CBOM Output Format

Cryptographic Bill of Materials - CycloneDX Compliant

Overview

The CBOM (Cryptographic Bill of Materials) format follows the CycloneDX specification and IBM CBOM 1.0 standards. It provides a comprehensive inventory of all cryptographic assets discovered during scanning.

Standards Compliance

  • CycloneDX BOM Format
  • IBM CBOM 1.0 Schema
  • JSON Schema Draft-07
  • UUID Serial Numbers

Usage

.\certscanner-windows-amd64.exe -host example.com `
  -outputformat cbom `
  -output compliance.cbom.json

CBOM Schema Structure

Required Top-Level Fields

Field        | Type    | Description                  | Example
bomFormat    | String  | Must be "CycloneDX"          | "CycloneDX"
specVersion  | String  | CBOM specification version   | "1.4-cbom-1.0"
serialNumber | String  | Unique UUID for this BOM     | "urn:uuid:..."
version      | Integer | BOM version number           | 1
metadata     | Object  | Scan metadata and tool info  | See below
components   | Array   | Cryptographic components     | See below
services     | Array   | Network services discovered  | Optional

Component Types

Component Type      | Asset Type            | Description
cryptographic-asset | algorithm             | TLS cipher suites and crypto algorithms
cryptographic-asset | certificate           | X.509 certificates (network & filesystem)
cryptographic-asset | relatedCryptoMaterial | SSH host keys and crypto keys
library             | -                     | Cryptographic libraries in memory
file                | -                     | Outlook archives and crypto files
application         | -                     | VPN client applications with PQC assessments NEW
cryptographic-asset | protocol              | IPSec tunnel configurations and protocols NEW
cryptographic-asset | certificate           | Keystore certificates (PKCS12, JKS, System Stores) NEW
file                | -                     | Keystore files and certificate containers NEW

Crypto Properties Schema

Property Type                   | Key Fields                                                                                                                          | Use Case
algorithmProperties             | primitive, parameterSetIdentifier, curve, executionEnvironment, mode, padding, classicalSecurityLevel, nistQuantumSecurityLevel | Cipher suites, crypto algorithms
certificateProperties           | subjectName, issuerName, notValidBefore, notValidAfter, certificateFormat, certificateExtension                                     | X.509 certificates
protocolProperties              | type, version, cipherSuites, supportedDHGroups, supportedEncryptions, supportedHashes, supportedAuthentications                   | TLS/SSH/IPSec protocols
relatedCryptoMaterialProperties | type, algorithm, size, format, state, creationDate, activationDate, expirationDate                                                | SSH keys, crypto material

Complete Schema Reference

algorithmProperties

primitive: Fundamental cryptographic operation (e.g., "cipher-suite", "encryption", "hash", "signature")
parameterSetIdentifier: Specific algorithm name (e.g., "TLS_AES_256_GCM_SHA384", "RSA-2048")
curve: Elliptic curve name (e.g., "secp256r1", "curve25519")
executionEnvironment: Where algorithm runs (e.g., "tls-connection", "software", "hardware")
implementationPlatform: Platform details (e.g., "OpenSSL 3.0", "Windows CNG")
certificationLevel: Certification standards (e.g., ["FIPS 140-2 Level 1"])
mode: Block cipher mode (e.g., "CBC", "GCM", "CTR")
padding: Padding scheme (e.g., "PKCS7", "OAEP")
cryptoFunctions: Supported functions (e.g., ["encrypt", "decrypt", "sign"])
classicalSecurityLevel: Bits of classical security (e.g., 128, 256)
nistQuantumSecurityLevel: NIST PQC security level 1-5

certificateProperties

subjectName: Certificate subject DN (e.g., "CN=example.com,O=Example Corp")
issuerName: Certificate issuer DN
notValidBefore: Validity start date (RFC3339 format)
notValidAfter: Validity end date (RFC3339 format)
signatureAlgorithmRef: Reference to signature algorithm component
subjectPublicKeyRef: Reference to public key component
certificateFormat: Format standard (e.g., "X.509", "PGP")
certificateExtension: File format (e.g., "DER/PEM", "P7B", "PFX")

protocolProperties

type: Protocol name (e.g., "TLS", "SSH", "IPSec")
version: Protocol version (e.g., "1.3", "IKEv2")
cipherSuites: List of supported cipher suites
ikevVersion: IKE version for IPSec (e.g., "IKEv1", "IKEv2")
supportedDHGroups: Diffie-Hellman groups (e.g., ["group14", "group19"])
supportedEncryptions: Encryption algorithms (e.g., ["AES-256-GCM", "ChaCha20-Poly1305"])
supportedHashes: Hash/integrity algorithms (e.g., ["SHA256", "SHA384"])
supportedAuthentications: Authentication methods (e.g., ["PSK", "RSA", "ECDSA"])

relatedCryptoMaterialProperties

type: Material type (e.g., "public-key", "private-key", "symmetric-key", "password")
id: Unique identifier for the material
algorithm: Key algorithm (e.g., "RSA", "ECDSA", "ssh-rsa")
size: Key size in bits (e.g., 2048, 256)
format: Key format (e.g., "SSH", "PEM", "DER", "JWK")
state: Key state (e.g., "active", "pre-active", "compromised", "destroyed")
creationDate: When key was created (RFC3339)
activationDate: When key became active (RFC3339)
expirationDate: When key expires (RFC3339)
value: Key material (if appropriate to include)
securedBy: How key is protected (e.g., "HSM", "TPM", "password")

Custom Properties Reference

Cipher Suite Properties

cipher:openssl-name
cipher:key-length
cipher:is-preferred
cipher:negotiated-group
cipher:intel:security_level

Certificate Custom Properties

cert:serial-number
cert:signature-algorithm
cert:public-key-algorithm
cert:public-key-size
cert:is-self-signed
cert:is-ca
cert:source-file
cert:keystore-path
cert:keystore-type
cert:alias
cert:has-private-key
cert:key-usage
cert:ext-key-usage

VPN Client Properties

application:vendor
application:install-path
application:config-path
application:active
application:status
detection:method
detection:confidence
pqc:is-ready
pqc:quantum-resistance
pqc:migration-status
pqc:supported-algorithms
process:pid

IPSec Tunnel Properties

ipsec:implementation
ipsec:status
ipsec:active
ipsec:local-subnet
ipsec:remote-subnet
ipsec:encryption-algorithm
ipsec:integrity-algorithm
ipsec:dh-group
detection:method
detection:confidence

Keystore Properties

file:path
file:size
file:owner
file:permissions
file:last-modified
keystore:type
keystore:cert-count
keystore:accessible
keystore:requires-auth
keystore:error

Crypto Library Properties

library:path
library:crypto-type
library:product-name
library:company-name
library:crypto-features
process:pid
process:name
vulnerability:is-vulnerable
vulnerability:risk-level
vulnerability:risk-reason
vulnerability:cve-list
vulnerability:fixed-in-version

Sample CBOM Output

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4-cbom-1.0",
  "serialNumber": "urn:uuid:68b6ea62-252b-252b-252b-78adf023bc59",
  "version": 1,
  "metadata": {
    "timestamp": "2025-09-02T09:00:17-04:00",
    "tools": [
      {
        "vendor": "Tychon LLC",
        "name": "TYCHON Quantum Readiness",
        "version": "1.0.82"
      }
    ],
    "properties": [
      {
        "name": "scan:type",
        "value": "remote"
      },
      {
        "name": "scan:target",
        "value": "example.com:443"
      },
      {
        "name": "observer:hostname",
        "value": "scanner-host"
      }
    ]
  },
  "components": [
    {
      "type": "cryptographic-asset",
      "bom-ref": "cipher:example.com:443:TLS_AES_256_GCM_SHA384",
      "name": "TLS_AES_256_GCM_SHA384",
      "version": "TLSv1.3",
      "description": "TLS cipher suite TLS_AES_256_GCM_SHA384 on example.com:443",
      "cryptoProperties": {
        "assetType": "algorithm",
        "algorithmProperties": {
          "primitive": "cipher-suite",
          "parameterSetIdentifier": "TLS_AES_256_GCM_SHA384",
          "executionEnvironment": "tls-connection"
        }
      },
      "properties": [
        {
          "name": "cipher:openssl-name",
          "value": "ECDHE-RSA-AES256-GCM-SHA384"
        },
        {
          "name": "cipher:key-length",
          "value": "256"
        },
        {
          "name": "cipher:is-preferred",
          "value": "true"
        },
        {
          "name": "cipher:intel:security_level",
          "value": "high"
        }
      ]
    },
    {
      "type": "cryptographic-asset",
      "bom-ref": "cert:example.com:443:123456789012345678901234567890",
      "name": "example.com",
      "description": "X.509 certificate (network-certificate) for example.com:443",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "ab:cd:ef:12:34:56:78:90:..."
        }
      ],
      "cryptoProperties": {
        "assetType": "certificate",
        "certificateProperties": {
          "subjectName": "CN=example.com,O=Example Corp,C=US",
          "issuerName": "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US",
          "notValidBefore": "2024-03-01T00:00:00Z",
          "notValidAfter": "2025-03-01T23:59:59Z",
          "certificateFormat": "X.509",
          "certificateExtension": "DER/PEM"
        }
      },
      "properties": [
        {
          "name": "cert:serial-number",
          "value": "123456789012345678901234567890"
        },
        {
          "name": "cert:signature-algorithm",
          "value": "SHA256-RSA"
        },
        {
          "name": "cert:public-key-algorithm",
          "value": "RSA"
        },
        {
          "name": "cert:public-key-size",
          "value": "2048"
        }
      ]
    }
  ],
  "services": [
    {
      "bom-ref": "service:example.com:443",
      "name": "example.com:443",
      "description": "Network service on example.com port 443",
      "endpoints": ["example.com:443"],
      "properties": [
        {
          "name": "port",
          "value": "443"
        },
        {
          "name": "status",
          "value": "open"
        },
        {
          "name": "protocol",
          "value": "TLS"
        }
      ]
    }
  ],
  "additionalComponents": [
    {
      "type": "application",
      "bom-ref": "vpn-client:Cloudflare WARP:2024.6.415",
      "name": "Cloudflare WARP",
      "version": "2024.6.415",
      "description": "VPN client application: Cloudflare WARP",
      "properties": [
        {
          "name": "application:vendor",
          "value": "Cloudflare Inc."
        },
        {
          "name": "application:active",
          "value": "true"
        },
        {
          "name": "pqc:is-ready",
          "value": "true"
        },
        {
          "name": "pqc:quantum-resistance",
          "value": "high"
        },
        {
          "name": "pqc:supported-algorithms",
          "value": "Kyber768,X25519Kyber768Draft00"
        }
      ]
    },
    {
      "type": "cryptographic-asset",
      "bom-ref": "ipsec-tunnel:VPN-HQ",
      "name": "VPN-HQ",
      "version": "IKEv2",
      "description": "IPSec tunnel configuration: VPN-HQ",
      "cryptoProperties": {
        "assetType": "protocol",
        "protocolProperties": {
          "type": "IPSec",
          "version": "IKEv2",
          "supportedEncryptions": ["AES-256-GCM"],
          "supportedHashes": ["SHA256"],
          "supportedDHGroups": ["group19"]
        }
      },
      "properties": [
        {
          "name": "ipsec:implementation",
          "value": "strongSwan"
        },
        {
          "name": "ipsec:status",
          "value": "established"
        },
        {
          "name": "pqc:is-ready",
          "value": "false"
        }
      ]
    },
    {
      "type": "file",
      "bom-ref": "keystore-file:C:\\Users\\Admin\\certificates.pfx",
      "name": "Keystore (PKCS12)",
      "description": "Keystore file: C:\\Users\\Admin\\certificates.pfx",
      "properties": [
        {
          "name": "keystore:type",
          "value": "PKCS12"
        },
        {
          "name": "keystore:cert-count",
          "value": "3"
        },
        {
          "name": "keystore:accessible",
          "value": "true"
        }
      ]
    },
    {
      "type": "cryptographic-asset",
      "bom-ref": "keystore-cert:C:\\Users\\Admin\\certificates.pfx:1234567890",
      "name": "CN=MyApp Code Signing",
      "description": "Certificate from keystore: C:\\Users\\Admin\\certificates.pfx",
      "cryptoProperties": {
        "assetType": "certificate",
        "certificateProperties": {
          "subjectName": "CN=MyApp Code Signing,O=MyCompany",
          "issuerName": "CN=MyCompany Root CA",
          "notValidBefore": "2024-01-01T00:00:00Z",
          "notValidAfter": "2027-01-01T00:00:00Z",
          "certificateFormat": "X.509",
          "certificateExtension": "DER/PEM"
        }
      },
      "properties": [
        {
          "name": "cert:keystore-type",
          "value": "PKCS12"
        },
        {
          "name": "cert:has-private-key",
          "value": "true"
        },
        {
          "name": "cert:key-usage",
          "value": "digitalSignature,keyEncipherment"
        }
      ]
    }
  ]
}

Note: The "additionalComponents" section above shows example VPN client, IPSec tunnel, keystore file, and keystore certificate components. These would normally be in the main "components" array.
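As an added example (not part of the original documentation or the TYCHON tool), a policy check that consumes the format shown above: it verifies the required top-level fields from the schema table, walks both the "components" and the "additionalComponents" arrays, and flags expired certificates, RSA keys below a configurable size, and assets carrying pqc:is-ready=false. The embedded CBOM is constructed to mirror the sample; the thresholds, finding strings and the reference date are assumptions made for this example.

```python
import json
from datetime import datetime, timezone
# Constructed minimal CBOM modelled on the sample above (not real scan output). A 1024-bit
# keystore certificate sits under "additionalComponents" to show that array is walked too.
SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4-cbom-1.0", "version": 1,
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000000", "metadata": {},
    "components": [{
        "type": "cryptographic-asset", "bom-ref": "cert:example.com:443:1",
        "cryptoProperties": {"assetType": "certificate",
                             "certificateProperties": {"notValidAfter": "2025-03-01T23:59:59Z"}},
        "properties": [{"name": "cert:public-key-algorithm", "value": "RSA"},
                       {"name": "cert:public-key-size", "value": "2048"}]}],
    "additionalComponents": [{
        "type": "cryptographic-asset", "bom-ref": "keystore-cert:C:\\Users\\Admin\\certificates.pfx:1",
        "cryptoProperties": {"assetType": "certificate",
                             "certificateProperties": {"notValidAfter": "2027-01-01T00:00:00Z"}},
        "properties": [{"name": "cert:public-key-algorithm", "value": "RSA"},
                       {"name": "cert:public-key-size", "value": "1024"}]}, {
        "type": "cryptographic-asset", "bom-ref": "ipsec-tunnel:VPN-HQ",
        "cryptoProperties": {"assetType": "protocol"},
        "properties": [{"name": "pqc:is-ready", "value": "false"}]}],
})
REQUIRED = ("bomFormat", "specVersion", "serialNumber", "version", "metadata", "components")
def props(component):  # flatten the CycloneDX name/value property list into a dict
    return {p["name"]: p["value"] for p in component.get("properties", [])}

def check_cbom(text, now, min_rsa_bits=2048):
    """Return (bom-ref, finding) pairs; the policy thresholds are assumptions for this example."""
    bom = json.loads(text)
    missing = [f for f in REQUIRED if f not in bom]
    if missing or bom["bomFormat"] != "CycloneDX":
        raise ValueError(f"not a CycloneDX CBOM (missing fields: {missing})")
    findings = []
    for c in bom["components"] + bom.get("additionalComponents", []):
        ref, p, crypto = c.get("bom-ref", "?"), props(c), c.get("cryptoProperties", {})
        if crypto.get("assetType") == "certificate":
            exp = crypto.get("certificateProperties", {}).get("notValidAfter")
            if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) < now:
                findings.append((ref, "certificate expired"))
            size = p.get("cert:public-key-size")
            if p.get("cert:public-key-algorithm") == "RSA" and size and int(size) < min_rsa_bits:
                findings.append((ref, f"RSA key below {min_rsa_bits} bits"))
        if p.get("pqc:is-ready") == "false":  # emitted for VPN clients and IPSec tunnels
            findings.append((ref, "not PQC ready"))
    return findings
def audit_sample():
    """Run the policy check over the constructed sample at a fixed reference date."""
    return check_cbom(SAMPLE_CBOM, now=datetime(2025, 10, 1, tzinfo=timezone.utc))
```

Pass a real scan file's contents and datetime.now(timezone.utc) to check_cbom to run the same checks over tool output.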

Cryptographic Asset Types

Cipher Suite Components

Each negotiated TLS cipher suite becomes a cryptographic-asset component.

Asset Type: algorithm
Properties: primitive="cipher-suite", parameterSetIdentifier=cipher name
Custom Properties: openssl-name, key-length, is-preferred, intel data

Certificate Components

X.509 certificates from network connections and filesystem

Asset Type: certificate
Properties: subjectName, issuerName, validity periods
Hashes: SHA-256 certificate fingerprints

SSH Host Key Components

SSH host keys discovered during network scanning

Asset Type: relatedCryptoMaterial
Properties: type="public-key", algorithm=key type, size=bits
Custom Properties: fingerprint-sha256, banner

Cryptographic Library Components

Crypto libraries discovered in process memory

Component Type: library
Properties: path, crypto-type, product-name, company-name
Process Context: PID, process name, executable path

VPN Client Components NEW

VPN client applications with PQC readiness assessments

Component Type: application
Properties: client-name, vendor, version, install-path
PQC Assessment: is-pqc-ready, quantum-resistance, supported-algorithms

IPSec Tunnel Components NEW

IPSec tunnel configurations and cryptographic protocols

Asset Type: protocol
Properties: tunnel-name, implementation, encryption-algorithms
Custom Properties: local-subnet, remote-subnet, gateway, key-exchange-groups

Keystore Certificate Components NEW

Certificates from PKCS12, JKS, Windows Certificate Store, and macOS Keychain

Asset Type: certificate
Properties: subjectName, issuerName, validity, certificateFormat
Custom Properties: keystore-path, keystore-type, alias, has-private-key

Keystore File Components NEW

Keystore files and certificate containers discovered on filesystem

Component Type: file
Properties: keystore-type, cert-count, accessible, requires-auth
File Properties: path, size, owner, permissions, last-modified

Use Cases & Integration

Compliance & Governance

  • Regulatory Compliance: NIST, FIPS, Common Criteria
  • Audit Trails: Complete cryptographic asset inventory
  • Risk Assessment: Identify weak or deprecated crypto
  • Supply Chain Security: Track crypto dependencies

Tool Integration

  • Vulnerability Scanners: Import crypto asset data
  • Asset Management: Track crypto inventory changes
  • Policy Engines: Validate crypto policy compliance
  • Reporting Tools: Generate compliance reports

Example Workflows

# Generate quarterly compliance report
.\certscanner-windows-amd64.exe -host production-systems.txt -cipherscan `
  -tags "Q4-2025,compliance-audit" `
  -outputformat cbom -output Q4-crypto-inventory.cbom.json

# Continuous compliance monitoring
.\certscanner-windows-amd64.exe -mode local -scanfilesystem -scanmemory `
  -outputformat cbom -output daily-crypto-inventory.cbom.json

# Integration with vulnerability management
.\certscanner-windows-amd64.exe -host critical-infrastructure.txt `
  -outputformat cbom | vulnerability-analyzer --cbom-input

Metadata Properties Reference

TYCHON Quantum Readiness includes comprehensive metadata in the CBOM metadata.properties array:

Scan Metadata Properties

Property Name  | Description             | Example Value
scan:type      | Type of scan performed  | "remote", "local"
scan:target    | Target hostname or IP   | "example.com:443"
scan:timestamp | When scan was performed | "2025-10-01T14:30:00Z"
scan:tags      | User-defined tags       | "production,compliance"

Observer System Properties

Property Name              | Description           | Example Value
observer:hostname          | Scanner hostname      | "scanner-01.example.com"
observer:os                | Operating system      | "windows"
observer:platform          | Platform architecture | "amd64"
observer:version           | OS version            | "10.0.19045"
observer:fips_mode_enabled | FIPS mode status      | "true", "false"
observer:organization      | Organization name     | "ACME Corporation"

Quantum Readiness Properties

Property Name             | Description             | Example Value
quantum:assessment_id     | Unique assessment ID    | "qa_abc123..."
quantum:fips_mode_enabled | System FIPS mode        | "true", "false"
quantum:overall_score     | Total readiness score   | "75"
quantum:max_score         | Maximum possible score  | "100"
quantum:readiness_status  | Overall readiness level | "ready", "partial", "not_ready"
quantum:ready_timeline    | Expected timeline       | "2025", "2026-2027", "2028+"

Schema Validation

Validation Against IBM CBOM Schema

The CBOM output of TYCHON Quantum Readiness is designed to validate against the official IBM CBOM 1.0 schema (https://github.com/IBM/CBOM/blob/main/bom-1.4-cbom-1.0.schema.json). The GitHub "blob" page returns HTML rather than the schema itself, so fetch the raw file to disk first and point the validator at the local copy:

# Download the schema (raw-file form of the blob URL above), then validate with JSON schema tools
curl -L -o bom-1.4-cbom-1.0.schema.json \
  https://raw.githubusercontent.com/IBM/CBOM/main/bom-1.4-cbom-1.0.schema.json
jsonschema -i compliance.cbom.json bom-1.4-cbom-1.0.schema.json