Added CBOM examples

stevespringett · stevespringett · commit cd36928b851c · 2024-02-03T14:52:21.000-06:00
diff --git a/CBOM/Algorithm/README.md b/CBOM/Algorithm/README.md
@@ -0,0 +1,4 @@
+# CBOM Algorithm Example
+
+A cryptographic algorithm is added in the components array of the BOM. This example lists the algorithm
+AES-128-GCM and SHA512withRSA.
diff --git a/CBOM/Algorithm/bom.json b/CBOM/Algorithm/bom.json
@@ -0,0 +1,52 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2024-01-09T12:00:00Z",
+    "component": {
+      "type": "application",
+      "name": "my application",
+      "version": "1.0"
+    }
+  },
+  "components": [
+    {
+      "type": "cryptographic-asset",
+      "name": "AES-128-GCM",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "primitive": "ae",
+          "parameterSetIdentifier": "128",
+          "mode": "gcm",
+          "executionEnvironment": "software-plain-ram",
+          "implementationPlatform": "x86_64",
+          "certificationLevel": [ "none" ],
+          "cryptoFunctions": [ "keygen", "encrypt", "decrypt", "tag" ],
+          "classicalSecurityLevel": 128,
+          "nistQuantumSecurityLevel": 1
+        },
+        "oid": "2.16.840.1.101.3.4.1.6"
+      }
+    },
+    {
+      "name": "SHA512withRSA",
+      "type": "cryptographic-asset",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "primitive": "signature",
+          "parameterSetIdentifier": "512",
+          "executionEnvironment": "software-plain-ram",
+          "implementationPlatform": "x86_64",
+          "certificationLevel": [ "none" ],
+          "cryptoFunctions": [ "sign", "verify" ],
+          "nistQuantumSecurityLevel": 0
+        },
+        "oid": "1.2.840.113549.1.1.13"
+      }
+    }
+  ]
+}
diff --git a/CBOM/Certificate/README.md b/CBOM/Certificate/README.md
@@ -0,0 +1,2 @@
+# Certificate Example
+This example details an X.509 certificate in a CBOM.
diff --git a/CBOM/Certificate/bom.json b/CBOM/Certificate/bom.json
@@ -0,0 +1,88 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2024-01-09T12:00:00Z",
+    "component": {
+      "type": "application",
+      "name": "my application",
+      "version": "1.0"
+    }
+  },
+  "components": [
+    {
+      "name": "google.com",
+      "type": "cryptographic-asset",
+      "bom-ref": "crypto/certificate/google.com@sha256:1e15e0fbd3ce95bde5945633ae96add551341b11e5bae7bba12e98ad84a5beb4",
+      "cryptoProperties": {
+        "assetType": "certificate",
+        "certificateProperties": {
+          "subjectName": "CN = www.google.com",
+          "issuerName": "C = US, O = Google Trust Services LLC, CN = GTS CA 1C3",
+          "notValidBefore": "2016-11-21T08:00:00Z",
+          "notValidAfter": "2017-11-22T07:59:59Z",
+          "signatureAlgorithmRef": "crypto/algorithm/sha-512-rsa@1.2.840.113549.1.1.13",
+          "subjectPublicKeyRef": "crypto/key/rsa-2048@1.2.840.113549.1.1.1",
+          "certificateFormat": "X.509",
+          "certificateExtension": "crt"
+        }
+      }
+    },
+    {
+      "name": "SHA512withRSA",
+      "type": "cryptographic-asset",
+      "bom-ref": "crypto/algorithm/sha-512-rsa@1.2.840.113549.1.1.13",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "parameterSetIdentifier": "512",
+          "executionEnvironment": "software-plain-ram",
+          "implementationPlatform": "x86_64",
+          "certificationLevel": [ "none" ],
+          "cryptoFunctions": [ "digest" ],
+          "nistQuantumSecurityLevel": 0
+        },
+        "oid": "1.2.840.113549.1.1.13"
+      }
+    },
+    {
+      "name": "RSA-2048",
+      "type": "cryptographic-asset",
+      "bom-ref": "crypto/key/rsa-2048@1.2.840.113549.1.1.1",
+      "cryptoProperties": {
+        "assetType": "related-crypto-material",
+        "relatedCryptoMaterialProperties": {
+          "type": "public-key",
+          "id": "2e9ef09e-dfac-4526-96b4-d02f31af1b22",
+          "state": "active",
+          "size": 2048,
+          "algorithmRef": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
+          "securedBy": {
+            "mechanism": "None"
+          },
+          "creationDate": "2016-11-21T08:00:00Z",
+          "activationDate": "2016-11-21T08:20:00Z"
+        },
+        "oid": "1.2.840.113549.1.1.1"
+      }
+    },
+    {
+      "name": "RSA-2048",
+      "type": "cryptographic-asset",
+      "bom-ref": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "parameterSetIdentifier": "2048",
+          "executionEnvironment": "software-plain-ram",
+          "implementationPlatform": "x86_64",
+          "certificationLevel": [ "none" ],
+          "cryptoFunctions": [ "encapsulate", "decapsulate" ]
+        },
+        "oid": "1.2.840.113549.1.1.1"
+      }
+    }
+  ]
+}
diff --git a/CBOM/Example-With-Dependencies/bom.json b/CBOM/Example-With-Dependencies/bom.json
@@ -0,0 +1,59 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "component": {
+      "type": "application",
+      "bom-ref": "acme-application",
+      "name": "Acme Application",
+      "version": "1.0"
+    }
+  },
+  "components": [
+    {
+      "type": "cryptographic-asset",
+      "bom-ref": "aes128gcm",
+      "name": "AES",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "primitive": "ae",
+          "parameterSetIdentifier": "128",
+          "executionEnvironment": "software-plain-ram",
+          "implementationPlatform": "x86_64",
+          "certificationLevel": [ "none" ],
+          "mode": "gcm",
+          "cryptoFunctions": ["keygen", "encrypt", "decrypt", "tag"],
+          "classicalSecurityLevel": 128,
+          "nistQuantumSecurityLevel": 1
+        },
+        "oid": "2.16.840.1.101.3.4.1.6"
+      }
+    },
+    {
+      "type": "library",
+      "bom-ref": "crypto-library",
+      "name": "Crypto library",
+      "version": "1.0.0"
+    },
+    {
+      "type": "library",
+      "bom-ref": "some-library",
+      "name": "Some library",
+      "version": "1.0.0"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "acme-application",
+      "dependsOn": ["crypto-library"]
+    },
+    {
+      "ref": "crypto-library",
+      "provides": ["aes128gcm"],
+      "dependsOn": ["some-library"]
+    }
+  ]
+}
diff --git a/CBOM/Key/README.md b/CBOM/Key/README.md
@@ -0,0 +1,2 @@
+# Key Example
+The following example demonstrates how an RSA-2048 public key can be included in a CBOM.
diff --git a/CBOM/Key/bom.json b/CBOM/Key/bom.json
@@ -0,0 +1,72 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:e8c355aa-2142-4084-a8c7-6d42c8610ba2",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2024-01-09T12:00:00Z",
+    "component": {
+      "type": "application",
+      "name": "my application",
+      "version": "1.0"
+    }
+  },
+  "components": [
+    {
+      "name": "RSA-2048",
+      "type": "cryptographic-asset",
+      "bom-ref": "crypto/key/rsa-2048@1.2.840.113549.1.1.1",
+      "cryptoProperties": {
+        "assetType": "related-crypto-material",
+        "relatedCryptoMaterialProperties": {
+          "type": "public-key",
+          "id": "2e9ef09e-dfac-4526-96b4-d02f31af1b22",
+          "state": "active",
+          "size": 2048,
+          "algorithmRef": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
+          "securedBy": {
+            "mechanism": "Software",
+            "algorithmRef": "crypto/algorithm/aes-128-gcm@2.16.840.1.101.3.4.1.6"
+          },
+          "creationDate": "2016-11-21T08:00:00Z",
+          "activationDate": "2016-11-21T08:20:00Z"
+        },
+        "oid": "1.2.840.113549.1.1.1"
+      }
+    },
+    {
+      "name": "RSA-2048",
+      "type": "cryptographic-asset",
+      "bom-ref": "crypto/algorithm/rsa-2048@1.2.840.113549.1.1.1",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "parameterSetIdentifier": "2048",
+          "executionEnvironment": "software-plain-ram",
+          "implementationPlatform": "x86_64",
+          "cryptoFunctions": [ "encapsulate", "decapsulate" ]
+        },
+        "oid": "1.2.840.113549.1.1.1"
+      }
+    },
+    {
+      "name": "AES-128-GCM",
+      "type": "cryptographic-asset",
+      "bom-ref": "crypto/algorithm/aes-128-gcm@2.16.840.1.101.3.4.1.6",
+      "cryptoProperties": {
+        "assetType": "algorithm",
+        "algorithmProperties": {
+          "parameterSetIdentifier": "128",
+          "primitive": "ae",
+          "mode": "gcm",
+          "executionEnvironment": "software-plain-ram",
+          "implementationPlatform": "x86_64",
+          "cryptoFunctions": [ "keygen", "encrypt", "decrypt" ],
+          "classicalSecurityLevel": 128,
+          "nistQuantumSecurityLevel": 1
+        },
+        "oid": "2.16.840.1.101.3.4.1.6"
+      }
+    }
+  ]
+}
diff --git a/CBOM/Protocol/README.md b/CBOM/Protocol/README.md
@@ -0,0 +1,3 @@
+# Protocol Example
+A cryptographic protocol is added to the components array of the BOM. This example lists an instance of the 
+protocol TLS v1.2 with a number of TLS cipher suites.
diff --git a/CBOM/Protocol/bom.json b/CBOM/Protocol/bom.json
diff --git a/CBOM/README.md b/CBOM/README.md
diff --git a/README.md b/README.md

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Certificate Example`
	`2`	`+This example details an X.509 certificate in a CBOM.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Key Example`
	`2`	`+The following example demonstrates how an RSA-2048 public key can be included in a CBOM.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Protocol Example`
	`2`	`+A cryptographic protocol is added to the components array of the BOM. This example lists an instance of the`
	`3`	`+protocol TLS v1.2 with a number of TLS cipher suites.`
-Original file line number
+Diff line change
 +# Cryptography Bill of Materials (CBOM)
++
 +A Cryptography Bill of Materials (CBOM) is an object model to describe cryptographic assets and their dependencies.
 +Support for CBOM is included in CycloneDX v1.6 and higher. Discovering, managing, and reporting on cryptographic assets
 +is necessary as the first step on the migration journey to quantum-safe systems and applications.
++
 +- As of v1.6, CycloneDX supports `cryptographic-asset` as a first-class component type
++
 +## CBOM Design
 +The overall design goal of CBOM is to provide an abstraction that allows modeling and representing crypto assets in a
 +structured object format. This comprises the following points.
++
 +1. Modelling cryptographic assets
 +   Cryptographic assets occur in several forms. Algorithms and protocols are most commonly implemented in specialized cryptographic libraries. They may, however, also be 'hardcoded' in software components. Certificates and related cryptographic material like keys, tokens, secrets, or passwords are other cryptographic assets to be modeled.
++
 +2. Capturing cryptographic asset properties
 +   Cryptographic assets have properties that uniquely define them and that make them actionable for further reasoning. For example, it makes a difference if one knows the algorithm family (e.g. AES) or the specific variant or instantiation (e.g. AES-128-GCM). This is because the security level and the algorithm primitive (authenticated encryption) are only defined by the definition of the algorithm variant. The presence of a weak cryptographic algorithm like SHA1 vs. HMAC-SHA1 also makes a difference. Therefore, the goal of CBOM is to capture relevant cryptographic asset properties.
++
 +3. Capturing crypto asset dependencies
 +   To understand the impact of a cryptographic asset, it is important to capture its dependencies. Cryptographic libraries 'implement' certain algorithms and protocols, but their implementation alone does not reflect their usage by applications. CBOM, therefore, differentiates between 'implements' and 'uses' dependencies. It is possible to model algorithms or protocols that use other algorithms (e.g., TLS 1.3 uses ECDH/secp256r1), libraries that implement algorithms, and applications that 'use' algorithms from a library.
++
 +4. Applicability to various software components
 +   CycloneDX supports various components such as applications, frameworks, libraries, containers, operating systems, devices, firmware, and files. CBOM extends this model and can communicate a component's dependency on cryptographic assets.
++
 +5. High compatibility to CycloneDX SBOM and related tooling
 +   CBOM is native to the CycloneDX standard. It integrates cryptographic assets as an additional component type in the CycloneDX schema and further extends dependencies with the ability to specify dependency usage and implementation details. CBOM data can be present in existing SBOMs or externalized into dedicated CBOMs, thus creating modularity, which may optionally have varying authentication and authorization requirements.
++
 +6. Enable automatic reasoning
 +   CBOM enables tooling to reason about cryptographic assets and their dependencies automatically. This allows checking for compliance with policies that apply to cryptographic use and implementation.
++
++
 +## High Level Object Model
 +![CycloneDX Object Model Swimlane](https://cyclonedx.org/theme/assets/images/CycloneDX-Object-Model-Swimlane.svg)
-Original file line number
+Diff line change
 | BOM Type           | Description                             |
 |--------------------|-----------------------------------------|
 +| [CBOM](CBOM)       | Cryptography Bill of Materials          |
 | [HBOM](HBOM)       | Hardware Bill of Materials              |
 | [OBOM](OBOM)       | Operations Bill of Materials            |
 | [SaaSBOM](SaaSBOM) | Software-as-a-Service Bill of Materials |