Skip to content

[WIP ] v1.7 - Cryptography WG #615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 19 commits into from
+1,227 −31
Closed

[WIP ] v1.7 - Cryptography WG #615

Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
1656690
add certificate extensions, rename certificateExtensions to certifica…
n1ckl0sk0rtge Mar 20, 2025
76745f2
Initial checkin of algorithm family support.
stevespringett Mar 22, 2025
02d4ff0
Extending the ikev2TransformTypes property
bhess Mar 27, 2025
4bee78c
Merge pull request #1 from bhess/1.7-dev-cryptography
n1ckl0sk0rtge Mar 27, 2025
dd16654
Revert "Extending the ikev2TransformTypes property"
bhess Mar 27, 2025
3b61bcd
Extending the ikev2TransformTypes property (1.7)
bhess Mar 27, 2025
cb7f83e
Merge pull request #2 from bhess/1.7-dev-cryptography
n1ckl0sk0rtge Mar 27, 2025
b90d54e
IKE: individual algorithms instead of arrays
GeroDittmann Mar 31, 2025
5b8fff6
Update cryptography-defs.json
bhess Apr 10, 2025
391aec5
Merge branch '1.7-dev' into 1.7-dev-cryptography
jkowalleck Apr 14, 2025
7c731a5
Merge branch '1.7-dev-cryptography' into patch-1
jkowalleck Apr 14, 2025
643fca9
Add more algorithms, used by SSLv3, TLS1.0-1.3
bhess Apr 17, 2025
761903f
Update cryptography-defs.json (#622)
stevespringett Apr 17, 2025
723c957
Merge pull request #3 from GeroDittmann/ike-no-arrays
n1ckl0sk0rtge Apr 17, 2025
9f243b0
Revise variants structure
bhess May 9, 2025
d376ff5
- Extends cryptography-defs list by Algorithms from PKCS11
bhess May 14, 2025
b05ba4d
Add missing closing bracket
bhess May 14, 2025
4e9ef89
Extends cryptography-defs.json (#644)
stevespringett May 14, 2025
49abb61
Merge branch 'CycloneDX:1.7-dev-cryptography' into 1.7-dev-cryptography
n1ckl0sk0rtge May 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
430 changes: 399 additions & 31 deletions schema/bom-1.7.schema.json
View file
Original file line number Diff line number Diff line change
@@ -5093,6 +5093,7 @@
"kem",
"ae",
"combiner",
"key-wrap",
"other",
"unknown"
],
@@ -5110,6 +5111,7 @@
"kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.",
"ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.",
"combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.",
"key-wrap": "Key-wrap is a cryptographic technique used to securely encrypt and protect cryptographic keys using algorithms like AES.",
"other": "Another primitive type.",
"unknown": "The primitive is not known."
}
@@ -5317,7 +5319,7 @@
},
"nistQuantumSecurityLevel": {
"type": "integer",
"title": "NIST security strength category",
"title": "NIST security strength category.",
"description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.",
"minimum": 0,
"maximum": 6
@@ -5327,64 +5329,269 @@
"certificateProperties": {
"type": "object",
"title": "Certificate Properties",
"description": "Properties for cryptographic assets of asset type 'certificate'",
"description": "Properties for cryptographic assets of asset type 'certificate'.",
"additionalProperties": false,
"properties": {
"serialNumber": {
"type": "string",
"title": "Serial Number",
"description": "The serial number is a unique identifier for the certificate issued by a CA." // TODO: add pattern to validate serial number input - is that the same pattern for the all certificate types?
},
"subjectName": {
"type": "string",
"title": "Subject Name",
"description": "The subject name for the certificate"
"description": "The subject name for the certificate."
},
"issuerName": {
"type": "string",
"title": "Issuer Name",
"description": "The issuer name for the certificate"
"description": "The issuer name for the certificate."
},
"notValidBefore": {
"type": "string",
"format": "date-time",
"title": "Not Valid Before",
"description": "The date and time according to ISO-8601 standard from which the certificate is valid"
"description": "The date and time according to ISO-8601 standard from which the certificate is valid."
},
"notValidAfter": {
"type": "string",
"format": "date-time",
"title": "Not Valid After",
"description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore"
"description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore."
},
"signatureAlgorithmRef": {
"deprecated": true,
"$ref": "#/definitions/refType",
"title": "Algorithm Reference",
"description": "The bom-ref to signature algorithm used by the certificate"
"description": "[Deprecated] The bom-ref to signature algorithm used by the certificate."
},
"subjectPublicKeyRef": {
"deprecated": true,
"$ref": "#/definitions/refType",
"title": "Key reference",
"description": "The bom-ref to the public key of the subject"
"description": "[Deprecated] The bom-ref to the public key of the subject."
},
"certificateFormat": {
"type": "string",
"title": "Certificate Format",
"description": "The format of the certificate",
"description": "The format of the certificate.",
"examples": [
"X.509",
"PEM",
"DER",
"CVC"
]
},
"certificateExtension": {
"deprecated": true,
"type": "string",
"title": "Certificate File Extension",
"description": "The file extension of the certificate",
"description": "[Deprecated] The file extension of the certificate.",
"examples": [
"crt",
"pem",
"cer",
"der",
"p12"
]
}
},
"certificateFileExtension": {
"type": "string",
"title": "Certificate File Extension",
"description": "The file extension of the certificate.",
"examples": [
"crt",
"pem",
"cer",
"der",
"p12"
]
},
"fingerprint": {
"type": "object",
"$ref": "#/definitions/hash",
"title": "Certificate Fingerprint",
"description": "The fingerprint is a cryptographic hash of the certificate excluding it's signature."
},
"certificateState": {
"type": "array",
"title": "Certificate Lifecycle State",
"description": "The certificate lifecycle is a comprehensive process that manages digital certificates from their initial creation to eventual expiration or revocation. It typically involves several stages",
"items": {
"type": "object",
"title": "State",
"description": "The state of the certificate.",
"oneOf": [
{
"title": "Pre-Defined State",
"required": [
"state"
],
"additionalProperties": false,
"properties": {
"state": {
"type": "string",
"title": "State",
"description": "A pre-defined state in the certificate lifecycle.",
"enum": [
"pre-activation",
"active",
"suspended",
"deactivated",
"revoked",
"destroyed"
],
"meta:enum": {
"pre-activation": "The certificate has been issued by the issuing certificate authority (CA) but has not been authorized for use.",
"active": "The certificate may be used to cryptographically protect information, cryptographically process previously protected information, or both.",
"deactivated": "Certificates in the deactivated state shall not be used to apply cryptographic protection but, in some cases, may be used to process cryptographically protected information.",
"suspended": "The use of a certifacte may be suspended for several possible reasons.",
"revoked": "A revoked certificate is a digital certificate that has been invalidated by the issuing certificate authority (CA) before its scheduled expiration date.",
"destroyed": "The certificate has been destroyed."
},
},
"reason": {
"type": "string",
"title": "Reason",
"description": "A reason for the certificate being in this state."
}
}
},
{
"title": "Custom State",
"required": [
"name"
],
"additionalProperties": false,
"properties": {
"state": {
"type": "string",
"title": "State",
"description": "The name of the certificate lifecycle state."
},
"description": {
"type": "string",
"title": "Description",
"description": "The description of the certificate lifecycle state."
},
"reason": {
"type": "string",
"title": "Reason",
"description": "A reason for the certificate being in this state."
}
}
}
],
}
},
"creationDate": {
"type": "string",
"format": "date-time",
"title": "Creation Date",
"description": "The date and time (timestamp) when the certificate was created or pre-activated."
},
"activationDate": {
"type": "string",
"format": "date-time",
"title": "Activation Date",
"description": "The date and time (timestamp) when the certificate was activated."
},
"deactivationDate": {
"type": "string",
"format": "date-time",
"title": "Deactivation Date",
"description": "The date and time (timestamp) when the related certificate was deactiviated."
},
"revokationDate": {
"type": "string",
"format": "date-time",
"title": "Revokation Date",
"description": "The date and time (timestamp) when the certificate was revoked."
},
"destructionDate": {
"type": "string",
"format": "date-time",
"title": "Destruction Date",
"description": "The date and time (timestamp) when the certificate was destroyed."
},
"certificateExtensions": {
"type": "array",
"title": "Certificate Extensions",
"description": "",
"items": {
"type": "object",
"title": "Extension",
"description": "",
"oneOf": [
{
"title": "Common Extensions",
"required": [
"name",
"value"
],
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "name",
"description": "The name of the extention.",
"enum": [
"basicConstraints",
"keyUsage",
"extendedKeyUsage",
"subjectAlternativeName",
"authorityKeyIdentifier",
"subjectKeyIdentifier",
"authorityInformationAccess",
"certificatePolicies",
"crlDistributionPoints",
"signedCertificateTimestamp"
],
"meta:enum": {
"basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.",
"keyUsage": "Specifies the allowed uses of the public key in the certificate.",
"extendedKeyUsage": "Specifies additional purposes for which the public key can be used.",
"subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.",
"authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.",
"subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.",
"authorityInformationAccess": "Contains CA issuers and OCSP information.",
"certificatePolicies": "Defines the policies under which the certificate was issued and can be used.",
"crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.",
"signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof.",
},
},
"value": {
"type": "string",
"title": "Value",
"description": "The value of the certificate extension."
}
}
},
{
"title": "Custom Extensions",
"required": [
"name"
],
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "Name",
"description": "The name for the custom certificate extension."
},
"value": {
"type": "string",
"title": "Value",
"description": "The description of the custom certificate extension."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"description": "The description of the custom certificate extension."
"description": "The value of the custom certificate extension."

#543 (comment)

}
}
}
],
}
},
"relatedCryptographicAssets": {
"$ref": "#/definitions/relatedCryptographicAssets",
"title": "Related Cryptographic Assets",
"description": "A list of cryptographic assets related to this component.",
},
}
},
"relatedCryptoMaterialProperties": {
@@ -5445,6 +5652,7 @@
"title": "ID",
"description": "The optional unique identifier for the related cryptographic material."
},
// TODO: Should we allow adding custom states here too?
"state": {
"type": "string",
"title": "State",
@@ -5459,9 +5667,10 @@
]
},
"algorithmRef": {
"deprecated": true,
"$ref": "#/definitions/refType",
"title": "Algorithm Reference",
"description": "The bom-ref to the algorithm used to generate the related cryptographic material."
"description": "[Deprecated] The bom-ref to the algorithm used to generate the related cryptographic material. Use relatedCryptographicAssets instead."
},
"creationDate": {
"type": "string",
@@ -5506,7 +5715,18 @@
"$ref": "#/definitions/securedBy",
"title": "Secured By",
"description": "The mechanism by which the cryptographic asset is secured by."
}
},
"fingerprint": {
"type": "object",
"$ref": "#/definitions/hash",
"title": "Fingerprint",
"description": "The fingerprint is a cryptographic hash of the asset."
},
"relatedCryptographicAssets": {
"$ref": "#/definitions/relatedCryptographicAssets",
"title": "Related Cryptographic Assets",
"description": "A list of cryptographic assets related to this component.",
},
}
},
"protocolProperties": {
@@ -5566,42 +5786,53 @@
"additionalProperties": false,
"properties": {
"encr": {
"$ref": "#/definitions/cryptoRefArray",
"title": "Encryption Algorithm (ENCR)",
"type": "array",
"$ref": "#/definitions/ikeV2Enc",
"title": "Encryption Algorithms (ENCR)",
"description": "Transform Type 1: encryption algorithms"
},
"prf": {
"$ref": "#/definitions/cryptoRefArray",
"title": "Pseudorandom Function (PRF)",
"type": "array",
"$ref": "#/definitions/ikeV2Prf",
"title": "Pseudorandom Functions (PRF)",
"description": "Transform Type 2: pseudorandom functions"
},
"integ": {
"$ref": "#/definitions/cryptoRefArray",
"title": "Integrity Algorithm (INTEG)",
"type": "array",
"$ref": "#/definitions/ikeV2Integ",
"title": "Integrity Algorithms (INTEG)",
"description": "Transform Type 3: integrity algorithms"
},
"ke": {
"$ref": "#/definitions/cryptoRefArray",
"title": "Key Exchange Method (KE)",
"type": "array",
"$ref": "#/definitions/ikeV2Ke",
"title": "Key Exchange Methods (KE)",
"description": "Transform Type 4: Key Exchange Method (KE) per [RFC 9370](https://www.ietf.org/rfc/rfc9370.html), formerly called Diffie-Hellman Group (D-H)."
},
"esn": {
"type": "boolean",
"title": "Extended Sequence Numbers (ESN)",
"title": "Extended Sequence Number (ESN)",
"description": "Specifies if an Extended Sequence Number (ESN) is used."
},
"auth": {
"$ref": "#/definitions/cryptoRefArray",
"title": "IKEv2 Authentication method",
"description": "IKEv2 Authentication method"
"type": "array",
"$ref": "#/definitions/ikeV2Auth",
"title": "IKEv2 Authentication methods",
"description": "IKEv2 Authentication method per [RFC9593](https://www.ietf.org/rfc/rfc9593.html)."
}
}
},
"cryptoRefArray": {
"deprecated": true,
"$ref": "#/definitions/cryptoRefArray",
"title": "Cryptographic References",
"description": "A list of protocol-related cryptographic assets"
}
"description": "[Deprecated] A list of protocol-related cryptographic assets. Use relatedCryptographicAssets instead."
},
"relatedCryptographicAssets": {
"$ref": "#/definitions/relatedCryptographicAssets",
"title": "Related Cryptographic Assets",
"description": "A list of cryptographic assets related to this component.",
},
}
},
"oid": {
@@ -5651,12 +5882,149 @@
}
}
},
"cryptoRefArray" : {
"ikeV2Enc": {
"type": "object",
"title": "Encryption Algorithm (ENCR)",
"description": "Object representing an encryption algorithm (ENCR)",
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "Name",
"description": "A name for the encryption method.",
"examples": [
"ENCR_AES_GCM_16"
]
},
"keyLength": {
"type": "integer",
"title": "Encryption algorithm key length",
"description": "The key length of the encryption algorithm."
},
"algorithm": {
"$ref": "#/definitions/refType",
"title": "Algorithm reference",
"description": "The bom-ref to algorithm cryptographic asset."
}
}
},
"ikeV2Prf": {
"type": "object",
"title": "Pseudorandom Function (PRF)",
"description": "Object representing a pseudorandom function (PRF)",
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "Name",
"description": "A name for the pseudorandom function.",
"examples": [
"PRF_HMAC_SHA2_256"
]
},
"algorithm": {
"$ref": "#/definitions/refType",
"title": "Algorithm reference",
"description": "The bom-ref to algorithm cryptographic asset."
}
}
},
"ikeV2Integ": {
"type": "object",
"title": "Integrity Algorithm (INTEG)",
"description": "Object representing an integrity algorithm (INTEG)",
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "Name",
"description": "A name for the integrity algorithm.",
"examples": [
"AUTH_HMAC_SHA2_256_128"
]
},
"algorithm": {
"$ref": "#/definitions/refType",
"title": "Algorithm reference",
"description": "The bom-ref to algorithm cryptographic asset."
}
}
},
"ikeV2Ke": {
"type": "object",
"title": "Key Exchange Method (KE)",
"description": "Object representing a key exchange method (KE)",
"additionalProperties": false,
"properties": {
"group": {
"type": "integer",
"title": "Group Identifier",
"description": "A group identifier for the key exchange algorithm."
},
"algorithm": {
"$ref": "#/definitions/refType",
"title": "Algorithm reference",
"description": "The bom-ref to algorithm cryptographic asset."
}
}
},
"ikeV2Auth": {
"type": "object",
"title": "IKEv2 Authentication method",
"description": "Object representing a IKEv2 Authentication method",
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "Name",
"description": "A name for the authentication method."
},
"algorithm": {
"$ref": "#/definitions/refType",
"title": "Algorithm reference",
"description": "The bom-ref to algorithm cryptographic asset."
}
}
},
"cryptoRefArray": {
"deprecated": true,
"type": "array",
"items": {
"$ref": "#/definitions/refType"
}
},
"relatedCryptographicAssets": {
"type": "array",
"title": "Related Cryptographic Assets",
"description": "A list of cryptographic assets related to this component.",
"items": {
"$ref": "#/definitions/relatedCryptographicAsset",
"title": "Related Cryptographic Asset"
}
},
"relatedCryptographicAsset": {
"type": "object",
"title": "Related Cryptographic Asset",
"description": "A cryptographic assets related to this component.",
"additionalProperties": false,
"properties": {
"type": {
"type": "string",
"title": "Type",
"description": "Specifies the mechanism by which the cryptographic asset is secured by.",
"examples": [
"publicKey",
"privateKey",
"algorithm"
]
},
"ref": {
"$ref": "#/definitions/refType",
"title": "Reference to cryptographic asset",
"description": "The bom-ref to cryptographic asset."
}
}
},
"securedBy": {
"type": "object",
"title": "Secured By",
@@ -5698,4 +6066,4 @@
]
}
}
}
}
711 changes: 711 additions & 0 deletions schema/cryptography-defs.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,711 @@
{
"$schema": "http://cyclonedx.org/schema/cryptography-defs.schema.json",
"lastUpdated": "2025-03-22T00:00:00Z",
"algorithms": [
{
"family": "RSASSA-PKCS1",
"standard": [
{"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"},
{"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"}
],
"variant": [
{
"pattern": "RSA-PKCS1-1.5-{digestAlgorithm}-{keyLength}",
"primitive": "signature"
}
]
},
{
"family": "RSASSA-PSS",
"standard": [
{"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"},
{"name": "IEEE1363A", "url": "https://doi.org/10.1109/IEEESTD.2004.94612"}
],
"variant": [
{
"pattern": "RSA-PSS-{digestAlgorithm}-{saltLength}-{keyLength}",
"primitive": "signature"
}
]
},
{
"family": "RSAES-PKCS1",
"standard": [
{"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}
],
"variant": [
{
"pattern": "RSA-PKCS1-1.5-{keyLength}",
"primitive": "pke"
}
]
},
{
"family": "RSAES-OAEP",
"standard": [
{"name": "RFC8017", "url": "https://doi.org/10.17487/RFC8017"}
],
"variant": [
{
"pattern": "RSA-OAEP-{hashAlgorithm}-{maskGenAlgorithm}-{keyLength}",
"primitive": "pke"
}
]
},
{
"family": "EdDSA",
"standard": [
{"name": "RFC8032", "url": "https://doi.org/10.17487/RFC8032"}
],
"variant": [
{
"pattern": "Ed{25519|448}{|ph|ctx}",
"primitive": "signature"
}
]
},
{
"family": "ECDSA",
"standard": [
{"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"},
{"name": "X9.62", "url": "https://standards.globalspec.com/std/1955141/ansi-x9-62"}
],
"variant": [
{
"pattern": "ECDSA-{curve}-{hash}",
"primitive": "signature"
}
]
},
{
"family": "DSA",
"standard": [
{"name": "FIPS186-4", "url": "https://doi.org/10.6028/NIST.FIPS.186-4"}
],
"variant": [
{
"pattern": "DSA-{length}-{hash}",
"primitive": "signature"
}
]
},
{
"family": "ECDH",
"standard": [
{"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"},
{"name": "IEEE1363", "url": "https://doi.org/10.1109/IEEESTD.2000.92290"},
{"name": "X9.63", "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"}
],
"variant": [
{
"pattern": "ECDH{E}-{curve}",
"primitive": "key-agree"
}
]
},
{
"family": "FFDH",
"standard": [
{"name": "RFC7919", "url": "https://doi.org/10.17487/RFC7919"},
{"name": "SP800-56A", "url": "https://doi.org/10.6028/NIST.SP.800-56Ar3"}
],
"variant": [
{
"pattern": "FFDH{E}-{named_group}",
"primitive": "key-agree"
}
]
},
{
"family": "SHA-1",
"standard": [
{"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"}
],
"variant": [
{
"pattern": "SHA-1",
"primitive": "hash"
}
]
},
{
"family": "SHA-2",
"standard": [
{"name": "FIPS180-4", "url": "https://doi.org/10.6028/NIST.FIPS.180-4"}
],
"variant": [
{
"pattern": "SHA-{224|256|384|512|512/224|512/256}",
"primitive": "hash"
}
]
},
{
"family": "SHA-3",
"standard": [
{"name": "FIPS202", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"}
{"name": "SP800-185", "url": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf"}
],
"variant": [
{
"pattern": "SHA-3-(224|256|384|512)",
"primitive": "hash"
},
{
"pattern": "SHAKE(128|256)",
"primitive": "xof"
},
{
"pattern": "cSHAKE(128|256)",
"primitive": "xof"
},
{
"pattern": "KMAC(128|256)",
"primitive": "mac"
},
{
"pattern": "HMACXOF(128|256)",
"primitive": "mac"
},
{
"pattern": "TupleHash(128|256)",
"primitive": "hash"
},
{
"pattern": "TupleHashXOF(128|256)",
"primitive": "xof"
},
{
"pattern": "ParallelHash(128|256)",
"primitive": "hash"
},
{
"pattern": "ParallelHashXOF(128|256)",
"primitive": "xof"
}
]
},
{
"family": "AES",
"standard": [
{"name": "FIPS197", "url": "https://doi.org/10.6028/NIST.FIPS.197-upd1"},
{"name": "SP800-38{A-G}", "url": "https://doi.org/10.6028/NIST.SP.800-38A"},
{"name": "RFC 5116", "url": "https://doi.org/10.17487/RFC5116"}
],
"variant": [
{
"pattern": "AES-{128|192|256}-(ECB|CBC|CFB(1|8|64|128)|OFB|CTR|XTS|CTS)-(padding)-(ivlen)",
"primitive": "block-cipher"
},
{
"standard": [
{"name": "SP800-38D", "url": "https://doi.org/10.6028/NIST.SP.800-38D"},
{"name": "RFC 3610", "url": "https://doi.org/10.17487/RFC5116"}
],
"pattern": "AES-{128|192|256}-(GCM|CCM)-(taglen)-(ivlen)",
"primitive": "ae"
},
{
"standard": [
{"name": "RFC5649", "url": "https://doi.org/10.17487/RFC5649"}
],
"pattern": "AES-{128|192|256}-Wrap-(PAD|KWP|PKCS7)",
"primitive": "key-wrap"
},
{
"pattern": "AES-{128|192|256}-(GMAC|CMAC)",
"primitive": "mac"
},
{
"pattern": "AES-{128|192|256}-(XCBC_MAC(_96))",
"primitive": "mac"
}
]
},
{
"family": "HKDF",
"standard": [
{"name": "RFC5869", "url": "https://doi.org/10.17487/RFC5869"}
],
"variant": [
{
"pattern": "HKDF-{hash}",
"primitive": "kdf"
}
]
},
{
"family": "HMAC",
"standard": [
{"name": "SP800-224", "url": "https://doi.org/10.6028/NIST.SP.800-224.ipd"},
{"name": "RFC2104", "url": "https://doi.org/10.17487/RFC2104"}
],
"variant": [
{
"pattern": "HMAC-{hash}-{length}",
"primitive": "mac"
}
]
},
{
"family": "CMAC",
"standard": [
{"name": "SP800-38B", "url": "https://doi.org/10.6028/NIST.SP.800-38B"}
],
"variant": [
{
"pattern": "CMAC-{cipher_algorithm}-{length}",
"primitive": "mac"
}
]
},
{
"family": "KMAC",
"standard": [
{"name": "SP800-108r1", "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"}
],
"variant": [
{
"pattern": "KMAC-(128|256)",
"primitive": "mac"
}
]
},
{
"family": "ChaCha",
"standard": [
{"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"}
],
"variant": [
{
"pattern": "ChaCha20-{AES|other}",
"primitive": "stream-cipher"
}
]
},
{
"family": "Poly1305",
"standard": [
{"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"}
],
"variant": [
{
"pattern": "Poly1305",
"primitive": "mac"
}
]
},
{
"family": "ChaCha20",
"standard": [
{"name": "RFC8439", "url": "https://doi.org/10.17487/RFC8439"}
],
"variant": [
{
"pattern": "ChaCha20",
"primitive": "stream-cipher"
},
{
"pattern": "ChaCha20-Poly1305",
"primitive": "ae"
}
]
},
{
"family": "Salsa20",
"standard": [
{"name": "The Salsa20 Family of Stream Ciphers", "url": "https://doi.org/10.1007/978-3-540-68351-3_8"}
],
"variant": [
{
"pattern": "Salsa20",
"primitive": "stream-cipher"
},
{
"pattern": "Salsa20-Poly1305",
"primitive": "ae"
}
]
},
{
"family": "MD5",
"standard": [
{"name": "RFC1321", "url": "https://doi.org/10.17487/RFC1321"}
],
"variant": [
{
"pattern": "MD5",
"primitive": "hash"
}
]
},
{
"family": "MD4",
"standard": [
{"name": "RFC1320", "url": "https://doi.org/10.17487/RFC1320"}
],
"pattern": "MD4",
"primitive": "hash"
},
{
"family": "RC4",
"standard": [
{"name": "Applied Cryptography: Protocols, Algorithms, and Source Code in C", "url": "https://dl.acm.org/doi/book/10.5555/572932"}
],
"variant": [
{
"pattern": "RC4-{length}",
"primitive": "stream-cipher"
}
]
},
{
"family": "3DES",
"standard": [
{"name": "RFC1851", "url": "https://doi.org/10.17487/RFC1851"},
{"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}
],
"variant": [
{
"pattern": "3DES-{length}-{mode}",
"primitive": "block-cipher"
}
]
},
{
"family": "DES",
"standard": [
{"name": "FIPS PUB 46-3", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"},
{"name": "ANSI INCITS 92-1981", "url": "https://csrc.nist.gov/pubs/fips/46-3/final"}
],
"variant": [
{
"pattern": "DES-{length}-{mode}",
"primitive": "block-cipher"
}
]
},
{
"family": "IDEA",
"standard": [
{"name": "A Proposal for a New Block Encryption Standard", "url": "https://doi.org/10.1007%2F3-540-46877-3_35"}
],
"variant": [
{
"pattern": "IDEA-{mode}",
"primitive": "block-cipher"
}
]
},
{
"family": "RC2",
"standard": [
{"name": "RFC2268", "url": "https://doi.org/10.17487/RFC2268"}
],
"variant": [
{
"pattern": "RC2-{length}-{mode}",
"primitive": "block-cipher"
}
]
},
{
"family": "ML-DSA",
"standard": [
{"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"}
],
"variant": [
{
"pattern": "ML-DSA-(44|65|87)",
"primitive": "signature"
}
]
},
{
"family": "HashML-DSA",
"standard": [
{"name": "FIPS 204", "url": "https://doi.org/10.6028/NIST.FIPS.204"}
],
"variant": [
{
"pattern": "HashML-DSA-(44|65|87)-(hash)",
"primitive": "signature"
}
]
},
{
"family": "HashSLH-DSA",
"standard": [
{"name": "FIPS 205", "url": "https://doi.org/10.6028/NIST.FIPS.205"}
],
"variant": [
{
"pattern": "HashSLH-DSA-(SHA2|SHAKE)-(128s|128f|192s|192f|256s|256f)-",
"primitive": "signature"
}
]
},
{
"family": "XMSS",
"standard": [
{"name": "SP800-208", "url": "https://doi.org/10.6028/NIST.SP.800-208"},
{"name": "RFC8391", "url": "https://doi.org/10.17487/RFC8391"}
],
"variant": [
{
"pattern": "XMSS-(SHA2|SHAKE)_(h)_(nbits)",
"primitive": "signature"
},
{
"pattern": "XMSSMT-(SHA2|SHAKE)_(h)/(d)_(nbits)",
"primitive": "signature"
},
{
"pattern": "WOTSP-(SHA2|SHAKE)_(nbits)",
"primitive": "signature"
}
]
},
{
"family": "LMS",
"standard": [
{"name": "SP800-208", "url": "https://doi.org/10.6028/NIST.SP.800-208"},
{"name": "RFC8554", "url": "https://doi.org/10.17487/RFC8554"}
],
"variant": [
{
"pattern": "LMS_(hashfun)_M(bytespernode)_H(treeheight)",
"primitive": "signature"
},
{
"pattern": "LMOTS_(hashfun)_N(bytespernode)_H(treeheight)",
"primitive": "signature"
}
]
},
{
"family": "ML-KEM",
"standard": [
{"name": "FIPS 203", "url": "https://doi.org/10.6028/NIST.FIPS.203"}
],
"variant": [
{
"pattern": "ML-KEM-(512|768|1024)",
"primitive": "kem"
}
]
},
{
"family": "IKE-PRF",
"standard": [
{"name": "RFC2409", "url": "https://doi.org/10.17487/RFC2409"},
{"name": "RFC5996", "url": "https://doi.org/10.17487/RFC5996"}
],
"variant": [
{
"pattern": "IKE_PRF_DERIVE",
"primitive": "key-agree"
},
{
"pattern": "IKE1_(PRF|Extended)_DERIVE",
"primitive": "key-agree"
},
{
"pattern": "IKE2_PRF_PLUS_DERIVE",
"primitive": "key-agree"
}
]
},
{
"family": "GOST",
"variant": [
{
"standard": [
{"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
],
"pattern": "GOSTR3410",
"primitive": "signature"
},
{
"standard": [
{"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
],
"pattern": "GOSTR3411",
"primitive": "hash"
},
{
"standard": [
{"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
],
"pattern": "GOSTR3411_HMAC",
"primitive": "mac"
},
{
"standard": [
{"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
],
"pattern": "GOST38147-(mode)-(padding)",
"primitive": "block-cipher"
},
{
"standard": [
{"name": "RFC4357", "url": "https://doi.org/10.17487/RFC4357"}
],
"pattern": "GOST38147_MAC",
"primitive": "mac"
}
]
},
{
"family": "SEED",
"standard": [
{"name": "RFC4269", "url": "https://doi.org/10.17487/RFC4269"},
{"name": "RFC5669", "url": "https://doi.org/10.17487/RFC5669"}
],
"variant": [
{
"pattern": "SEED-128-(mode)-(padding)",
"primitive": "block-cipher"
},
{
"pattern": "SEED-128-(mode)-(padding)-HMAC-(hash)-length",
"primitive": "ae"
},
{
"pattern": "SEED-128-(CCM|GCM)",
"primitive": "ae"
}
]
},
{
"family": "ARIA",
"standard": [
{"name": "RFC5794", "url": "https://doi.org/10.17487/RFC5794"}
],
"variant": [
{
"pattern": "ARIA-(128|192|256)-(mode)-(padding)",
"primitive": "block-cipher"
},
{
"pattern": "ARIA-(128|192|256)-(authmode)-(padding)",
"primitive": "ae"
}
]
},
{
"family": "CAMELLIA",
"standard": [
{"name": "RFC3713", "url": "https://doi.org/10.17487/RFC3713"}
],
"variant": [
{
"pattern": "CAMELLIA-(128|192|256)-(mode)-(padding)",
"primitive": "block-cipher"
},
{
"pattern": "CAMELLIA-(128|192|256)-(authmode)-(padding)",
"primitive": "ae"
}
]
},
{
"family": "Twofish",
"standard": [
{"name": "Twofish: A 128-Bit Block Cipher", "url": "https://www.schneier.com/academic/twofish/"}
],
"variant": [
{
"pattern": "Twofish-(128|192|256)-(mode)-(padding)",
"primitive": "block-cipher"
}
]
},
{
"family": "Blowfish",
"standard": [
{"name": "Description of a new variable-length key, 64-bit block cipher (Blowfish)", "url": "https://doi.org/10.1007/3-540-58108-1_24"}
],
"variant": [
{
"pattern": "Blowfish-(keylength)-(mode)-(padding)",
"primitive": "block-cipher"
}
]
},
{
"family": "SP800-108",
"standard": [
{"name": "SP800-108", "url": "https://doi.org/10.6028/NIST.SP.800-108r1-upd1"}
],
"variant": [
{
"pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF)-(prf-function)-(dkmlength)",
"primitive": "key-derive"
}
]
},
{
"family": "PKCS12-PBEA",
"variant": [
{
"pattern": "SHA1-PBE-(2|3)K-3DES-CBC",
"primitive": "block-cipher"
},
{
"pattern": "SHA1-PBA-SHA1-HMAC",
"primitive": "mac"
}
]
},
{
"family": "PKCS5-PBE",
"variant": [
{
"pattern": "SHA1-PBE-DES(2|3)-EDE-CBC",
"primitive": "block-cipher"
},
{
"pattern": "SHA1-PBA-SHA1-HMAC",
"primitive": "mac"
},
{
"pattern": "(hash)-PBE-(block_cipher)",
"primitive": "block-cipher"
},
{
"pattern": "PBKDF2",
"primitive": "key-derive"
}
]
},
{
"family": "BLAKE2b",
"standard": [
{"name": "RFC7693", "url": "https://doi.org/10.17487/RFC7693"}
],
"variant": [
{
"pattern": "BLAKE2b-(160|256|384|512)",
"primitive": "hash"
},
{
"pattern": "BLAKE2b-(160|256|384|512)-HMAC",
"primitive": "mac"
}
]
},
{
"family": "X3DH",
"standard": [
{"name": "The X3DH Key Agreement Protocol", "url": "https://signal.org/docs/specifications/x3dh/"}
],
"variant": [
{
"pattern": "X3DH-(hash)",
"primitive": "key-agree"
}
]
}
]
}
117 changes: 117 additions & 0 deletions schema/cryptography-defs.schema.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "http://cyclonedx.org/schema/cryptography-defs.schema.json",
"title": "Cryptographic Algorithm Family Definitions",
"description": "Enumerates cryptographic algorithm families and their specific metadata.",
"type": "object",
"additionalProperties": false,
"properties": {
"$schema": {
"type": "string"
},
"lastUpdated": {
"type": "string",
"format": "date-time",
"title": "Last Updated",
"description": "The date and time (timestamp) when the data was last updated."
},
"algorithms": {
"type": "array",
"title": "Algorithm Families",
"description": "An array of cryptographic algorithm family definitions.",
"additionalItems": false,
"items": {
"type": "object",
"title": "Algorithm Family",
"description": "Defines a cryptographic algorithm family and its metadata.",
"additionalProperties": false,
"properties": {
"family": {
"type": "string",
"title": "Algorithm Family",
"description": "The name of the cryptographic algorithm family."
},
"standard": {
"type": "array",
"title": "Standards",
"description": "List of standards defining or relating to the algorithm family.",
"additionalItems": false,
"items": {
"type": "object",
"title": "Standard Reference",
"description": "Reference to a standard, including its name and URL.",
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "Standard Name",
"description": "The name or identifier of the standard."
},
"url": {
"type": "string",
"format": "iri",
"title": "Standard URL",
"description": "A URL pointing to the standard's official documentation."
}
},
"required": ["name", "url"]
}
},
"variant": {
"type": "array",
"title": "Variants",
"description": "Defines algorithm variants by a naming pattern and the corrsponding cryptographic primitive.",
"additionalItems": false,
"items": {
"type": "object",
"title": "Standard Reference",
"description": "Reference to a standard, including its name and URL.",
"additionalProperties": false,
"properties": {
"pattern": {
"type": "string",
"title": "Standard Name",
"description": "Defines the pattern used to construct the complete algorithm name. Placeholders are defined by {} for algorithm-specific properties."
},
"primitive": {
"type": "string",
"title": "Primitive",
"description": "Type of cryptographic primitive (e.g., signature, encryption, hash)."
},
"standard": {
"type": "array",
"title": "Standards",
"description": "List of standards defining or relating to the algorithm variant.",
"additionalItems": false,
"items": {
"type": "object",
"title": "Standard Reference",
"description": "Reference to a standard, including its name and URL.",
"additionalProperties": false,
"properties": {
"name": {
"type": "string",
"title": "Standard Name",
"description": "The name or identifier of the standard."
},
"url": {
"type": "string",
"format": "iri",
"title": "Standard URL",
"description": "A URL pointing to the standard's official documentation."
}
},
"required": ["name", "url"]
}
}
},
"required": ["pattern", "primitive"]
}
}
},
"required": ["family", "variant"]
}
}
},
"required": ["lastUpdated", "algorithms"]
}