diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index f7c04a68..511e7c34 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -71,6 +71,8 @@ enum Classification {
CLASSIFICATION_MACHINE_LEARNING_MODEL = 11;
// A collection of discrete values that convey information.
CLASSIFICATION_DATA = 12;
+ // Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.
+ CLASSIFICATION_CRYPTOGRAPHIC_ASSET = 13;
}
message Commit {
@@ -137,6 +139,8 @@ message Component {
optional ModelCard modelCard = 25;
// This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types.
optional ComponentData data = 26;
+ // Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
+ optional CryptoProperties cryptoProperties = 27;
}
// Specifies the data flow.
@@ -169,7 +173,10 @@ enum DataFlowDirection {
message Dependency {
// References a component or service by the its bom-ref attribute
string ref = 1;
+ // The bom-ref identifiers of the components or services that are dependencies of this dependency object.
repeated Dependency dependencies = 2;
+ // The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.
+ repeated string provides = 3;
}
message Diff {
@@ -715,6 +722,14 @@ message EvidenceOccurrences {
optional string bom_ref = 1;
// The location or path to where the component was found.
string location = 2;
+ // The line number where the component was found.
+ optional int32 line = 3;
+ // The offset where the component was found.
+ optional int32 offset = 4;
+ // The symbol name that was found associated with the component.
+ optional string symbol = 5;
+ // Any additional context of the detected component (e.g. a code snippet).
+ optional string additionalContext = 6;
}
enum EvidenceFieldType {
@@ -1685,3 +1700,245 @@ message Definition {
}
repeated Standard standards = 1;
}
+
+message CryptoProperties {
+ enum CryptoAssetType {
+ CRYPTO_ASSET_TYPE_ALGORITHM = 0;
+ CRYPTO_ASSET_TYPE_CERTIFICATE = 1;
+ CRYPTO_ASSET_TYPE_PROTOCOL = 2;
+ CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL = 3;
+ }
+ message AlgorithmProperties {
+ enum CryptoPrimitive {
+ CRYPTO_PRIMITIVE_DRBG = 0;
+ CRYPTO_PRIMITIVE_MAC = 1;
+ CRYPTO_PRIMITIVE_BLOCK_CIPHER = 2;
+ CRYPTO_PRIMITIVE_STREAM_CIPHER = 3;
+ CRYPTO_PRIMITIVE_SIGNATURE = 4;
+ CRYPTO_PRIMITIVE_HASH = 5;
+ CRYPTO_PRIMITIVE_PKE = 6;
+ CRYPTO_PRIMITIVE_XOF = 7;
+ CRYPTO_PRIMITIVE_KDF = 8;
+ CRYPTO_PRIMITIVE_KEY_AGREE = 9;
+ CRYPTO_PRIMITIVE_KEM = 10;
+ CRYPTO_PRIMITIVE_AE = 11;
+ CRYPTO_PRIMITIVE_COMBINER = 12;
+ CRYPTO_PRIMITIVE_OTHER = 13;
+ CRYPTO_PRIMITIVE_UNKNOWN = 14;
+ }
+ enum CryptoExecutionEnvironment {
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM = 0;
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_ENCRYPTED_RAM = 1;
+ CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_TEE = 2;
+ CRYPTO_EXECUTION_ENVIRONMENT_HARDWARE = 3;
+ CRYPTO_EXECUTION_ENVIRONMENT_OTHER = 4;
+ CRYPTO_EXECUTION_ENVIRONMENT_UNKNOWN = 5;
+ }
+ enum CryptoImplementationPlatform {
+ CRYPTO_IMPLEMENTATION_PLATFORM_GENERIC = 0;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X86_32 = 1;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X86_64 = 2;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7A = 3;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV7M = 4;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8A = 5;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV8M = 6;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9A = 7;
+ CRYPTO_IMPLEMENTATION_PLATFORM_ARMV9M = 8;
+ CRYPTO_IMPLEMENTATION_PLATFORM_X390X = 9;
+ CRYPTO_IMPLEMENTATION_PLATFORM_PPC64 = 10;
+ CRYPTO_IMPLEMENTATION_PLATFORM_PPC64LE = 11;
+ CRYPTO_IMPLEMENTATION_PLATFORM_OTHER = 12;
+ CRYPTO_IMPLEMENTATION_PLATFORM_UNKNOWN = 13;
+ }
+ enum CryptoAlgorithmMode {
+ CRYPTO_ALGORITHM_MODE_CBC = 0;
+ CRYPTO_ALGORITHM_MODE_ECB = 1;
+ CRYPTO_ALGORITHM_MODE_CCM = 2;
+ CRYPTO_ALGORITHM_MODE_GCM = 3;
+ CRYPTO_ALGORITHM_MODE_CFB = 4;
+ CRYPTO_ALGORITHM_MODE_OFB = 5;
+ CRYPTO_ALGORITHM_MODE_CTR = 6;
+ CRYPTO_ALGORITHM_MODE_OTHER = 7;
+ CRYPTO_ALGORITHM_MODE_UNKNOWN = 8;
+ }
+ enum CryptoAlgorithmPadding {
+ CRYPTO_ALGORITHM_PADDING_PKCS5 = 0;
+ CRYPTO_ALGORITHM_PADDING_PKCS7 = 1;
+ CRYPTO_ALGORITHM_PADDING_PKCS1V15 = 2;
+ CRYPTO_ALGORITHM_PADDING_OAEP = 3;
+ CRYPTO_ALGORITHM_PADDING_RAW = 4;
+ CRYPTO_ALGORITHM_PADDING_OTHER = 5;
+ CRYPTO_ALGORITHM_PADDING_UNKNOWN = 6;
+ }
+ enum CryptoAlgorithmFunction {
+ CRYPTO_ALGORITHM_FUNCTION_GENERATE = 0;
+ CRYPTO_ALGORITHM_FUNCTION_KEYGEN = 1;
+ CRYPTO_ALGORITHM_FUNCTION_ENCRYPT = 2;
+ CRYPTO_ALGORITHM_FUNCTION_DECRYPT = 3;
+ CRYPTO_ALGORITHM_FUNCTION_DIGEST = 4;
+ CRYPTO_ALGORITHM_FUNCTION_TAG = 5;
+ CRYPTO_ALGORITHM_FUNCTION_KEYDERIVE = 6;
+ CRYPTO_ALGORITHM_FUNCTION_SIGN = 7;
+ CRYPTO_ALGORITHM_FUNCTION_VERIFY = 8;
+ CRYPTO_ALGORITHM_FUNCTION_ENCAPSULATE = 9;
+ CRYPTO_ALGORITHM_FUNCTION_DECAPSULATE = 10;
+ CRYPTO_ALGORITHM_FUNCTION_OTHER = 11;
+ CRYPTO_ALGORITHM_FUNCTION_UNKNOWN = 12;
+ }
+ // Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).
+ optional CryptoPrimitive primitive = 1;
+ // An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205).
+ optional string parameterSetIdentifier = 2;
+ // The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves).
+ optional string curve = 3;
+ // The target and execution environment in which the algorithm is implemented in.
+ optional CryptoExecutionEnvironment executionEnvironment = 4;
+ // The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.
+ optional CryptoImplementationPlatform implementationPlatform = 5;
+ // The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).
+ repeated string certificationLevel = 6;
+ // The mode of operation in which the cryptographic algorithm (block cipher) is used.
+ optional CryptoAlgorithmMode mode = 7;
+ // The padding scheme that is used for the cryptographic algorithm.
+ optional CryptoAlgorithmPadding padding = 8;
+ // The cryptographic functions implemented by the cryptographic algorithm.
+ repeated CryptoAlgorithmFunction cryptoFunctions = 9;
+ // The classical security level that a cryptographic algorithm provides (in bits).
+ optional int32 classicalSecurityLevel = 10;
+ // The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.
+ optional int32 nistQuantumSecurityLevel = 11;
+ } // end of AlgorithmProperties
+ message CertificateProperties {
+ // The subject name for the certificate
+ optional string subjectName = 1;
+ // The issuer name for the certificate
+ optional string issuerName = 2;
+ // The date and time according to ISO-8601 standard from which the certificate is valid
+ optional google.protobuf.Timestamp notValidBefore = 3;
+ // The date and time according to ISO-8601 standard from which the certificate is not valid anymore
+ optional google.protobuf.Timestamp notValidAfter = 4;
+ // The bom-ref to signature algorithm used by the certificate
+ optional string signatureAlgorithmRef = 5;
+ // The bom-ref to the public key of the subject
+ optional string subjectPublicKeyRef = 6;
+ // The format of the certificate. Examples include X.509, PEM, DER, and CVC.
+ optional string certificateFormat = 7;
+ // The file extension of the certificate. Examples include crt, pem, cer, der, and p12.
+ optional string certificateExtension = 8;
+ } // end of CertificateProperties
+ message RelatedCryptoMaterialProperties {
+ enum CryptoRelatedType {
+ CRYPTO_RELATED_TYPE_PRIVATE_KEY = 0;
+ CRYPTO_RELATED_TYPE_PUBLIC_KEY = 1;
+ CRYPTO_RELATED_TYPE_SECRET_KEY = 2;
+ CRYPTO_RELATED_TYPE_KEY = 3;
+ CRYPTO_RELATED_TYPE_CIPHERTEXT = 4;
+ CRYPTO_RELATED_TYPE_SIGNATURE = 5;
+ CRYPTO_RELATED_TYPE_DIGEST = 6;
+ CRYPTO_RELATED_TYPE_INITIALIZATION_VECTOR = 7;
+ CRYPTO_RELATED_TYPE_NONCE = 8;
+ CRYPTO_RELATED_TYPE_SEED = 9;
+ CRYPTO_RELATED_TYPE_SALT = 10;
+ CRYPTO_RELATED_TYPE_SHARED_SECRET = 11;
+ CRYPTO_RELATED_TYPE_TAG = 12;
+ CRYPTO_RELATED_TYPE_ADDITIONAL_DATA = 13;
+ CRYPTO_RELATED_TYPE_PASSWORD = 14;
+ CRYPTO_RELATED_TYPE_CREDENTIAL = 15;
+ CRYPTO_RELATED_TYPE_TOKEN = 16;
+ CRYPTO_RELATED_TYPE_OTHER = 17;
+ CRYPTO_RELATED_TYPE_UNKNOWN = 18;
+ }
+ enum CryptoRelatedState {
+ CRYPTO_RELATED_STATE_PRE_ACTIVATION = 0;
+ CRYPTO_RELATED_STATE_ACTIVE = 1;
+ CRYPTO_RELATED_STATE_SUSPENDED = 2;
+ CRYPTO_RELATED_STATE_DEACTIVATED = 3;
+ CRYPTO_RELATED_STATE_COMPROMISED = 4;
+ CRYPTO_RELATED_STATE_DESTROYED = 5;
+ }
+ message CryptoRelatedSecuredBy {
+ // Specifies the mechanism by which the cryptographic asset is secured by. Examples include HSM, TPM, SGX, Software, and None
+ optional string mechanism = 1;
+ // The bom-ref to the algorithm.
+ optional string algorithmRef = 2;
+ }
+ // The type for the related cryptographic material
+ optional CryptoRelatedType type = 1;
+ // The optional unique identifier for the related cryptographic material.
+ optional string id = 2;
+ // The key state as defined by NIST SP 800-57.
+ optional CryptoRelatedState state = 3;
+ // The bom-ref to the algorithm used to generate the related cryptographic material.
+ optional string algorithmRef = 4;
+ // The date and time (timestamp) when the related cryptographic material was created.
+ optional google.protobuf.Timestamp creationDate = 5;
+ // The date and time (timestamp) when the related cryptographic material was activated.
+ optional google.protobuf.Timestamp activationDate = 6;
+ // The date and time (timestamp) when the related cryptographic material was updated.
+ optional google.protobuf.Timestamp updateDate = 7;
+ // The date and time (timestamp) when the related cryptographic material expires.
+ optional google.protobuf.Timestamp expirationDate = 8;
+ // The associated value of the cryptographic material.
+ optional string value = 9;
+ // The size of the cryptographic asset (in bits).
+ optional int64 size = 10;
+ // The format of the related cryptographic material (e.g. P8, PEM, DER).
+ optional string format = 11;
+ // The mechanism by which the cryptographic asset is secured by.
+ optional CryptoRelatedSecuredBy securedBy = 12;
+ } // end of RelatedCryptoMaterialProperties
+ message ProtocolProperties {
+ enum CryptoProtocolType {
+ CRYPTO_PROTOCOL_TYPE_TLS = 0;
+ CRYPTO_PROTOCOL_TYPE_SSH = 1;
+ CRYPTO_PROTOCOL_TYPE_IPSEC = 2;
+ CRYPTO_PROTOCOL_TYPE_IKE = 3;
+ CRYPTO_PROTOCOL_TYPE_SSTP = 4;
+ CRYPTO_PROTOCOL_TYPE_WPA = 5;
+ CRYPTO_PROTOCOL_TYPE_OTHER = 6;
+ CRYPTO_PROTOCOL_TYPE_UNKNOWN = 7;
+ }
+ message CryptoProtocolCipherSuite {
+ // A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM
+ optional string name = 1;
+ // A list of algorithms related to the cipher suite. Use the bom-ref to the algorithm cryptographic asset.
+ repeated string algorithms = 2;
+ // A list of common identifiers for the cipher suite. For example: 0xC0 and 0x9E
+ repeated string identifiers = 3;
+ }
+ message Ikev2TransformTypes {
+ // Transform Type 1: encryption algorithms
+ repeated string encr = 1;
+ // Transform Type 2: pseudorandom functions
+ repeated string prf = 2;
+ // Transform Type 3: integrity algorithms
+ repeated string integ = 3;
+ // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
+ repeated string ke = 4;
+ // Specifies if an Extended Sequence Number (ESN) is used.
+ optional bool esn = 5;
+ // IKEv2 Authentication method
+ repeated string auth = 6;
+ }
+ // The concrete protocol type.
+ optional CryptoProtocolType type = 1;
+ // The version of the protocol. Examples include 1.0, 1.2, and 1.99.
+ optional string version = 2;
+ // A list of cipher suites related to the protocol.
+ repeated CryptoProtocolCipherSuite cipherSuites = 3;
+ // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
+ optional Ikev2TransformTypes ikev2TransformTypes = 4;
+ } // end of ProtocolProperties
+ // Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.
+ optional CryptoAssetType assetType = 1;
+ // Additional properties specific to a cryptographic algorithm.
+ optional AlgorithmProperties algorithmProperties = 2;
+ // Properties for cryptographic assets of asset type 'certificate'
+ optional CertificateProperties certificateProperties = 3;
+ // Properties for cryptographic assets of asset type: `related-crypto-material`
+ optional RelatedCryptoMaterialProperties relatedCryptoMaterialProperties = 4;
+ // Properties specific to cryptographic assets of type: `protocol`.
+ optional ProtocolProperties protocolProperties = 5;
+ // The object identifier (OID) of the cryptographic asset.
+ optional string oid = 6;
+}
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index a25cf5d5..4ecc4ae5 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -826,7 +826,8 @@
"firmware",
"file",
"machine-learning-model",
- "data"
+ "data",
+ "cryptographic-asset"
],
"meta:enum": {
"application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.",
@@ -840,7 +841,8 @@
"firmware": "A special type of software that provides low-level control over a devices hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).",
"file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.",
"machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.",
- "data": "A collection of discrete values that convey information."
+ "data": "A collection of discrete values that convey information.",
+ "cryptographic-asset": "Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."
},
"title": "Component Type",
"description": "Specifies the type of component. For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.",
@@ -1026,6 +1028,10 @@
"title": "Data",
"description": "This object SHOULD be specified for any component of type `data` and MUST NOT be specified for other component types."
},
+ "cryptoProperties": {
+ "$ref": "#/definitions/cryptoProperties",
+ "title": "Cryptographic Properties"
+ },
"properties": {
"type": "array",
"title": "Properties",
@@ -1759,6 +1765,15 @@
},
"title": "Depends On",
"description": "The bom-ref identifiers of the components or services that are dependencies of this dependency object."
+ },
+ "provides": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "$ref": "#/definitions/refLinkType"
+ },
+ "title": "Provides",
+ "description": "The bom-ref identifiers of the components or services that define a given specification or standard, which are provided or implemented by this dependency object.\nFor example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use."
}
}
},
@@ -2015,6 +2030,28 @@
"type": "string",
"title": "Location",
"description": "The location or path to where the component was found."
+ },
+ "line": {
+ "type": "integer",
+ "minimum": 0,
+ "title": "Line Number",
+ "description": "The line number where the component was found."
+ },
+ "offset": {
+ "type": "integer",
+ "minimum": 0,
+ "title": "Offset",
+ "description": "The offset where the component was found."
+ },
+ "symbol": {
+ "type": "string",
+ "title": "Symbol",
+ "description": "The symbol name that was found associated with the component."
+ },
+ "additionalContext": {
+ "type": "string",
+ "title": "Additional Context",
+ "description": "Any additional context of the detected component (e.g. a code snippet)."
}
}
}
@@ -4566,6 +4603,615 @@
"$ref": "jsf-0.82.schema.json#/definitions/signature",
"title": "Signature",
"description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
+ },
+ "cryptoProperties": {
+ "type": "object",
+ "title": "Cryptographic Properties",
+ "description": "Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.",
+ "additionalProperties": false,
+ "properties": {
+ "assetType": {
+ "type": "string",
+ "title": "Asset Type",
+ "description": "Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may however also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets or passwords are other cryptographic assets to be modelled.",
+ "enum": [
+ "algorithm",
+ "certificate",
+ "protocol",
+ "related-crypto-material"
+ ],
+ "meta:enum": {
+ "algorithm": "Mathematical function commonly used for data encryption, authentication, and digital signatures.",
+ "certificate": "An electronic document that is used to provide the identity or validate a public key.",
+ "protocol": "A set of rules and guidelines that govern the behavior and communication with each other.",
+ "related-crypto-material": "Other cryptographic assets that are related to algorithms, certificate, and protocols such as keys and tokens."
+ }
+ },
+ "algorithmProperties": {
+ "type": "object",
+ "title": "Algorithm Properties",
+ "description": "Additional properties specific to a cryptographic algorithm.",
+ "additionalProperties": false,
+ "properties": {
+ "primitive": {
+ "type": "string",
+ "title": "primitive",
+ "description": "Cryptographic building blocks used in higher-level cryptographic systems and protocols. Primitives represent different cryptographic routines: deterministic random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES), streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256), public-key encryption schemes (pke, e.g. RSA), extended output functions (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms (combiner, e.g. SP800-56Cr2).",
+ "enum": [
+ "drbg",
+ "mac",
+ "block-cipher",
+ "stream-cipher",
+ "signature",
+ "hash",
+ "pke",
+ "xof",
+ "kdf",
+ "key-agree",
+ "kem",
+ "ae",
+ "combiner",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "drbg": "Deterministic Random Bit Generator (DRBG) is a type of pseudorandom number generator designed to produce a sequence of bits from an initial seed value. DRBGs are commonly used in cryptographic applications where reproducibility of random values is important.",
+ "mac": "In cryptography, a Message Authentication Code (MAC) is information used for authenticating and integrity-checking a message.",
+ "block-cipher": "A block cipher is a symmetric key algorithm that operates on fixed-size blocks of data. It encrypts or decrypts the data in block units, providing confidentiality. Block ciphers are widely used in various cryptographic modes and protocols for secure data transmission.",
+ "stream-cipher": "A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream).",
+ "signature": "In cryptography, a signature is a digital representation of a message or data that proves its origin, identity, and integrity. Digital signatures are generated using cryptographic algorithms and are widely used for authentication and verification in secure communication.",
+ "hash": "A hash function is a mathematical algorithm that takes an input (or 'message') and produces a fixed-size string of characters, which is typically a hash value. Hash functions are commonly used in various cryptographic applications, including data integrity verification and password hashing.",
+ "pke": "Public Key Encryption (PKE) is a type of encryption that uses a pair of public and private keys for secure communication. The public key is used for encryption, while the private key is used for decryption. PKE is a fundamental component of public-key cryptography.",
+ "xof": "An XOF is an extendable output function that can take arbitrary input and creates a stream of output, up to a limit determined by the size of the internal state of the hash function that underlies the XOF.",
+ "kdf": "A Key Derivation Function (KDF) derives key material from another source of entropy while preserving the entropy of the input.",
+ "key-agree": "In cryptography, a key-agreement is a protocol whereby two or more parties agree on a cryptographic key in such a way that both influence the outcome.",
+ "kem": "A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for transporting random keying material to a recipient using the recipient's public key.",
+ "ae": "Authenticated Encryption (AE) is a cryptographic process that provides both confidentiality and data integrity. It ensures that the encrypted data has not been tampered with and comes from a legitimate source. AE is commonly used in secure communication protocols.",
+ "combiner": "A combiner aggregates many candidates for a cryptographic primitive and generates a new candidate for the same primitive.",
+ "other": "Another primitive type.",
+ "unknown": "The primitive is not known."
+ }
+ },
+ "parameterSetIdentifier": {
+ "type": "string",
+ "title": "Parameter Set Identifier",
+ "description": "An identifier for the parameter set of the cryptographic algorithm. Examples: in AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the digest length, '128' in SHAKE128 identifies its maximum security level in bits, and 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205)."
+ },
+ "curve": {
+ "type": "string",
+ "title": "Elliptic Curve",
+ "description": "The specific underlying Elliptic Curve (EC) definition employed which is an indicator of the level of security strength, performance and complexity. Absent an authoritative source of curve names, CycloneDX recommends use of curve names as defined at [https://neuromancer.sk/std/](https://neuromancer.sk/std/), the source from which can be found at [https://github.com/J08nY/std-curves](https://github.com/J08nY/std-curves)."
+ },
+ "executionEnvironment": {
+ "type": "string",
+ "title": "Execution Environment",
+ "description": "The target and execution environment in which the algorithm is implemented in.",
+ "enum": [
+ "software-plain-ram",
+ "software-encrypted-ram",
+ "software-tee",
+ "hardware",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "software-plain-ram": "A software implementation running in plain unencrypted RAM.",
+ "software-encrypted-ram": "A software implementation running in encrypted RAM.",
+ "software-tee": "A software implementation running in a trusted execution environment.",
+ "hardware": "A hardware implementation.",
+ "other": "Another implementation environment.",
+ "unknown": "The execution environment is not known."
+ }
+ },
+ "implementationPlatform": {
+ "type": "string",
+ "title": "implementation platform",
+ "description": "The target platform for which the algorithm is implemented. The implementation can be 'generic', running on any platform or for a specific platform.",
+ "enum": [
+ "generic",
+ "x86_32",
+ "x86_64",
+ "armv7-a",
+ "armv7-m",
+ "armv8-a",
+ "armv8-m",
+ "armv9-a",
+ "armv9-m",
+ "s390x",
+ "ppc64",
+ "ppc64le",
+ "other",
+ "unknown"
+ ]
+ },
+ "certificationLevel": {
+ "type": "array",
+ "title": "Certification Level",
+ "description": "The certification that the implementation of the cryptographic algorithm has received, if any. Certifications include revisions and levels of FIPS 140 or Common Criteria of different Extended Assurance Levels (CC-EAL).",
+ "items": {
+ "type": "string",
+ "enum": [
+ "none",
+ "fips140-1-l1",
+ "fips140-1-l2",
+ "fips140-1-l3",
+ "fips140-1-l4",
+ "fips140-2-l1",
+ "fips140-2-l2",
+ "fips140-2-l3",
+ "fips140-2-l4",
+ "fips140-3-l1",
+ "fips140-3-l2",
+ "fips140-3-l3",
+ "fips140-3-l4",
+ "cc-eal1",
+ "cc-eal1+",
+ "cc-eal2",
+ "cc-eal2+",
+ "cc-eal3",
+ "cc-eal3+",
+ "cc-eal4",
+ "cc-eal4+",
+ "cc-eal5",
+ "cc-eal5+",
+ "cc-eal6",
+ "cc-eal6+",
+ "cc-eal7",
+ "cc-eal7+",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "none": "No certification obtained",
+ "fips140-1-l1": "FIPS 140-1 Level 1",
+ "fips140-1-l2": "FIPS 140-1 Level 2",
+ "fips140-1-l3": "FIPS 140-1 Level 3",
+ "fips140-1-l4": "FIPS 140-1 Level 4",
+ "fips140-2-l1": "FIPS 140-2 Level 1",
+ "fips140-2-l2": "FIPS 140-2 Level 2",
+ "fips140-2-l3": "FIPS 140-2 Level 3",
+ "fips140-2-l4": "FIPS 140-2 Level 4",
+ "fips140-3-l1": "FIPS 140-3 Level 1",
+ "fips140-3-l2": "FIPS 140-3 Level 2",
+ "fips140-3-l3": "FIPS 140-3 Level 3",
+ "fips140-3-l4": "FIPS 140-3 Level 4",
+ "cc-eal1": "Common Criteria - Evaluation Assurance Level 1",
+ "cc-eal1+": "Common Criteria - Evaluation Assurance Level 1 (Augmented)",
+ "cc-eal2": "Common Criteria - Evaluation Assurance Level 2",
+ "cc-eal2+": "Common Criteria - Evaluation Assurance Level 2 (Augmented)",
+ "cc-eal3": "Common Criteria - Evaluation Assurance Level 3",
+ "cc-eal3+": "Common Criteria - Evaluation Assurance Level 3 (Augmented)",
+ "cc-eal4": "Common Criteria - Evaluation Assurance Level 4",
+ "cc-eal4+": "Common Criteria - Evaluation Assurance Level 4 (Augmented)",
+ "cc-eal5": "Common Criteria - Evaluation Assurance Level 5",
+ "cc-eal5+": "Common Criteria - Evaluation Assurance Level 5 (Augmented)",
+ "cc-eal6": "Common Criteria - Evaluation Assurance Level 6",
+ "cc-eal6+": "Common Criteria - Evaluation Assurance Level 6 (Augmented)",
+ "cc-eal7": "Common Criteria - Evaluation Assurance Level 7",
+ "cc-eal7+": "Common Criteria - Evaluation Assurance Level 7 (Augmented)",
+ "other": "Another certification",
+ "unknown": "The certification level is not known"
+ }
+ }
+ },
+ "mode": {
+ "type": "string",
+ "title": "Mode",
+ "description": "The mode of operation in which the cryptographic algorithm (block cipher) is used.",
+ "enum": [
+ "cbc",
+ "ecb",
+ "ccm",
+ "gcm",
+ "cfb",
+ "ofb",
+ "ctr",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "cbc": "Cipher block chaining",
+ "ecb": "Electronic codebook",
+ "ccm": "Counter with cipher block chaining message authentication code",
+ "gcm": "Galois/counter",
+ "cfb": "Cipher feedback",
+ "ofb": "Output feedback",
+ "ctr": "Counter",
+ "other": "Another mode of operation",
+ "unknown": "The mode of operation is not known"
+ }
+ },
+ "padding": {
+ "type": "string",
+ "title": "Padding",
+ "description": "The padding scheme that is used for the cryptographic algorithm.",
+ "enum": [
+ "pkcs5",
+ "pkcs7",
+ "pkcs1v15",
+ "oaep",
+ "raw",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "pkcs5": "Public Key Cryptography Standard: Password-Based Cryptography",
+ "pkcs7": "Public Key Cryptography Standard: Cryptographic Message Syntax",
+ "pkcs1v15": "Public Key Cryptography Standard: RSA Cryptography v1.5",
+ "oaep": "Optimal asymmetric encryption padding",
+ "raw": "Raw",
+ "other": "Another padding scheme",
+ "unknown": "The padding scheme is not known"
+ }
+ },
+ "cryptoFunctions": {
+ "type": "array",
+ "title": "Cryptographic functions",
+ "description": "The cryptographic functions implemented by the cryptographic algorithm.",
+ "items": {
+ "type": "string",
+ "enum": [
+ "generate",
+ "keygen",
+ "encrypt",
+ "decrypt",
+ "digest",
+ "tag",
+ "keyderive",
+ "sign",
+ "verify",
+ "encapsulate",
+ "decapsulate",
+ "other",
+ "unknown"
+ ]
+ }
+ },
+ "classicalSecurityLevel": {
+ "type": "integer",
+ "title": "classical security level",
+ "description": "The classical security level that a cryptographic algorithm provides (in bits).",
+ "minimum": 0
+ },
+ "nistQuantumSecurityLevel": {
+ "type": "integer",
+ "title": "NIST security strength category",
+ "description": "The NIST security strength category as defined in https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria). A value of 0 indicates that none of the categories are met.",
+ "minimum": 0,
+ "maximum": 6
+ }
+ }
+ },
+ "certificateProperties": {
+ "type": "object",
+ "title": "Certificate Properties",
+ "description": "Properties for cryptographic assets of asset type 'certificate'",
+ "additionalProperties": false,
+ "properties": {
+ "subjectName": {
+ "type": "string",
+ "title": "Subject Name",
+ "description": "The subject name for the certificate"
+ },
+ "issuerName": {
+ "type": "string",
+ "title": "Issuer Name",
+ "description": "The issuer name for the certificate"
+ },
+ "notValidBefore": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Not Valid Before",
+ "description": "The date and time according to ISO-8601 standard from which the certificate is valid"
+ },
+ "notValidAfter": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Not Valid After",
+ "description": "The date and time according to ISO-8601 standard from which the certificate is not valid anymore"
+ },
+ "signatureAlgorithmRef": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm Reference",
+ "description": "The bom-ref to signature algorithm used by the certificate"
+ },
+ "subjectPublicKeyRef": {
+ "$ref": "#/definitions/refType",
+ "title": "Key reference",
+ "description": "The bom-ref to the public key of the subject"
+ },
+ "certificateFormat": {
+ "type": "string",
+ "title": "Certificate Format",
+ "description": "The format of the certificate",
+ "examples": [
+ "X.509",
+ "PEM",
+ "DER",
+ "CVC"
+ ]
+ },
+ "certificateExtension": {
+ "type": "string",
+ "title": "Certificate File Extension",
+ "description": "The file extension of the certificate",
+ "examples": [
+ "crt",
+ "pem",
+ "cer",
+ "der",
+ "p12"
+ ]
+ }
+ }
+ },
+ "relatedCryptoMaterialProperties": {
+ "type": "object",
+ "title": "Related Cryptographic Material Properties",
+ "description": "Properties for cryptographic assets of asset type: `related-crypto-material`",
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "relatedCryptoMaterialType",
+ "description": "The type for the related cryptographic material",
+ "enum": [
+ "private-key",
+ "public-key",
+ "secret-key",
+ "key",
+ "ciphertext",
+ "signature",
+ "digest",
+ "initialization-vector",
+ "nonce",
+ "seed",
+ "salt",
+ "shared-secret",
+ "tag",
+ "additional-data",
+ "password",
+ "credential",
+ "token",
+ "other",
+ "unknown"
+ ]
+ },
+ "id": {
+ "type": "string",
+ "title": "ID",
+ "description": "The optional unique identifier for the related cryptographic material."
+ },
+ "state": {
+ "type": "string",
+ "title": "State",
+ "description": "The key state as defined by NIST SP 800-57.",
+ "enum": [
+ "pre-activation",
+ "active",
+ "suspended",
+ "deactivated",
+ "compromised",
+ "destroyed"
+ ]
+ },
+ "algorithmRef": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm Reference",
+ "description": "The bom-ref to the algorithm used to generate the related cryptographic material."
+ },
+ "creationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Creation Date",
+ "description": "The date and time (timestamp) when the related cryptographic material was created."
+ },
+ "activationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Activation Date",
+ "description": "The date and time (timestamp) when the related cryptographic material was activated."
+ },
+ "updateDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Update Date",
+ "description": "The date and time (timestamp) when the related cryptographic material was updated."
+ },
+ "expirationDate": {
+ "type": "string",
+ "format": "date-time",
+ "title": "Expiration Date",
+ "description": "The date and time (timestamp) when the related cryptographic material expires."
+ },
+ "value": {
+ "type": "string",
+ "title": "Value",
+ "description": "The associated value of the cryptographic material."
+ },
+ "size": {
+ "type": "integer",
+ "title":"Size",
+ "description": "The size of the cryptographic asset (in bits)."
+ },
+ "format": {
+ "type": "string",
+ "title": "Format",
+ "description": "The format of the related cryptographic material (e.g. P8, PEM, DER)."
+ },
+ "securedBy": {
+ "$ref": "#/definitions/securedBy",
+ "title": "Secured By",
+ "description": "The mechanism by which the cryptographic asset is secured by."
+ }
+ }
+ },
+ "protocolProperties": {
+ "type": "object",
+ "title": "Protocol Properties",
+ "description": "Properties specific to cryptographic assets of type: `protocol`.",
+ "additionalProperties": false,
+ "properties": {
+ "type": {
+ "type": "string",
+ "title": "Type",
+ "description": "The concrete protocol type.",
+ "enum": [
+ "tls",
+ "ssh",
+ "ipsec",
+ "ike",
+ "sstp",
+ "wpa",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "tls": "Transport Layer Security",
+ "ssh": "Secure Shell",
+ "ipsec": "Internet Protocol Security",
+ "ike": "Internet Key Exchange",
+ "sstp": "Secure Socket Tunneling Protocol",
+ "wpa": "Wi-Fi Protected Access",
+ "other": "Another protocol type",
+ "unknown": "The protocol type is not known"
+ }
+ },
+ "version": {
+ "type": "string",
+ "title": "Protocol Version",
+ "description": "The version of the protocol.",
+ "examples": [
+ "1.0",
+ "1.2",
+ "1.99"
+ ]
+ },
+ "cipherSuites": {
+ "type": "array",
+ "title": "Cipher Suites",
+ "description": "A list of cipher suites related to the protocol.",
+ "items": {
+ "$ref": "#/definitions/cipherSuite",
+ "title": "Cipher Suite"
+ }
+ },
+ "ikev2TransformTypes": {
+ "type": "object",
+ "title": "IKEv2 Transform Types",
+ "description": "The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.",
+ "additionalProperties": false,
+ "properties": {
+ "encr": {
+ "$ref": "#/definitions/cryptoRefArray",
+ "description": "Transform Type 1: encryption algorithms"
+ },
+ "prf": {
+ "$ref": "#/definitions/cryptoRefArray",
+ "description": "Transform Type 2: pseudorandom functions"
+ },
+ "integ": {
+ "$ref": "#/definitions/cryptoRefArray",
+ "description": "Transform Type 3: integrity algorithms"
+ },
+ "ke": {
+ "$ref": "#/definitions/cryptoRefArray",
+ "description": "Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)"
+ },
+ "esn": {
+ "type": "boolean",
+ "description": "Specifies if an Extended Sequence Number (ESN) is used."
+ },
+ "auth": {
+ "$ref": "#/definitions/cryptoRefArray",
+ "description": "IKEv2 Authentication method"
+ }
+ }
+ },
+ "cryptoRefArray": {
+ "$ref": "#/definitions/cryptoRefArray",
+ "title": "Cryptographic References",
+ "description": "A list of protocol-related cryptographic assets"
+ }
+ }
+ },
+ "oid": {
+ "type": "string",
+ "title": "OID",
+ "description": "The object identifier (OID) of the cryptographic asset."
+ }
+ }
+ },
+ "cipherSuite": {
+ "type": "object",
+ "title": "Cipher Suite",
+ "description": "Object representing a cipher suite",
+ "additionalProperties": false,
+ "properties": {
+ "name": {
+ "type": "string",
+ "title": "Common Name",
+ "description": "A common name for the cipher suite.",
+ "examples": [
+ "TLS_DHE_RSA_WITH_AES_128_CCM"
+ ]
+ },
+ "algorithms": {
+ "type": "array",
+ "title": "Related Algorithms",
+ "description": "A list of algorithms related to the cipher suite.",
+ "items": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm reference",
+ "description": "The bom-ref to algorithm cryptographic asset."
+ }
+ },
+ "identifiers": {
+ "type": "array",
+ "title": "Cipher Suite Identifiers",
+ "description": "A list of common identifiers for the cipher suite.",
+ "items": {
+ "type": "string",
+ "title": "identifier",
+ "description": "Cipher suite identifier",
+ "examples": [
+ "0xC0",
+ "0x9E"
+ ]
+ }
+ }
+ }
+ },
+ "cryptoRefArray" : {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/refType"
+ }
+ },
+ "securedBy": {
+ "type": "object",
+ "title": "Secured By",
+ "description": "Specifies the mechanism by which the cryptographic asset is secured by",
+ "additionalProperties": false,
+ "properties": {
+ "mechanism": {
+ "type": "string",
+ "title": "Mechanism",
+ "description": "Specifies the mechanism by which the cryptographic asset is secured by.",
+ "examples": [
+ "HSM",
+ "TPM",
+ "SGX",
+ "Software",
+ "None"
+ ]
+ },
+ "algorithmRef": {
+ "$ref": "#/definitions/refType",
+ "title": "Algorithm Reference",
+ "description": "The bom-ref to the algorithm."
+ }
+ }
}
}
}
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index e500f8e8..12731aa6 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -634,6 +634,18 @@ limitations under the License.
specified for other component types.
+
+
+
+ Cryptographic assets have properties that uniquely define them and that make them actionable
+ for further reasoning. As an example, it makes a difference if one knows the algorithm family
+ (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the
+ security level and the algorithm primitive (authenticated encryption) is only defined by the
+ definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1
+ vs. HMAC-SHA1 also makes a difference.
+
+
+
@@ -997,6 +1009,11 @@ limitations under the License.
A collection of discrete values that convey information.
+
+
+ Cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets.
+
+
@@ -1834,7 +1851,26 @@ limitations under the License.
-
+
+
+ The component or service that is a dependency of this dependency object.
+
+
+
+
+
+ The component or service that define a given specification or standard, which is provided or implemented by this dependency object.
+ For example, a cryptographic library which implements a cryptographic algorithm. A component which implements another component does not imply that the implementation is in use.
+
+
+
+
+
+ References a component or service by its bom-ref attribute
+
+
+
+
@@ -2323,11 +2359,32 @@ limitations under the License.
-
+
The location or path to where the component was found.
+
+
+ The line number where the component was found.
+
+
+
+
+ The offset where the component was found.
+
+
+
+
+ The symbol name that was found associated with the component.
+
+
+
+
+ Any additional context of the detected component (e.g. a code snippet).
+
+
+
@@ -5474,6 +5531,1152 @@ limitations under the License.
+
+
+
+ Cryptographic assets have properties that uniquely define them and that make them actionable for
+ further reasoning. As an example, it makes a difference if one knows the algorithm family (e.g. AES)
+ or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the
+ algorithm primitive (authenticated encryption) is only defined by the definition of the algorithm variant.
+ The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference.
+
+
+
+
+
+
+ Cryptographic assets occur in several forms. Algorithms and protocols are most commonly
+ implemented in specialized cryptographic libraries. They may however also be 'hardcoded'
+ in software components. Certificates and related cryptographic material like keys, tokens,
+ secrets or passwords are other cryptographic assets to be modelled.
+
+
+
+
+
+
+
+ Mathematical function commonly used for data encryption, authentication, and
+ digital signatures.
+
+
+
+
+
+
+ An electronic document that is used to provide the identity or validate a public key.
+
+
+
+
+
+
+ A set of rules and guidelines that govern the behavior and communication with each other.
+
+
+
+
+
+
+ Other cryptographic assets that are related to algorithms, certificate, and protocols
+ such as keys and tokens.
+
+
+
+
+
+
+
+
+
+ Additional properties specific to a cryptographic algorithm.
+
+
+
+
+
+
+
+ Cryptographic building blocks used in higher-level cryptographic systems and
+ protocols. Primitives represent different cryptographic routines: deterministic
+ random bit generators (drbg, e.g. CTR_DRBG from NIST SP800-90A-r1), message
+ authentication codes (mac, e.g. HMAC-SHA-256), blockciphers (e.g. AES),
+ streamciphers (e.g. Salsa20), signatures (e.g. ECDSA), hash functions (e.g. SHA-256),
+ public-key encryption schemes (pke, e.g. RSA), extended output functions
+ (xof, e.g. SHAKE256), key derivation functions (e.g. pbkdf2), key agreement
+ algorithms (e.g. ECDH), key encapsulation mechanisms (e.g. ML-KEM), authenticated
+ encryption (ae, e.g. AES-GCM) and the combination of multiple algorithms
+ (combiner, e.g. SP800-56Cr2).
+
+
+
+
+
+
+
+ Deterministic Random Bit Generator (DRBG) is a type of pseudorandom
+ number generator designed to produce a sequence of bits from an initial
+ seed value. DRBGs are commonly used in cryptographic applications where
+ reproducibility of random values is important.
+
+
+
+
+
+
+ In cryptography, a Message Authentication Code (MAC) is information
+ used for authenticating and integrity-checking a message.
+
+
+
+
+
+
+ A block cipher is a symmetric key algorithm that operates on fixed-size
+ blocks of data. It encrypts or decrypts the data in block units,
+ providing confidentiality. Block ciphers are widely used in various
+ cryptographic modes and protocols for secure data transmission.
+
+
+
+
+
+
+ A stream cipher is a symmetric key cipher where plaintext digits are
+ combined with a pseudorandom cipher digit stream (keystream).
+
+
+
+
+
+
+ In cryptography, a signature is a digital representation of a message
+ or data that proves its origin, identity, and integrity. Digital
+ signatures are generated using cryptographic algorithms and are widely
+ used for authentication and verification in secure communication.
+
+
+
+
+
+
+ A hash function is a mathematical algorithm that takes an input
+ (or 'message') and produces a fixed-size string of characters, which is
+ typically a hash value. Hash functions are commonly used in various
+ cryptographic applications, including data integrity verification and
+ password hashing.
+
+
+
+
+
+
+ Public Key Encryption (PKE) is a type of encryption that uses a pair of
+ public and private keys for secure communication. The public key is used
+ for encryption, while the private key is used for decryption. PKE is a
+ fundamental component of public-key cryptography.
+
+
+
+
+
+
+ An XOF is an extendable output function that can take arbitrary input
+ and creates a stream of output, up to a limit determined by the size of
+ the internal state of the hash function that underlies the XOF.
+
+
+
+
+
+
+ A Key Derivation Function (KDF) derives key material from another source
+ of entropy while preserving the entropy of the input.
+
+
+
+
+
+
+ In cryptography, a key-agreement is a protocol whereby two or more
+ parties agree on a cryptographic key in such a way that both influence
+ the outcome.
+
+
+
+
+
+
+ A Key Encapsulation Mechanism (KEM) algorithm is a mechanism for
+ transporting random keying material to a recipient using the recipient's
+ public key.
+
+
+
+
+
+
+ Authenticated Encryption (AE) is a cryptographic process that provides
+ both confidentiality and data integrity. It ensures that the encrypted
+ data has not been tampered with and comes from a legitimate source.
+ AE is commonly used in secure communication protocols.
+
+
+
+
+
+
+ A combiner aggregates many candidates for a cryptographic primitive and
+ generates a new candidate for the same primitive.
+
+
+
+
+
+
+ Another primitive type.
+
+
+
+
+
+
+ The primitive is not known.
+
+
+
+
+
+
+
+
+
+ An identifier for the parameter set of the cryptographic algorithm. Examples: in
+ AES128, '128' identifies the key length in bits, in SHA256, '256' identifies the
+ digest length, '128' in SHAKE128 identifies its maximum security level in bits, and
+ 'SHA2-128s' identifies a parameter set used in SLH-DSA (FIPS205).
+
+
+
+
+
+
+ The specific underlying Elliptic Curve (EC) definition employed which is an indicator
+ of the level of security strength, performance and complexity. Absent an
+ authoritative source of curve names, CycloneDX recommends use of curve names as
+ defined at https://neuromancer.sk/std/, the source from which can be found at
+ https://github.com/J08nY/std-curves.
+
+
+
+
+
+
+ The target and execution environment in which the algorithm is implemented in.
+
+
+
+
+
+
+
+ A software implementation running in plain unencrypted RAM.
+
+
+
+
+
+
+ A software implementation running in encrypted RAM.
+
+
+
+
+
+ A software implementation running in a trusted execution environment.
+
+
+
+
+
+ A hardware implementation.
+
+
+
+
+
+ Another implementation environment.
+
+
+
+
+
+ The execution environment is not known.
+
+
+
+
+
+
+
+
+
+ The target platform for which the algorithm is implemented. The implementation can
+ be 'generic', running on any platform or for a specific platform.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The certification that the implementation of the cryptographic algorithm has
+ received, if any. Certifications include revisions and levels of FIPS 140 or
+ Common Criteria of different Extended Assurance Levels (CC-EAL).
+
+
+
+
+
+
+
+ No certification obtained
+
+
+
+
+
+
+ FIPS 140-1 Level 1
+
+
+
+
+
+
+ FIPS 140-1 Level 2
+
+
+
+
+
+
+ FIPS 140-1 Level 3
+
+
+
+
+
+
+ FIPS 140-1 Level 4
+
+
+
+
+
+
+ FIPS 140-2 Level 1
+
+
+
+
+
+
+ FIPS 140-2 Level 2
+
+
+
+
+
+
+ FIPS 140-2 Level 3
+
+
+
+
+
+
+ FIPS 140-2 Level 4
+
+
+
+
+
+
+ FIPS 140-3 Level 1
+
+
+
+
+
+
+ FIPS 140-3 Level 2
+
+
+
+
+
+
+ FIPS 140-3 Level 3
+
+
+
+
+
+
+ FIPS 140-3 Level 4
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 1
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 1 (Augmented)
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 2
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 2 (Augmented)
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 3
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 3 (Augmented)
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 4
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 4 (Augmented)
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 5
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 5 (Augmented)
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 6
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 6 (Augmented)
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 7
+
+
+
+
+
+
+ Common Criteria - Evaluation Assurance Level 7 (Augmented)
+
+
+
+
+
+
+ Another certification
+
+
+
+
+
+
+ The certification level is not known
+
+
+
+
+
+
+
+
+
+ The mode of operation in which the cryptographic algorithm (block cipher) is used.
+
+
+
+
+
+
+
+ Cipher block chaining
+
+
+
+
+
+
+ Electronic codebook
+
+
+
+
+
+
+ Counter with cipher block chaining message authentication code
+
+
+
+
+
+
+ Galois/counter
+
+
+
+
+
+
+ Cipher feedback
+
+
+
+
+
+
+ Output feedback
+
+
+
+
+
+
+ Counter
+
+
+
+
+
+
+ Another mode of operation
+
+
+
+
+
+
+ The mode of operation is not known
+
+
+
+
+
+
+
+
+
+ The padding scheme that is used for the cryptographic algorithm.
+
+
+
+
+
+
+
+ Password-Based Cryptography Specification #5
+
+
+
+
+
+
+ Public Key Cryptography Standard: Cryptographic Message Syntax
+
+
+
+
+
+
+ Public Key Cryptography Standard: RSA Cryptography v1.5
+
+
+
+
+
+
+ Optimal asymmetric encryption padding
+
+
+
+
+
+
+ Raw
+
+
+
+
+
+
+ Another padding scheme
+
+
+
+
+
+
+ The padding scheme is not known
+
+
+
+
+
+
+
+
+
+ The cryptographic functions implemented by the cryptographic algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The classical security level that a cryptographic algorithm provides (in bits).
+
+
+
+
+
+
+
+
+
+
+
+ The NIST security strength category as defined in
+ https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/evaluation-criteria/security-(evaluation-criteria).
+ A value of 0 indicates that none of the categories are met.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Properties for cryptographic assets of asset type 'certificate'
+
+
+
+
+
+
+
+ The subject name for the certificate
+
+
+
+
+
+
+ The issuer name for the certificate
+
+
+
+
+
+
+ The date and time according to ISO-8601 standard from which the certificate is valid
+
+
+
+
+
+
+ The date and time according to ISO-8601 standard from which the certificate is not valid anymore
+
+
+
+
+
+
+ The bom-ref to signature algorithm used by the certificate
+
+
+
+
+
+
+ The bom-ref to the public key of the subject
+
+
+
+
+
+
+ The format of the certificate. Examples include X.509, PEM, DER, and CVC
+
+
+
+
+
+
+ The file extension of the certificate. Examples include crt, pem, cer, der, and p12.
+
+
+
+
+
+
+
+
+
+ Properties for cryptographic assets of asset type 'relatedCryptoMaterial'
+
+
+
+
+
+
+
+ The type for the related cryptographic material
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The optional unique identifier for the related cryptographic material.
+
+
+
+
+
+
+ The key state as defined by NIST SP 800-57.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The bom-ref to the algorithm used to generate the related cryptographic material.
+
+
+
+
+
+
+ The date and time (timestamp) when the related cryptographic material was created.
+
+
+
+
+
+
+ The date and time (timestamp) when the related cryptographic material was activated.
+
+
+
+
+
+
+ The date and time (timestamp) when the related cryptographic material was updated.
+
+
+
+
+
+
+ The date and time (timestamp) when the related cryptographic material expires.
+
+
+
+
+
+
+ The associated value of the cryptographic material.
+
+
+
+
+
+
+ The size of the cryptographic asset (in bits).
+
+
+
+
+
+
+ The format of the related cryptographic material (e.g. P8, PEM, DER).
+
+
+
+
+
+
+ The mechanism by which the cryptographic asset is secured by.
+
+
+
+
+
+
+
+ Specifies the mechanism by which the cryptographic asset is secured by.
+ Examples include HSM, TPM, XGX, Software, and None.
+
+
+
+
+
+
+ The bom-ref to the algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+ Properties specific to cryptographic assets of type: 'protocol'.
+
+
+
+
+
+
+
+ The concrete protocol type.
+
+
+
+
+
+
+
+ Transport Layer Security
+
+
+
+
+
+
+ Secure Shell
+
+
+
+
+
+
+ Internet Protocol Security
+
+
+
+
+
+
+ Internet Key Exchange
+
+
+
+
+
+
+ Secure Socket Tunneling Protocol
+
+
+
+
+
+
+ Wi-Fi Protected Access
+
+
+
+
+
+
+ Another protocol type
+
+
+
+
+
+
+ The protocol type is not known
+
+
+
+
+
+
+
+
+
+ The version of the protocol. Examples include 1.0, 1.2, and 1.99.
+
+
+
+
+
+
+ A list of cipher suites related to the protocol.
+
+
+
+
+
+
+
+
+
+
+ A common name for the cipher suite. For example: TLS_DHE_RSA_WITH_AES_128_CCM
+
+
+
+
+
+
+ A list of algorithms related to the cipher suite.
+
+
+
+
+
+
+
+ The bom-ref to algorithm cryptographic asset.
+
+
+
+
+
+
+
+
+
+ A list of common identifiers for the cipher suite.
+
+
+
+
+
+
+
+ Cipher suite identifier. Examples include 0xC0 and 0x9E.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2,
+ and additional properties.
+
+
+
+
+
+
+
+ Transform Type 1: encryption algorithms
+
+
+
+
+
+
+ Transform Type 2: pseudorandom functions
+
+
+
+
+
+
+ Transform Type 3: integrity algorithms
+
+
+
+
+
+
+ Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
+
+
+
+
+
+
+ Specifies if an Extended Sequence Number (ESN) is used.
+
+
+
+
+
+
+ IKEv2 Authentication method
+
+
+
+
+
+
+
+
+
+
+
+
+ The object identifier (OID) of the cryptographic asset.
+
+
+
+
+
+
diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json
new file mode 100644
index 00000000..e25d4dd9
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.json
@@ -0,0 +1,99 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "components": [
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-1",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "ae",
+ "parameterSetIdentifier": "128",
+ "curve": "brainpoolP160r1",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": [ "fips140-1-l4" ],
+ "mode": "gcm",
+ "padding": "pkcs5",
+ "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"],
+ "classicalSecurityLevel": 128,
+ "nistQuantumSecurityLevel": 1
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-2",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "certificate",
+ "certificateProperties": {
+ "subjectName": "Subject name here",
+ "issuerName": "Issuer name here",
+ "notValidBefore": "2022-01-01T00:00:00.000Z",
+ "notValidAfter": "2024-01-01T00:00:00.000Z",
+ "signatureAlgorithmRef": "bom-ref-to-algorithm",
+ "subjectPublicKeyRef": "bom-ref-to-public-key",
+ "certificateFormat": "X.509",
+ "certificateExtension": "crt"
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-3",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "protocol",
+ "protocolProperties": {
+ "type": "tls",
+ "version": "1.3",
+ "cipherSuites": [
+ {
+ "name": "TLS_DHE_RSA_WITH_AES_128_CCM",
+ "algorithms": [
+ "bom-ref-to-algorithm"
+ ],
+ "identifiers": [
+ "0xC0"
+ ]
+ }
+ ]
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "asset-4",
+ "name": "Name here",
+ "cryptoProperties": {
+ "assetType": "related-crypto-material",
+ "relatedCryptoMaterialProperties": {
+ "type": "private-key",
+ "id": "12345",
+ "state": "active",
+ "algorithmRef": "bom-ref-to-algorithm",
+ "creationDate": "2024-01-01T00:00:00.000Z",
+ "activationDate": "2024-01-02T00:00:00.000Z",
+ "updateDate": "2024-01-03T00:00:00.000Z",
+ "expirationDate": "2024-01-04T00:00:00.000Z",
+ "value": "Value here",
+ "size": 1024,
+ "format": "PEM",
+ "securedBy": {
+ "mechanism": "HSM",
+ "algorithmRef": "bom-ref-to-algorithm"
+ }
+ },
+ "oid": "oid:1.2.3.4.5.6.7.8.9"
+ }
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto
new file mode 100644
index 00000000..a135dc63
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.textproto
@@ -0,0 +1,119 @@
+spec_version: "1.6"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+components: [
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "asset-1"
+ name: "Name here"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_ALGORITHM
+ algorithmProperties: {
+ primitive: CRYPTO_PRIMITIVE_AE
+ parameterSetIdentifier: "128"
+ curve: "brainpoolP160r1"
+ executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM
+ implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64
+ certificationLevel: [ "fips140-1-l4" ]
+ mode: CRYPTO_ALGORITHM_MODE_GCM
+ padding: CRYPTO_ALGORITHM_PADDING_PKCS5
+ cryptoFunctions: [
+ CRYPTO_ALGORITHM_FUNCTION_KEYGEN,
+ CRYPTO_ALGORITHM_FUNCTION_ENCRYPT,
+ CRYPTO_ALGORITHM_FUNCTION_DECRYPT,
+ CRYPTO_ALGORITHM_FUNCTION_TAG
+ ]
+ classicalSecurityLevel: 128
+ nistQuantumSecurityLevel: 1
+ },
+ oid: "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "asset-2"
+ name: "Name here"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_CERTIFICATE
+ certificateProperties: {
+ subjectName: "Subject name here"
+ issuerName: "Issuer name here"
+ notValidBefore {
+ seconds: 3173618478
+ nanos: 3
+ }
+ notValidAfter {
+ seconds: 3173618478
+ nanos: 3
+ }
+ signatureAlgorithmRef: "bom-ref-to-algorithm"
+ subjectPublicKeyRef: "bom-ref-to-public-key"
+ certificateFormat: "X.509"
+ certificateExtension: "crt"
+ }
+ oid: "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "asset-3"
+ name: "Name here"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_PROTOCOL
+ protocolProperties: {
+ type: CRYPTO_PROTOCOL_TYPE_TLS
+ version: "1.3"
+ cipherSuites: [
+ {
+ name: "TLS_DHE_RSA_WITH_AES_128_CCM"
+ algorithms: [
+ "bom-ref-to-algorithm"
+ ]
+ identifiers: [
+ "0xC0"
+ ]
+ }
+ ]
+ }
+ oid: "oid:1.2.3.4.5.6.7.8.9"
+ }
+ },
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "asset-4"
+ name: "Name here"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_RELATED_CRYPTO_MATERIAL
+ relatedCryptoMaterialProperties: {
+ type: CRYPTO_RELATED_TYPE_PRIVATE_KEY
+ id: "12345"
+ state: CRYPTO_RELATED_STATE_ACTIVE
+ algorithmRef: "bom-ref-to-algorithm"
+ creationDate {
+ seconds: 3173618478
+ nanos: 3
+ }
+ activationDate {
+ seconds: 3173618478
+ nanos: 3
+ }
+ updateDate {
+ seconds: 3173618478
+ nanos: 3
+ }
+ expirationDate {
+ seconds: 3173618478
+ nanos: 3
+ }
+ value: "Value here"
+ size: 1024
+ format: "PEM"
+ securedBy: {
+ mechanism: "HSM"
+ algorithmRef: "bom-ref-to-algorithm"
+ }
+ }
+ oid: "oid:1.2.3.4.5.6.7.8.9"
+ }
+ }
+]
diff --git a/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml
new file mode 100644
index 00000000..0e151a34
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-full-1.6.xml
@@ -0,0 +1,93 @@
+
+
+
+
+ Name here
+
+ algorithm
+
+ ae
+ 128
+ brainpoolP160r1
+ software-plain-ram
+ x86_64
+ fips140-1-l4
+ gcm
+ pkcs5
+
+ keygen
+ encrypt
+ decrypt
+ tag
+
+ 128
+ 1
+
+ oid:1.2.3.4.5.6.7.8.9
+
+
+
+ Name here
+
+ certificate
+
+ Subject name here
+ Issuer name here
+ 2022-01-01T00:00:00.000Z
+ 2024-01-01T00:00:00.000Z
+ bom-ref-to-algorithm
+ bom-ref-to-public-key
+ X.509
+ crt
+
+ oid:1.2.3.4.5.6.7.8.9
+
+
+
+ Name here
+
+ protocol
+
+ tls
+ 1.3
+
+
+ TLS_DHE_RSA_WITH_AES_128_CCM
+
+ bom-ref-to-algorithm
+
+
+ 0xC0
+
+
+
+
+ oid:1.2.3.4.5.6.7.8.9
+
+
+
+ Name here
+
+ related-crypto-material
+
+ private-key
+ 12345
+ active
+ bom-ref-to-algorithm
+ 2024-01-01T00:00:00.000Z
+ 2024-01-02T00:00:00.000Z
+ 2024-01-03T00:00:00.000Z
+ 2024-01-04T00:00:00.000Z
+ Value here
+ 1024
+ PEM
+
+ HSM
+ bom-ref-to-algorithm
+
+
+ oid:1.2.3.4.5.6.7.8.9
+
+
+
+
diff --git a/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json
new file mode 100644
index 00000000..3bff0945
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.json
@@ -0,0 +1,59 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+ "version": 1,
+ "metadata": {
+ "component": {
+ "type": "application",
+ "bom-ref": "acme-application",
+ "name": "Acme Application",
+ "version": "1.0"
+ }
+ },
+ "components": [
+ {
+ "type": "cryptographic-asset",
+ "bom-ref": "aes128gcm",
+ "name": "AES",
+ "cryptoProperties": {
+ "assetType": "algorithm",
+ "algorithmProperties": {
+ "primitive": "ae",
+ "parameterSetIdentifier": "128",
+ "executionEnvironment": "software-plain-ram",
+ "implementationPlatform": "x86_64",
+ "certificationLevel": [ "none" ],
+ "mode": "gcm",
+ "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"],
+ "classicalSecurityLevel": 128,
+ "nistQuantumSecurityLevel": 1
+ },
+ "oid": "oid:2.16.840.1.101.3.4.1.6"
+ }
+ },
+ {
+ "type": "library",
+ "bom-ref": "crypto-library",
+ "name": "Crypto library",
+ "version": "1.0.0"
+ },
+ {
+ "type": "library",
+ "bom-ref": "some-library",
+ "name": "Some library",
+ "version": "1.0.0"
+ }
+ ],
+ "dependencies": [
+ {
+ "ref": "acme-application",
+ "dependsOn": ["crypto-library"]
+ },
+ {
+ "ref": "crypto-library",
+ "provides": ["aes128gcm"],
+ "dependsOn": ["some-library"]
+ }
+ ]
+}
diff --git a/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto
new file mode 100644
index 00000000..a7b1a0be
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.textproto
@@ -0,0 +1,68 @@
+# proto-file: schema/bom-1.6.proto
+# proto-message:
+
+spec_version: "1.6"
+version: 1
+serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
+metadata: {
+ component: {
+ type: CLASSIFICATION_APPLICATION
+ bom_ref: "acme-application"
+ name: "Acme Application"
+ version: "1.0"
+ }
+}
+components: [
+ {
+ type: CLASSIFICATION_CRYPTOGRAPHIC_ASSET
+ bom_ref: "aes128gcm"
+ name: "AES"
+ cryptoProperties: {
+ assetType: CRYPTO_ASSET_TYPE_ALGORITHM
+ algorithmProperties: {
+ primitive: CRYPTO_PRIMITIVE_AE
+ parameterSetIdentifier: "128"
+ executionEnvironment: CRYPTO_EXECUTION_ENVIRONMENT_SOFTWARE_PLAIN_RAM
+ implementationPlatform: CRYPTO_IMPLEMENTATION_PLATFORM_X86_64
+ certificationLevel: [ "none" ],
+ mode: CRYPTO_ALGORITHM_MODE_GCM
+ cryptoFunctions: [
+ CRYPTO_ALGORITHM_FUNCTION_KEYGEN,
+ CRYPTO_ALGORITHM_FUNCTION_ENCRYPT,
+ CRYPTO_ALGORITHM_FUNCTION_DECRYPT,
+ CRYPTO_ALGORITHM_FUNCTION_TAG
+ ]
+ classicalSecurityLevel: 128
+ nistQuantumSecurityLevel: 1
+ },
+ oid: "oid:2.16.840.1.101.3.4.1.6"
+ }
+ },
+ {
+ type: CLASSIFICATION_LIBRARY
+ bom_ref: "crypto-library"
+ name: "Crypto library"
+ version: "1.0.0"
+ },
+ {
+ type: CLASSIFICATION_LIBRARY
+ bom_ref: "some-library"
+ name: "Some library"
+ version: "1.0.0"
+ }
+],
+dependencies: [
+ {
+ ref: "acme-application"
+ dependencies {
+ ref: "crypto-library"
+ }
+ },
+ {
+ ref: "crypto-library"
+ provides: [ "aes128gcm" ]
+ dependencies {
+ ref: "some-library"
+ }
+ }
+]
diff --git a/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml
new file mode 100644
index 00000000..d9c97fee
--- /dev/null
+++ b/tools/src/test/resources/1.6/valid-cryptography-implementation-1.6.xml
@@ -0,0 +1,51 @@
+
+
+
+
+ Acme Application
+ 1.0
+
+
+
+
+ AES
+
+ algorithm
+
+ ae
+ 128
+ software-plain-ram
+ x86_64
+ none
+ gcm
+
+ keygen
+ encrypt
+ decrypt
+ tag
+
+ 128
+ 1
+
+ oid:2.16.840.1.101.3.4.1.6
+
+
+
+ Crypto Library
+ 1.0.0
+
+
+ Some Library
+ 1.0.0
+
+
+
+
+
+
+
+
+
+
+
+