Description
Describe the feature
ShangMi (SM) cryptographic algorithms are mandated in multiple regulated environments in China, including TLS deployments, PKI infrastructures, and government systems.
Currently, CycloneDX does not define SM2, SM3, SM4, or SM9 in cryptography-defs.json. This prevents SBOM producers from accurately expressing ShangMi-based cryptographic implementations, limiting interoperability for software distributed into these environments.
Adding these families enables CycloneDX BOMs to represent widely deployed cryptographic stacks used in Chinese compliance contexts.
Possible solutions
Add the following algorithm families to cryptography-defs.json and algorithmFamiliesEnum:
- SM2 — signature / public-key encryption / key agreement
- SM3 — cryptographic hash
- SM4 — block cipher
- SM9 — identity-based cryptography
References are provided using:
- ISO standards (SM2/SM3/SM4)
- RFC 8998 (TLS integration of ShangMi algorithms)
- Public GM/T mirrors for SM9
A PR implementing this proposal is prepared.
Alternatives
If preferred, SM9 could initially be represented as a single composite family (primitive: other) and further refined later based on usage patterns.
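To make the gap described above concrete, here is an added example (not CycloneDX project code) that checks a BOM's cryptographic assets against an algorithm family enum before and after the proposed ShangMi families are added, with SM9 modelled as the single composite family from the alternative above. The dict layout is a simplified stand-in for cryptography-defs.json and algorithmFamiliesEnum, whose real structure is an assumption here; primitive names follow the CycloneDX 1.6 cryptoProperties vocabulary.

```python
# Added example, not CycloneDX project code. Models the interoperability gap:
# a BOM using ShangMi families cannot be expressed while those families are
# missing from algorithmFamiliesEnum. The dict layout is an assumed,
# simplified stand-in for cryptography-defs.json.

# Primitive vocabulary as in CycloneDX 1.6 cryptoProperties.
KNOWN_PRIMITIVES = {"block-cipher", "stream-cipher", "signature", "hash",
                    "pke", "key-agree", "kem", "mac", "kdf", "ae", "other"}

# Constructed stand-in for the current enum: no ShangMi families present.
CURRENT_ENUM = ["AES", "RSA", "ECDSA", "SHA-2", "SHA-3", "ChaCha20"]

# The four families the issue proposes, with the primitives and references it lists.
PROPOSED_SHANGMI_DEFS = {
    "SM2": {"primitives": ["signature", "pke", "key-agree"],
            "references": ["ISO/IEC 14888-3", "RFC 8998"]},
    "SM3": {"primitives": ["hash"], "references": ["ISO/IEC 10118-3", "RFC 8998"]},
    "SM4": {"primitives": ["block-cipher"], "references": ["ISO/IEC 18033-3", "RFC 8998"]},
    # Alternative from the issue: SM9 as one composite family, primitive "other".
    "SM9": {"primitives": ["other"], "references": ["GM/T 0044-2016 (public mirror)"]},
}

def validate_defs(defs):
    """Return problems found in proposed entries: unknown primitives or no reference."""
    problems = []
    for family, entry in defs.items():
        for prim in entry["primitives"]:
            if prim not in KNOWN_PRIMITIVES:
                problems.append(f"{family}: unknown primitive {prim!r}")
        if not entry["references"]:
            problems.append(f"{family}: no standards reference")
    return problems

def with_shangmi(enum, defs=PROPOSED_SHANGMI_DEFS):
    """Copy of the enum extended with the proposed families, without duplicates."""
    return list(enum) + [f for f in defs if f not in enum]

def unexpressible_families(bom_components, enum):
    """Families used by a BOM's cryptographic assets that the enum cannot express."""
    return sorted({c["algorithmFamily"] for c in bom_components} - set(enum))

# Constructed BOM fragment: a TLS 1.3 stack of the kind RFC 8998 describes.
SAMPLE_BOM_COMPONENTS = [
    {"name": "TLS_SM4_GCM_SM3 cipher suite", "algorithmFamily": "SM4"},
    {"name": "SM3 transcript hash", "algorithmFamily": "SM3"},
    {"name": "SM2 certificate signature", "algorithmFamily": "SM2"},
    {"name": "AES-GCM fallback", "algorithmFamily": "AES"},
]

if __name__ == "__main__":
    print("before:", unexpressible_families(SAMPLE_BOM_COMPONENTS, CURRENT_ENUM))
    print("after: ", unexpressible_families(SAMPLE_BOM_COMPONENTS, with_shangmi(CURRENT_ENUM)))
    print("defs problems:", validate_defs(PROPOSED_SHANGMI_DEFS))
```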
Additional context
RFC 8998 documents production usage of SM2/SM3/SM4 in TLS 1.3 deployments.
SM4 is also standardized internationally via ISO/IEC 18033-3.
This addition aligns CycloneDX cryptography definitions with existing national and international cryptographic ecosystems.