Adds support for post-quantum ML-DSA & ML-KEM algorithms #675
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
…ycloneDX#485) Signed-off-by: Dmitry Volk <volk.dmitry@gmail.com>
Signed-off-by: Dmitry Volk <volk.dmitry@gmail.com>
…but a name. Signed-off-by: Dmitry Volk <volk.dmitry@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
1. enabled test runner for schema 1.7 1. copied all test cases from 1.6 to 1.7 1. renamed the files from `*.1.6.*` to `*.1.7.*` 1. migrated the test cases from schema 1.6 to schema 1.7 see the diff/delta of each individual commit for details java tests are expected to fail, as long as CycloneDX#256 is not done
… named/spdx licenses Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
We often only need the latest docs, while developing a new version. Therefore, the latest version's docs are generated first.
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
as discussed in CycloneDX#233 we need to tell which component type to use for just-in-time compilers and interpreters. This PR adds the information to the spec. - fixes CycloneDX#233
…o or process (or both) are required. Added invalid JSON test case. Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
As discussed in ticket CycloneDX#454, this PR adds the following abilities: - have multiple license expressions - have a mix of license expressions, SPDX license IDs, and named licenses Please read the original ticket and see the provided example data for use-cases. fixes CycloneDX#454
…ter. Updated formulation description. Updated test cases. Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
on top of CycloneDX#630 changes: - ADDED: citation's "attributedTo" may also link to tools -- yes, we have "processes", which are basically tools, but this way it might get more convenient to use citations for BOM generators. - DOCS: streamlined documentation - REFACTOR: reworked the ProtoBuf structures to match some constraints in the the spec -- `choice`/`oneOf` ... - TESTS: practical examples for `citation.expressions`
## Changed - Formulations may be used to describe how any referencable object within the BOM came together, including components, services, metadata, declarations, or the BOM itself. Before, it was restricted to components and services. ## Added - Citations - describe how certain information in the BOM came together, or were sourced from, or are asserted. ----- TODO/DONE - [x] JSON schema modified - [x] XML schema modified - [x] ProtoBuf schema modified - [x] JSON examples/test data crafted - [x] XML examples/test data crafted - [x] ProtoBuf examples/test data crafted
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
prabhu
changed the title
bhess
reviewed
Sep 4, 2025
| "ML-DSA-44", | ||
| "ML-DSA-65", | ||
| "ML-DSA-87", | ||
| "ML-KEM-512", |
There was a problem hiding this comment.
ML-KEM are KEM (similar to public-key encryption) algorithms and not signature algorithms. Is it on purpose to list them here?
There was a problem hiding this comment.
It's a good question. This was added in the last commit. I am happy to revert this if we can merge based on only the signature algorithms alone.
|
this PR is based on please create all the needed changes based on |
|
Created #682 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #674
With inspiration from the Node.js PRs and this, this pull request adds three new post-quantum algorithms: "ML-DSA-44", "ML-DSA-65", and "ML-DSA-87" and three new key encapsulation mechanisms: "ML-KEM-512", "ML-KEM-768", "ML-KEM-1024" to better future-proof BOM signature validity. The hypothetical but real threat this addresses is that traditional signatures with RSA/ECDSA may become invalid when quantum computers break them.
Following alternative ideas could be considered:
"algorithm": "urn:nist.gov:fips204:ml-dsa-44"instead of simple upper case enum strings. This however is a significant breaking change to replace all existing identifiers in use.signerdefinitionSignature object support
signeras one of the types. A new type calledpostQuantumSignercould be created to extendsignerto capture additional attributes related to PQ algorithms and also to support a broad range of PQ algorithms.Currently, additional properties are disabled for signer. To increase flexibility, this could be enabled.
This PR proposes a simple enhancement to the enum, key type indicators, and validation, making this feature >= 1.7 only without any possibility for backports.
TBD:
Enhancing CBOM to support the corresponding OID values.