Open chris-giblin opened 1 month ago
Thanks for your comment Chris. In fact that would be very useful, but it is not possible: CBOM does not permit defining additional properties at that level. If you try to validate an object with additional properties at the `certificateProperties` level, you get the error:

```
instancePath: '/metadata/component/cryptoProperties/certificateProperties',
schemaPath: '#/properties/certificateProperties/additionalProperties',
keyword: 'additionalProperties',
params: { additionalProperty: 'properties' },
message: 'must NOT have additional properties',
schema: false
```

This is why we defined that piece of information at the component level.
I see your point about missing a means for specifying properties for certificates. I created issue https://github.com/Santandersecurityresearch/cryptoinventory.datamodel/issues/8
Inspired by the CBOM comments regarding serial number:

> Instead of using the `serialNumber` field in the `metadata` object, add a new field to the CBOM `certificateProperties` object. In the near term this can be added using CycloneDX properties, longer term, there should be a serial number field in the cert properties. This way, the format of the field will suit certificates, which is not the case for metadata's `serialNumber` field.