{ "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "metadata": { "component": { "type": "application", "name": "pverify", "version": "0.7.0", "description": "Signature-verification tool (CAdES/PAdES/XAdES). Verification-only; holds no signing keys." }, "properties": [ { "name": "pverify:cbom:scope", "value": "Enumerates every cryptographic algorithm pverify can DISPATCH at verification time (verify-only). Updated in the same PR as any new algorithm; drift-gated by `cargo xtask cbom-check` (FR-006/FR-007/FR-008)." } ] }, "components": [ { "bom-ref": "pverify-crypto-rsa-sha1", "type": "cryptographic-asset", "name": "RSA PKCS#1 v1.5 / SHA-1", "description": "RSASSA-PKCS1-v1_5 over SHA-1, verify-only. SHA-1 is recognised but flagged WEAK (pverify does not reject it).", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "RSA", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.113549.1.1.5" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" }, { "name": "pverify:weak", "value": "true" } ] }, { "bom-ref": "pverify-crypto-rsa-sha256", "type": "cryptographic-asset", "name": "RSA PKCS#1 v1.5 / SHA-256", "description": "RSASSA-PKCS1-v1_5 over SHA-256, verify-only (certificate / CRL / signer / TSA signature verification).", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "RSA", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.113549.1.1.11" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-rsa-sha384", "type": "cryptographic-asset", "name": "RSA PKCS#1 v1.5 / SHA-384", "description": "RSASSA-PKCS1-v1_5 over SHA-384, verify-only.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "RSA", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.113549.1.1.12" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-rsa-sha512", "type": "cryptographic-asset", "name": "RSA PKCS#1 v1.5 / SHA-512", "description": "RSASSA-PKCS1-v1_5 over SHA-512, verify-only.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "RSA", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.113549.1.1.13" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-rsa-pss", "type": "cryptographic-asset", "name": "RSA-PSS (MGF1)", "description": "RSASSA-PSS with MGF1, verify-only. Reached via the XAdES XML-DSIG algorithm-URI path (011-xades-bb-core), NOT the CMS signatureAlgorithm OID table.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "RSA", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.113549.1.1.10" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" }, { "name": "pverify:dispatch", "value": "xades-xmldsig" } ] }, { "bom-ref": "pverify-crypto-ecdsa-sha1", "type": "cryptographic-asset", "name": "ECDSA / SHA-1", "description": "ECDSA over NIST P-256 or P-384 (curve resolved from SPKI) with SHA-1, verify-only. SHA-1 is recognised but flagged WEAK.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "P-256/P-384", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.10045.4.1" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" }, { "name": "pverify:weak", "value": "true" } ] }, { "bom-ref": "pverify-crypto-ecdsa-sha256", "type": "cryptographic-asset", "name": "ECDSA / SHA-256", "description": "ECDSA over NIST P-256 or P-384 (curve resolved from SPKI) with SHA-256, verify-only.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "P-256/P-384", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.10045.4.3.2" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-ecdsa-sha384", "type": "cryptographic-asset", "name": "ECDSA / SHA-384", "description": "ECDSA over NIST P-256 or P-384 (curve resolved from SPKI) with SHA-384, verify-only.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "P-256/P-384", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.10045.4.3.3" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-ecdsa-sha512", "type": "cryptographic-asset", "name": "ECDSA / SHA-512", "description": "ECDSA over NIST P-256 or P-384 (curve resolved from SPKI) with SHA-512, verify-only.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "P-256/P-384", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.2.840.10045.4.3.4" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-ed25519", "type": "cryptographic-asset", "name": "Ed25519", "description": "Ed25519 (RFC 8032 pure), verify-only. Digest is internal to the scheme.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "Ed25519", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 0 }, "oid": "1.3.101.112" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-ml-dsa-44", "type": "cryptographic-asset", "name": "ML-DSA-44", "description": "ML-DSA-44 (FIPS 204), verify-only. Post-quantum lattice signature; digest internal to the scheme.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "ML-DSA-44", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 2 }, "oid": "2.16.840.1.101.3.4.3.17" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-ml-dsa-65", "type": "cryptographic-asset", "name": "ML-DSA-65", "description": "ML-DSA-65 (FIPS 204), verify-only. Post-quantum lattice signature; digest internal to the scheme.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "ML-DSA-65", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 3 }, "oid": "2.16.840.1.101.3.4.3.18" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-ml-dsa-87", "type": "cryptographic-asset", "name": "ML-DSA-87", "description": "ML-DSA-87 (FIPS 204), verify-only. The FPKI BRAWL PQC root parameter set; digest internal to the scheme.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "signature", "parameterSetIdentifier": "ML-DSA-87", "cryptoFunctions": [ "verify" ], "nistQuantumSecurityLevel": 5 }, "oid": "2.16.840.1.101.3.4.3.19" }, "properties": [ { "name": "pverify:role", "value": "signature-verify" } ] }, { "bom-ref": "pverify-crypto-sha1", "type": "cryptographic-asset", "name": "SHA-1", "description": "SHA-1 digest. Recognised but flagged WEAK — pverify does NOT reject SHA-1 (recognise-and-flag policy across CAdES/PAdES/XAdES).", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "hash", "nistQuantumSecurityLevel": 0 }, "oid": "1.3.14.3.2.26" }, "properties": [ { "name": "pverify:role", "value": "digest" }, { "name": "pverify:weak", "value": "true" } ] }, { "bom-ref": "pverify-crypto-sha256", "type": "cryptographic-asset", "name": "SHA-256", "description": "SHA-256 digest, used for message-digest / signed-attributes / imprint verification.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "hash", "nistQuantumSecurityLevel": 0 }, "oid": "2.16.840.1.101.3.4.2.1" }, "properties": [ { "name": "pverify:role", "value": "digest" } ] }, { "bom-ref": "pverify-crypto-sha384", "type": "cryptographic-asset", "name": "SHA-384", "description": "SHA-384 digest.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "hash", "nistQuantumSecurityLevel": 0 }, "oid": "2.16.840.1.101.3.4.2.2" }, "properties": [ { "name": "pverify:role", "value": "digest" } ] }, { "bom-ref": "pverify-crypto-sha512", "type": "cryptographic-asset", "name": "SHA-512", "description": "SHA-512 digest.", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { "primitive": "hash", "nistQuantumSecurityLevel": 0 }, "oid": "2.16.840.1.101.3.4.2.3" }, "properties": [ { "name": "pverify:role", "value": "digest" } ] } ] }