From 165669016cb2f8bdd91d410e7d560e0985be37ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Thu, 20 Mar 2025 15:09:57 +0100 Subject: [PATCH 01/11] add certificate extensions, rename certificateExtensions to certificateFileExtensions, fix relatedCryptographicAssets, add reason for certificate lifecycle MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Nicklas Körtge --- schema/bom-1.7.schema.json | 295 ++++++++++++++++++++++++++++++++++--- 1 file changed, 276 insertions(+), 19 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 72ef5a49..9257255d 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5317,7 +5317,7 @@ }, "nistQuantumSecurityLevel": { "type": "integer", - "title": "NIST security strength category", + "title": "NIST security strength category.", "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.", "minimum": 0, "maximum": 6 
@@ -5327,56 +5327,62 @@ "certificateProperties": { "type": "object", "title": "Certificate Properties", - "description": "Properties for cryptographic assets of asset type 'certificate'", + "description": "Properties for cryptographic assets of asset type 'certificate'.", "additionalProperties": false, "properties": { + "serialNumber": { + "type": "string", + "title": "Serial Number", + "description": "The serial number is a unique identifier for the certificate issued by a CA." // TODO: add pattern to validate serial number input - is that the same pattern for the all certificate types? + }, "subjectName": { "type": "string", "title": "Subject Name", - "description": "The subject name for the certificate" + "description": "The subject name for the certificate." }, "issuerName": { "type": "string", "title": "Issuer Name", - "description": "The issuer name for the certificate" + "description": "The issuer name for the certificate." }, "notValidBefore": { "type": "string", "format": "date-time", "title": "Not Valid Before", - "description": "The date and time according to ISO-8601 standard from which the certificate is valid" + "description": "The date and time according to ISO-8601 standard from which the certificate is valid." }, "notValidAfter": { "type": "string", "format": "date-time", "title": "Not Valid After", - "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore" + "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore." }, "signatureAlgorithmRef": { + "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "The bom-ref to signature algorithm used by the certificate" + "description": "[Deprecated] The bom-ref to signature algorithm used by the certificate." 
}, "subjectPublicKeyRef": { + "deprecated": true, "$ref": "#/definitions/refType", "title": "Key reference", - "description": "The bom-ref to the public key of the subject" + "description": "[Deprecated] The bom-ref to the public key of the subject." }, "certificateFormat": { "type": "string", "title": "Certificate Format", - "description": "The format of the certificate", + "description": "The format of the certificate.", "examples": [ "X.509", - "PEM", - "DER", "CVC" ] }, "certificateExtension": { + "deprecated": true, "type": "string", "title": "Certificate File Extension", - "description": "The file extension of the certificate", + "description": "[Deprecated] The file extension of the certificate.", "examples": [ "crt", "pem", 
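Review bot: The `// TODO: add pattern to validate serial number input …` text after the `serialNumber` description is a comment, which strict JSON does not allow, so the schema file no longer parses and every validator that loads it fails before it checks a single BOM. The same applies to the `// TODO: Should we allow adding custom states here too?` line in the `@@ -5445,6 +5650,7 @@` hunk, and the hunks at `-5384`, `-5506` and `-5598` add trailing commas (after the `meta:enum` objects, after the `oneOf` arrays and after the `relatedCryptographicAssets` descriptions) with the same effect. I would drop the comments or carry them as a keyword, e.g. `"$comment": "TODO: add a pattern for serial numbers"`, and remove the trailing commas. `certificateProperties` starts before this hunk and continues past it.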
@@ -5384,7 +5390,206 @@ "der", "p12" ] - } + }, + "certificateFileExtension": { + "type": "string", + "title": "Certificate File Extension", + "description": "The file extension of the certificate.", + "examples": [ + "crt", + "pem", + "cer", + "der", + "p12" + ] + }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Certificate Fingerprint", + "description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature." + }, + "certificateState": { + "type": "array", + "title": "Certificate Lifecycle State", + "description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages", + "items": { + "type": "object", + "title": "State", + "description": "The state of the certificate.", + "oneOf": [ + { + "title": "Pre-Defined State", + "required": [ + "state" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "A pre-defined state in the certificate lifecycle.", + "enum": [ + "pre-activation", + "active", + "suspended", + "deactivated", + "revoked", + "destroyed" + ], + "meta:enum": { + "pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.", + "active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.", + "deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.", + "suspended": "The use of a certifacte may be suspended for several possible reasons.", + "revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration 
date.", + "destroyed": "The certificate has been destroyed." + }, + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + }, + { + "title": "Custom State", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "state": { + "type": "string", + "title": "State", + "description": "The name of the certificate lifecycle state." + }, + "description": { + "type": "string", + "title": "Description", + "description": "The description of the certificate lifecycle state." + }, + "reason": { + "type": "string", + "title": "Reason", + "description": "A reason for the certificate being in this state." + } + } + } + ], + } + }, + "creationDate": { + "type": "string", + "format": "date-time", + "title": "Creation Date", + "description": "The date and time (timestamp) when the certificate was created or pre-activated." + }, + "activationDate": { + "type": "string", + "format": "date-time", + "title": "Activation Date", + "description": "The date and time (timestamp) when the certificate was activated." + }, + "deactivationDate": { + "type": "string", + "format": "date-time", + "title": "Deactivation Date", + "description": "The date and time (timestamp) when the related certificate was deactiviated." + }, + "revokationDate": { + "type": "string", + "format": "date-time", + "title": "Revokation Date", + "description": "The date and time (timestamp) when the certificate was revoked." + }, + "destructionDate": { + "type": "string", + "format": "date-time", + "title": "Destruction Date", + "description": "The date and time (timestamp) when the certificate was destroyed." 
+ }, + "certificateExtensions": { + "type": "array", + "title": "Certificate Extensions", + "description": "", + "items": { + "type": "object", + "title": "Extension", + "description": "", + "oneOf": [ + { + "title": "Common Extensions", + "required": [ + "name", + "value" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "name", + "description": "The name of the extention.", + "enum": [ + "basicConstraints", + "keyUsage", + "extendedKeyUsage", + "subjectAlternativeName", + "authorityKeyIdentifier", + "subjectKeyIdentifier", + "authorityInformationAccess", + "certificatePolicies", + "crlDistributionPoints", + "signedCertificateTimestamp" + ], + "meta:enum": { + "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.", + "keyUsage": "Specifies the allowed uses of the public key in the certificate.", + "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.", + "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.", + "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.", + "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.", + "authorityInformationAccess": "Contains CA issuers and OCSP information.", + "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.", + "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.", + "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof.", + }, + }, + "value": { + "type": "string", + "title": "Value", + "description": "The value of the certificate extension." 
+ } + } + }, + { + "title": "Custom Extensions", + "required": [ + "name" + ], + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "The name for the custom certificate extension." + }, + "value": { + "type": "string", + "title": "Value", + "description": "The description of the custom certificate extension." + } + } + } + ], + } + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + }, } }, "relatedCryptoMaterialProperties": { @@ -5445,6 +5650,7 @@ "title": "ID", "description": "The optional unique identifier for the related cryptographic material." }, + // TODO: Should we allow adding custom states here too? "state": { "type": "string", "title": "State", @@ -5459,9 +5665,10 @@ ] }, "algorithmRef": { + "deprecated": true, "$ref": "#/definitions/refType", "title": "Algorithm Reference", - "description": "The bom-ref to the algorithm used to generate the related cryptographic material." + "description": "[Deprecated] The bom-ref to the algorithm used to generate the related cryptographic material. Use relatedCryptographicAssets instead." }, "creationDate": { "type": "string", @@ -5506,7 +5713,18 @@ "$ref": "#/definitions/securedBy", "title": "Secured By", "description": "The mechanism by which the cryptographic asset is secured by." - } + }, + "fingerprint": { + "type": "object", + "$ref": "#/definitions/hash", + "title": "Fingerprint", + "description": "The fingerprint is a cryptographic hash of the asset." + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + }, } }, "protocolProperties": { 
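Review bot: Two of the new `oneOf` groups in the `@@ -5384,7 +5390,206 @@` hunk cannot accept the instances they are written for. In `certificateState`, the "Custom State" branch has `"required": ["name"]` but declares only `state`, `description` and `reason` under `"additionalProperties": false`, so no object can satisfy it; in `certificateExtensions`, any object valid against "Common Extensions" (enum `name` plus `value`) is also valid against "Custom Extensions" (any string `name`, optional `value`), so `oneOf` rejects every common extension such as `keyUsage` or `basicConstraints`. I would change the custom state to `"required": ["state"]` and use `"anyOf"` in both places, or exclude the enum values from the custom branches with `not`. Separately, the property key `revokationDate` is misspelled and becomes part of the format once released; `revocationDate` would match the `revoked` state name. The `fingerprint` description says the hash excludes the signature, whereas certificate fingerprints are conventionally taken over the whole encoded certificate, so it is worth confirming which is intended so that values can be compared with other tools.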
@@ -5598,10 +5816,16 @@ } }, "cryptoRefArray": { + "deprecated": true, "$ref": "#/definitions/cryptoRefArray", "title": "Cryptographic References", - "description": "A list of protocol-related cryptographic assets" - } + "description": "[Deprecated] A list of protocol-related cryptographic assets. Use relatedCryptographicAssets instead." + }, + "relatedCryptographicAssets": { + "$ref": "#/definitions/relatedCryptographicAssets", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + }, } }, "oid": { @@ -5651,12 +5875,45 @@ } } }, - "cryptoRefArray" : { + "cryptoRefArray": { + "deprecated": true, "type": "array", "items": { "$ref": "#/definitions/refType" } }, + "relatedCryptographicAssets": { + "type": "array", + "title": "Related Cryptographic Assets", + "description": "A list of cryptographic assets related to this component.", + "items": { + "$ref": "#/definitions/relatedCryptographicAsset", + "title": "Related Cryptographic Asset" + } + }, + "relatedCryptographicAsset": { + "type": "object", + "title": "Related Cryptographic Asset", + "description": "A cryptographic assets related to this component.", + "additionalProperties": false, + "properties": { + "type": { + "type": "string", + "title": "Type", + "description": "Specifies the mechanism by which the cryptographic asset is secured by.", + "examples": [ + "publicKey", + "privateKey", + "algorithm" + ] + }, + "ref": { + "$ref": "#/definitions/refType", + "title": "Reference to cryptographic asset", + "description": "The bom-ref to cryptographic asset." + } + } + }, "securedBy": { "type": "object", "title": "Secured By", @@ -5698,4 +5955,4 @@ ] } } -} +} \ No newline at end of file From 76745f22c352e21f7b62abe50379a207269018e2 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Fri, 21 Mar 2025 22:07:39 -0500 Subject: [PATCH 02/11] Initial checkin of algorithm family support. 
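Review bot: In the `@@ -5651,12 +5875,45 @@` hunk, `relatedCryptographicAsset` lists no `required` properties, so an empty object `{}` validates and a BOM can carry a relation that names neither a type nor a target. I would add `"required": ["type", "ref"]` to the definition. The `type` description, "Specifies the mechanism by which the cryptographic asset is secured by.", reads as copied from `securedBy`; something like `"description": "The kind of related asset, e.g. publicKey, privateKey or algorithm."` fits the examples. If the set of types is meant to be closed, an `enum` instead of `examples` would keep producers from inventing spellings that consumers cannot match.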
Signed-off-by: Steve Springett --- schema/cryptography-defs.json | 92 ++++++++++++++++++++++++++++ schema/cryptography-defs.schema.json | 76 +++++++++++++++++++++++ 2 files changed, 168 insertions(+) create mode 100644 schema/cryptography-defs.json create mode 100644 schema/cryptography-defs.schema.json diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json new file mode 100644 index 00000000..b466767f --- /dev/null +++ b/schema/cryptography-defs.json 
@@ -0,0 +1,92 @@ +{ + "$schema": "http://cyclonedx.org/schema/cryptography-defs.schema.json", + "lastUpdated": "2025-03-22T00:00:00Z", + "algorithms": [ + { + "family": "RSASSA-PKCS1", + "standard": [ + {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"}, + {"name": "IEEE1363", "url": "https://standards.ieee.org/ieee/1363/"} + ], + "variant": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", + "primitive": "signature" + }, + { + "family": "RSASSA-PSS", + "standard": [ + {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"}, + {"name": "IEEE1363A", "url": "https://standards.ieee.org/ieee/1363a/"} + ], + "variant": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", + "primitive": "signature" + }, + { + "family": "RSAES-PKCS1", + "standard": [ + {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"} + ], + "variant": "RSA-PKCS1-1.5-{keyLength}", + "primitive": "pke" + }, + { + "family": "RSAES-OAEP", + "standard": [ + {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"} + ], + "variant": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", + "primitive": "pke" + }, + { + "family": "EdDSA", + "standard": [ + {"name": "RFC8032", "url": "https://datatracker.ietf.org/doc/html/rfc8032"} + ], + "variant": "Ed{25519|448}{|ph|ctx}", + "primitive": "signature" + }, + { + "family": "ECDSA", + "standard": [ + {"name": "FIPS186-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf"}, + {"name": "X9.62", "url": "https://x9.org/standards/x9-62/"} + ], + "variant": "ECDSA-{curve}-{hash}", + "primitive": "signature" + }, + { + "family": "ECDH", + "standard": [ + {"name": "SP800-56A", "url": "https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final"}, + {"name": "IEEE1363", "url": "https://standards.ieee.org/ieee/1363/"}, + {"name": "X9.63", "url": "https://x9.org/standards/x9-63/"} + ], + "variant": "ECDH-{curve}", + "primitive": "key-agree" + }, + { + "family": 
"FFDH", + "standard": [ + {"name": "RFC7919", "url": "https://datatracker.ietf.org/doc/html/rfc7919"}, + {"name": "SP800-56A", "url": "https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final"} + ], + "variant": "FFDH-{named_group}", + "primitive": "key-agree" + }, + { + "family": "SHA-1", + "standard": [ + {"name": "FIPS180-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"} + ], + "variant": "SHA-1", + "primitive": "hash" + }, + { + "family": "SHA-2", + "standard": [ + {"name": "FIPS180-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"} + ], + "variant": "SHA-{224|256|384|512|512/224|512/256}", + "primitive": "hash" + } + ] +} \ No newline at end of file diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json new file mode 100644 index 00000000..7c6aeedb --- /dev/null +++ b/schema/cryptography-defs.schema.json 
@@ -0,0 +1,76 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json", + "title": "Cryptographic Algorithm Family Definitions", + "description": "Enumerates cryptographic algorithm families and their specific metadata.", + "type": "object", + "additionalProperties": false, + "properties": { + "$schema": { + "type": "string" + }, + "lastUpdated": { + "type": "string", + "format": "date-time", + "title": "Last Updated", + "description": "The date and time (timestamp) when the data was last updated." + }, + "algorithms": { + "type": "array", + "title": "Algorithm Families", + "description": "An array of cryptographic algorithm family definitions.", + "additionalItems": false, + "items": { + "type": "object", + "title": "Algorithm Family", + "description": "Defines a cryptographic algorithm family and its metadata.", + "additionalProperties": false, + "properties": { + "family": { + "type": "string", + "title": "Algorithm Family", + "description": "The name of the cryptographic algorithm family." + }, + "standard": { + "type": "array", + "title": "Standards", + "description": "List of standards defining or relating to the algorithm family.", + "additionalItems": false, + "items": { + "type": "object", + "title": "Standard Reference", + "description": "Reference to a standard, including its name and URL.", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Standard Name", + "description": "The name or identifier of the standard." + }, + "url": { + "type": "string", + "format": "iri", + "title": "Standard URL", + "description": "A URL pointing to the standard's official documentation." + } + }, + "required": ["name", "url"] + } + }, + "variant": { + "type": "string", + "title": "Variant", + "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties." 
+ }, + "primitive": { + "type": "string", + "title": "Primitive", + "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)." + } + }, + "required": ["family", "variant", "primitive"] + } + } + }, + "required": ["lastUpdated", "algorithms"] +} \ No newline at end of file From 02d4ff04580c27e25db41568c2e7169a6b62d374 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 27 Mar 2025 13:34:26 +0100 Subject: [PATCH 03/11] Extending the ikev2TransformTypes property Signed-off-by: Basil Hess --- schema/bom-1.6.schema.json | 158 ++++++++++++++++++++++++++++++++++--- 1 file changed, 146 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 2c3917a4..65824574 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
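Review bot: `primitive` is declared as an unconstrained string, and its description gives `encryption` as an example while the data file added in this patch uses `pke` and `key-agree`, so the schema neither documents nor enforces the values consumers have to match on. An enum built from the values in cryptography-defs.json, `"enum": ["signature", "pke", "key-agree", "hash"]`, would fix that (if the bom schema already has a primitive enum, reuse its spellings). `"additionalItems": false` has no effect in draft-07 when `items` is a single schema, so both occurrences can be dropped. The `variant` description should also state the placeholder grammar the data relies on, such as the `{a|b}` alternation in `Ed{25519|448}{|ph|ctx}`, and the data would be easier to consume with one digest placeholder name instead of `{digestAlgorithm}`, `{hashAlgorithm}` and `{hash}`. Note too that the RSASSA-PKCS1 and RSAES-PKCS1 variants both start with `RSA-PKCS1-1.5-`, so a signature name and an encryption name differ only by the digest segment.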
@@ -5564,34 +5564,39 @@
 "additionalProperties": false,
 "properties": {
 "encr": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Encryption Algorithm (ENCR)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Enc",
+ "title": "Encryption Algorithms (ENCR)",
 "description": "Transform Type 1: encryption algorithms"
 },
 "prf": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Pseudorandom Function (PRF)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Prf",
+ "title": "Pseudorandom Functions (PRF)",
 "description": "Transform Type 2: pseudorandom functions"
 },
 "integ": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Integrity Algorithm (INTEG)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Integ",
+ "title": "Integrity Algorithms (INTEG)",
 "description": "Transform Type 3: integrity algorithms"
 },
 "ke": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Key Exchange Method (KE)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Ke",
+ "title": "Key Exchange Methods (KE)",
 "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)."
 },
 "esn": {
 "type": "boolean",
- "title": "Extended Sequence Numbers (ESN)",
+ "title": "Extended Sequence Number (ESN)",
 "description": "Specifies if an Extended Sequence Number (ESN) is used."
 },
 "auth": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "IKEv2 Authentication method",
- "description": "IKEv2 Authentication method"
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Auth",
+ "title": "IKEv2 Authentication methods",
+ "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html)."
 }
 }
 },
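Review bot: In `encr`, `prf`, `integ`, `ke` and `auth`, `"type": "array"` sits next to a `$ref` to a definition that is itself `"type": "object"` (`ikeV2Enc` and its siblings in the next hunk), so the property is never validated as an array of those objects. Under draft-07 the siblings of `$ref` are ignored and a single object is accepted; under 2019-09 or later both constraints apply and nothing validates. The reference belongs under `items`: `"type": "array", "items": { "$ref": "#/definitions/ikeV2Enc" }`, and likewise for the other four. The identical lines return for bom-1.7.schema.json in PATCH 05 (`@@ -5784,34 +5784,39 @@`).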
@@ -5649,6 +5654,135 @@ } } }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the cipher suite.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the pseudorandom function.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing a Integrity Algorithm (INTEG)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the Integrity Algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the Integrity Algorithm.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a Key Exchange Method (KE)", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the Key exchange algorithm." + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the Key Exchange Method.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the Authentication method." + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the IKEv2 Authentication method.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + } + }, "cryptoRefArray" : { "type": "array", "items": { From dd166549a706117fe39e2e65769987bf030a4eb4 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 27 Mar 2025 14:26:05 +0100 Subject: [PATCH 04/11] Revert "Extending the ikev2TransformTypes property" This reverts commit 02d4ff04580c27e25db41568c2e7169a6b62d374. --- schema/bom-1.6.schema.json | 158 +++---------------------------------- 1 file changed, 12 insertions(+), 146 deletions(-) diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index 65824574..2c3917a4 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json 
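Review bot: None of the new definitions `ikeV2Enc`, `ikeV2Prf`, `ikeV2Integ`, `ikeV2Ke` and `ikeV2Auth` has a `required` list, so `{}` is a valid transform entry and a BOM can claim an IKEv2 transform without naming it. I would add `"required": ["name"]` (`["group"]` for `ikeV2Ke`) and bound the integers, e.g. `"minimum": 1` on `keyLength` with the unit stated in its description and `"minimum": 0` on `group`. The `algorithms` description in `ikeV2Enc` says "related to the cipher suite", which looks copied from another definition; "related to the encryption algorithm" would match the wording of the other four. The same definitions are added to bom-1.7.schema.json in PATCH 05 (`@@ -5875,6 +5880,135 @@`).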
@@ -5564,39 +5564,34 @@
 "additionalProperties": false,
 "properties": {
 "encr": {
- "type": "array",
- "$ref": "#/definitions/ikeV2Enc",
- "title": "Encryption Algorithms (ENCR)",
+ "$ref": "#/definitions/cryptoRefArray",
+ "title": "Encryption Algorithm (ENCR)",
 "description": "Transform Type 1: encryption algorithms"
 },
 "prf": {
- "type": "array",
- "$ref": "#/definitions/ikeV2Prf",
- "title": "Pseudorandom Functions (PRF)",
+ "$ref": "#/definitions/cryptoRefArray",
+ "title": "Pseudorandom Function (PRF)",
 "description": "Transform Type 2: pseudorandom functions"
 },
 "integ": {
- "type": "array",
- "$ref": "#/definitions/ikeV2Integ",
- "title": "Integrity Algorithms (INTEG)",
+ "$ref": "#/definitions/cryptoRefArray",
+ "title": "Integrity Algorithm (INTEG)",
 "description": "Transform Type 3: integrity algorithms"
 },
 "ke": {
- "type": "array",
- "$ref": "#/definitions/ikeV2Ke",
- "title": "Key Exchange Methods (KE)",
+ "$ref": "#/definitions/cryptoRefArray",
+ "title": "Key Exchange Method (KE)",
 "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)."
 },
 "esn": {
 "type": "boolean",
- "title": "Extended Sequence Number (ESN)",
+ "title": "Extended Sequence Numbers (ESN)",
 "description": "Specifies if an Extended Sequence Number (ESN) is used."
 },
 "auth": {
- "type": "array",
- "$ref": "#/definitions/ikeV2Auth",
- "title": "IKEv2 Authentication methods",
- "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html)."
+ "$ref": "#/definitions/cryptoRefArray",
+ "title": "IKEv2 Authentication method",
+ "description": "IKEv2 Authentication method"
 }
 }
 },
@@ -5654,135 +5649,6 @@ } } }, - "ikeV2Enc": { - "type": "object", - "title": "Encryption Algorithm (ENCR)", - "description": "Object representing an encryption algorithm (ENCR)", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the encryption method.", - "examples": [ - "ENCR_AES_GCM_16" - ] - }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the cipher suite.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } - }, - "keyLength": { - "type": "integer", - "title": "Encryption algorithm key length", - "description": "The key length of the encryption algorithm." - } - } - }, - "ikeV2Prf": { - "type": "object", - "title": "Pseudorandom Function (PRF)", - "description": "Object representing a pseudorandom function (PRF)", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the pseudorandom function.", - "examples": [ - "PRF_HMAC_SHA2_256" - ] - }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the pseudorandom function.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
- } - } - } - }, - "ikeV2Integ": { - "type": "object", - "title": "Integrity Algorithm (INTEG)", - "description": "Object representing a Integrity Algorithm (INTEG)", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the Integrity Algorithm.", - "examples": [ - "AUTH_HMAC_SHA2_256_128" - ] - }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the Integrity Algorithm.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } - } - } - }, - "ikeV2Ke": { - "type": "object", - "title": "Key Exchange Method (KE)", - "description": "Object representing a Key Exchange Method (KE)", - "additionalProperties": false, - "properties": { - "group": { - "type": "integer", - "title": "Group Identifier", - "description": "A group identifier for the Key exchange algorithm." - }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the Key Exchange Method.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } - } - } - }, - "ikeV2Auth": { - "type": "object", - "title": "IKEv2 Authentication method", - "description": "Object representing a IKEv2 Authentication method", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "title": "Name", - "description": "A name for the Authentication method." - }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the IKEv2 Authentication method.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." 
- } - } - } - }, "cryptoRefArray" : { "type": "array", "items": { From 3b61bcd98bb0fcd1910a98e7691e356badf8946b Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 27 Mar 2025 14:31:44 +0100 Subject: [PATCH 05/11] Extending the ikev2TransformTypes property (1.7) Signed-off-by: Basil Hess --- schema/bom-1.7.schema.json | 158 ++++++++++++++++++++++++++++++++++--- 1 file changed, 146 insertions(+), 12 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 9257255d..00ecb3e3 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json 
@@ -5784,34 +5784,39 @@
 "additionalProperties": false,
 "properties": {
 "encr": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Encryption Algorithm (ENCR)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Enc",
+ "title": "Encryption Algorithms (ENCR)",
 "description": "Transform Type 1: encryption algorithms"
 },
 "prf": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Pseudorandom Function (PRF)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Prf",
+ "title": "Pseudorandom Functions (PRF)",
 "description": "Transform Type 2: pseudorandom functions"
 },
 "integ": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Integrity Algorithm (INTEG)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Integ",
+ "title": "Integrity Algorithms (INTEG)",
 "description": "Transform Type 3: integrity algorithms"
 },
 "ke": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "Key Exchange Method (KE)",
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Ke",
+ "title": "Key Exchange Methods (KE)",
 "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)."
 },
 "esn": {
 "type": "boolean",
- "title": "Extended Sequence Numbers (ESN)",
+ "title": "Extended Sequence Number (ESN)",
 "description": "Specifies if an Extended Sequence Number (ESN) is used."
 },
 "auth": {
- "$ref": "#/definitions/cryptoRefArray",
- "title": "IKEv2 Authentication method",
- "description": "IKEv2 Authentication method"
+ "type": "array",
+ "$ref": "#/definitions/ikeV2Auth",
+ "title": "IKEv2 Authentication methods",
+ "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html)."
 }
 }
 },
@@ -5875,6 +5880,135 @@ } } }, + "ikeV2Enc": { + "type": "object", + "title": "Encryption Algorithm (ENCR)", + "description": "Object representing an encryption algorithm (ENCR)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the encryption method.", + "examples": [ + "ENCR_AES_GCM_16" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the cipher suite.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + }, + "keyLength": { + "type": "integer", + "title": "Encryption algorithm key length", + "description": "The key length of the encryption algorithm." + } + } + }, + "ikeV2Prf": { + "type": "object", + "title": "Pseudorandom Function (PRF)", + "description": "Object representing a pseudorandom function (PRF)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the pseudorandom function.", + "examples": [ + "PRF_HMAC_SHA2_256" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the pseudorandom function.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + } + }, + "ikeV2Integ": { + "type": "object", + "title": "Integrity Algorithm (INTEG)", + "description": "Object representing a Integrity Algorithm (INTEG)", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the Integrity Algorithm.", + "examples": [ + "AUTH_HMAC_SHA2_256_128" + ] + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the Integrity Algorithm.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + } + }, + "ikeV2Ke": { + "type": "object", + "title": "Key Exchange Method (KE)", + "description": "Object representing a Key Exchange Method (KE)", + "additionalProperties": false, + "properties": { + "group": { + "type": "integer", + "title": "Group Identifier", + "description": "A group identifier for the Key exchange algorithm." + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the Key Exchange Method.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." + } + } + } + }, + "ikeV2Auth": { + "type": "object", + "title": "IKEv2 Authentication method", + "description": "Object representing a IKEv2 Authentication method", + "additionalProperties": false, + "properties": { + "name": { + "type": "string", + "title": "Name", + "description": "A name for the Authentication method." + }, + "algorithms": { + "type": "array", + "title": "Related Algorithms", + "description": "A list of algorithms related to the IKEv2 Authentication method.", + "items": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." 
+ } + } + } + }, "cryptoRefArray": { "deprecated": true, "type": "array", From b90d54edb2aa8d6137102de99f9241aeca9bed4a Mon Sep 17 00:00:00 2001 From: Gero Dittmann Date: Mon, 31 Mar 2025 18:38:24 +0200 Subject: [PATCH 06/11] IKE: individual algorithms instead of arrays --- schema/bom-1.7.schema.json | 77 +++++++++++++------------------------- 1 file changed, 26 insertions(+), 51 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index 00ecb3e3..dda789cf 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5894,20 +5894,15 @@ "ENCR_AES_GCM_16" ] }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the cipher suite.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } - }, "keyLength": { "type": "integer", "title": "Encryption algorithm key length", "description": "The key length of the encryption algorithm." + }, + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." } } }, 
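Review bot: None of the five definitions added in the hunk at -5875 (`ikeV2Enc`, `ikeV2Prf`, `ikeV2Integ`, `ikeV2Ke`, `ikeV2Auth`) has a `required` list, so an empty object `{}` validates as a transform and a tool that audits IKEv2 proposals from this data receives an entry with nothing to check. Consider requiring the identifying field, e.g. `"required": ["name"]`, and `"required": ["group"]` for `ikeV2Ke`. `keyLength` and `group` are unbounded integers with no stated unit; `"minimum": 1` on `keyLength` (presumably in bits, which the description should say) and `"minimum": 0` on `group` would reject negative values. The `algorithms` description in `ikeV2Enc` says "cipher suite", which looks copied from another definition.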
@@ -5925,64 +5920,49 @@ "PRF_HMAC_SHA2_256" ] }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the pseudorandom function.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." } } }, "ikeV2Integ": { "type": "object", "title": "Integrity Algorithm (INTEG)", - "description": "Object representing a Integrity Algorithm (INTEG)", + "description": "Object representing an integrity algorithm (INTEG)", "additionalProperties": false, "properties": { "name": { "type": "string", "title": "Name", - "description": "A name for the Integrity Algorithm.", + "description": "A name for the integrity algorithm.", "examples": [ "AUTH_HMAC_SHA2_256_128" ] }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the Integrity Algorithm.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." } } }, "ikeV2Ke": { "type": "object", "title": "Key Exchange Method (KE)", - "description": "Object representing a Key Exchange Method (KE)", + "description": "Object representing a key exchange method (KE)", "additionalProperties": false, "properties": { "group": { "type": "integer", "title": "Group Identifier", - "description": "A group identifier for the Key exchange algorithm." + "description": "A group identifier for the key exchange algorithm." 
}, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the Key Exchange Method.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." } } }, @@ -5995,17 +5975,12 @@ "name": { "type": "string", "title": "Name", - "description": "A name for the Authentication method." + "description": "A name for the authentication method." }, - "algorithms": { - "type": "array", - "title": "Related Algorithms", - "description": "A list of algorithms related to the IKEv2 Authentication method.", - "items": { - "$ref": "#/definitions/refType", - "title": "Algorithm reference", - "description": "The bom-ref to algorithm cryptographic asset." - } + "algorithm": { + "$ref": "#/definitions/refType", + "title": "Algorithm reference", + "description": "The bom-ref to algorithm cryptographic asset." } } }, From 5b8fff68db87d35c03bdaf7a092ddf58003fa5bc Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 10 Apr 2025 15:50:58 +0200 Subject: [PATCH 07/11] Update cryptography-defs.json - Adds a few more algorithm - Converts urls to standards to doi links, where available. - Checks if urls work Signed-off-by: Basil Hess --- schema/cryptography-defs.json | 87 +++++++++++++++++++++++++++-------- 1 file changed, 69 insertions(+), 18 deletions(-) diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index b466767f..2b17d88b 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json 
@@ -5,8 +5,8 @@ { "family": "RSASSA-PKCS1", "standard": [ - {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"}, - {"name": "IEEE1363", "url": "https://standards.ieee.org/ieee/1363/"} + {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, + {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"} ], "variant": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", "primitive": "signature" @@ -14,8 +14,8 @@ { "family": "RSASSA-PSS", "standard": [ - {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"}, - {"name": "IEEE1363A", "url": "https://standards.ieee.org/ieee/1363a/"} + {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, + {"name": "IEEE1363A", "url": "https://doi.org/10.1109/IEEESTD.2004.94612"} ], "variant": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", "primitive": "signature" @@ -23,7 +23,7 @@ { "family": "RSAES-PKCS1", "standard": [ - {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"} + {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], "variant": "RSA-PKCS1-1.5-{keyLength}", "primitive": "pke" @@ -31,7 +31,7 @@ { "family": "RSAES-OAEP", "standard": [ - {"name": "RFC8017", "url": "https://datatracker.ietf.org/doc/html/rfc8017"} + {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], "variant": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", "primitive": "pke" @@ -39,7 +39,7 @@ { "family": "EdDSA", "standard": [ - {"name": "RFC8032", "url": "https://datatracker.ietf.org/doc/html/rfc8032"} + {"name": "RFC8032", "url": "https://doi.org/10.17487/RFC8032"} ], "variant": "Ed{25519|448}{|ph|ctx}", "primitive": "signature" 
@@ -47,8 +47,8 @@ { "family": "ECDSA", "standard": [ - {"name": "FIPS186-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf"}, - {"name": "X9.62", "url": "https://x9.org/standards/x9-62/"} + {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"}, + {"name": "X9.62", "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"} ], "variant": "ECDSA-{curve}-{hash}", "primitive": "signature" @@ -56,9 +56,9 @@ { "family": "ECDH", "standard": [ - {"name": "SP800-56A", "url": "https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final"}, - {"name": "IEEE1363", "url": "https://standards.ieee.org/ieee/1363/"}, - {"name": "X9.63", "url": "https://x9.org/standards/x9-63/"} + {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"}, + {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}, + {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"} ], "variant": "ECDH-{curve}", "primitive": "key-agree" @@ -66,8 +66,8 @@ { "family": "FFDH", "standard": [ - {"name": "RFC7919", "url": "https://datatracker.ietf.org/doc/html/rfc7919"}, - {"name": "SP800-56A", "url": "https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final"} + {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"}, + {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"} ], "variant": "FFDH-{named_group}", "primitive": "key-agree" @@ -75,7 +75,7 @@ { "family": "SHA-1", "standard": [ - {"name": "FIPS180-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"} + {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], "variant": "SHA-1", "primitive": "hash" 
@@ -83,10 +83,61 @@ { "family": "SHA-2", "standard": [ - {"name": "FIPS180-4", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf"} + {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], "variant": "SHA-{224|256|384|512|512/224|512/256}", "primitive": "hash" - } + }, + { + "family": "AES", + "standard": [ + {"name": "FIPS197", "url": "https://doi.org/10.6028/NIST.FIPS.197-upd1"}, + {"name": "SP800-38{A-G}", "url": "https://doi.org/10.6028/NIST.SP.800-38A"}, + {"name": "RFC 5116", "url": "https://doi.org/10.17487/RFC5116"} + ], + "variant": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|128)|OFB|CTR|)", + "primitive": "block-cipher" + }, + { + "family": "HKDF", + "standard": [ + {"name": "RFC5869", "url": "https://doi.org/10.17487/RFC5869"} + ], + "variant": "HKDF-{hash}", + "primitive": "kdf" + }, + { + "family": "HMAC", + "standard": [ + {"name": "SP800-224", "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd"}, + {"name": "RFC2104", "url": "https://doi.org/10.17487/RFC2104"} + ], + "variant": "HMAC-{hash}-{length}", + "primitive": "mac" + }, + { + "family": "ChaCha", + "standard": [ + {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} + ], + "variant": "ChaCha20-{AES|other}", + "primitive": "stream-cipher" + }, + { + "family": "Poly1305", + "standard": [ + {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} + ], + "variant": "Poly1305", + "primitive": "mac" + }, + { + "family": "ChaCha20-Poly1305", + "standard": [ + {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} + ], + "variant": "ChaCha20-Poly1305", + "primitive": "ae" + } ] -} \ No newline at end of file +} From 643fca9c392581be87e62d1dbe252e263584fd6a Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Thu, 17 Apr 2025 14:52:11 +0200 Subject: [PATCH 08/11] Add more algorithms, used by SSLv3, TLS1.0-1.3 
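Review bot: In the hunk at -83, the `ChaCha` entry's variant `ChaCha20-{AES|other}` does not correspond to anything the cited RFC8439 defines, and it is unclear what an `AES` parameter on a ChaCha20 stream cipher would mean; if no parameter is intended, `"variant": "ChaCha20"` is the unambiguous form. The `AES` entry cites RFC 5116, the AEAD interface, but its variant lists only unauthenticated modes and ends in an empty alternative (`CTR|)`), so AES-GCM and AES-CCM have no matching name while the reference suggests they are covered. The same string mixes `{…}` and `(…)` for alternatives. The HMAC reference `SP800-224` links to a DOI ending in `.ipd`, which appears to be a public-draft identifier; worth confirming that a draft is the intended citation.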
Signed-off-by: Basil Hess --- schema/cryptography-defs.json | 64 +++++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 3 deletions(-) diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index 2b17d88b..7d0640f8 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -60,7 +60,7 @@ {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}, {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"} ], - "variant": "ECDH-{curve}", + "variant": "ECDH{E}-{curve}", "primitive": "key-agree" }, { @@ -69,7 +69,7 @@ {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"}, {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"} ], - "variant": "FFDH-{named_group}", + "variant": "FFDH{E}-{named_group}", "primitive": "key-agree" }, { 
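Review bot: `ECDH{E}-{curve}` in the hunk at -60 and `FFDH{E}-{named_group}` in the hunk at -69 use braces for an optional literal `E`, while `{curve}` and `{named_group}` in the same strings use braces for a parameter to substitute. A tool expanding these patterns cannot tell the two meanings apart. Static and ephemeral key agreement differ in forward secrecy, so the distinction should stay machine-readable; a separate marker for optional parts, e.g. `ECDH[E]-{curve}`, documented next to the pattern definitions, would do that.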
@@ -138,6 +138,64 @@ ], "variant": "ChaCha20-Poly1305", "primitive": "ae" - } + }, + { + "family": "MD5", + "standard": [ + {"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"} + ], + "variant": "MD5", + "primitive": "hash" + }, + { + "family": "MD4", + "standard": [ + {"name": "RFC1320", "url": "https://doi.org/10.17487/RFC1320"} + ], + "variant": "MD4", + "primitive": "hash" + }, + { + "family": "RC4", + "standard": [ + {"name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", "url": "https://dl.acm.org/doi/book/10.5555/572932"} + ], + "variant": "RC4-{length}", + "primitive": "stream-cipher" + }, + { + "family": "3DES", + "standard": [ + {"name": "RFC1851", "url": "https://doi.org/10.17487/RFC1851"}, + {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} + ], + "variant": "3DES-{length}-{mode}", + "primitive": "block-cipher" + }, + { + "family": "DES", + "standard": [ + {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}, + {"name": "ANSI INCITS 92-1981", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} + ], + "variant": "DES-{length}-{mode}", + "primitive": "block-cipher" + }, + { + "family": "IDEA", + "standard": [ + {"name": "A Proposal for a New Block Encryption Standard", "url": "https://doi.org/10.1007%2F3-540-46877-3_35"} + ], + "variant": "IDEA-{mode}", + "primitive": "block-cipher" + }, + { + "family": "RC2", + "standard": [ + {"name": "RFC2268", "url": "https://doi.org/10.17487/RFC2268"} + ], + "variant": "RC2-{length}-{mode}", + "primitive": "block-cipher" + } ] } From 9f243b0018d1c2b98859cba8db9112ea20a7d62a Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Fri, 9 May 2025 16:04:20 +0200 Subject: [PATCH 09/11] Revise variants structure Signed-off-by: Basil Hess --- schema/cryptography-defs.json | 222 +++++++++++++++++++++++++++------- 1 file changed, 177 insertions(+), 45 deletions(-) 
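Review bot: In the `DES` entry, `ANSI INCITS 92-1981` is given the same URL as `FIPS PUB 46-3` (`https://csrc.nist.gov/pubs/fips/46-3/final`), which looks like a copy of the line above rather than a link to the ANSI document. The entries added here (MD5, MD4, RC4, 3DES, DES, IDEA, RC2) are legacy algorithms, and nothing in the entry shape distinguishes them from AES or SHA-2, so a consumer that uses this list as a registry cannot flag them without keeping its own table. If the defs schema allows it, a status field on the family would carry that information; the schema is not visible in this hunk. `DES-{length}-{mode}` also takes a `{length}` parameter although DES has a single key size.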
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index 7d0640f8..e6bf90bf 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -8,8 +8,12 @@ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"} ], - "variant": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", - "primitive": "signature" + "variants": [ + { + "pattern": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", + "primitive": "signature" + } + ] }, { "family": "RSASSA-PSS", @@ -17,32 +21,48 @@ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, {"name": "IEEE1363A", "url": "https://doi.org/10.1109/IEEESTD.2004.94612"} ], - "variant": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", - "primitive": "signature" + "variants": [ + { + "pattern": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", + "primitive": "signature" + } + ] }, { "family": "RSAES-PKCS1", "standard": [ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], - "variant": "RSA-PKCS1-1.5-{keyLength}", - "primitive": "pke" + "variants": [ + { + "pattern": "RSA-PKCS1-1.5-{keyLength}", + "primitive": "pke" + } + ] }, { "family": "RSAES-OAEP", "standard": [ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], - "variant": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", - "primitive": "pke" + "variants": [ + { + "pattern": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", + "primitive": "pke" + } + ] }, { "family": "EdDSA", "standard": [ {"name": "RFC8032", "url": "https://doi.org/10.17487/RFC8032"} ], - "variant": "Ed{25519|448}{|ph|ctx}", - "primitive": "signature" + "variants": [ + { + "pattern": "Ed{25519|448}{|ph|ctx}", + "primitive": "signature" + } + ] }, { "family": "ECDSA", 
@@ -50,8 +70,12 @@ {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"}, {"name": "X9.62", "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"} ], - "variant": "ECDSA-{curve}-{hash}", - "primitive": "signature" + "variants": [ + { + "pattern": "ECDSA-{curve}-{hash}", + "primitive": "signature" + } + ] }, { "family": "ECDH", @@ -60,8 +84,12 @@ {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}, {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"} ], - "variant": "ECDH{E}-{curve}", - "primitive": "key-agree" + "variants": [ + { + "pattern": "ECDH{E}-{curve}", + "primitive": "key-agree" + } + ] }, { "family": "FFDH", @@ -69,24 +97,36 @@ {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"}, {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"} ], - "variant": "FFDH{E}-{named_group}", - "primitive": "key-agree" + "variants": [ + { + "pattern": "FFDH{E}-{named_group}", + "primitive": "key-agree" + } + ] }, { "family": "SHA-1", "standard": [ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], - "variant": "SHA-1", - "primitive": "hash" + "variants": [ + { + "pattern": "SHA-1", + "primitive": "hash" + } + ] }, { "family": "SHA-2", "standard": [ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], - "variant": "SHA-{224|256|384|512|512/224|512/256}", - "primitive": "hash" + "variants": [ + { + "pattern": "SHA-{224|256|384|512|512/224|512/256}", + "primitive": "hash" + } + ] }, { "family": "AES", 
@@ -95,16 +135,32 @@ {"name": "SP800-38{A-G}", "url": "https://doi.org/10.6028/NIST.SP.800-38A"}, {"name": "RFC 5116", "url": "https://doi.org/10.17487/RFC5116"} ], - "variant": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|128)|OFB|CTR|)", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|128)|OFB|CTR|)-(ivlen)", + "primitive": "block-cipher" + }, + { + "standard": [ + {"name": "SP800-38D", "url": "https://doi.org/10.6028/NIST.SP.800-38D"}, + {"name": "RFC 3610", "url": "https://doi.org/10.17487/RFC5116"} + ], + "pattern": "AES-{128|192|256}-(GCM|CCM)-(taglen)-(ivlen)", + "primitive": "ae" + } + ] }, { "family": "HKDF", "standard": [ {"name": "RFC5869", "url": "https://doi.org/10.17487/RFC5869"} ], - "variant": "HKDF-{hash}", - "primitive": "kdf" + "variants": [ + { + "pattern": "HKDF-{hash}", + "primitive": "kdf" + } + ] }, { "family": "HMAC", 
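Review bot: In the new GCM/CCM variant, the standard named `RFC 3610` points to `https://doi.org/10.17487/RFC5116`, so the name and the link disagree. RFC 3610 is the CCM specification, so the link presumably should be `https://doi.org/10.17487/RFC3610`; RFC 5116 is already cited at the family level. The first pattern keeps the empty alternative after `CTR|` and now appends `-(ivlen)` to every mode, which gives ECB, a mode without an IV, an IV-length segment.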
@@ -112,47 +168,67 @@ {"name": "SP800-224", "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd"}, {"name": "RFC2104", "url": "https://doi.org/10.17487/RFC2104"} ], - "variant": "HMAC-{hash}-{length}", - "primitive": "mac" + "variants": [ + { + "pattern": "HMAC-{hash}-{length}", + "primitive": "mac" + } + ] }, { "family": "ChaCha", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variant": "ChaCha20-{AES|other}", - "primitive": "stream-cipher" + "variants": [ + { + "pattern": "ChaCha20-{AES|other}", + "primitive": "stream-cipher" + } + ] }, { "family": "Poly1305", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variant": "Poly1305", - "primitive": "mac" + "variants": [ + { + "pattern": "Poly1305", + "primitive": "mac" + } + ] }, { "family": "ChaCha20-Poly1305", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variant": "ChaCha20-Poly1305", - "primitive": "ae" + "variants": [ + { + "pattern": "ChaCha20-Poly1305", + "primitive": "ae" + } + ] }, { "family": "MD5", "standard": [ {"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"} ], - "variant": "MD5", - "primitive": "hash" + "variants": [ + { + "pattern": "MD5", + "primitive": "hash" + } + ] }, { "family": "MD4", "standard": [ {"name": "RFC1320", "url": "https://doi.org/10.17487/RFC1320"} ], - "variant": "MD4", + "pattern": "MD4", "primitive": "hash" }, { @@ -160,8 +236,12 @@ "standard": [ {"name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", "url": "https://dl.acm.org/doi/book/10.5555/572932"} ], - "variant": "RC4-{length}", - "primitive": "stream-cipher" + "variants": [ + { + "pattern": "RC4-{length}", + "primitive": "stream-cipher" + } + ] }, { "family": "3DES", 
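Review bot: The `MD4` entry in the hunk at -112 was converted differently from every other family: `"variant": "MD4"` became a bare `"pattern": "MD4"` with `"primitive": "hash"` left at family level instead of being wrapped in a `variants` array. A consumer that iterates `variants` will skip MD4 or fail on the missing key, which matters for a catalogue whose users look for exactly such weak hashes. Use the same shape as the MD5 entry directly above it: `"variants": [ { "pattern": "MD4", "primitive": "hash" } ]`.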
@@ -169,8 +249,12 @@ {"name": "RFC1851", "url": "https://doi.org/10.17487/RFC1851"}, {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} ], - "variant": "3DES-{length}-{mode}", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "3DES-{length}-{mode}", + "primitive": "block-cipher" + } + ] }, { "family": "DES", @@ -178,24 +262,72 @@ {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}, {"name": "ANSI INCITS 92-1981", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} ], - "variant": "DES-{length}-{mode}", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "DES-{length}-{mode}", + "primitive": "block-cipher" + } + ] }, { "family": "IDEA", "standard": [ {"name": "A Proposal for a New Block Encryption Standard", "url": "https://doi.org/10.1007%2F3-540-46877-3_35"} ], - "variant": "IDEA-{mode}", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "IDEA-{mode}", + "primitive": "block-cipher" + } + ] }, { "family": "RC2", "standard": [ {"name": "RFC2268", "url": "https://doi.org/10.17487/RFC2268"} ], - "variant": "RC2-{length}-{mode}", - "primitive": "block-cipher" + "variants": [ + { + "pattern": "RC2-{length}-{mode}", + "primitive": "block-cipher" + } + ] + }, + { + "family": "ML-DSA", + "standard": [ + {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"} + ], + "variants": [ + { + "pattern": "ML-DSA-(44|65|87)", + "primitive": "signature" + } + ] + }, + { + "family": "HashML-DSA", + "standard": [ + {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"} + ], + "variants": [ + { + "pattern": "HashML-DSA-(44|65|87)-(hash)", + "primitive": "signature" + } + ] + }, + { + "family": "HashSLH-DSA", + "standard": [ + {"name": "FIPS 205", "url": "https://doi.org/10.6028/NIST.FIPS.205"} + ], + "variants": [ + { + "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-", + "primitive": "signature" + } + ] } ] } 
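Review bot: In the last hunk (-178), the `HashSLH-DSA` pattern `HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-` ends with a dangling `-`, which suggests a final segment was dropped; by analogy with `HashML-DSA-(44|65|87)-(hash)` above it, presumably `-(hash)`. The three new entries write parameters in parentheses while the older entries in this file use braces (`{curve}`, `{hash}`), so the pattern syntax now has two spellings for the same thing. Pure `SLH-DSA` from the same FIPS 205 has no entry although its pre-hash form does; if that is intentional it is worth stating in the commit description.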
From d376ff5db7d44b35ff0a14770ada5a56282f691e Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Wed, 14 May 2025 11:11:31 +0200 Subject: [PATCH 10/11] - Extends cryptography-defs list by Algorithms from PKCS11 - Changes schma for crypto-defs to allow different variant patterns corresponding to different primitives - Adds "key-wrap" as a new primitive Signed-off-by: Basil Hess --- schema/bom-1.7.schema.json | 2 + schema/cryptography-defs.json | 432 +++++++++++++++++++++++++-- schema/cryptography-defs.schema.json | 58 +++- 3 files changed, 456 insertions(+), 36 deletions(-) diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index e1dd5b1d..3ab604b5 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5091,6 +5091,7 @@ "kem", "ae", "combiner", + "key-wrap", "other", "unknown" ], @@ -5108,6 +5109,7 @@ "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.", "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.", "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.", + "key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.", "other": "Another primitive type.", "unknown": "The primitive is not known." } diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index e6bf90bf..c2e6cd4a 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json 
@@ -8,7 +8,7 @@ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"} ], - "variants": [ + "variant": [ { "pattern": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}", "primitive": "signature" @@ -21,7 +21,7 @@ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}, {"name": "IEEE1363A", "url": "https://doi.org/10.1109/IEEESTD.2004.94612"} ], - "variants": [ + "variant": [ { "pattern": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}", "primitive": "signature" @@ -33,7 +33,7 @@ "standard": [ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], - "variants": [ + "variant": [ { "pattern": "RSA-PKCS1-1.5-{keyLength}", "primitive": "pke" @@ -45,7 +45,7 @@ "standard": [ {"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"} ], - "variants": [ + "variant": [ { "pattern": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}", "primitive": "pke" @@ -57,7 +57,7 @@ "standard": [ {"name": "RFC8032", "url": "https://doi.org/10.17487/RFC8032"} ], - "variants": [ + "variant": [ { "pattern": "Ed{25519|448}{|ph|ctx}", "primitive": "signature" @@ -70,13 +70,25 @@ {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"}, {"name": "X9.62", "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"} ], - "variants": [ + "variant": [ { "pattern": "ECDSA-{curve}-{hash}", "primitive": "signature" } ] }, + { + "family": "DSA", + "standard": [ + {"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"} + ], + "variant": [ + { + "pattern": "DSA-{length}-{hash}", + "primitive": "signature" + } + ] + }, { "family": "ECDH", "standard": [ @@ -84,7 +96,7 @@ {"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}, {"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"} ], - "variants": [ + "variant": [ { "pattern": "ECDH{E}-{curve}", "primitive": "key-agree" 
@@ -97,7 +109,7 @@ {"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"}, {"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"} ], - "variants": [ + "variant": [ { "pattern": "FFDH{E}-{named_group}", "primitive": "key-agree" @@ -109,7 +121,7 @@ "standard": [ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], - "variants": [ + "variant": [ { "pattern": "SHA-1", "primitive": "hash" @@ -121,13 +133,58 @@ "standard": [ {"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"} ], - "variants": [ + "variant": [ { "pattern": "SHA-{224|256|384|512|512/224|512/256}", "primitive": "hash" } ] }, + { + "family": "SHA-3", + "standard": [ + {"name": "FIPS202", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"} + {"name": "SP800-185", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"} + ], + "variant": [ + { + "pattern": "SHA-3-(224|256|384|512)", + "primitive": "hash" + }, + { + "pattern": "SHAKE(128|256)", + "primitive": "xof" + }, + { + "pattern": "cSHAKE(128|256)", + "primitive": "xof" + }, + { + "pattern": "KMAC(128|256)", + "primitive": "mac" + }, + { + "pattern": "HMACXOF(128|256)", + "primitive": "mac" + }, + { + "pattern": "TupleHash(128|256)", + "primitive": "hash" + }, + { + "pattern": "TupleHashXOF(128|256)", + "primitive": "xof" + }, + { + "pattern": "ParallelHash(128|256)", + "primitive": "hash" + }, + { + "pattern": "ParallelHashXOF(128|256)", + "primitive": "xof" + } + ] + }, { "family": "AES", "standard": [ @@ -135,9 +192,9 @@ {"name": "SP800-38{A-G}", "url": "https://doi.org/10.6028/NIST.SP.800-38A"}, {"name": "RFC 5116", "url": "https://doi.org/10.17487/RFC5116"} ], - "variants": [ + "variant": [ { - "pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|128)|OFB|CTR|)-(ivlen)", + "pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|64|128)|OFB|CTR|XTS|CTS)-(padding)-(ivlen)", "primitive": "block-cipher" }, { 
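Review bot: In the hunk at -121, the new `SHA-3` entry's `standard` array is missing a comma between the `FIPS202` and `SP800-185` objects, so `cryptography-defs.json` no longer parses as JSON after this commit. The `SP800-185` line also reuses the FIPS 202 PDF URL, which looks like a copy of the line above. `HMACXOF(128|256)` does not match a function defined in SP 800-185, which names `KMACXOF128` and `KMACXOF256`; presumably `KMACXOF(128|256)` was meant. Parsing the file and validating it against the defs schema in CI would catch the first problem before merge.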
@@ -147,6 +204,21 @@ ], "pattern": "AES-{128|192|256}-(GCM|CCM)-(taglen)-(ivlen)", "primitive": "ae" + }, + { + "standard": [ + {"name": "RFC5649", "url": "https://doi.org/10.17487/RFC5649"} + ], + "pattern": "AES-{128|192|256}-Wrap-(PAD|KWP|PKCS7)", + "primitive": "key-wrap" + }, + { + "pattern": "AES-{128|192|256}-(GMAC|CMAC)", + "primitive": "mac" + }, + { + "pattern": "AES-{128|192|256}-(XCBC_MAC(_96))", + "primitive": "mac" } ] }, @@ -155,7 +227,7 @@ "standard": [ {"name": "RFC5869", "url": "https://doi.org/10.17487/RFC5869"} ], - "variants": [ + "variant": [ { "pattern": "HKDF-{hash}", "primitive": "kdf" @@ -168,19 +240,43 @@ {"name": "SP800-224", "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd"}, {"name": "RFC2104", "url": "https://doi.org/10.17487/RFC2104"} ], - "variants": [ + "variant": [ { "pattern": "HMAC-{hash}-{length}", "primitive": "mac" } ] }, + { + "family": "CMAC", + "standard": [ + {"name": "SP800-38B", "url": "https://doi.org/10.6028/NIST.SP.800-38B"} + ], + "variant": [ + { + "pattern": "CMAC-{cipher_algorithm}-{length}", + "primitive": "mac" + } + ] + }, + { + "family": "KMAC", + "standard": [ + {"name": "SP800-108r1", "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"} + ], + "variant": [ + { + "pattern": "KMAC-(128|256)", + "primitive": "mac" + } + ] + }, { "family": "ChaCha", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variants": [ + "variant": [ { "pattern": "ChaCha20-{AES|other}", "primitive": "stream-cipher" @@ -192,7 +288,7 @@ "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variants": [ + "variant": [ { "pattern": "Poly1305", "primitive": "mac" 
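Review bot: The new `KMAC` family in the hunk at -168 (`KMAC-(128|256)`, citing SP800-108r1) duplicates the `KMAC(128|256)` variant that this same commit adds under `SHA-3`, with a different spelling and a different standard. Two names for one MAC make it ambiguous which pattern an inventory entry should match; keep one and cite the defining document (KMAC is specified in SP 800-185, while SP 800-108r1 covers key derivation that uses it). The new `CMAC` family overlaps in the same way with `AES-{128|192|256}-(GMAC|CMAC)` added in the hunk at -147. That hunk's `key-wrap` variant cites only RFC5649, the padded form, although its pattern also appears to cover unpadded wrapping.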
@@ -200,23 +296,43 @@ ] }, { - "family": "ChaCha20-Poly1305", + "family": "ChaCha20", "standard": [ {"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"} ], - "variants": [ + "variant": [ + { + "pattern": "ChaCha20", + "primitive": "stream-cipher" + }, { "pattern": "ChaCha20-Poly1305", "primitive": "ae" } ] }, + { + "family": "Salsa20", + "standard": [ + {"name": "The Salsa20 Family of Stream Ciphers", "url": "https://doi.org/10.1007/978-3-540-68351-3_8"} + ], + "variant": [ + { + "pattern": "Salsa20", + "primitive": "stream-cipher" + }, + { + "pattern": "Salsa20-Poly1305", + "primitive": "ae" + } + ] + }, { "family": "MD5", "standard": [ {"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"} ], - "variants": [ + "variant": [ { "pattern": "MD5", "primitive": "hash" @@ -236,7 +352,7 @@ "standard": [ {"name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", "url": "https://dl.acm.org/doi/book/10.5555/572932"} ], - "variants": [ + "variant": [ { "pattern": "RC4-{length}", "primitive": "stream-cipher" @@ -249,7 +365,7 @@ {"name": "RFC1851", "url": "https://doi.org/10.17487/RFC1851"}, {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} ], - "variants": [ + "variant": [ { "pattern": "3DES-{length}-{mode}", "primitive": "block-cipher" @@ -262,7 +378,7 @@ {"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}, {"name": "ANSI INCITS 92-1981", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"} ], - "variants": [ + "variant": [ { "pattern": "DES-{length}-{mode}", "primitive": "block-cipher" @@ -274,7 +390,7 @@ "standard": [ {"name": "A Proposal for a New Block Encryption Standard", "url": "https://doi.org/10.1007%2F3-540-46877-3_35"} ], - "variants": [ + "variant": [ { "pattern": "IDEA-{mode}", "primitive": "block-cipher" 
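Review bot: Renaming the `ChaCha20-Poly1305` family to `ChaCha20` in the hunk at -200 leaves it next to the existing `ChaCha` family, which this commit keeps with `ChaCha20-{AES|other}` as a `stream-cipher` pattern, so ChaCha20 is now described twice with different patterns. Removing the older `ChaCha` entry, or folding it into the new family, would leave one authoritative definition. `Salsa20-Poly1305` is attributed to the Salsa20 stream-cipher paper, which as far as I can tell does not specify an AEAD construction; give the variant its own `standard` reference or drop it if no specific construction is meant.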
@@ -286,7 +402,7 @@
 "standard": [
 {"name": "RFC2268", "url": "https://doi.org/10.17487/RFC2268"}
 ],
- "variants": [
+ "variant": [
 {
 "pattern": "RC2-{length}-{mode}",
 "primitive": "block-cipher"
@@ -298,7 +414,7 @@
 "standard": [
 {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"}
 ],
- "variants": [
+ "variant": [
 {
 "pattern": "ML-DSA-(44|65|87)",
 "primitive": "signature"
@@ -310,7 +426,7 @@
 "standard": [
 {"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"}
 ],
- "variants": [
+ "variant": [
 {
 "pattern": "HashML-DSA-(44|65|87)-(hash)",
 "primitive": "signature"
@@ -322,12 +438,274 @@ "standard": [ {"name": "FIPS 205", "url": "https://doi.org/10.6028/NIST.FIPS.205"} ], - "variants": [ + "variant": [ { "pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-", "primitive": "signature" } ] + }, + { + "family": "XMSS", + "standard": [ + {"name": "SP800-208", "url": "https://doi.org/10.6028/NIST.SP.800-208"}, + {"name": "RFC8391", "url": "https://doi.org/10.17487/RFC8391"} + ], + "variant": [ + { + "pattern": "XMSS-(SHA2|SHAKE)_(h)_(nbits)", + "primitive": "signature" + }, + { + "pattern": "XMSSMT-(SHA2|SHAKE)_(h)/(d)_(nbits)", + "primitive": "signature" + }, + { + "pattern": "WOTSP-(SHA2|SHAKE)_(nbits)", + "primitive": "signature" + } + ] + }, + { + "family": "LMS", + "standard": [ + {"name": "SP800-208", "url": "https://doi.org/10.6028/NIST.SP.800-208"}, + {"name": "RFC8554", "url": "https://doi.org/10.17487/RFC8554"} + ], + "variant": [ + { + "pattern": "LMS_(hashfun)_M(bytespernode)_H(treeheight)", + "primitive": "signature" + }, + { + "pattern": "LMOTS_(hashfun)_N(bytespernode)_H(treeheight)", + "primitive": "signature" + } + ] + }, + { + "family": "ML-KEM", + "standard": [ + {"name": "FIPS 203", "url": "https://doi.org/10.6028/NIST.FIPS.203"} + ], + "variant": [ + { + "pattern": "ML-KEM-(512|768|1024)", + "primitive": "kem" + } + ] + }, + { + "family": "IKE-PRF", + "standard": [ + {"name": "RFC2409", "url": "https://doi.org/10.17487/RFC2409"}, + {"name": "RFC5996", "url": "https://doi.org/10.17487/RFC5996"} + ], + "variant": [ + { + "pattern": "IKE_PRF_DERIVE", + "primitive": "key-agree" + }, + { + "pattern": "IKE1_(PRF|Extended)_DERIVE", + "primitive": "key-agree" + }, + { + "pattern": "IKE2_PRF_PLUS_DERIVE", + "primitive": "key-agree" + } + ] + }, + { + "family": "GOST", + "variant": [ + { + "standard": [ + {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOSTR3410", + "primitive": "signature" + }, + { + "standard": [ + {"name": "RFC4357", "url": 
"https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOSTR3411", + "primitive": "hash" + }, + { + "standard": [ + {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOSTR3411_HMAC", + "primitive": "mac" + }, + { + "standard": [ + {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOST38147-(mode)-(padding)", + "primitive": "block-cipher" + }, + { + "standard": [ + {"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"} + ], + "pattern": "GOST38147_MAC", + "primitive": "mac" + } + ] + }, + { + "family": "SEED", + "standard": [ + {"name": "RFC4269", "url": "https://doi.org/10.17487/RFC4269"}, + {"name": "RFC5669", "url": "https://doi.org/10.17487/RFC5669"} + ], + "variant": [ + { + "pattern": "SEED-128-(mode)-(padding)", + "primitive": "block-cipher" + }, + { + "pattern": "SEED-128-(mode)-(padding)-HMAC-(hash)-length", + "primitive": "ae" + }, + { + "pattern": "SEED-128-(CCM|GCM)", + "primitive": "ae" + } + ] + }, + { + "family": "ARIA", + "standard": [ + {"name": "RFC5794", "url": "https://doi.org/10.17487/RFC5794"} + ], + "variant": [ + { + "pattern": "ARIA-(128|192|256)-(mode)-(padding)", + "primitive": "block-cipher" + }, + { + "pattern": "ARIA-(128|192|256)-(authmode)-(padding)", + "primitive": "ae" + } + ] + }, + { + "family": "CAMELLIA", + "standard": [ + {"name": "RFC3713", "url": "https://doi.org/10.17487/RFC3713"} + ], + "variant": [ + { + "pattern": "CAMELLIA-(128|192|256)-(mode)-(padding)", + "primitive": "block-cipher" + }, + { + "pattern": "CAMELLIA-(128|192|256)-(authmode)-(padding)", + "primitive": "ae" + } + ] + }, + { + "family": "Twofish", + "standard": [ + {"name": "Twofish: A 128-Bit Block Cipher", "url": "https://www.schneier.com/academic/twofish/"} + ], + "variant": [ + { + "pattern": "Twofish-(128|192|256)-(mode)-(padding)", + "primitive": "block-cipher" + } + ] + }, + { + "family": "Blowfish", + "standard": [ + {"name": "Description of a new variable-length key, 64-bit 
block cipher (Blowfish)", "url": "https://doi.org/10.1007/3-540-58108-1_24"} + ], + "variant": [ + { + "pattern": "Blowfish-(keylength)-(mode)-(padding)", + "primitive": "block-cipher" + } + ] + }, + { + "family": "SP800-108", + "standard": [ + {"name": "SP800-108", "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"} + ], + "variant": [ + { + "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF)-(prf-function)-(dkmlength)", + "primitive": "key-derive" + } + ] + }, + { + "family": "PKCS12-PBEA", + "variant": [ + { + "pattern": "SHA1-PBE-(2|3)K-3DES-CBC", + "primitive": "block-cipher" + }, + { + "pattern": "SHA1-PBA-SHA1-HMAC", + "primitive": "mac" + } + ] + }, + { + "family": "PKCS5-PBE", + "variant": [ + { + "pattern": "SHA1-PBE-DES(2|3)-EDE-CBC", + "primitive": "block-cipher" + }, + { + "pattern": "SHA1-PBA-SHA1-HMAC", + "primitive": "mac" + }, + { + "pattern": "(hash)-PBE-(block_cipher)", + "primitive": "block-cipher" + }, + { + "pattern": "PBKDF2", + "primitive": "key-derive" + } + ] + }, + { + "family": "BLAKE2b", + "standard": [ + {"name": "RFC7693", "url": "https://doi.org/10.17487/RFC7693"} + ], + "variant": [ + { + "pattern": "BLAKE2b-(160|256|384|512)", + "primitive": "hash" + }, + { + "pattern": "BLAKE2b-(160|256|384|512)-HMAC", + "primitive": "mac" + } + ] + }, + { + "family": "X3DH", + "standard": [ + {"name": "The X3DH Key Agreement Protocol", "url": "https://signal.org/docs/specifications/x3dh/"} + ], + "variant": [ + { + "pattern": "X3DH-(hash)", + "primitive": "key-agree" + } + ] } ] } diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json index 7c6aeedb..4964b6a1 100644 --- a/schema/cryptography-defs.schema.json +++ b/schema/cryptography-defs.schema.json 
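Review bot: The `primitive` tags added in the `@@ -322,12 +438,274 @@` hunk do not agree with the rest of the registry: the `SP800_108_...` and `PBKDF2` variants are tagged `key-derive` while HKDF (context in an earlier hunk) uses `kdf`, and the three `IKE-PRF` derive patterns are tagged `key-agree` although their names describe PRF-based key derivation. Inventory or policy tooling that groups algorithms by primitive would miss or misclassify these entries; use one spelling throughout, e.g. `"primitive": "kdf"`. Separately, `LMOTS_(hashfun)_N(bytespernode)_H(treeheight)` looks copied from the LMS pattern, since RFC 8554 parameterises LM-OTS by the Winternitz width (`_W`) rather than a tree height, and `SEED-128-(mode)-(padding)-HMAC-(hash)-length` leaves `length` outside a placeholder. The `PKCS12-PBEA` and `PKCS5-PBE` families also have no `standard` reference at all.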
@@ -58,17 +58,57 @@
 }
 },
 "variant": {
- "type": "string",
- "title": "Variant",
- "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties."
- },
- "primitive": {
- "type": "string",
- "title": "Primitive",
- "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)."
+ "type": "array",
+ "title": "Variants",
+ "description": "Defines algorithm variants by a naming pattern and the corrsponding cryptographic primitive.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Standard Reference",
+ "description": "Reference to a standard, including its name and URL.",
+ "additionalProperties": false,
+ "properties": {
+ "pattern": {
+ "type": "string",
+ "title": "Standard Name",
+ "description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties."
+ },
+ "primitive": {
+ "type": "string",
+ "title": "Primitive",
+ "description": "Type of cryptographic primitive (e.g., signature, encryption, hash)."
+ },
+ "standard": {
+ "type": "array",
+ "title": "Standards",
+ "description": "List of standards defining or relating to the algorithm variant.",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "title": "Standard Reference",
+ "description": "Reference to a standard, including its name and URL.",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Standard Name",
+ "description": "The name or identifier of the standard."
+ },
+ "url": {
+ "type": "string",
+ "format": "iri",
+ "title": "Standard URL",
+ "description": "A URL pointing to the standard's official documentation."
+ }
+ },
+ "required": ["name", "url"]
+ }
+ },
+ "required": ["pattern", "primitive"]
+ }
 }
 },
- "required": ["family", "variant", "primitive"]
+ "required": ["family", "variant"]
 }
 }
 },
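Review bot: `primitive` in the new variant item schema is an unconstrained `"type": "string"`, so the registry validates even when entries spell the same primitive differently; elsewhere in this series HKDF is tagged `kdf` while SP800-108 and PBKDF2 are tagged `key-derive`. Tools that filter a cryptographic inventory by primitive will silently miss one of the spellings, and an `enum` listing the accepted values on `primitive` would reject the mismatch at validation time. Separately, the item object's `title` and `description` ("Standard Reference") and the `pattern` title ("Standard Name") look copied from the `standard` block, `corrsponding` is misspelled, and `"additionalItems": false` has no effect next to an object-valued `items` in the drafts that define that keyword. The `pattern` description still says placeholders use `{}`, while most registry patterns use `()`.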
From b05ba4d095ebd711e5a8f45ab3cc7d2c5bd91b10 Mon Sep 17 00:00:00 2001 From: Basil Hess Date: Wed, 14 May 2025 12:55:00 +0200 Subject: [PATCH 11/11] Add missing closing bracket Signed-off-by: Basil Hess
---
 schema/cryptography-defs.schema.json | 1 + 1 file changed, 1 insertion(+)
diff --git a/schema/cryptography-defs.schema.json b/schema/cryptography-defs.schema.json
index 4964b6a1..d6f7b623 100644
--- a/schema/cryptography-defs.schema.json
+++ b/schema/cryptography-defs.schema.json
@@ -103,6 +103,7 @@
 },
 "required": ["name", "url"]
 }
+ }
 },
 "required": ["pattern", "primitive"]
 }