[1.7] - Updates from CBOM working group - remove any BREAKING CHANGES for ProtoBuf (#677)

removed breaking changes in Protocol Buffer schema regarding CBOM
changes


caused by
#657 (comment)

Author: jkowalleck

schema/bom-1.7.proto

@@ -2223,7 +2223,7 @@ message CryptoProperties {
 
   // Certificate State
   message CertificateState {
-    
+
     // Pre-defined certificate states
     enum PredefinedState {
       // ProtoBuff's default value
@@ -2488,62 +2488,80 @@ message CryptoProperties {
       repeated string tlsSignatureSchemes = 5;
     }
 
-    // Encryption Algorithm (ENCR)
-    message IkeV2Enc {
-      // A name for the encryption method
-      optional string name = 1;
-      // The key length of the encryption algorithm
-      optional int32 keyLength = 2;
-      // The bom-ref to algorithm cryptographic asset
-      optional string algorithm = 3;
-    }
 
-    // Pseudorandom Function (PRF)
-    message IkeV2Prf {
-      // A name for the pseudorandom function
-      optional string name = 1;
-      // The bom-ref to algorithm cryptographic asset
-      optional string algorithm = 2;
+    // DEPRECATED - DO NOT USE - This will be removed in a future version.
+    // IKEv2 Transform Types
+    message Ikev2TransformTypes {
+      // Transform Type 1: encryption algorithms
+      repeated string encr = 1;
+      // Transform Type 2: pseudorandom functions
+      repeated string prf = 2;
+      // Transform Type 3: integrity algorithms
+      repeated string integ = 3;
+      // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
+      repeated string ke = 4;
+      // Specifies if an Extended Sequence Number (ESN) is used.
+      optional bool esn = 5;
+      // IKEv2 Authentication method
+      repeated string auth = 6;
     }
 
-    // Integrity Algorithm (INTEG)
-    message IkeV2Integ {
-      // A name for the integrity algorithm
-      optional string name = 1;
-      // The bom-ref to algorithm cryptographic asset
-      optional string algorithm = 2;
-    }
+    // IKEv2 Transform Types Detailed
+    message Ikev2TransformTypesDetailed {
+      // IKEv2 Encryption Algorithm (ENCR)
+      message Encr {
+        // A name for the encryption method
+        optional string name = 1;
+        // The key length of the encryption algorithm
+        optional int32 keyLength = 2;
+        // The bom-ref to algorithm cryptographic asset
+        optional string algorithm = 3;
+      }
 
-    // Key Exchange Method (KE)
-    message IkeV2Ke {
-      // A group identifier for the key exchange algorithm
-      optional int32 group = 1;
-      // The bom-ref to algorithm cryptographic asset
-      optional string algorithm = 2;
-    }
+      // IKEv2 Pseudorandom Function (PRF)
+      message Prf {
+        // A name for the pseudorandom function
+        optional string name = 1;
+        // The bom-ref to algorithm cryptographic asset
+        optional string algorithm = 2;
+      }
 
-    // IKEv2 Authentication method
-    message IkeV2Auth {
-      // A name for the authentication method
-      optional string name = 1;
-      // The bom-ref to algorithm cryptographic asset
-      optional string algorithm = 2;
-    }
+      // IKEv2 Integrity Algorithm (INTEG)
+      message Integ {
+        // A name for the integrity algorithm
+        optional string name = 1;
+        // The bom-ref to algorithm cryptographic asset
+        optional string algorithm = 2;
+      }
+
+      // IKEv2 Key Exchange Method (KE)
+      message Ke {
+        // A group identifier for the key exchange algorithm
+        optional int32 group = 1;
+        // The bom-ref to algorithm cryptographic asset
+        optional string algorithm = 2;
+      }
+
+      // IKEv2 Authentication method
+      message Auth {
+        // A name for the authentication method
+        optional string name = 1;
+        // The bom-ref to algorithm cryptographic asset
+        optional string algorithm = 2;
+      }
 
-    // IKEv2 Transform Types
-    message Ikev2TransformTypes {
       // Transform Type 1: encryption algorithms
-      repeated IkeV2Enc encr = 1;
+      repeated Encr encr = 1;
       // Transform Type 2: pseudorandom functions
-      repeated IkeV2Prf prf = 2;
+      repeated Prf prf = 2;
       // Transform Type 3: integrity algorithms
-      repeated IkeV2Integ integ = 3;
+      repeated Integ integ = 3;
       // Transform Type 4: Key Exchange Method (KE) per RFC9370, formerly called Diffie-Hellman Group (D-H)
-      repeated IkeV2Ke ke = 4;
+      repeated Ke ke = 4;
       // Specifies if an Extended Sequence Number (ESN) is used.
       optional bool esn = 5;
       // IKEv2 Authentication method
-      repeated IkeV2Auth auth = 6;
+      repeated Auth auth = 6;
     }
 
     // The concrete protocol type.
@@ -2552,8 +2570,12 @@ message CryptoProperties {
     optional string version = 2;
     // A list of cipher suites related to the protocol.
     repeated CryptoProtocolCipherSuite cipherSuites = 3;
+    // DEPRECATED - DO NOT USE - This will be removed in a future version - Use `.ikev2TransformTypesDetailed` Instead.
+    // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
+    optional Ikev2TransformTypes ikev2TransformTypes = 4 [deprecated = true];
     // The IKEv2 transform types supported (types 1-4), defined in RFC7296 section 3.3.2, and additional properties.
-    optional Ikev2TransformTypes ikev2TransformTypes = 4;
+    // If this field is present, the deprecated field `.ikev2TransformTypes` MUST be ignored.
+    optional Ikev2TransformTypesDetailed ikev2TransformTypesDetailed = 7;
     // The bom-ref(s) to protocol-related cryptographic assets
     repeated string cryptoRef = 5;
     // A list of cryptographic assets related to this component.

tools/src/test/proto/test.sh

@@ -54,7 +54,7 @@ function schema-breaking-version () {
     NEW_NP="$(mktemp)"
     OLD_NP="$(mktemp)"
 
-    # remove package identifier -> so that the comparisson works as expected
+    # remove package identifier -> so that the comparison works as expected
     sed 's/^package .*//' "${ROOT_PATH}/${SCHEMA_DIR}/${NEW}" > "$NEW_NP"
     sed 's/^package .*//' "${ROOT_PATH}/${SCHEMA_DIR}/${OLD}" > "$OLD_NP"
 

tools/src/test/resources/1.7/valid-cryptography-full-1.7.textproto

@@ -207,7 +207,7 @@ components {
         algorithms: "sha256-ref"
         identifiers: "0x1303"
       }
-      ikev2TransformTypes {
+      ikev2TransformTypesDetailed {
         encr {
           name: "AES-128-GCM"
           keyLength: 128