From 92a0604525ecbebc9b975f091c94e22088df2445 Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Wed, 3 Jun 2026 15:02:13 +0200
Subject: [PATCH 1/2] feat(cryptography): add cryptographic agility plane to CBOM
Optional cryptoProperties.agility (configurationSource, configurationRef, changeMechanism) plus certificate renewal and key rotation objects backed by a shared lifecycleAutomation enum.
Signed-off-by: Basil Hess
---
.../cyclonedx-cryptography-2.0.schema.json | 133 ++++++++++++++++++
1 file changed, 133 insertions(+)
diff --git a/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json b/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
index 4792c4ed..512eecfd 100644
--- a/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
@@ -31,6 +31,67 @@
 "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."
 }
 },
+ "agility": {
+ "type": "object",
+ "title": "Cryptographic Agility",
+ "description": "Properties describing how the cryptographic configuration of this asset was determined and how a change to it can be applied. These properties support cryptographic-agility and post-quantum migration assessment.",
+ "additionalProperties": false,
+ "properties": {
+ "configurationSource": {
+ "type": "string",
+ "title": "Configuration Source",
+ "description": "Describes how the cryptographic configuration was determined for this asset, ordered from least to most agile.",
+ "enum": [
+ "hardcoded",
+ "product-default",
+ "administrator-configured",
+ "policy-managed",
+ "negotiated",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "hardcoded": "The configuration is fixed in code or firmware and is not intended to be changed.",
+ "product-default": "The configuration is inherited from product or vendor defaults and can typically be overridden.",
+ "administrator-configured": "The configuration is explicitly set by an administrator through external configuration.",
+ "policy-managed": "The configuration is determined by a policy or governance engine.",
+ "negotiated": "The configuration is agreed at runtime with a peer, such as during a protocol handshake.",
+ "other": "Another configuration source applies.",
+ "unknown": "The configuration source is not known."
+ }
+ },
+ "configurationRef": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "title": "Configuration Reference",
+ "description": "The bom-ref of the configuration that determines this cryptographic configuration. Typically points to a component of type 'data' whose data type is 'configuration'."
+ },
+ "changeMechanism": {
+ "type": "string",
+ "title": "Change Mechanism",
+ "description": "Describes how a change to this cryptographic configuration is applied, ordered from least to most agile.",
+ "enum": [
+ "not-possible",
+ "hardware-replacement",
+ "firmware-update",
+ "software-update",
+ "restart-required",
+ "runtime-config",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "not-possible": "The configuration cannot be changed through any supported means.",
+ "hardware-replacement": "The change requires replacing or adding hardware.",
+ "firmware-update": "The change requires a firmware update.",
+ "software-update": "The change requires a software or package update.",
+ "restart-required": "The change can be applied through configuration but requires restarting software or service processes.",
+ "runtime-config": "The change can be applied at runtime without a restart.",
+ "other": "Another change mechanism applies.",
+ "unknown": "The change mechanism is not known."
+ }
+ }
+ }
+ },
 "algorithmProperties": {
 "type": "object",
 "title": "Algorithm Properties",
@@ -521,6 +582,31 @@
 "title": "Destruction Date",
 "description": "The date and time (timestamp) when the certificate was destroyed."
 },
+ "renewal": {
+ "type": "object",
+ "title": "Certificate Renewal",
+ "description": "How this certificate is renewed or re-enrolled.",
+ "additionalProperties": false,
+ "properties": {
+ "automation": {
+ "$ref": "#/$defs/lifecycleAutomation",
+ "title": "Renewal Automation",
+ "description": "The degree of automation with which this certificate is renewed."
+ },
+ "mechanism": {
+ "type": "string",
+ "title": "Renewal Mechanism",
+ "description": "The mechanism used to renew or re-enroll this certificate, such as the ACME (RFC 8555), EST (RFC 7030), SCEP (RFC 8894), CMP (RFC 4210), or CMC (RFC 5272) protocols.",
+ "examples": [
+ "ACME",
+ "EST",
+ "SCEP",
+ "CMP",
+ "CMC"
+ ]
+ }
+ }
+ },
 "certificateExtensions": {
 "type": "array",
 "title": "Certificate Extensions",
@@ -673,6 +759,32 @@
 "destroyed"
 ]
 },
+ "rotation": {
+ "type": "object",
+ "title": "Key Rotation",
+ "description": "How this cryptographic material is rotated under the same algorithm.",
+ "additionalProperties": false,
+ "properties": {
+ "automation": {
+ "$ref": "#/$defs/lifecycleAutomation",
+ "title": "Rotation Automation",
+ "description": "The degree of automation with which this cryptographic material is rotated under the same algorithm."
+ },
+ "mechanism": {
+ "type": "string",
+ "title": "Rotation Mechanism",
+ "description": "The mechanism, system, or interface used to rotate this cryptographic material, such as KMIP, PKCS#11, or a cloud key-management service.",
+ "examples": [
+ "KMIP",
+ "PKCS#11",
+ "AWS KMS",
+ "Google Cloud KMS",
+ "Azure Key Vault",
+ "HashiCorp Vault Transit"
+ ]
+ }
+ }
+ },
 "creationDate": {
 "type": "string",
 "format": "date-time",
@@ -1088,6 +1200,27 @@
 "unknown": "The cryptographic function is not known."
 }
 },
+ "lifecycleAutomation": {
+ "type": "string",
+ "title": "Lifecycle Automation",
+ "description": "The degree of automation for a cryptographic lifecycle operation, ordered from least to most agile.",
+ "enum": [
+ "not-supported",
+ "manual",
+ "on-demand",
+ "automatic",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "not-supported": "The operation is not supported.",
+ "manual": "The operation is initiated and executed manually.",
+ "on-demand": "The operation can be triggered on demand, for example through an API call.",
+ "automatic": "The operation is performed automatically based on policy or schedule.",
+ "other": "Another mechanism applies.",
+ "unknown": "The mechanism is not known."
+ }
+ },
 "relatedCryptographicAssets": {
 "type": "array",
 "title": "Related Cryptographic Assets",
From 92c9827dff9968c873596c5a37d3805d56667c3e Mon Sep 17 00:00:00 2001
From: Basil Hess
Date: Fri, 5 Jun 2026 14:39:43 +0200
Subject: [PATCH 2/2] Move agility to component level, unify rotation and renewal object
Signed-off-by: Basil Hess
---
.../model/cyclonedx-component-2.0.schema.json | 64 +++++++
.../cyclonedx-cryptography-2.0.schema.json | 171 +++++-------------
2 files changed, 110 insertions(+), 125 deletions(-)
diff --git a/schema/2.0/model/cyclonedx-component-2.0.schema.json b/schema/2.0/model/cyclonedx-component-2.0.schema.json
index b7d540e0..e5c085d7 100644
--- a/schema/2.0/model/cyclonedx-component-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-component-2.0.schema.json
@@ -264,6 +264,9 @@
 "$ref": "cyclonedx-cryptography-2.0.schema.json#/$defs/cryptoProperties",
 "title": "Cryptographic Properties"
 },
+ "agility": {
+ "$ref": "#/$defs/agility"
+ },
 "tags": {
 "$ref": "cyclonedx-common-2.0.schema.json#/$defs/tags",
 "title": "Tags"
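Review bot: The new `agility` entry in the component `properties` carries only a `$ref`, while the neighbouring `cryptoProperties` and `tags` entries in this hunk pair their `$ref` with a `title`, so generated documentation would show this property untitled and the file's own convention is broken. Add the sibling for consistency: `"agility": { "$ref": "#/$defs/agility", "title": "Agility" },`. The `agility` definition this points to is added in the next hunk of the same file.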
@@ -733,6 +736,67 @@
 "$ref": "cyclonedx-data-2.0.schema.json#/$defs/dataGovernance"
 }
 }
+ },
+ "agility": {
+ "type": "object",
+ "title": "Agility",
+ "description": "Properties describing how this component's configuration was determined and how a change to it can be applied. These properties support change management and, for cryptographic assets, cryptographic-agility.",
+ "additionalProperties": false,
+ "properties": {
+ "configurationSource": {
+ "type": "string",
+ "title": "Configuration Source",
+ "description": "Describes how this component's configuration was determined, ordered from least to most agile.",
+ "enum": [
+ "hardcoded",
+ "product-default",
+ "administrator-configured",
+ "policy-managed",
+ "negotiated",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "hardcoded": "The configuration is fixed in code or firmware and is not intended to be changed.",
+ "product-default": "The configuration is inherited from product or vendor defaults and can typically be overridden.",
+ "administrator-configured": "The configuration is explicitly set by an administrator through external configuration.",
+ "policy-managed": "The configuration is determined by a policy or governance engine.",
+ "negotiated": "The configuration is agreed at runtime with a peer, such as during a protocol handshake.",
+ "other": "Another configuration source applies.",
+ "unknown": "The configuration source is not known."
+ }
+ },
+ "configurationRef": {
+ "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
+ "title": "Configuration Reference",
+ "description": "The bom-ref of the configuration that determines this component's configuration. Typically points to a component of type 'data' whose data type is 'configuration'."
+ },
+ "changeMechanism": {
+ "type": "string",
+ "title": "Change Mechanism",
+ "description": "Describes how a change to this component's configuration is applied, ordered from least to most agile.",
+ "enum": [
+ "not-possible",
+ "hardware-replacement",
+ "firmware-update",
+ "software-update",
+ "restart-required",
+ "runtime-config",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "not-possible": "The configuration cannot be changed through any supported means.",
+ "hardware-replacement": "The change requires replacing or adding hardware.",
+ "firmware-update": "The change requires a firmware update.",
+ "software-update": "The change requires a software or package update.",
+ "restart-required": "The change can be applied through configuration but requires restarting software or service processes.",
+ "runtime-config": "The change can be applied at runtime without a restart.",
+ "other": "Another change mechanism applies.",
+ "unknown": "The change mechanism is not known."
+ }
+ }
+ }
 }
 }
 }
diff --git a/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json b/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
index 512eecfd..1a824c5a 100644
--- a/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
+++ b/schema/2.0/model/cyclonedx-cryptography-2.0.schema.json
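Review bot: The `configurationSource` and `changeMechanism` descriptions in this hunk state that the values are "ordered from least to most agile", but `enum` position carries no meaning to a JSON Schema validator and the trailing `other` and `unknown` values fall outside that scale, so a consumer cannot safely derive an ordinal from the list. The ranking also describes how easily the configuration can be changed, not how secure it is — `negotiated`, the most agile value, means the effective configuration is decided with a peer at runtime, which a risk assessment must weigh separately. I would append to both descriptions a sentence such as `The ordering is informative only; 'other' and 'unknown' are not ranked and agility does not imply security strength.`. The same phrasing recurs in the `automation` property of `lifecycleControl` in the last hunk of the cryptography schema, and was first introduced by patch 1 of this series.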
@@ -31,67 +31,6 @@
 "related-crypto-material": "Other cryptographic assets related to algorithms, certificates, and protocols such as keys and tokens."
 }
 },
- "agility": {
- "type": "object",
- "title": "Cryptographic Agility",
- "description": "Properties describing how the cryptographic configuration of this asset was determined and how a change to it can be applied. These properties support cryptographic-agility and post-quantum migration assessment.",
- "additionalProperties": false,
- "properties": {
- "configurationSource": {
- "type": "string",
- "title": "Configuration Source",
- "description": "Describes how the cryptographic configuration was determined for this asset, ordered from least to most agile.",
- "enum": [
- "hardcoded",
- "product-default",
- "administrator-configured",
- "policy-managed",
- "negotiated",
- "other",
- "unknown"
- ],
- "meta:enum": {
- "hardcoded": "The configuration is fixed in code or firmware and is not intended to be changed.",
- "product-default": "The configuration is inherited from product or vendor defaults and can typically be overridden.",
- "administrator-configured": "The configuration is explicitly set by an administrator through external configuration.",
- "policy-managed": "The configuration is determined by a policy or governance engine.",
- "negotiated": "The configuration is agreed at runtime with a peer, such as during a protocol handshake.",
- "other": "Another configuration source applies.",
- "unknown": "The configuration source is not known."
- }
- },
- "configurationRef": {
- "$ref": "cyclonedx-common-2.0.schema.json#/$defs/refLinkType",
- "title": "Configuration Reference",
- "description": "The bom-ref of the configuration that determines this cryptographic configuration. Typically points to a component of type 'data' whose data type is 'configuration'."
- },
- "changeMechanism": {
- "type": "string",
- "title": "Change Mechanism",
- "description": "Describes how a change to this cryptographic configuration is applied, ordered from least to most agile.",
- "enum": [
- "not-possible",
- "hardware-replacement",
- "firmware-update",
- "software-update",
- "restart-required",
- "runtime-config",
- "other",
- "unknown"
- ],
- "meta:enum": {
- "not-possible": "The configuration cannot be changed through any supported means.",
- "hardware-replacement": "The change requires replacing or adding hardware.",
- "firmware-update": "The change requires a firmware update.",
- "software-update": "The change requires a software or package update.",
- "restart-required": "The change can be applied through configuration but requires restarting software or service processes.",
- "runtime-config": "The change can be applied at runtime without a restart.",
- "other": "Another change mechanism applies.",
- "unknown": "The change mechanism is not known."
- }
- }
- }
- },
 "algorithmProperties": {
 "type": "object",
 "title": "Algorithm Properties",
@@ -583,29 +522,9 @@
 "description": "The date and time (timestamp) when the certificate was destroyed."
 },
 "renewal": {
- "type": "object",
+ "$ref": "#/$defs/lifecycleControl",
 "title": "Certificate Renewal",
- "description": "How this certificate is renewed or re-enrolled.",
- "additionalProperties": false,
- "properties": {
- "automation": {
- "$ref": "#/$defs/lifecycleAutomation",
- "title": "Renewal Automation",
- "description": "The degree of automation with which this certificate is renewed."
- },
- "mechanism": {
- "type": "string",
- "title": "Renewal Mechanism",
- "description": "The mechanism used to renew or re-enroll this certificate, such as the ACME (RFC 8555), EST (RFC 7030), SCEP (RFC 8894), CMP (RFC 4210), or CMC (RFC 5272) protocols.",
- "examples": [
- "ACME",
- "EST",
- "SCEP",
- "CMP",
- "CMC"
- ]
- }
- }
+ "description": "How this certificate is renewed or re-enrolled."
 },
 "certificateExtensions": {
 "type": "array",
@@ -760,30 +679,9 @@
 ]
 },
 "rotation": {
- "type": "object",
+ "$ref": "#/$defs/lifecycleControl",
 "title": "Key Rotation",
- "description": "How this cryptographic material is rotated under the same algorithm.",
- "additionalProperties": false,
- "properties": {
- "automation": {
- "$ref": "#/$defs/lifecycleAutomation",
- "title": "Rotation Automation",
- "description": "The degree of automation with which this cryptographic material is rotated under the same algorithm."
- },
- "mechanism": {
- "type": "string",
- "title": "Rotation Mechanism",
- "description": "The mechanism, system, or interface used to rotate this cryptographic material, such as KMIP, PKCS#11, or a cloud key-management service.",
- "examples": [
- "KMIP",
- "PKCS#11",
- "AWS KMS",
- "Google Cloud KMS",
- "Azure Key Vault",
- "HashiCorp Vault Transit"
- ]
- }
- }
+ "description": "How this cryptographic material is rotated under the same algorithm."
 },
 "creationDate": {
 "type": "string",
@@ -1200,25 +1098,48 @@
 "unknown": "The cryptographic function is not known."
 }
 },
- "lifecycleAutomation": {
- "type": "string",
- "title": "Lifecycle Automation",
- "description": "The degree of automation for a cryptographic lifecycle operation, ordered from least to most agile.",
- "enum": [
- "not-supported",
- "manual",
- "on-demand",
- "automatic",
- "other",
- "unknown"
- ],
- "meta:enum": {
- "not-supported": "The operation is not supported.",
- "manual": "The operation is initiated and executed manually.",
- "on-demand": "The operation can be triggered on demand, for example through an API call.",
- "automatic": "The operation is performed automatically based on policy or schedule.",
- "other": "Another mechanism applies.",
- "unknown": "The mechanism is not known."
+ "lifecycleControl": {
+ "type": "object",
+ "title": "Lifecycle Control",
+ "description": "How a cryptographic lifecycle operation, such as key rotation or certificate renewal, is performed.",
+ "additionalProperties": false,
+ "properties": {
+ "automation": {
+ "type": "string",
+ "title": "Automation",
+ "description": "The degree of automation with which the operation is performed, ordered from least to most agile.",
+ "enum": [
+ "not-supported",
+ "manual",
+ "on-demand",
+ "automatic",
+ "other",
+ "unknown"
+ ],
+ "meta:enum": {
+ "not-supported": "The operation is not supported.",
+ "manual": "The operation is initiated and executed manually.",
+ "on-demand": "The operation can be triggered on demand, for example through an API call.",
+ "automatic": "The operation is performed automatically based on policy or schedule.",
+ "other": "Another mechanism applies.",
+ "unknown": "The mechanism is not known."
+ }
+ },
+ "mechanism": {
+ "type": "string",
+ "title": "Lifecycle Mechanism",
+ "description": "The protocol, system, or interface used to perform the operation, such as the ACME (RFC 8555), EST (RFC 7030), SCEP (RFC 8894), CMP (RFC 4210), or CMC (RFC 5272) certificate protocols, or KMIP, PKCS#11, and cloud key-management services for key rotation.",
+ "examples": [
+ "ACME",
+ "EST",
+ "SCEP",
+ "CMP",
+ "CMC",
+ "KMIP",
+ "PKCS#11",
+ "HashiCorp Vault Transit"
+ ]
+ }
+ }
 },
 "relatedCryptographicAssets": {
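Review bot: The `meta:enum` texts for `other` and `unknown` under `automation` were carried over from the removed `lifecycleAutomation` enum and still read "Another mechanism applies." and "The mechanism is not known.", but in the new `lifecycleControl` object `mechanism` is a sibling property, so the wording now documents the wrong field. Change them to `"other": "Another degree of automation applies.",` and `"unknown": "The degree of automation is not known."`. As a point of style, the two properties are titled asymmetrically — `"title": "Automation"` versus `"title": "Lifecycle Mechanism"` — and `"title": "Mechanism"` would match the sibling and the `title`s of the referencing `renewal` and `rotation` properties, which already supply the lifecycle context.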