111 +8043,6 @@ limitations under the License. - - - - - - A name for the encryption method. - Example: ENCR_AES_GCM_16 - - - - - - - The key length of the encryption algorithm. - - - - - - - The bom-ref to algorithm cryptographic asset. - - - - - - - - - - - - A name for the pseudorandom function. - Example: PRF_HMAC_SHA2_256 - - - - - - - The bom-ref to algorithm cryptographic asset. - - - - - - - - - - - - A name for the integrity algorithm. - Example: AUTH_HMAC_SHA2_256_128 - - - - - - - The bom-ref to algorithm cryptographic asset. - - - - - - - - - - - - A group identifier for the key exchange algorithm. - - - - - - - The bom-ref to algorithm cryptographic asset. - - - - - - - - - - - - A name for the authentication method. - - - - - - - The bom-ref to algorithm cryptographic asset. - - - - - - 
From 14136a65704dcea3e0b2b6d98a455ce1c77e1273 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 1 Sep 2025 20:58:17 +0200 Subject: [PATCH 53/54] test data Signed-off-by: Jan Kowalleck --- schema/bom-1.7.schema.json | 2 +- .../1.6/valid-cryptography-full-1.6.json | 11 +- .../1.6/valid-cryptography-full-1.6.textproto | 13 +- .../1.6/valid-cryptography-full-1.6.xml | 24 ++++ ...alid-cryptography-full-deprecated-1.7.json | 109 +++++++++++++++ ...cryptography-full-deprecated-1.7.textproto | 131 ++++++++++++++++++ ...valid-cryptography-full-deprecated-1.7.xml | 119 ++++++++++++++++ 7 files changed, 405 insertions(+), 4 deletions(-) create mode 100644 tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.json create mode 100644 tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.textproto create mode 100644 tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.xml diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index b33ac134..fcb84422 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5910,7 +5910,7 @@ "deprecated": true, "$ref": "#/definitions/cryptoRefArray", "title": "Cryptographic References", - "description": "[DEPRECATED] Use `r`elatedCryptographicAssets` instead. A list of protocol-related cryptographic assets" + "description": "[DEPRECATED] Use `relatedCryptographicAssets` instead. A list of protocol-related cryptographic assets" }, "relatedCryptographicAssets": { "$ref": "#/definitions/relatedCryptographicAssets", diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json index ac134465..40e97a20 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json 
@@ -65,7 +65,16 @@ "0xC0" ] } - ] + ], + "ikev2TransformTypes": { + "encr": ["bom-ref-to-encr"], + "prf": ["bom-ref-to-prf"], + "integ": ["bom-ref-to-integ"], + "ke": ["bom-ref-to-ke"], + "esn": true, + "auth": ["bom-ref-to-auth"] + }, + "cryptoRefArray": ["asset-4"] }, "oid": "oid:1.2.3.4.5.6.7.8.9" } diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto index 9af87b05..c2f31f8b 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto @@ -17,7 +17,7 @@ components: [ curve: "brainpoolP160r1" executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 - certificationLevel: [ "fips140-1-l4" ] + certificationLevel: ["fips140-1-l4"] mode: CRYPTO_ALGORITHM_MODE_GCM padding: CRYPTO_ALGORITHM_PADDING_PKCS5 cryptoFunctions: [ @@ -54,7 +54,7 @@ components: [ certificateFormat: "X.509" certificateExtension: "crt" } - oid: "oid:1.2.3.4.5.6.7.8.9" + oid: "oid:1.2.3.4.5.6.7.8.9" } }, { @@ -77,6 +77,15 @@ components: [ ] } ] + ikev2TransformTypes: { + encr: "bom-ref-to-encr" + prf: "bom-ref-to-prf" + integ: "bom-ref-to-integ" + ke: "bom-ref-to-ke" + esn: true + auth: "bom-ref-to-auth" + } + cryptoRef: "asset-4" } oid: "oid:1.2.3.4.5.6.7.8.9" } diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml index 0e151a34..624e228e 100644 --- a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml +++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml @@ -40,6 +40,30 @@ X.509 crt + + tls + 1.3 + + + TLS_DHE_RSA_WITH_AES_128_CCM + + bom-ref-to-algorithm + + + 0xC0 + + + + + bom-ref-to-encr + bom-ref-to-prf + bom-ref-to-integ + bom-ref-to-ke + true + bom-ref-to-auth + + asset-4 + oid:1.2.3.4.5.6.7.8.9 
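Review bot: In the XML fixture the added protocol block appears to sit directly after the certificate fields (`X.509`, `crt`) and before that component's `oid`, which would put it inside the certificate asset, while the JSON and textproto hunks above add `ikev2TransformTypes` to the protocol asset. The element tags are not visible on this page, so this is inferred from the order of the text; the new 1.7 XML fixture later in the series shows the same order, with the protocol component left without the IKEv2 block. If that reading is right, I would move the added block into the protocol component so the three serialisations of the fixture exercise the same deprecated path.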
diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.json
new file mode 100644
index 00000000..847ca57d
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.json
@@ -0,0 +1,109 @@
+{
+ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.7",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-1",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "ae",
+ "parameterSetIdentifier": "128",
+ "curve": "brainpoolP160r1",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": [ "fips140-1-l4" ],
+ "mode": "gcm",
+ "padding": "pkcs5",
+ "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"],
+ "classicalSecurityLevel": 128,
+ "nistQuantumSecurityLevel": 1
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-2",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "certificate",
+ "certificateProperties": {
+ "subjectName": "Subject name here",
+ "issuerName": "Issuer name here",
+ "notValidBefore": "2022-01-01T00:00:00.000Z",
+ "notValidAfter": "2024-01-01T00:00:00.000Z",
+ "signatureAlgorithmRef": "bom-ref-to-algorithm",
+ "subjectPublicKeyRef": "bom-ref-to-public-key",
+ "certificateFormat": "X.509",
+ "certificateExtension": "crt"
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-3",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "protocol",
+ "protocolProperties": {
+ "type": "tls",
+ "version": "1.3",
+ "cipherSuites": [
+ {
+ "name": "TLS_DHE_RSA_WITH_AES_128_CCM",
+ "algorithms": [
+ "bom-ref-to-algorithm"
+ ],
+ "identifiers": [
+ "0xC0"
+ ]
+ }
+ ],
+ "ikev2TransformTypes": {
+ "encr": ["bom-ref-to-encr"],
+ "prf": ["bom-ref-to-prf"],
+ "integ": ["bom-ref-to-integ"],
+ "ke": ["bom-ref-to-ke"],
+ "esn": true,
+ "auth": ["bom-ref-to-auth"]
+ },
+ "cryptoRefArray": ["asset-4"]
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-4",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "related-crypto-material",
+ "relatedCryptoMaterialProperties": {
+ "type": "private-key",
+ "id": "12345",
+ "state": "active",
+ "algorithmRef": "bom-ref-to-algorithm",
+ "creationDate": "2024-01-01T00:00:00.000Z",
+ "activationDate": "2024-01-02T00:00:00.000Z",
+ "updateDate": "2024-01-03T00:00:00.000Z",
+ "expirationDate": "2024-01-04T00:00:00.000Z",
+ "value": "Value here",
+ "size": 1024,
+ "format": "PEM",
+ "securedBy": {
+ "mechanism": "HSM",
+ "algorithmRef": "bom-ref-to-algorithm"
+ }
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.textproto
new file mode 100644
index 00000000..365b0cf7
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.textproto
@@ -0,0 +1,131 @@
+# proto-file: schema/bom-1.7.proto
+# proto-message: Bom
+
+spec_version: "1.6"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components: [
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "asset-1"
+ name: "Name here"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_ALGORITHM
+ algorithmProperties: {
+ primitive: CRYPTO_PRIMITIVE_AE
+ parameterSetIdentifier: "128"
+ curve: "brainpoolP160r1"
+ executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM
+ implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64
+ certificationLevel: ["fips140-1-l4"]
+ mode: CRYPTO_ALGORITHM_MODE_GCM
+ padding: CRYPTO_ALGORITHM_PADDING_PKCS5
+ cryptoFunctions: [
+ CRYPTO_ALGORITHM_FUNCTION_KEYGEN,
+ CRYPTO_ALGORITHM_FUNCTION_ENCRYPT,
+ CRYPTO_ALGORITHM_FUNCTION_DECRYPT,
+ CRYPTO_ALGORITHM_FUNCTION_TAG
+ ]
+ classicalSecurityLevel: 128
+ nistQuantumSecurityLevel: 1
+ },
+ oid: "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "asset-2"
+ name: "Name here"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_CERTIFICATE
+ certificateProperties: {
+ subjectName: "Subject name here"
+ issuerName: "Issuer name here"
+ notValidBefore {
+ seconds: 1640995200
+ nanos: 0
+ }
+ notValidAfter {
+ seconds: 1704067200
+ nanos: 0
+ }
+ signatureAlgorithmRef: "bom-ref-to-algorithm"
+ subjectPublicKeyRef: "bom-ref-to-public-key"
+ certificateFormat: "X.509"
+ certificateExtension: "crt"
+ }
+ oid: "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "asset-3"
+ name: "Name here"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_PROTOCOL
+ protocolProperties: {
+ type: CRYPTO_PROTOCOL_TYPE_TLS
+ version: "1.3"
+ cipherSuites: [
+ {
+ name: "TLS_DHE_RSA_WITH_AES_128_CCM"
+ algorithms: [
+ "bom-ref-to-algorithm"
+ ]
+ identifiers: [
+ "0xC0"
+ ]
+ }
+ ]
+ ikev2TransformTypes: {
+ encr: "bom-ref-to-encr"
+ prf: "bom-ref-to-prf"
+ integ: "bom-ref-to-integ"
+ ke: "bom-ref-to-ke"
+ esn: true
+ auth: "bom-ref-to-auth"
+ }
+ cryptoRef: "asset-4"
+ }
+ oid: "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "asset-4"
+ name: "Name here"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL
+ relatedCryptoMaterialProperties: {
+ type: CRYPTO_RELATED_TYPE_PRIVATE_KEY
+ id: "12345"
+ state: CRYPTO_RELATED_STATE_ACTIVE
+ algorithmRef: "bom-ref-to-algorithm"
+ creationDate {
+ seconds: 1704067200
+ nanos: 0
+ }
+ activationDate {
+ seconds: 1704153600
+ nanos: 0
+ }
+ updateDate {
+ seconds: 1704240000
+ nanos: 0
+ }
+ expirationDate {
+ seconds: 1704326400
+ nanos: 0
+ }
+ value: "Value here"
+ size: 1024
+ format: "PEM"
+ securedBy: {
+ mechanism: "HSM"
+ algorithmRef: "bom-ref-to-algorithm"
+ }
+ }
+ oid: "oid:1.2.3.4.5.6.7.8.9"
+ }
+ }
+]
diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.xml b/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.xml
new file mode 100644
index 00000000..25060347
--- /dev/null
+++ b/tools/src/test/resources/1.7/valid-cryptography-full-deprecated-1.7.xml
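Review bot: `spec_version: "1.6"` near the top of this new 1.7 fixture disagrees with its own `# proto-file: schema/bom-1.7.proto` header and with the JSON variant of the same fixture, which declares `"specVersion": "1.7"`; it looks carried over from the 1.6 file. I would change it to `spec_version: "1.7"` so that all serialisations describe the same document. If the test harness picks the schema from the directory name alone, the fixture passes either way, which would also keep the mismatch from being noticed.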
@@ -0,0 +1,119 @@ + + + + + Name here + + algorithm + + ae + 128 + brainpoolP160r1 + software-plain-ram + x86_64 + fips140-1-l4 + gcm + pkcs5 + + keygen + encrypt + decrypt + tag + + 128 + 1 + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + certificate + + Subject name here + Issuer name here + 2022-01-01T00:00:00.000Z + 2024-01-01T00:00:00.000Z + bom-ref-to-algorithm + bom-ref-to-public-key + X.509 + crt + + + tls + 1.3 + + + TLS_DHE_RSA_WITH_AES_128_CCM + + bom-ref-to-algorithm + + + 0xC0 + + + + + bom-ref-to-encr + bom-ref-to-prf + bom-ref-to-integ + bom-ref-to-ke + true + bom-ref-to-auth + + asset-4 + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + protocol + + tls + 1.3 + + + TLS_DHE_RSA_WITH_AES_128_CCM + + bom-ref-to-algorithm + + + 0xC0 + + + + + oid:1.2.3.4.5.6.7.8.9 + + + + Name here + + related-crypto-material + + private-key + 12345 + active + bom-ref-to-algorithm + 2024-01-01T00:00:00.000Z + 2024-01-02T00:00:00.000Z + 2024-01-03T00:00:00.000Z + 2024-01-04T00:00:00.000Z + Value here + 1024 + PEM + + HSM + bom-ref-to-algorithm + + + oid:1.2.3.4.5.6.7.8.9 + + + + From b9423d7755fbf7c9012c4b0c3059bb14df5fd507 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 2 Sep 2025 10:59:27 +0200 Subject: [PATCH 54/54] docs Signed-off-by: Jan Kowalleck --- schema/bom-1.7.xsd | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd index ee11cf31..68ba9b22 100644 --- a/schema/bom-1.7.xsd +++ b/schema/bom-1.7.xsd @@ -7884,6 +7884,9 @@ limitations under the License. Transform Type 1: encryption algorithms + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) @@ -7917,6 +7920,9 @@ limitations under the License. Transform Type 2: pseudorandom functions + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) 
@@ -7943,6 +7949,9 @@ limitations under the License. Transform Type 3: integrity algorithms + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) @@ -7969,6 +7978,9 @@ limitations under the License. Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H) + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.) @@ -8001,6 +8013,9 @@ limitations under the License. IKEv2 Authentication method + + EITHER a detailed description (PREFERRED) + OR a single string representing a "bom:refType" (DEPRECATED This will be removed in a future version.)