@n1ckl0sk0rtge
Contributor

2024-10-17

  • add serial number to certificateProperties
  • add fingerPrint to certificateProperties and relatedCryptoMaterialProperties

TODO/DONE

  • JSON schema modified
  • XML schema modified
  • ProtoBuf schema modified
  • JSON examples/test data crafted
  • XML examples/test data crafted
  • ProtoBuf examples/test data crafted

…teFileExtensions, fix relatedCryptographicAssets, add reason for certificate lifecycle

Signed-off-by: Nicklas Körtge <nicklas.koertge1@ibm.com>
"value": {
"type": "string",
"title": "Value",
"description": "The description of the custom certificate extension."

Member

Suggested change
"description": "The description of the custom certificate extension."
"description": "The value of the custom certificate extension."

#543 (comment)

stevespringett and others added 13 commits March 21, 2025 22:07
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Extending the ikev2TransformTypes property
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Ikev2 transform types extension (2)
- Adds a few more algorithms
- Converts URLs to standards to DOI links, where available.
- Checks if URLs work

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
- Adds a few more algorithms
- Converts URLs to standards to DOI links, where available.
- Checks if URLs work

----

TODO / progress
- [x] JSON schema
- [ ] XML schema
- [ ] ProtoBuf schema

IKE transform types: Only one algorithm per parameter
@jkowalleck jkowalleck self-requested a review April 18, 2025 08:00
bhess and others added 5 commits May 14, 2025 12:59
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
- Changes schema for crypto-defs to allow different variant patterns corresponding to different primitives
- Adds "key-wrap" as a new primitive

Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
- Extends cryptography-defs.json list with algorithms from PKCS11
- Changes schema for crypto-defs to allow different variant patterns
corresponding to different primitives
- Adds "key-wrap" as a new primitive
@n1ckl0sk0rtge n1ckl0sk0rtge deleted the 1.7-dev-cryptography branch May 22, 2025 13:23
@JoeyLupo

Were these proposed changes abandoned @n1ckl0sk0rtge? This looked like a major improvement from v1.6, especially in the certificate modeling.

@n1ckl0sk0rtge
Contributor Author

Hi @JoeyLupo, I ran into some issues with this PR/branch during the rebase process, so I decided to close it and open a new one. All the previous changes, along with some additional updates, can now be found here.

@JoeyLupo

Hmm, the new branch seems to not include the certificateExtensions field from https://github.com/n1ckl0sk0rtge/specification/blob/49abb613d21b8e6a2f8c69b444ba6523ca1362b1/schema/bom-1.7.schema.json#L5515:

                        "meta:enum": {
                          "basicConstraints": "Specifies whether a certificate can be used as a CA certificate or not.",
                          "keyUsage": "Specifies the allowed uses of the public key in the certificate.",
                          "extendedKeyUsage": "Specifies additional purposes for which the public key can be used.",
                          "subjectAlternativeName": "Allows inclusion of additional names to identify the entity associated with the certificate.",
                          "authorityKeyIdentifier": "Identifies the public key of the CA that issued the certificate.",
                          "subjectKeyIdentifier": "Identifies the public key associated with the entity the certificate was issued to.",
                          "authorityInformationAccess": "Contains CA issuers and OCSP information.",
                          "certificatePolicies": "Defines the policies under which the certificate was issued and can be used.",
                          "crlDistributionPoints": "Contains one or more URLs where a Certificate Revocation List (CRL) can be obtained.",
                          "signedCertificateTimestamp": "Shows that the certificate has been publicly logged, which helps prevent the issuance of rogue certificates by a CA. Log ID, timestamp and signature as proof."
                        },

I think the inclusion of these fields is a major improvement over v1.6 and should certainly be included in v1.7.

@n1ckl0sk0rtge
Contributor Author

@JoeyLupo, you are right! Thanks for pointing out! I will double check for other properties, and will add the certificateExtension.

@n1ckl0sk0rtge
Contributor Author

@JoeyLupo: Here is the PR with all the changes that were missing: #658. Thanks again!!!
