diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 72ef5a49..13ac295f 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -5093,6 +5093,7 @@
 "kem",
 "ae",
 "combiner",
+ "key-wrap",
 "other",
 "unknown"
 ],
@@ -5110,6 +5111,7 @@
 "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.",
 "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.",
 "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.",
+ "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.",
 "other": "Another primitive type.",
 "unknown": "The primitive is not known."
 }
@@ -5317,7 +5319,7 @@
 },
 "nistQuantumSecurityLevel": {
 "type": "integer",
- "title": "NIST security strength category",
+ "title": "NIST security strength category.",
 "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.",
 "minimum": 0,
 "maximum": 6
@@ -5327,56 +5329,62 @@
 "certificateProperties": {
 "type": "object",
 "title": "Certificate Properties",
- "description": "Properties for cryptographic assets of asset type 'certificate'",
+ "description": "Properties for cryptographic assets of asset type 'certificate'.",
 "additionalProperties": false,
 "properties": {
+ "serialNumber": {
+ "type": "string",
+ "title": "Serial Number",
+ "description": "The serial number is a unique identifier for the certificate issued by a CA." // TODO: add pattern to validate serial number input - is that the same pattern for the all certificate types?
+ },
 "subjectName": {
 "type": "string",
 "title": "Subject Name",
- "description": "The subject name for the certificate"
+ "description": "The subject name for the certificate."
 },
 "issuerName": {
 "type": "string",
 "title": "Issuer Name",
- "description": "The issuer name for the certificate"
+ "description": "The issuer name for the certificate."
 },
 "notValidBefore": {
 "type": "string",
 "format": "date-time",
 "title": "Not Valid Before",
- "description": "The date and time according to ISO-8601 standard from which the certificate is valid"
+ "description": "The date and time according to ISO-8601 standard from which the certificate is valid."
 },
 "notValidAfter": {
 "type": "string",
 "format": "date-time",
 "title": "Not Valid After",
- "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore"
+ "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore."
 },
 "signatureAlgorithmRef": {
+ "deprecated": true,
 "$ref": "#/definitions/refType",
 "title": "Algorithm Reference",
- "description": "The bom-ref to signature algorithm used by the certificate"
+ "description": "[Deprecated] The bom-ref to signature algorithm used by the certificate."
 },
 "subjectPublicKeyRef": {
+ "deprecated": true,
 "$ref": "#/definitions/refType",
 "title": "Key reference",
- "description": "The bom-ref to the public key of the subject"
+ "description": "[Deprecated] The bom-ref to the public key of the subject."
 },
 "certificateFormat": {
 "type": "string",
 "title": "Certificate Format",
- "description": "The format of the certificate",
+ "description": "The format of the certificate.",
 "examples": [
 "X.509",
- "PEM",
- "DER",
 "CVC"
 ]
 },
 "certificateExtension": {
+ "deprecated": true,
 "type": "string",
 "title": "Certificate File Extension",
- "description": "The file extension of the certificate",
+ "description": "[Deprecated] The file extension of the certificate.",
 "examples": [
 "crt",
 "pem",
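Review bot: The `// TODO: add pattern …` comment appended to the `serialNumber` description line is not valid JSON, so any consumer that loads this schema with a strict parser will reject the whole file before it can validate a BOM. The same applies to the `// TODO: Should we allow adding custom states here too?` line added before `state` in a later hunk, and to the trailing commas the later hunks leave after `meta:enum`, after the two `oneOf` arrays and after each new `relatedCryptographicAssets` entry. I would move the open questions to the pull request and end the line at `"description": "The serial number is a unique identifier for the certificate issued by a CA."`. The `certificateProperties` object opens in this hunk and continues in the next one.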
@@ -5384,7 +5392,206 @@
 "der",
 "p12"
 ]
- }
+ },
+ "certificateFileExtension": {
+ "type": "string",
+ "title": "Certificate File Extension",
+ "description": "The file extension of the certificate.",
+ "examples": [
+ "crt",
+ "pem",
+ "cer",
+ "der",
+ "p12"
+ ]
+ },
+ "fingerprint": {
+ "type": "object",
+ "$ref": "#/definitions/hash",
+ "title": "Certificate Fingerprint",
+ "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature."
+ },
+ "certificateState": {
+ "type": "array",
+ "title": "Certificate Lifecycle State",
+ "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages",
+ "items": {
+ "type": "object",
+ "title": "State",
+ "description": "The state of the certificate.",
+ "oneOf": [
+ {
+ "title": "Pre-Defined State",
+ "required": [
+ "state"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "state": {
+ "type": "string",
+ "title": "State",
+ "description": "A pre-defined state in the certificate lifecycle.",
+ "enum": [
+ "pre-activation",
+ "active",
+ "suspended",
+ "deactivated",
+ "revoked",
+ "destroyed"
+ ],
+ "meta:enum": {
+ "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.",
+ "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.",
+ "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.",
+ "suspended": "The use of a certifacte may be suspended for several possible reasons.",
+ "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.",
+ "destroyed": "The certificate has been destroyed."
+ },
+ },
+ "reason": {
+ "type": "string",
+ "title": "Reason",
+ "description": "A reason for the certificate being in this state."
+ }
+ }
+ },
+ {
+ "title": "Custom State",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "state": {
+ "type": "string",
+ "title": "State",
+ "description": "The name of the certificate lifecycle state."
+ },
+ "description": {
+ "type": "string",
+ "title": "Description",
+ "description": "The description of the certificate lifecycle state."
+ },
+ "reason": {
+ "type": "string",
+ "title": "Reason",
+ "description": "A reason for the certificate being in this state."
+ }
+ }
+ }
+ ],
+ }
+ },
+ "creationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Creation Date",
+ "description": "The date and time (timestamp) when the certificate was created or pre-activated."
+ },
+ "activationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Activation Date",
+ "description": "The date and time (timestamp) when the certificate was activated."
+ },
+ "deactivationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Deactivation Date",
+ "description": "The date and time (timestamp) when the related certificate was deactiviated."
+ },
+ "revokationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Revokation Date",
+ "description": "The date and time (timestamp) when the certificate was revoked."
+ },
+ "destructionDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Destruction Date",
+ "description": "The date and time (timestamp) when the certificate was destroyed."
+ },
+ "certificateExtensions": {
+ "type": "array",
+ "title": "Certificate Extensions",
+ "description": "",
+ "items": {
+ "type": "object",
+ "title": "Extension",
+ "description": "",
+ "oneOf": [
+ {
+ "title": "Common Extensions",
+ "required": [
+ "name",
+ "value"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "name",
+ "description": "The name of the extention.",
+ "enum": [
+ "basicConstraints",
+ "keyUsage",
+ "extendedKeyUsage",
+ "subjectAlternativeName",
+ "authorityKeyIdentifier",
+ "subjectKeyIdentifier",
+ "authorityInformationAccess",
+ "certificatePolicies",
+ "crlDistributionPoints",
+ "signedCertificateTimestamp"
+ ],
+ "meta:enum": {
+ "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.",
+ "keyUsage": "Specifies the allowed uses of the public key in the certificate.",
+ "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.",
+ "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.",
+ "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.",
+ "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.",
+ "authorityInformationAccess": "Contains CA issuers and OCSP information.",
+ "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.",
+ "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.",
+ "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof.",
+ },
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The value of the certificate extension."
+ }
+ }
+ },
+ {
+ "title": "Custom Extensions",
+ "required": [
+ "name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "The name for the custom certificate extension."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The description of the custom certificate extension."
+ }
+ }
+ }
+ ],
+ }
+ },
+ "relatedCryptographicAssets": {
+ "$ref": "#/definitions/relatedCryptographicAssets",
+ "title": "Related Cryptographic Assets",
+ "description": "A list of cryptographic assets related to this component.",
+ },
 }
 },
 "relatedCryptoMaterialProperties": {
@@ -5445,6 +5652,7 @@
 "title": "ID",
 "description": "The optional unique identifier for the related cryptographic material."
 },
+ // TODO: Should we allow adding custom states here too?
 "state": {
 "type": "string",
 "title": "State",
@@ -5459,9 +5667,10 @@
 ]
 },
 "algorithmRef": {
+ "deprecated": true,
 "$ref": "#/definitions/refType",
 "title": "Algorithm Reference",
- "description": "The bom-ref to the algorithm used to generate the related cryptographic material."
+ "description": "[Deprecated] The bom-ref to the algorithm used to generate the related cryptographic material. Use relatedCryptographicAssets instead."
 },
 "creationDate": {
 "type": "string",
@@ -5506,7 +5715,18 @@
 "$ref": "#/definitions/securedBy",
 "title": "Secured By",
 "description": "The mechanism by which the cryptographic asset is secured by."
- }
+ },
+ "fingerprint": {
+ "type": "object",
+ "$ref": "#/definitions/hash",
+ "title": "Fingerprint",
+ "description": "The fingerprint is a cryptographic hash of the asset."
+ },
+ "relatedCryptographicAssets": {
+ "$ref": "#/definitions/relatedCryptographicAssets",
+ "title": "Related Cryptographic Assets",
+ "description": "A list of cryptographic assets related to this component.",
+ },
 }
 },
 "protocolProperties": {
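Review bot: The `Custom State` branch of `certificateState` lists `"required": ["name"]`, yet its `properties` declare `state`, `description` and `reason` under `"additionalProperties": false`, so no object can satisfy that branch and a custom lifecycle state can never be recorded. `certificateExtensions` has the opposite problem: a constructed entry such as `{"name": "keyUsage", "value": "x"}` matches both `Common Extensions` and `Custom Extensions`, and `oneOf` rejects a value that matches more than one branch, so the well-known extensions fail validation. For the first, require `state` (or rename the property to `name`); for the second, use `anyOf` or exclude the enumerated names from the custom `name`. The property name `revokationDate` looks like a misspelling of `revocationDate` and is worth correcting before it becomes part of the format, along with `certifacte`, `deactiviated`, `extention` and `it's signature` in the descriptions.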
@@ -5566,42 +5786,53 @@
 "additionalProperties": false,
 "properties": {
 "encr": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Encryption Algorithm (ENCR)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Enc",
+ "title": "Encryption Algorithms (ENCR)",
 "description": "Transform Type 1: encryption algorithms"
 },
 "prf": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Pseudorandom Function (PRF)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Prf",
+ "title": "Pseudorandom Functions (PRF)",
 "description": "Transform Type 2: pseudorandom functions"
 },
 "integ": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Integrity Algorithm (INTEG)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Integ",
+ "title": "Integrity Algorithms (INTEG)",
 "description": "Transform Type 3: integrity algorithms"
 },
 "ke": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Key Exchange Method (KE)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Ke",
+ "title": "Key Exchange Methods (KE)",
 "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)."
 },
 "esn": {
 "type": "boolean",
- "title": "Extended Sequence Numbers (ESN)",
+ "title": "Extended Sequence Number (ESN)",
 "description": "Specifies if an Extended Sequence Number (ESN) is used."
 },
 "auth": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "IKEv2 Authentication method",
- "description": "IKEv2 Authentication method"
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Auth",
+ "title": "IKEv2 Authentication methods",
+ "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html)."
 }
 }
 },
 "cryptoRefArray": {
+ "deprecated": true,
 "$ref": "#/definitions/cryptoRefArray",
 "title": "Cryptographic References",
- "description": "A list of protocol-related cryptographic assets"
- }
+ "description": "[Deprecated] A list of protocol-related cryptographic assets. Use relatedCryptographicAssets instead."
+ },
+ "relatedCryptographicAssets": {
+ "$ref": "#/definitions/relatedCryptographicAssets",
+ "title": "Related Cryptographic Assets",
+ "description": "A list of cryptographic assets related to this component.",
+ },
 }
 },
 "oid": {
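Review bot: `encr`, `prf`, `integ`, `ke` and `auth` now pair `"type": "array"` with a `$ref` to a definition whose own type is `object` (`ikeV2Enc` and its siblings, added further down in this diff), so the schema does not describe a list of transforms. Depending on the draft the validator follows, the `type` beside `$ref` is either ignored, leaving a single object, or combined with it, leaving nothing that can validate. The list form would be `"type": "array", "items": { "$ref": "#/definitions/ikeV2Enc" }`, and likewise for the other four. These properties previously referenced `cryptoRefArray`, so documents that carry a plain array of bom-refs here will stop validating; that compatibility break is worth stating in the change description.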
@@ -5651,12 +5882,149 @@
 }
 }
 },
- "cryptoRefArray" : {
+ "ikeV2Enc": {
+ "type": "object",
+ "title": "Encryption Algorithm (ENCR)",
+ "description": "Object representing an encryption algorithm (ENCR)",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A name for the encryption method.",
+ "examples": [
+ "ENCR_AES_GCM_16"
+ ]
+ },
+ "keyLength": {
+ "type": "integer",
+ "title": "Encryption algorithm key length",
+ "description": "The key length of the encryption algorithm."
+ },
+ "algorithm": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "ikeV2Prf": {
+ "type": "object",
+ "title": "Pseudorandom Function (PRF)",
+ "description": "Object representing a pseudorandom function (PRF)",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A name for the pseudorandom function.",
+ "examples": [
+ "PRF_HMAC_SHA2_256"
+ ]
+ },
+ "algorithm": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "ikeV2Integ": {
+ "type": "object",
+ "title": "Integrity Algorithm (INTEG)",
+ "description": "Object representing an integrity algorithm (INTEG)",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A name for the integrity algorithm.",
+ "examples": [
+ "AUTH_HMAC_SHA2_256_128"
+ ]
+ },
+ "algorithm": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "ikeV2Ke": {
+ "type": "object",
+ "title": "Key Exchange Method (KE)",
+ "description": "Object representing a key exchange method (KE)",
+ "additionalProperties": false,
+ "properties": {
+ "group": {
+ "type": "integer",
+ "title": "Group Identifier",
+ "description": "A group identifier for the key exchange algorithm."
+ },
+ "algorithm": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "ikeV2Auth": {
+ "type": "object",
+ "title": "IKEv2 Authentication method",
+ "description": "Object representing a IKEv2 Authentication method",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Name",
+ "description": "A name for the authentication method."
+ },
+ "algorithm": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ }
+ },
+ "cryptoRefArray": {
+ "deprecated": true,
 "type": "array",
 "items": {
 "$ref": "#/definitions/refType"
 }
 },
+ "relatedCryptographicAssets": {
+ "type": "array",
+ "title": "Related Cryptographic Assets",
+ "description": "A list of cryptographic assets related to this component.",
+ "items": {
+ "$ref": "#/definitions/relatedCryptographicAsset",
+ "title": "Related Cryptographic Asset"
+ }
+ },
+ "relatedCryptographicAsset": {
+ "type": "object",
+ "title": "Related Cryptographic Asset",
+ "description": "A cryptographic assets related to this component.",
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "Specifies the mechanism by which the cryptographic asset is secured by.",
+ "examples": [
+ "publicKey",
+ "privateKey",
+ "algorithm"
+ ]
+ },
+ "ref": {
+ "$ref": "#/definitions/refType",
+ "title": "Reference to cryptographic asset",
+ "description": "The bom-ref to cryptographic asset."
+ }
+ }
+ },
 "securedBy": {
 "type": "object",
 "title": "Secured By",
@@ -5698,4 +6066,4 @@
 ]
 }
 }
-}
+}
\ No newline at end of file
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
new file mode 100644
index 00000000..c2e6cd4a
--- /dev/null
+++ b/schema/cryptography-defs.json
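Review bot: `relatedCryptographicAsset` and the five `ikeV2*` definitions declare no `required` list, so an empty object `{}` passes validation and a BOM can record a relation or an IKEv2 transform that points at nothing. Adding `"required": ["type", "ref"]` to `relatedCryptographicAsset`, and a lower bound on the `keyLength` and `group` integers, would let the schema reject such entries. The `type` description, `Specifies the mechanism by which the cryptographic asset is secured by.`, reads as if copied from `securedBy`; wording such as `The kind of related asset, for example publicKey, privateKey or algorithm.` would match the examples given.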
@@ -0,0 +1,711 @@
+{
+ "$schema": "http://cyclonedx.org/schema/cryptography-defs.schema.json",
+ "lastUpdated": "2025-03-22T00:00:00Z",
+ "algorithms": [
+ {
+ "family": "RSASSA-PKCS1",
+ "standard": [
+ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"},
+ {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}
+ ],
+ "variant": [
+ {
+ "pattern": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "RSASSA-PSS",
+ "standard": [
+ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"},
+ {"name": "IEEE1363A", "url": "https://doi.org/10.1109/IEEESTD.2004.94612"}
+ ],
+ "variant": [
+ {
+ "pattern": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "RSAES-PKCS1",
+ "standard": [
+ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}
+ ],
+ "variant": [
+ {
+ "pattern": "RSA-PKCS1-1.5-{keyLength}",
+ "primitive": "pke"
+ }
+ ]
+ },
+ {
+ "family": "RSAES-OAEP",
+ "standard": [
+ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}
+ ],
+ "variant": [
+ {
+ "pattern": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}",
+ "primitive": "pke"
+ }
+ ]
+ },
+ {
+ "family": "EdDSA",
+ "standard": [
+ {"name": "RFC8032", "url": "https://doi.org/10.17487/RFC8032"}
+ ],
+ "variant": [
+ {
+ "pattern": "Ed{25519|448}{|ph|ctx}",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "ECDSA",
+ "standard": [
+ {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"},
+ {"name": "X9.62", "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"}
+ ],
+ "variant": [
+ {
+ "pattern": "ECDSA-{curve}-{hash}",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "DSA",
+ "standard": [
+ {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"}
+ ],
+ "variant": [
+ {
+ "pattern": "DSA-{length}-{hash}",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "ECDH",
+ "standard": [
+ {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"},
+ {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"},
+ {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"}
+ ],
+ "variant": [
+ {
+ "pattern": "ECDH{E}-{curve}",
+ "primitive": "key-agree"
+ }
+ ]
+ },
+ {
+ "family": "FFDH",
+ "standard": [
+ {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"},
+ {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"}
+ ],
+ "variant": [
+ {
+ "pattern": "FFDH{E}-{named_group}",
+ "primitive": "key-agree"
+ }
+ ]
+ },
+ {
+ "family": "SHA-1",
+ "standard": [
+ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"}
+ ],
+ "variant": [
+ {
+ "pattern": "SHA-1",
+ "primitive": "hash"
+ }
+ ]
+ },
+ {
+ "family": "SHA-2",
+ "standard": [
+ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"}
+ ],
+ "variant": [
+ {
+ "pattern": "SHA-{224|256|384|512|512/224|512/256}",
+ "primitive": "hash"
+ }
+ ]
+ },
+ {
+ "family": "SHA-3",
+ "standard": [
+ {"name": "FIPS202", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"}
+ {"name": "SP800-185", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"}
+ ],
+ "variant": [
+ {
+ "pattern": "SHA-3-(224|256|384|512)",
+ "primitive": "hash"
+ },
+ {
+ "pattern": "SHAKE(128|256)",
+ "primitive": "xof"
+ },
+ {
+ "pattern": "cSHAKE(128|256)",
+ "primitive": "xof"
+ },
+ {
+ "pattern": "KMAC(128|256)",
+ "primitive": "mac"
+ },
+ {
+ "pattern": "HMACXOF(128|256)",
+ "primitive": "mac"
+ },
+ {
+ "pattern": "TupleHash(128|256)",
+ "primitive": "hash"
+ },
+ {
+ "pattern": "TupleHashXOF(128|256)",
+ "primitive": "xof"
+ },
+ {
+ "pattern": "ParallelHash(128|256)",
+ "primitive": "hash"
+ },
+ {
+ "pattern": "ParallelHashXOF(128|256)",
+ "primitive": "xof"
+ }
+ ]
+ },
+ {
+ "family": "AES",
+ "standard": [
+ {"name": "FIPS197", "url": "https://doi.org/10.6028/NIST.FIPS.197-upd1"},
+ {"name": "SP800-38{A-G}", "url": "https://doi.org/10.6028/NIST.SP.800-38A"},
+ {"name": "RFC 5116", "url": "https://doi.org/10.17487/RFC5116"}
+ ],
+ "variant": [
+ {
+ "pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|64|128)|OFB|CTR|XTS|CTS)-(padding)-(ivlen)",
+ "primitive": "block-cipher"
+ },
+ {
+ "standard": [
+ {"name": "SP800-38D", "url": "https://doi.org/10.6028/NIST.SP.800-38D"},
+ {"name": "RFC 3610", "url": "https://doi.org/10.17487/RFC5116"}
+ ],
+ "pattern": "AES-{128|192|256}-(GCM|CCM)-(taglen)-(ivlen)",
+ "primitive": "ae"
+ },
+ {
+ "standard": [
+ {"name": "RFC5649", "url": "https://doi.org/10.17487/RFC5649"}
+ ],
+ "pattern": "AES-{128|192|256}-Wrap-(PAD|KWP|PKCS7)",
+ "primitive": "key-wrap"
+ },
+ {
+ "pattern": "AES-{128|192|256}-(GMAC|CMAC)",
+ "primitive": "mac"
+ },
+ {
+ "pattern": "AES-{128|192|256}-(XCBC_MAC(_96))",
+ "primitive": "mac"
+ }
+ ]
+ },
+ {
+ "family": "HKDF",
+ "standard": [
+ {"name": "RFC5869", "url": "https://doi.org/10.17487/RFC5869"}
+ ],
+ "variant": [
+ {
+ "pattern": "HKDF-{hash}",
+ "primitive": "kdf"
+ }
+ ]
+ },
+ {
+ "family": "HMAC",
+ "standard": [
+ {"name": "SP800-224", "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd"},
+ {"name": "RFC2104", "url": "https://doi.org/10.17487/RFC2104"}
+ ],
+ "variant": [
+ {
+ "pattern": "HMAC-{hash}-{length}",
+ "primitive": "mac"
+ }
+ ]
+ },
+ {
+ "family": "CMAC",
+ "standard": [
+ {"name": "SP800-38B", "url": "https://doi.org/10.6028/NIST.SP.800-38B"}
+ ],
+ "variant": [
+ {
+ "pattern": "CMAC-{cipher_algorithm}-{length}",
+ "primitive": "mac"
+ }
+ ]
+ },
+ {
+ "family": "KMAC",
+ "standard": [
+ {"name": "SP800-108r1", "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"}
+ ],
+ "variant": [
+ {
+ "pattern": "KMAC-(128|256)",
+ "primitive": "mac"
+ }
+ ]
+ },
+ {
+ "family": "ChaCha",
+ "standard": [
+ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"}
+ ],
+ "variant": [
+ {
+ "pattern": "ChaCha20-{AES|other}",
+ "primitive": "stream-cipher"
+ }
+ ]
+ },
+ {
+ "family": "Poly1305",
+ "standard": [
+ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"}
+ ],
+ "variant": [
+ {
+ "pattern": "Poly1305",
+ "primitive": "mac"
+ }
+ ]
+ },
+ {
+ "family": "ChaCha20",
+ "standard": [
+ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"}
+ ],
+ "variant": [
+ {
+ "pattern": "ChaCha20",
+ "primitive": "stream-cipher"
+ },
+ {
+ "pattern": "ChaCha20-Poly1305",
+ "primitive": "ae"
+ }
+ ]
+ },
+ {
+ "family": "Salsa20",
+ "standard": [
+ {"name": "The Salsa20 Family of Stream Ciphers", "url": "https://doi.org/10.1007/978-3-540-68351-3_8"}
+ ],
+ "variant": [
+ {
+ "pattern": "Salsa20",
+ "primitive": "stream-cipher"
+ },
+ {
+ "pattern": "Salsa20-Poly1305",
+ "primitive": "ae"
+ }
+ ]
+ },
+ {
+ "family": "MD5",
+ "standard": [
+ {"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"}
+ ],
+ "variant": [
+ {
+ "pattern": "MD5",
+ "primitive": "hash"
+ }
+ ]
+ },
+ {
+ "family": "MD4",
+ "standard": [
+ {"name": "RFC1320", "url": "https://doi.org/10.17487/RFC1320"}
+ ],
+ "pattern": "MD4",
+ "primitive": "hash"
+ },
+ {
+ "family": "RC4",
+ "standard": [
+ {"name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", "url": "https://dl.acm.org/doi/book/10.5555/572932"}
+ ],
+ "variant": [
+ {
+ "pattern": "RC4-{length}",
+ "primitive": "stream-cipher"
+ }
+ ]
+ },
+ {
+ "family": "3DES",
+ "standard": [
+ {"name": "RFC1851", "url": "https://doi.org/10.17487/RFC1851"},
+ {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}
+ ],
+ "variant": [
+ {
+ "pattern": "3DES-{length}-{mode}",
+ "primitive": "block-cipher"
+ }
+ ]
+ },
+ {
+ "family": "DES",
+ "standard": [
+ {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"},
+ {"name": "ANSI INCITS 92-1981", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}
+ ],
+ "variant": [
+ {
+ "pattern": "DES-{length}-{mode}",
+ "primitive": "block-cipher"
+ }
+ ]
+ },
+ {
+ "family": "IDEA",
+ "standard": [
+ {"name": "A Proposal for a New Block Encryption Standard", "url": "https://doi.org/10.1007%2F3-540-46877-3_35"}
+ ],
+ "variant": [
+ {
+ "pattern": "IDEA-{mode}",
+ "primitive": "block-cipher"
+ }
+ ]
+ },
+ {
+ "family": "RC2",
+ "standard": [
+ {"name": "RFC2268", "url": "https://doi.org/10.17487/RFC2268"}
+ ],
+ "variant": [
+ {
+ "pattern": "RC2-{length}-{mode}",
+ "primitive": "block-cipher"
+ }
+ ]
+ },
+ {
+ "family": "ML-DSA",
+ "standard": [
+ {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"}
+ ],
+ "variant": [
+ {
+ "pattern": "ML-DSA-(44|65|87)",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "HashML-DSA",
+ "standard": [
+ {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"}
+ ],
+ "variant": [
+ {
+ "pattern": "HashML-DSA-(44|65|87)-(hash)",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "HashSLH-DSA",
+ "standard": [
+ {"name": "FIPS 205", "url": "https://doi.org/10.6028/NIST.FIPS.205"}
+ ],
+ "variant": [
+ {
+ "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "XMSS",
+ "standard": [
+ {"name": "SP800-208", "url": "https://doi.org/10.6028/NIST.SP.800-208"},
+ {"name": "RFC8391", "url": "https://doi.org/10.17487/RFC8391"}
+ ],
+ "variant": [
+ {
+ "pattern": "XMSS-(SHA2|SHAKE)_(h)_(nbits)",
+ "primitive": "signature"
+ },
+ {
+ "pattern": "XMSSMT-(SHA2|SHAKE)_(h)/(d)_(nbits)",
+ "primitive": "signature"
+ },
+ {
+ "pattern": "WOTSP-(SHA2|SHAKE)_(nbits)",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "LMS",
+ "standard": [
+ {"name": "SP800-208", "url": "https://doi.org/10.6028/NIST.SP.800-208"},
+ {"name": "RFC8554", "url": "https://doi.org/10.17487/RFC8554"}
+ ],
+ "variant": [
+ {
+ "pattern": "LMS_(hashfun)_M(bytespernode)_H(treeheight)",
+ "primitive": "signature"
+ },
+ {
+ "pattern": "LMOTS_(hashfun)_N(bytespernode)_H(treeheight)",
+ "primitive": "signature"
+ }
+ ]
+ },
+ {
+ "family": "ML-KEM",
+ "standard": [
+ {"name": "FIPS 203", "url": "https://doi.org/10.6028/NIST.FIPS.203"}
+ ],
+ "variant": [
+ {
+ "pattern": "ML-KEM-(512|768|1024)",
+ "primitive": "kem"
+ }
+ ]
+ },
+ {
+ "family": "IKE-PRF",
+ "standard": [
+ {"name": "RFC2409", "url": "https://doi.org/10.17487/RFC2409"},
+ {"name": "RFC5996", "url": "https://doi.org/10.17487/RFC5996"}
+ ],
+ "variant": [
+ {
+ "pattern": "IKE_PRF_DERIVE",
+ "primitive": "key-agree"
+ },
+ {
+ "pattern": "IKE1_(PRF|Extended)_DERIVE",
+ "primitive": "key-agree"
+ },
+ {
+ "pattern": "IKE2_PRF_PLUS_DERIVE",
+ "primitive": "key-agree"
+ }
+ ]
+ },
+ {
+ "family": "GOST",
+ "variant": [
+ {
+ "standard": [
+ {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
+ ],
+ "pattern": "GOSTR3410",
+ "primitive": "signature"
+ },
+ {
+ "standard": [
+ {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
+ ],
+ "pattern": "GOSTR3411",
+ "primitive": "hash"
+ },
+ {
+ "standard": [
+ {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
+ ],
+ "pattern": "GOSTR3411_HMAC",
+ "primitive": "mac"
+ },
+ {
+ "standard": [
+ {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
+ ],
+ "pattern": "GOST38147-(mode)-(padding)",
+ "primitive": "block-cipher"
+ },
+ {
+ "standard": [
+ {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
+ ],
+ "pattern": "GOST38147_MAC",
+ "primitive": "mac"
+ }
+ ]
+ },
+ {
+ "family": "SEED",
+ "standard": [
+ {"name": "RFC4269", "url": "https://doi.org/10.17487/RFC4269"},
+ {"name": "RFC5669", "url": "https://doi.org/10.17487/RFC5669"}
+ ],
+ "variant": [
+ {
+ "pattern": "SEED-128-(mode)-(padding)",
+ "primitive": "block-cipher"
+ },
+ {
+ "pattern": "SEED-128-(mode)-(padding)-HMAC-(hash)-length",
+ "primitive": "ae"
+ },
+ {
+ "pattern": "SEED-128-(CCM|GCM)",
+ "primitive": "ae"
+ }
+ ]
+ },
+ {
+ "family": "ARIA",
+ "standard": [
+ {"name": "RFC5794", "url": "https://doi.org/10.17487/RFC5794"}
+ ],
+ "variant": [
+ {
+ "pattern": "ARIA-(128|192|256)-(mode)-(padding)",
+ "primitive": "block-cipher"
+ },
+ {
+ "pattern": "ARIA-(128|192|256)-(authmode)-(padding)",
+ "primitive": "ae"
+ }
+ ]
+ },
+ {
+ "family": "CAMELLIA",
+ "standard": [
+ {"name": "RFC3713", "url": "https://doi.org/10.17487/RFC3713"}
+ ],
+ "variant": [
+ {
+ "pattern": "CAMELLIA-(128|192|256)-(mode)-(padding)",
+ "primitive": "block-cipher"
+ },
+ {
+ "pattern": "CAMELLIA-(128|192|256)-(authmode)-(padding)",
+ "primitive": "ae"
+ }
+ ]
+ },
+ {
+ "family": "Twofish",
+ "standard": [
+ {"name": "Twofish: A 128-Bit Block Cipher", "url": "https://www.schneier.com/academic/twofish/"}
+ ],
+ "variant": [
+ {
+ "pattern": "Twofish-(128|192|256)-(mode)-(padding)",
+ "primitive": "block-cipher"
+ }
+ ]
+ },
+ {
+ "family": "Blowfish",
+ "standard": [
+ {"name": "Description of a new variable-length key, 64-bit block cipher (Blowfish)", "url": "https://doi.org/10.1007/3-540-58108-1_24"}
+ ],
+ "variant": [
+ {
+ "pattern": "Blowfish-(keylength)-(mode)-(padding)",
+ "primitive": "block-cipher"
+ }
+ ]
+ },
+ {
+ "family": "SP800-108",
+ "standard": [
+ {"name": "SP800-108", "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"}
+ ],
+ "variant": [
+ {
+ "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF)-(prf-function)-(dkmlength)",
+ "primitive": "key-derive"
+ }
+ ]
+ },
+ {
+ "family": "PKCS12-PBEA",
+ "variant": [
+ {
+ "pattern": "SHA1-PBE-(2|3)K-3DES-CBC",
+ "primitive": "block-cipher"
+ },
+ {
+ "pattern": "SHA1-PBA-SHA1-HMAC",
+ "primitive": "mac"
+ }
+ ]
+ },
+ {
+ "family": "PKCS5-PBE",
+ "variant": [
+ {
+ "pattern": "SHA1-PBE-DES(2|3)-EDE-CBC",
+ "primitive": "block-cipher"
+ },
+ {
+ "pattern": "SHA1-PBA-SHA1-HMAC",
+ "primitive": "mac"
+ },
+ {
+ "pattern": "(hash)-PBE-(block_cipher)",
+ "primitive": "block-cipher"
+ },
+ {
+ "pattern": "PBKDF2",
+ "primitive": "key-derive"
+ }
+ ]
+ },
+ {
+ "family": "BLAKE2b",
+ "standard": [
+ {"name": "RFC7693", "url": "https://doi.org/10.17487/RFC7693"}
+ ],
+ "variant": [
+ {
+ "pattern": "BLAKE2b-(160|256|384|512)",
+ "primitive": "hash"
+ },
+ {
+ "pattern": "BLAKE2b-(160|256|384|512)-HMAC",
+ "primitive": "mac"
+ }
+ ]
+ },
+ {
+ "family": "X3DH",
+ "standard": [
+ {"name": "The X3DH Key Agreement Protocol", "url": "https://signal.org/docs/specifications/x3dh/"}
+ ],
+ "variant": [
+ {
+ "pattern": "X3DH-(hash)",
+ "primitive": "key-agree"
+ }
+ ]
+ }
+ ]
+}
diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json
new file mode 100644
index 00000000..d6f7b623
--- /dev/null
+++ b/schema/cryptography-defs.schema.json
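Review bot: The `SHA-3` entry has no comma between its two `standard` objects (`{"name": "FIPS202", …}` is followed directly by `{"name": "SP800-185", …}`), so the file does not parse as JSON and nothing in it can be consumed. The `MD4` entry places `pattern` and `primitive` on the family object instead of inside a `variant` array, which the schema added in this same diff rejects (`variant` is required and `additionalProperties` is false). Several references look mismatched and should be checked against the sources: `SP800-185` and `ANSI INCITS 92-1981` reuse the URL of the entry listed before them, and `RFC 3610` links to RFC5116. The key-derivation primitive is spelled `kdf` for HKDF but `key-derive` for SP800-108 and PBKDF2, and placeholders alternate between `{}` and `()`, so tools that match on these strings will classify algorithms inconsistently.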
@@ -0,0 +1,117 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json",
+ "title": "Cryptographic Algorithm Family Definitions",
+ "description": "Enumerates cryptographic algorithm families and their specific metadata.",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "$schema": {
+ "type": "string"
+ },
+ "lastUpdated": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Last Updated",
+ "description": "The date and time (timestamp) when the data was last updated."
+ },
+ "algorithms": {
+ "type": "array",
+ "title": "Algorithm Families",
+ "description": "An array of cryptographic algorithm family definitions.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Algorithm Family",
+ "description": "Defines a cryptographic algorithm family and its metadata.",
+ "additionalProperties": false,
+ "properties": {
+ "family": {
+ "type": "string",
+ "title": "Algorithm Family",
+ "description": "The name of the cryptographic algorithm family."
+ },
+ "standard": {
+ "type": "array",
+ "title": "Standards",
+ "description": "List of standards defining or relating to the algorithm family.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Standard Reference",
+ "description": "Reference to a standard, including its name and URL.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Standard Name",
+ "description": "The name or identifier of the standard."
+ },
+ "url": {
+ "type": "string",
+ "format": "iri",
+ "title": "Standard URL",
+ "description": "A URL pointing to the standard's official documentation."
+ }
+ },
+ "required": ["name", "url"]
+ }
+ },
+ "variant": {
+ "type": "array",
+ "title": "Variants",
+ "description": "Defines algorithm variants by a naming pattern and the corrsponding cryptographic primitive.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Standard Reference",
+ "description": "Reference to a standard, including its name and URL.",
+ "additionalProperties": false,
+ "properties": {
+ "pattern": {
+ "type": "string",
+ "title": "Standard Name",
+ "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties."
+ },
+ "primitive": {
+ "type": "string",
+ "title": "Primitive",
+ "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)."
+ },
+ "standard": {
+ "type": "array",
+ "title": "Standards",
+ "description": "List of standards defining or relating to the algorithm variant.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Standard Reference",
+ "description": "Reference to a standard, including its name and URL.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Standard Name",
+ "description": "The name or identifier of the standard."
+ },
+ "url": {
+ "type": "string",
+ "format": "iri",
+ "title": "Standard URL",
+ "description": "A URL pointing to the standard's official documentation."
+ }
+ },
+ "required": ["name", "url"]
+ }
+ }
+ },
+ "required": ["pattern", "primitive"]
+ }
+ }
+ },
+ "required": ["family", "variant"]
+ }
+ }
+ },
+ "required": ["lastUpdated", "algorithms"]
+}
\ No newline at end of file
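Review bot: `primitive` is declared as a free `string`, so this schema cannot catch a misspelt or inconsistent primitive in the definitions file, such as `key-derive` appearing alongside `kdf`. Constraining it with an `enum` that mirrors the primitive list in the BOM schema would keep the two files in step. The `variant` item and its `pattern` property still carry the title and description of the standard reference (`Standard Reference`, `Standard Name`); `Variant` and `Pattern`, with descriptions to match, would say what they are. `additionalItems` has no effect when `items` is a single schema, so the four `"additionalItems": false` lines add no constraint and can be dropped.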