diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json index c379e714..b4218e7d 100644 --- a/schema/bom-1.7.schema.json +++ b/schema/bom-1.7.schema.json @@ -5474,7 +5474,7 @@ ], "additionalProperties": false, "properties": { - "state": { + "name": { "type": "string", "title": "State", "description": "The name of the certificate lifecycle state." @@ -5536,12 +5536,12 @@ { "title": "Common Extensions", "required": [ - "name", - "value" + "commonExtensionName", + "commonExtensionValue" ], "additionalProperties": false, "properties": { - "name": { + "commonExtensionName": { "type": "string", "title": "name", "description": "The name of the extension.", @@ -5570,7 +5570,7 @@ "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof." } }, - "value": { + "commonExtensionValue": { "type": "string", "title": "Value", "description": "The value of the certificate extension." @@ -5581,16 +5581,16 @@ "title": "Custom Extensions", "description": "Custom extensions may convey application-specific or vendor-specific data not covered by standard extensions. The structure and semantics of custom extensions are typically defined outside of public standards. CycloneDX leverages properties to support this capability.", "required": [ - "name" + "customExtensionName" ], "additionalProperties": false, "properties": { - "name": { + "customExtensionName": { "type": "string", "title": "Name", "description": "The name for the custom certificate extension." }, - "value": { + "customExtensionValue": { "type": "string", "title": "Value", "description": "The description of the custom certificate extension." @@ -5760,6 +5760,11 @@ "wpa", "dtls", "quic", + "eap-aka", + "eap-aka-prime", + "prins", + "5g-aka", + "jose", "other", "unknown" ], @@ -5772,6 +5777,11 @@ "wpa": "Wi-Fi Protected Access", "dtls": "Datagram Transport Layer Security", "quic": "Quick UDP Internet Connections", + "eap-aka": "Extensible Authentication Protocol variant", + "eap-aka-prime": "Enhanced version of EAP-AKA", + "prins": "Protection of Inter-Network Signaling", + "5g-aka": "Authentication and Key Agreement for 5G", + "jose": "JSON Object Signing and Encryption", "other": "Another protocol type", "unknown": "The protocol type is not known" } @@ -5803,27 +5813,39 @@ "properties": { "encr": { "type": "array", - "$ref": "#/definitions/ikeV2Enc", "title": "Encryption Algorithms (ENCR)", - "description": "Transform Type 1: encryption algorithms" - }, + "description": "Transform Type 1: encryption algorithms", + "items": { + "$ref": "#/definitions/ikeV2Enc", + "title": "Encryption Algorithm (ENCR)" + } + }, "prf": { "type": "array", - "$ref": "#/definitions/ikeV2Prf", "title": "Pseudorandom Functions (PRF)", - "description": "Transform Type 2: pseudorandom functions" + "description": "Transform Type 2: pseudorandom functions", + "items": { + "$ref": "#/definitions/ikeV2Prf", + "title": "Pseudorandom Function (PRF)" + } }, "integ": { "type": "array", - "$ref": "#/definitions/ikeV2Integ", "title": "Integrity Algorithms (INTEG)", - "description": "Transform Type 3: integrity algorithms" + "description": "Transform Type 3: integrity algorithms", + "items": { + "$ref": "#/definitions/ikeV2Integ", + "title": "Integrity Algorithm (INTEG)" + } }, "ke": { "type": "array", - "$ref": "#/definitions/ikeV2Ke", "title": "Key Exchange Methods (KE)", - "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)." + "description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H).", + "items": { + "$ref": "#/definitions/ikeV2Ke", + "title": "Key Exchange Method (KE)" + } }, "esn": { "type": "boolean", @@ -5832,9 +5854,12 @@ }, "auth": { "type": "array", - "$ref": "#/definitions/ikeV2Auth", "title": "IKEv2 Authentication methods", - "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html)." + "description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html).", + "items": { + "$ref": "#/definitions/ikeV2Auth", + "title": "IKEv2 Authentication Method" + } } } }, @@ -5895,6 +5920,35 @@ "0x9E" ] } + }, + "tlsGroups": { + "type": "array", + "title": "TLS Groups", + "description": "A list of TLS named groups (formerly known as curves) for this cipher suite. These groups define the parameters for key exchange algorithms like ECDHE.", + "items": { + "type": "string", + "title": "Group Name", + "description": "The name of the TLS group", + "examples": [ + "x25519", + "ffdhe2048" + ] + } + }, + "tlsSignatureSchemes": { + "type": "array", + "title": "TLS Signature Schemes", + "description": "A list of signature schemes supported for cipher suite. These schemes specify the algorithms used for digital signatures in TLS handshakes and certificate verification.", + "items": { + "type": "string", + "title": "Signature Scheme", + "description": "The name of the TLS signature scheme", + "examples": [ + "ecdsa_secp256r1_sha256", + "rsa_pss_rsae_sha256", + "ed25519" + ] + } } } }, diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json index 1742baad..aa24a47d 100644 --- a/schema/cryptography-defs.json +++ b/schema/cryptography-defs.json @@ -100,6 +100,10 @@ { "pattern": "ECDH[E][-{ellipticCurve}]", "primitive": "key-agree" + }, + { + "pattern": "x25519|x448", + "primitive": "key-agree" } ] }, @@ -726,6 +730,86 @@ "primitive": "signature" } ] + }, + { + "family": "MILENAGE", + "standard": [ + {"name": "3GPP TS 35.206", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.206/35206-i00.zip"} + ], + "variant": [ + { + "pattern": "MILENAGE[-MAC]", + "primitive": "mac" + }, + { + "pattern": "MILENAGE[-KDF]", + "primitive": "kdf" + } + ] + }, + { + "family": "TUAK", + "standard": [ + {"name": "SHA-3 based authentication algorithm (3GPP TS 35.231)", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.231/35231-i00.zip"} + ], + "variant": [ + { + "pattern": "TUAC[-MAC]", + "primitive": "mac" + }, + { + "pattern": "TUAC[-KDF]", + "primitive": "kdf" + } + ] + }, + { + "family": "ZUC", + "standard": [ + {"name": "3GPP TS 35.221", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.221/35221-i00.zip"} + ], + "variant": [ + { + "pattern": "128-EEA3", + "primitive": "stream-cipher" + }, + { + "pattern": "128-EIA3", + "primitive": "mac" + } + ] + }, + { + "family": "SNOW3G", + "standard": [ + {"name": "3GPP TS 35.216", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.216/35216-i00.zip"} + ], + "variant": [ + { + "pattern": "128-EEA1", + "primitive": "stream-cipher" + }, + { + "pattern": "128-EIA1", + "primitive": "mac" + } + ] + }, + { + "family": "3GPP-XOR", + "standard": [ + {"name": "Legacy XOR-based AV generation algorithm (3GPP TS 35.201)", "url": "https://www.3gpp.org/ftp/Specs/archive/35_series/35.201/35201-i00.zip"} + ], + "variant": [ + { + "pattern": "3GPP-XOR[-MAC]", + "primitive": "mac" + }, + { + "pattern": "3GPP-XOR[-KDF]", + "primitive": "kdf" + } + ] } ], "ellipticCurves": [ diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json new file mode 100644 index 00000000..ea4d3794 --- /dev/null +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-1.7.json @@ -0,0 +1,161 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2", + "version": 1, + "metadata": { + "timestamp": "2024-01-09T12:00:00Z", + "component": { + "type": "application", + "name": "my application", + "version": "1.0" + } + }, + "components": [ + { + "name": "google.com", + "type": "cryptographic-asset", + "bom-ref": "c9c7ac91-2115-45e8-ae13-7d0e1dec74be", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "serialNumber": "1234567890ABCDEF", + "subjectName": "CN = www.google.com", + "issuerName": "C = US, O = Google Trust Services LLC, CN = GTS CA 1C3", + "notValidBefore": "2016-11-21T08:00:00Z", + "notValidAfter": "2017-11-22T07:59:59Z", + "certificateFormat": "X.509", + "certificateFileExtension": "crt", + "fingerprint": { + "alg": "SHA-256", + "content": "1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4" + }, + "certificateState": [ + { + "state": "active", + "reason": "Certificate is currently valid and in use" + } + ], + "creationDate": "2016-11-21T07:30:00Z", + "activationDate": "2016-11-21T08:00:00Z", + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "6b00f384-6c39-420f-91eb-94de0f7be569RR" + }, + { + "type": "publicKey", + "ref": "ceb37320-8239-40e8-ab77-8798dbd98773" + } + ] + }, + "oid": "2.5.4.3" + } + }, + { + "name": "SHA512withRSA", + "type": "cryptographic-asset", + "bom-ref": "6b00f384-6c39-420f-91eb-94de0f7be569", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "signature", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "padding": "pkcs1v15", + "cryptoFunctions": [ "sign", "verify" ] + }, + "oid": "1.2.840.113549.1.1.13" + } + }, + { + "name": "RSA-2048", + "type": "cryptographic-asset", + "bom-ref": "ceb37320-8239-40e8-ab77-8798dbd98773", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "public-key", + "id": "2e9ef09e-dfac-4526-96b4-d02f31af1b22", + "state": "active", + "size": 2048, + "format": "PEM", + "value": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n-----END PUBLIC KEY-----", + "creationDate": "2016-11-21T08:00:00Z", + "activationDate": "2016-11-21T08:20:00Z", + "updateDate": "2016-11-21T08:00:00Z", + "expirationDate": "2017-11-22T07:59:59Z", + "securedBy": { + "mechanism": "None" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456" + }, + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "a154af0a-0dca-4ed5-b611-2405a3a6ae47" + } + ] + }, + "oid": "1.2.840.113549.1.1.1" + } + }, + { + "name": "RSA-2048", + "type": "cryptographic-asset", + "bom-ref": "a154af0a-0dca-4ed5-b611-2405a3a6ae47", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "pke", + "algorithmFamily": "RSAES-OAEP", + "parameterSetIdentifier": "2048", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "padding": "oaep", + "cryptoFunctions": [ "encrypt", "decrypt" ] + }, + "oid": "1.2.840.113549.1.1.1" + } + }, + { + "name": "TLS 1.3 Protocol", + "type": "cryptographic-asset", + "bom-ref": "a3553dc1-f376-43d1-89dc-87bb71981c0c", + "cryptoProperties": { + "assetType": "protocol", + "protocolProperties": { + "type": "tls", + "version": "1.3", + "cipherSuites": [ + { + "name": "TLS_AES_256_GCM_SHA384", + "algorithms": [ + "1977d71b-8981-4292-b40d-842a019c2229", + "422fa336-b401-42b7-89b8-8966aa30bca0" + ], + "identifiers": [ + "0x13,0x02" + ] + }, + { + "name": "TLS_CHACHA20_POLY1305_SHA256", + "algorithms": [ + "1af4fc08-5d0d-436e-8058-eeef921983d0", + "6af3066b-ab66-4593-975f-d9ba2c623a89" + ], + "identifiers": [ + "0x13,0x03" + ] + } + ] + }, + "oid": "1.3.6.1.5.5.7.3.1" + } + } + ] +} diff --git a/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json new file mode 100644 index 00000000..2fe0f660 --- /dev/null +++ b/tools/src/test/resources/1.7/valid-cryptography-certificate-advanced-1.7.json @@ -0,0 +1,279 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.7", + "serialNumber": "urn:uuid:f47ac10b-58cc-4372-a567-0e02b2c3d479", + "version": 1, + "metadata": { + "timestamp": "2024-01-15T14:30:00Z", + "component": { + "type": "application", + "name": "enterprise-security-app", + "version": "2.1.0" + } + }, + "components": [ + { + "name": "revoked-internal-ca.example.com", + "type": "cryptographic-asset", + "bom-ref": "840ADC47-55CD-44C6-A306-B37A9149B066", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "serialNumber": "ABCDEF1234567890FEDCBA", + "subjectName": "CN = internal-ca.example.com, OU = IT Security, O = Example Corp, C = US", + "issuerName": "CN = Example Root CA, O = Example Corp, C = US", + "notValidBefore": "2023-01-01T00:00:00Z", + "notValidAfter": "2025-12-31T23:59:59Z", + "certificateFormat": "X.509", + "certificateFileExtension": "pem", + "fingerprint": { + "alg": "SHA-256", + "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + }, + "certificateState": [ + { + "state": "revoked", + "reason": "Certificate was compromised due to private key exposure in security incident #2024-001" + } + ], + "creationDate": "2022-12-15T10:00:00Z", + "activationDate": "2023-01-01T00:00:00Z", + "revocationDate": "2024-01-10T15:45:30Z", + "certificateExtensions": [ + { + "commonExtensionName": "basicConstraints", + "commonExtensionValue": "CA:TRUE, pathlen:2" + }, + { + "commonExtensionName": "keyUsage", + "commonExtensionValue": "Certificate Sign, CRL Sign, Digital Signature" + }, + { + "commonExtensionName": "extendedKeyUsage", + "commonExtensionValue": "TLS Web Server Authentication, TLS Web Client Authentication" + }, + { + "commonExtensionName": "subjectAlternativeName", + "commonExtensionValue": "DNS:internal-ca.example.com, DNS:ca.internal.example.com, IP:192.168.1.100" + }, + { + "commonExtensionName": "authorityKeyIdentifier", + "commonExtensionValue": "keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" + }, + { + "commonExtensionName": "subjectKeyIdentifier", + "commonExtensionValue": "A1:B2:C3:D4:E5:F6:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14" + }, + { + "commonExtensionName": "crlDistributionPoints", + "commonExtensionValue": "URI:http://crl.example.com/root-ca.crl" + }, + { + "commonExtensionName": "authorityInformationAccess", + "commonExtensionValue": "OCSP - URI:http://ocsp.example.com, CA Issuers - URI:http://certs.example.com/root-ca.crt" + }, + { + "commonExtensionName": "certificatePolicies", + "commonExtensionValue": "Policy: 1.2.3.4.5.6.7.8.1, CPS: http://www.example.com/cps" + }, + { + "customExtensionName": "organizationalSecurityLevel", + "customExtensionValue": "HIGH" + }, + { + "customExtensionName": "incidentTrackingId", + "customExtensionValue": "SEC-2024-001" + }, + { + "customExtensionName": "complianceFramework", + "customExtensionValue": "SOX, PCI-DSS Level 1, ISO 27001" + } + ], + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8" + }, + { + "type": "publicKey", + "ref": "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408" + } + ] + }, + "oid": "2.5.4.3" + } + }, + { + "name": "active-server.example.com", + "type": "cryptographic-asset", + "bom-ref": "4497B977-4D07-4245-9457-C2CF37FF399A", + "cryptoProperties": { + "assetType": "certificate", + "certificateProperties": { + "serialNumber": "1122334455667788AABBCCDD", + "subjectName": "CN = server.example.com, OU = Web Services, O = Example Corp, C = US", + "issuerName": "CN = Example Intermediate CA, O = Example Corp, C = US", + "notValidBefore": "2024-01-01T00:00:00Z", + "notValidAfter": "2025-01-01T23:59:59Z", + "certificateFormat": "X.509", + "certificateFileExtension": "crt", + "fingerprint": { + "alg": "SHA-256", + "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + }, + "certificateState": [ + { + "name": "monitored", + "description": "Certificate is under enhanced monitoring due to recent security incidents", + "reason": "Proactive monitoring following organizational security policy updates" + } + ], + "creationDate": "2023-12-20T09:00:00Z", + "activationDate": "2024-01-01T00:00:00Z", + "certificateExtensions": [ + { + "commonExtensionName": "keyUsage", + "commonExtensionValue": "Digital Signature, Key Encipherment" + }, + { + "commonExtensionName": "extendedKeyUsage", + "commonExtensionValue": "TLS Web Server Authentication" + }, + { + "commonExtensionName": "subjectAlternativeName", + "commonExtensionValue": "DNS:server.example.com, DNS:www.server.example.com, DNS:api.server.example.com" + }, + { + "commonExtensionName": "signedCertificateTimestamp", + "commonExtensionValue": "Log ID: ABCD1234..., Timestamp: 2024-01-01T00:00:00Z, Signature: 3045022100..." + }, + { + "customExtensionName": "deploymentEnvironment", + "customExtensionValue": "PRODUCTION" + }, + { + "customExtensionName": "businessCriticality", + "customExtensionValue": "CRITICAL" + }, + { + "customExtensionName": "autoRenewalEnabled", + "customExtensionValue": "true" + } + ], + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "14478B86-9306-45B5-BA2A-1660B723244C" + }, + { + "type": "publicKey", + "ref": "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D" + } + ] + }, + "oid": "2.5.4.3" + } + }, + { + "name": "RSA-SHA256", + "type": "cryptographic-asset", + "bom-ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "signature", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "padding": "pkcs1v15", + "cryptoFunctions": ["sign", "verify"] + }, + "oid": "1.2.840.113549.1.1.11" + } + }, + { + "name": "ECDSA-P256", + "type": "cryptographic-asset", + "bom-ref": "14478B86-9306-45B5-BA2A-1660B723244C", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "signature", + "curve": "secp256r1", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": ["fips140-3-l1"], + "cryptoFunctions": ["sign", "verify"] + }, + "oid": "1.2.840.10045.4.3.2" + } + }, + { + "name": "RSA-4096-Revoked-CA-Key", + "type": "cryptographic-asset", + "bom-ref": "ACCAF8BC-5F73-4869-A3FE-1C64E8D96408", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "public-key", + "id": "revoked-ca-key-2024", + "state": "compromised", + "size": 4096, + "format": "PEM", + "value": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA...\n-----END PUBLIC KEY-----", + "creationDate": "2022-12-15T10:00:00Z", + "activationDate": "2023-01-01T00:00:00Z", + "updateDate": "2024-01-10T15:45:30Z", + "securedBy": { + "mechanism": "HSM", + "algorithmRef": "aes-256-gcm-ref" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + }, + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "2A0DA4D2-BBCA-4515-9BCD-C870A3EA4CE8" + } + ] + }, + "oid": "1.2.840.113549.1.1.1" + } + }, + { + "name": "ECDSA-P256-Server-Key", + "type": "cryptographic-asset", + "bom-ref": "F1F3D902-0A1B-4C0C-9F6A-F36E041B0B7D", + "cryptoProperties": { + "assetType": "related-crypto-material", + "relatedCryptoMaterialProperties": { + "type": "public-key", + "id": "server-key-2024", + "state": "active", + "size": 256, + "format": "PEM", + "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...\n-----END PUBLIC KEY-----", + "creationDate": "2023-12-20T09:00:00Z", + "activationDate": "2024-01-01T00:00:00Z", + "expirationDate": "2025-01-01T23:59:59Z", + "securedBy": { + "mechanism": "HSM", + "algorithmRef": "aes-256-gcm-ref" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0123456" + }, + "relatedCryptographicAssets": [ + { + "type": "algorithm", + "ref": "14478B86-9306-45B5-BA2A-1660B723244C" + } + ] + }, + "oid": "1.2.840.10045.2.1" + } + } + ] +} diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json index adf03047..546691f5 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.json @@ -12,17 +12,19 @@ "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { - "primitive": "ae", + "primitive": "key-agree", + "algorithmFamily": "ECDH", "parameterSetIdentifier": "128", - "curve": "brainpoolP160r1", + "curve": "brainpool/brainpoolP160r1", + "ellipticCurve": "brainpool/brainpoolP160r1", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", - "certificationLevel": [ "fips140-1-l4" ], + "certificationLevel": [ "fips140-3-l4" ], "mode": "gcm", "padding": "pkcs5", - "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], - "classicalSecurityLevel": 128, - "nistQuantumSecurityLevel": 1 + "cryptoFunctions": ["keygen", "keyderive"], + "classicalSecurityLevel": 96, + "nistQuantumSecurityLevel": 0 }, "oid": "oid:1.2.3.4.5.6.7.8.9" } @@ -30,26 +32,124 @@ { "type": "cryptographic-asset", "bom-ref": "asset-2", - "name": "Name here", + "name": "Example Certificate with All Properties", "cryptoProperties": { "assetType": "certificate", "certificateProperties": { - "subjectName": "Subject name here", - "issuerName": "Issuer name here", + "serialNumber": "0B:35:82:6D:F5:7A:02:0A:0A:21:8F:BD:F3:91:43:C3", + "subjectName": "CN=example.com, O=Example Corp, C=US", + "issuerName": "CN=Example CA, O=Example Trust Services, C=US", "notValidBefore": "2022-01-01T00:00:00.000Z", "notValidAfter": "2024-01-01T00:00:00.000Z", "signatureAlgorithmRef": "bom-ref-to-algorithm", "subjectPublicKeyRef": "bom-ref-to-public-key", "certificateFormat": "X.509", - "certificateExtension": "crt" + "certificateExtension": "crt", + "certificateFileExtension": "crt", + "fingerprint": { + "alg": "SHA-256", + "content": "3942447fac867ae5cdb3229b658f4d48" + }, + "certificateState": [ + { + "state": "pre-activation", + "reason": "Certificate created but not yet active" + }, + { + "state": "active", + "reason": "Certificate in active use for TLS connections" + }, + { + "state": "suspended", + "reason": "Temporary suspension due to security audit" + }, + { + "state": "deactivated", + "reason": "Replaced by new certificate" + }, + { + "state": "revoked", + "reason": "Private key compromise suspected" + }, + { + "state": "destroyed", + "reason": "Certificate and associated keys securely destroyed" + } + ], + "creationDate": "2022-01-01T00:00:00.000Z", + "activationDate": "2022-01-02T00:00:00.000Z", + "deactivationDate": "2023-12-31T23:59:59.000Z", + "revocationDate": "2024-01-01T00:00:00.000Z", + "destructionDate": "2024-01-02T00:00:00.000Z", + "certificateExtensions": [ + { + "commonExtensionName": "basicConstraints", + "commonExtensionValue": "CA:FALSE, pathlen:0" + }, + { + "commonExtensionName": "keyUsage", + "commonExtensionValue": "digitalSignature, keyEncipherment" + }, + { + "commonExtensionName": "extendedKeyUsage", + "commonExtensionValue": "serverAuth, clientAuth" + }, + { + "commonExtensionName": "subjectAlternativeName", + "commonExtensionValue": "DNS:example.com, DNS:www.example.com" + }, + { + "commonExtensionName": "authorityKeyIdentifier", + "commonExtensionValue": "keyid:12:34:56:78:90:AB:CD:EF" + }, + { + "commonExtensionName": "subjectKeyIdentifier", + "commonExtensionValue": "AA:BB:CC:DD:EE:FF:00:11" + }, + { + "commonExtensionName": "authorityInformationAccess", + "commonExtensionValue": "OCSP - URI:http://ocsp.example.com" + }, + { + "commonExtensionName": "certificatePolicies", + "commonExtensionValue": "Policy: 2.23.140.1.2.1" + }, + { + "commonExtensionName": "crlDistributionPoints", + "commonExtensionValue": "URI:http://crl.example.com/root.crl" + }, + { + "commonExtensionName": "signedCertificateTimestamp", + "commonExtensionValue": "Signed by Example CT log at 2022-01-01T00:00:00Z" + }, + { + "customExtensionName": "someCustomExtension", + "customExtensionValue": "Custom value for this extension" + } + + ], + "relatedCryptographicAssets": [ + { + "type": "publicKey", + "ref": "public-key-ref" + }, + { + "type": "privateKey", + "ref": "private-key-ref" + }, + { + "type": "algorithm", + "ref": "signing-algorithm-ref" + } + ] }, - "oid": "oid:1.2.3.4.5.6.7.8.9" + "oid": "oid:2.5.4.3" } }, { "type": "cryptographic-asset", "bom-ref": "asset-3", - "name": "Name here", + "name": "Example Protocol with All Properties", "cryptoProperties": { "assetType": "protocol", "protocolProperties": { @@ -57,43 +157,134 @@ "version": "1.3", "cipherSuites": [ { - "name": "TLS_DHE_RSA_WITH_AES_128_CCM", + "name": "TLS_AES_128_GCM_SHA256", "algorithms": [ - "bom-ref-to-algorithm" + "aes-128-gcm-ref", + "sha256-ref" ], "identifiers": [ - "0xC0" + "0x1301" + ], + "tlsGroups": [ + "x25519", + "secp256r1", + "secp384r1", + "secp521r1", + "ffdhe2048", + "ffdhe3072" + ], + "tlsSignatureSchemes": [ + "ecdsa_secp256r1_sha256", + "ecdsa_secp384r1_sha384", + "ecdsa_secp521r1_sha512", + "rsa_pss_rsae_sha256", + "rsa_pss_rsae_sha384", + "rsa_pss_rsae_sha512", + "ed25519", + "ed448" + ] + }, + { + "name": "TLS_AES_256_GCM_SHA384", + "algorithms": [ + "aes-256-gcm-ref", + "sha384-ref" + ], + "identifiers": [ + "0x1302" + ] + }, + { + "name": "TLS_CHACHA20_POLY1305_SHA256", + "algorithms": [ + "chacha20-poly1305-ref", + "sha256-ref" + ], + "identifiers": [ + "0x1303" ] } - ] + ], + "ikev2TransformTypes": { + "encr": [ + { + "name": "AES-128-GCM", + "keyLength": 128, + "algorithm": "aes-128-gcm-ref" + } + ], + "prf": [ + { + "name": "SHA-256", + "algorithm": "sha256-ref" + } + ], + "integ": [ + { + "name": "SHA-256", + "algorithm": "sha256-ref" + } + ], + "ke": [ + { + "group": 14, + "algorithm": "diffie-hellman-group14-sha256-ref" + } + ], + "esn": true, + "auth": [ + { + "name": "ECDSA", + "algorithm": "ecdsa_secp256r1_sha256" + } + ] + } }, - "oid": "oid:1.2.3.4.5.6.7.8.9" + "oid": "oid:1.3.6.1.5.5.7.3.1" } }, { "type": "cryptographic-asset", "bom-ref": "asset-4", - "name": "Name here", + "name": "Example Related Crypto Material with All Properties", "cryptoProperties": { "assetType": "related-crypto-material", "relatedCryptoMaterialProperties": { - "type": "private-key", - "id": "12345", + "type": "public-key", + "id": "key-12345-67890", "state": "active", - "algorithmRef": "bom-ref-to-algorithm", + "algorithmRef": "rsa-4096-ref", "creationDate": "2024-01-01T00:00:00.000Z", "activationDate": "2024-01-02T00:00:00.000Z", "updateDate": "2024-01-03T00:00:00.000Z", - "expirationDate": "2024-01-04T00:00:00.000Z", - "value": "Value here", - "size": 1024, - "format": "PEM", + "expirationDate": "2026-01-01T00:00:00.000Z", + "value": "-----BEGIN PUBLIC KEY-----", + "size": 4096, + "format": "PKCS#8", "securedBy": { "mechanism": "HSM", - "algorithmRef": "bom-ref-to-algorithm" - } + "algorithmRef": "aes-256-gcm-ref" + }, + "fingerprint": { + "alg": "SHA-256", + "content": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + }, + "relatedCryptographicAssets": [ + { + "type": "publicKey", + "ref": "corresponding-public-key-ref" + }, + { + "type": "certificate", + "ref": "certificate-using-this-key-ref" + }, + { + "type": "algorithm", + "ref": "rsa-4096-ref" + } + ] }, - "oid": "oid:1.2.3.4.5.6.7.8.9" + "oid": "oid:1.2.840.113549.1.1.1" } } ] diff --git a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json index d2499425..cf58acdb 100644 --- a/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json +++ b/tools/src/test/resources/1.7/valid-cryptography-implementation-1.7.json @@ -1,60 +1,114 @@ { - "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.7", - "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2", "version": 1, "metadata": { + "timestamp": "2025-07-09T12:00:00Z", "component": { "type": "application", - "bom-ref": "acme-application", - "name": "Acme Application", + "name": "my application", "version": "1.0" } }, "components": [ { "type": "cryptographic-asset", - "bom-ref": "aes128gcm", - "name": "AES", + "name": "AES-128-GCM-128-12", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { + "algorithmFamily": "AES", "primitive": "ae", "parameterSetIdentifier": "128", + "mode": "gcm", "executionEnvironment": "software-plain-ram", "implementationPlatform": "x86_64", "certificationLevel": [ "none" ], - "mode": "gcm", - "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"], + "cryptoFunctions": [ "keygen", "encrypt", "decrypt", "tag" ], "classicalSecurityLevel": 128, "nistQuantumSecurityLevel": 1 }, - "oid": "oid:2.16.840.1.101.3.4.1.7" + "oid": "2.16.840.1.101.3.4.1.6" + } + }, + { + "name": "RSA-PKCS1-1.5-SHA512-2048", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "RSASSA-PKCS1", + "primitive": "signature", + "parameterSetIdentifier": "512", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "cryptoFunctions": [ "sign", "verify" ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.2.840.113549.1.1.13" } }, { - "type": "library", - "bom-ref": "crypto-library", - "name": "Crypto library", - "version": "1.0.0" + "name": "ECDH-secp521r1", + "bom-ref": "ecdhsecp521r1", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "ECDH", + "ellipticCurve": "secg/secp521r1", + "primitive": "key-agree", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "cryptoFunctions": [ "keygen", "keyderive" ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.3.132.0.35" + } }, { - "type": "library", - "bom-ref": "some-library", - "name": "Some library", - "version": "1.0.0" + "name": "ML-KEM-1024", + "bom-ref": "mlkem1024", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "algorithmFamily": "ML-KEM", + "primitive": "kem", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "cryptoFunctions": [ "keygen", "keyderive" ], + "nistQuantumSecurityLevel": 5 + }, + "oid": "2.16.840.1.101.3.4.1.48" + } + }, + { + "name": "draft-ietf-tls-hybrid-design-13", + "bom-ref": "draftietftlshybriddesign13", + "type": "cryptographic-asset", + "cryptoProperties": { + "assetType": "algorithm", + "algorithmProperties": { + "primitive": "combiner", + "executionEnvironment": "software-plain-ram", + "implementationPlatform": "x86_64", + "certificationLevel": [ "none" ], + "cryptoFunctions": [ "keygen", "keyderive" ], + "nistQuantumSecurityLevel": 0 + }, + "oid": "1.3.101.110" + } } ], "dependencies": [ { - "ref": "acme-application", - "dependsOn": ["crypto-library"] - }, - { - "ref": "crypto-library", - "provides": ["aes128gcm"], - "dependsOn": ["some-library"] + "ref": "draftietftlshybriddesign13", + "dependsOn": ["mlkem1024", "ecdhsecp521r1"] } ] }