From 2a8c082428a2892386b1e417b78cc896233a0c41 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Tue, 2 Sep 2025 11:24:58 +0200
Subject: [PATCH 1/2] [1.7] - Updates from CBOM working group - remove any BREAKING CHANGES
Signed-off-by: Jan Kowalleck
---
 schema/bom-1.7.proto | 102 +++++++++++-------
 tools/src/test/proto/test.sh | 2 +-
 .../1.7/valid-cryptography-full-1.7.textproto | 2 +-
 3 files changed, 64 insertions(+), 42 deletions(-)
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 8d21b3dc..e5998ee1 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -2223,7 +2223,7 @@ message CryptoProperties {
 // Certificate State
 message CertificateState {
-
+
 // Pre-defined certificate states
 enum PredefinedState {
 // ProtoBuff's default value
@@ -2488,50 +2488,68 @@ message CryptoProperties {
 repeated string tlsSignatureSchemes = 5;
 }
- // Encryption Algorithm (ENCR)
- message IkeV2Enc {
- // A name for the encryption method
- optional string name = 1;
- // The key length of the encryption algorithm
- optional int32 keyLength = 2;
- // The bom-ref to algorithm cryptographic asset
- optional string algorithm = 3;
- }
- // Pseudorandom Function (PRF)
- message IkeV2Prf {
- // A name for the pseudorandom function
- optional string name = 1;
- // The bom-ref to algorithm cryptographic asset
- optional string algorithm = 2;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version.
+ // IKEv2 Transform Types
+ message Ikev2TransformTypes {
+ // Transform Type 1: encryption algorithms
+ repeated string encr = 1;
+ // Transform Type 2: pseudorandom functions
+ repeated string prf = 2;
+ // Transform Type 3: integrity algorithms
+ repeated string integ = 3;
+ // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
+ repeated string ke = 4;
+ // Specifies if an Extended Sequence Number (ESN) is used.
+ optional bool esn = 5;
+ // IKEv2 Authentication method
+ repeated string auth = 6;
 }
- // Integrity Algorithm (INTEG)
- message IkeV2Integ {
- // A name for the integrity algorithm
- optional string name = 1;
- // The bom-ref to algorithm cryptographic asset
- optional string algorithm = 2;
- }
+ // IKEv2 Transform Types Detailed
+ message Ikev2TransformTypesDetailed {
+ // Encryption Algorithm (ENCR)
+ message IkeV2Enc {
+ // A name for the encryption method
+ optional string name = 1;
+ // The key length of the encryption algorithm
+ optional int32 keyLength = 2;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 3;
+ }
- // Key Exchange Method (KE)
- message IkeV2Ke {
- // A group identifier for the key exchange algorithm
- optional int32 group = 1;
- // The bom-ref to algorithm cryptographic asset
- optional string algorithm = 2;
- }
+ // Pseudorandom Function (PRF)
+ message IkeV2Prf {
+ // A name for the pseudorandom function
+ optional string name = 1;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 2;
+ }
- // IKEv2 Authentication method
- message IkeV2Auth {
- // A name for the authentication method
- optional string name = 1;
- // The bom-ref to algorithm cryptographic asset
- optional string algorithm = 2;
- }
+ // Integrity Algorithm (INTEG)
+ message IkeV2Integ {
+ // A name for the integrity algorithm
+ optional string name = 1;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 2;
+ }
+
+ // Key Exchange Method (KE)
+ message IkeV2Ke {
+ // A group identifier for the key exchange algorithm
+ optional int32 group = 1;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 2;
+ }
+
+ // IKEv2 Authentication method
+ message IkeV2Auth {
+ // A name for the authentication method
+ optional string name = 1;
+ // The bom-ref to algorithm cryptographic asset
+ optional string algorithm = 2;
+ }
- // IKEv2 Transform Types
- message Ikev2TransformTypes {
 // Transform Type 1: encryption algorithms
 repeated IkeV2Enc encr = 1;
 // Transform Type 2: pseudorandom functions
@@ -2552,8 +2570,12 @@ message CryptoProperties {
 optional string version = 2;
 // A list of cipher suites related to the protocol.
 repeated CryptoProtocolCipherSuite cipherSuites = 3;
+ // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.ikev2TransformTypesDetailed` Instead.
+ // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
+ optional Ikev2TransformTypes ikev2TransformTypes = 4 [deprecated = true];
 // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
- optional Ikev2TransformTypes ikev2TransformTypes = 4;
+ // If this field is present, the deprecated field `.ikev2TransformTypes` MUST be ignored.
+ optional Ikev2TransformTypesDetailed ikev2TransformTypesDetailed = 7;
 // The bom-ref(s) to protocol-related cryptographic assets
 repeated string cryptoRef = 5;
 // A list of cryptographic assets related to this component.
diff --git a/tools/src/test/proto/test.sh b/tools/src/test/proto/test.sh
index 1d0da89c..779a7a5c 100755
--- a/tools/src/test/proto/test.sh
+++ b/tools/src/test/proto/test.sh
@@ -54,7 +54,7 @@ function schema-breaking-version () {
 NEW_NP="$(mktemp)"
 OLD_NP="$(mktemp)"
-
- # remove package identifier -> so that the comparisson works as expected
+ # remove package identifier -> so that the comparison works as expected
 sed 's/^package .*//' "${ROOT_PATH}/${SCHEMA_DIR}/${NEW}" > "$NEW_NP"
 sed 's/^package .*//' "${ROOT_PATH}/${SCHEMA_DIR}/${OLD}" > "$OLD_NP"
diff --git a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto
index 9620c974..9ec7264d 100644
--- a/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto
+++ b/tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto
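Review bot: The re-introduced `Ikev2TransformTypes` message is marked deprecated only in its leading comment, so nothing in the descriptor tells generated code or schema tooling that the type itself is retired, even though the field referencing it carries `[deprecated = true]` in the following hunk; add `option deprecated = true;` as the first statement inside `message Ikev2TransformTypes {` so both sides agree. The `keyLength` field of the nested `IkeV2Enc` message states no unit; the textproto fixture in this same commit uses `keyLength: 128` for AES-128-GCM, which suggests bits, so if that is the intent the comment should read `// The key length of the encryption algorithm, in bits`. The enclosing message of these definitions starts outside the hunk.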
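Review bot: The comment on the new `ikev2TransformTypesDetailed` field binds consumers only; a producer that sets field 7 and leaves the deprecated field 4 empty is read by any consumer that predates this field as describing no IKEv2 transforms at all, which silently hides the protocol's algorithm inventory from older CBOM analysis tooling. Consider a producer-side rule beside the MUST, e.g. `// Producers SHOULD also populate the deprecated field ikev2TransformTypes with equivalent values until it is removed.` The number jumps from 4 to 7 while 5 is visible in context; presumably 6 belongs to the field whose comment ends the hunk, but that line is outside the visible hunk, so confirm 7 is not already used or reserved in this message. The enclosing message starts outside the hunk.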
@@ -207,7 +207,7 @@ components {
 algorithms: "sha256-ref"
 identifiers: "0x1303"
 }
- ikev2TransformTypes {
+ ikev2TransformTypesDetailed {
 encr {
 name: "AES-128-GCM"
 keyLength: 128
From ed35e782bd7e0fd743535e92ee512b7b08c1bba3 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Tue, 2 Sep 2025 11:41:30 +0200
Subject: [PATCH 2/2] simplified nested message names of `Ikev2TransformTypesDetailed`
Signed-off-by: Jan Kowalleck
---
 schema/bom-1.7.proto | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index e5998ee1..2cdd01da 100644
--- a/schema/bom-1.7.proto
+++ b/schema/bom-1.7.proto
@@ -2508,8 +2508,8 @@ message CryptoProperties {
 // IKEv2 Transform Types Detailed
 message Ikev2TransformTypesDetailed {
- // Encryption Algorithm (ENCR)
- message IkeV2Enc {
+ // IKEv2 Encryption Algorithm (ENCR)
+ message Encr {
 // A name for the encryption method
 optional string name = 1;
 // The key length of the encryption algorithm
@@ -2518,24 +2518,24 @@ message CryptoProperties {
 optional string algorithm = 3;
 }
- // Pseudorandom Function (PRF)
- message IkeV2Prf {
+ // IKEv2 Pseudorandom Function (PRF)
+ message Prf {
 // A name for the pseudorandom function
 optional string name = 1;
 // The bom-ref to algorithm cryptographic asset
 optional string algorithm = 2;
 }
- // Integrity Algorithm (INTEG)
- message IkeV2Integ {
+ // IKEv2 Integrity Algorithm (INTEG)
+ message Integ {
 // A name for the integrity algorithm
 optional string name = 1;
 // The bom-ref to algorithm cryptographic asset
 optional string algorithm = 2;
 }
- // Key Exchange Method (KE)
- message IkeV2Ke {
+ // IKEv2 Key Exchange Method (KE)
+ message Ke {
 // A group identifier for the key exchange algorithm
 optional int32 group = 1;
 // The bom-ref to algorithm cryptographic asset
@@ -2543,7 +2543,7 @@ message CryptoProperties {
 }
 // IKEv2 Authentication method
- message IkeV2Auth {
+ message Auth {
 // A name for the authentication method
 optional string name = 1;
 // The bom-ref to algorithm cryptographic asset
@@ -2551,17 +2551,17 @@ message CryptoProperties {
 }
 // Transform Type 1: encryption algorithms
- repeated IkeV2Enc encr = 1;
+ repeated Encr encr = 1;
 // Transform Type 2: pseudorandom functions
- repeated IkeV2Prf prf = 2;
+ repeated Prf prf = 2;
 // Transform Type 3: integrity algorithms
- repeated IkeV2Integ integ = 3;
+ repeated Integ integ = 3;
 // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
- repeated IkeV2Ke ke = 4;
+ repeated Ke ke = 4;
 // Specifies if an Extended Sequence Number (ESN) is used.
 optional bool esn = 5;
 // IKEv2 Authentication method
- repeated IkeV2Auth auth = 6;
+ repeated Auth auth = 6;
 }
 // The concrete protocol type.