From 9772d16e9352a83eb5316afbab586ae6ef062741 Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen
Date: Wed, 11 Mar 2026 14:24:29 -0700
Subject: [PATCH 01/12] Separate out AES KW / KWP Also add some missing standards to AES
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..0fd04dc7 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -368,9 +368,13 @@
 "url": "https://doi.org/10.6028/NIST.FIPS.197-upd1"
 },
 {
- "name": "SP800-38{A-G}",
+ "name": "SP800-38A",
 "url": "https://doi.org/10.6028/NIST.SP.800-38A"
 },
+ {
+ "name": "SP800-38E",
+ "url": "https://doi.org/10.6028/NIST.SP.800-38E"
+ },
 {
 "name": "RFC5116",
 "url": "https://doi.org/10.17487/RFC5116"
@@ -383,6 +387,10 @@
 },
 {
 "standard": [
+ {
+ "name": "SP800-38C",
+ "url": "https://doi.org/10.6028/NIST.SP.800-38C"
+ },
 {
 "name": "SP800-38D",
 "url": "https://doi.org/10.6028/NIST.SP.800-38D"
@@ -425,6 +433,16 @@
 "pattern": "AES[-(128|192|256)]-SIV",
 "primitive": "ae"
 },
+ {
+ "standard": [
+ {
+ "name": "SP800-38F",
+ "url": "https://doi.org/10.6028/NIST.SP.800-38F"
+ }
+ ],
+ "pattern": "AES[-(128|192|256)][-(KW|KWP)]",
+ "primitive": "key-wrap"
+ },
 {
 "standard": [
 {
@@ -432,10 +450,20 @@
 "url": "https://doi.org/10.17487/RFC5649"
 }
 ],
- "pattern": "AES[-(128|192|256)]-Wrap[-(PAD|KWP|PKCS7)]",
+ "pattern": "AES[-(128|192|256)]-Wrap[-PKCS7]",
 "primitive": "key-wrap"
 },
 {
+ "standard": [
+ {
+ "name": "SP800-38B",
+ "url": "https://doi.org/10.6028/NIST.SP.800-38B"
+ },
+ {
+ "name": "SP800-38D",
+ "url": "https://doi.org/10.6028/NIST.SP.800-38D"
+ }
+ ],
 "pattern": "AES[-(128|192|256)][-(GMAC|CMAC)]",
 "primitive": "mac"
 },
From 3302c7d9c3dc57ebd6237df52eef20c46d07cd95 Mon Sep 17 00:00:00 2001
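Review bot: The new key-wrap pattern `AES[-(128|192|256)][-(KW|KWP)]` in PATCH 01/12 (hunk -425,6) makes the mode suffix optional, so if square brackets mean "optional" as they do for the key-size group, bare `AES` and `AES-256` also match this entry and would be classified as `key-wrap`. The unchanged `AES[-(128|192|256)][-(GMAC|CMAC)]` pattern in the following hunk (-432,10) has the same shape and the same overlap for `mac`. Making the mode mandatory removes the ambiguity: `"pattern": "AES[-(128|192|256)]-(KW|KWP)"`. A consumer that takes the primitive from the first matching pattern could otherwise report a plain block cipher as key wrap or MAC, so it is worth confirming how the registry matcher treats overlapping patterns.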
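Review bot: In PATCH 01/12 (hunk -432,10) the `AES[-(128|192|256)]-Wrap[-PKCS7]` entry keeps RFC5649 as the only standard visible for it, but RFC 5649 is the padded key-wrap algorithm, which the new SP800-38F entry now names `KWP`; unpadded AES key wrap is RFC 3394. Consider adding `{ "name": "RFC3394", "url": "https://doi.org/10.17487/RFC3394" }` to this entry's `standard` list. Names such as `AES-256-Wrap-PAD` and `AES-256-Wrap-KWP` no longer match any pattern shown in this patch, so documents that already use them need an alias or a migration note. The entry's opening lines sit outside this hunk.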
From: Joachim Vandersmissen
Date: Wed, 11 Mar 2026 15:26:08 -0700
Subject: [PATCH 02/12] Remove dash from EdDSA According to RFC8032, the names are Ed25519ph, Ed25519ctx, and Ed448ph. There is no dash.
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..0f065ba3 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -80,7 +80,7 @@
 ],
 "variant": [
 {
- "pattern": "Ed(25519|448)[-(ph|ctx)]",
+ "pattern": "Ed(25519|448)[(ph|ctx)]",
 "primitive": "signature"
 }
 ]
From 0a5d2813543fbd6b4f85a12f93eaf2c4e977c6d6 Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen
Date: Wed, 11 Mar 2026 15:44:22 -0700
Subject: [PATCH 03/12] Remove dash from SHA-3 hash algorithms The official name of the hash algorithms does not contain the dash.
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..dbdbbe34 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -323,7 +323,7 @@
 ],
 "variant": [
 {
- "pattern": "SHA-3-(224|256|384|512)",
+ "pattern": "SHA3-(224|256|384|512)",
 "primitive": "hash"
 },
 {
From 7c03de546e1c368fb978d8e57fa2da7eaecae834 Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen
Date: Wed, 11 Mar 2026 16:02:26 -0700
Subject: [PATCH 04/12] Add hashAlgorithm to IKE-PRF fixes #872 Also changes primitive to "kdf" since this is a KDF, not a key agreement function.
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..343044f6 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
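Review bot: In PATCH 02/12 the pattern `Ed(25519|448)[(ph|ctx)]` also accepts `Ed448ctx`, which is not among the names the commit message cites from RFC8032 (Ed25519ph, Ed25519ctx, Ed448ph). Splitting the variant keeps the registry to the defined names: `"pattern": "Ed25519[(ph|ctx)]"` and `"pattern": "Ed448[ph]"`. The old dashed spellings such as `Ed25519-ph` stop matching after this change, so existing documents may need an alias or a changelog entry.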
@@ -821,16 +821,16 @@
 ],
 "variant": [
 {
- "pattern": "IKE_PRF_DERIVE",
- "primitive": "key-agree"
+ "pattern": "IKE_PRF_DERIVE[-{hashAlgorithm}]",
+ "primitive": "kdf"
 },
 {
- "pattern": "IKE1_(PRF|Extended)_DERIVE",
- "primitive": "key-agree"
+ "pattern": "IKE1_(PRF|Extended)_DERIVE[-{hashAlgorithm}]",
+ "primitive": "kdf"
 },
 {
- "pattern": "IKE2_PRF_PLUS_DERIVE",
- "primitive": "key-agree"
+ "pattern": "IKE2_PRF_PLUS_DERIVE[-{hashAlgorithm}]",
+ "primitive": "kdf"
 }
 ]
 },
From 6277ecfea7eb26a2b4e0803793f01b13ff3a49b4 Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen
Date: Wed, 11 Mar 2026 17:52:23 -0700
Subject: [PATCH 05/12] Add TLS-PRF family Fixes #874 The additional distinction for RFC7627 is to distinguish between usage of the extended master secret and not.
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..74f47bce 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -834,6 +834,41 @@
 }
 ]
 },
+ {
+ "family": "TLS-PRF",
+ "standard": [
+ {
+ "name": "RFC2246",
+ "url": "https://doi.org/10.17487/RFC2246"
+ },
+ {
+ "name": "RFC5246",
+ "url": "https://doi.org/10.17487/RFC5246"
+ },
+ {
+ "name": "RFC7627",
+ "url": "https://doi.org/10.17487/RFC7627"
+ },
+ {
+ "name": "RFC8446",
+ "url": "https://doi.org/10.17487/RFC8446"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "TLS1-PRF[-RFC7627]",
+ "primitive": "kdf"
+ },
+ {
+ "pattern": "TLS12-PRF[-RFC7627][-{hashAlgorithm}]",
+ "primitive": "kdf"
+ },
+ {
+ "pattern": "TLS13-PRF[-{hashAlgorithm}]",
+ "primitive": "kdf"
+ }
+ ]
+ },
 {
 "family": "GOST",
 "variant": [
From 2927c1f72be96e9970f811618712c5d4c46d051d Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen
Date: Wed, 11 Mar 2026 18:13:21 -0700
Subject: [PATCH 06/12] Add SP800-56C family Fixes #876
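Review bot: The `{hashAlgorithm}` placeholder added to the three IKE patterns in PATCH 04/12 assumes the PRF is always hash-based, but IKE also negotiates cipher-based PRFs (AES-XCBC, AES-CMAC), which would have no valid name under these patterns. The SP800_108 pattern in this file (visible as context in PATCH 09/12) uses `{prfFunction}` for the same role, so `"pattern": "IKE_PRF_DERIVE[-{prfFunction}]"`, and likewise for the IKE1 and IKE2 patterns, would cover both cases. Changing `primitive` from `key-agree` to `kdf` also changes how existing entries are classified and deserves a changelog line.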
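Review bot: In PATCH 05/12, `TLS13-PRF[-{hashAlgorithm}]` names a construct that RFC8446 does not define, because TLS 1.3 replaced the TLS PRF with an HKDF-based key schedule. A name such as `"pattern": "TLS13-KDF[-{hashAlgorithm}]"` avoids implying that the TLS 1.2 PRF construction is in use, which matters when an inventory is read to judge protocol strength. `TLS1-PRF` is the MD5/SHA-1 based PRF; if it is meant to cover TLS 1.1 as well, RFC4346 is missing from the `standard` list.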
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..a302063c 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -1098,6 +1098,21 @@
 }
 ]
 },
+ {
+ "family": "SP800-56C",
+ "standard": [
+ {
+ "name": "SP800-56C",
+ "url": "https://doi.org/10.6028/NIST.SP.800-56Cr2"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "SP800_56C_(OneStep|TwoStep)[-{auxFunction}][-{dkmLength}]",
+ "primitive": "key-derive"
+ }
+ ]
+ },
 {
 "family": "BLAKE2",
 "standard": [
From 29740a0cd5e2c162e9a21a971398b340faa823a3 Mon Sep 17 00:00:00 2001
From: Mehrn0ush
Date: Thu, 12 Mar 2026 12:41:05 +0330
Subject: [PATCH 07/12] Deduplicate MD4 and MD5 entries in cryptography registry Fixes #878
Signed-off-by: Mehrn0ush
---
 schema/cryptography-defs.json | 30 ------------------------------
 1 file changed, 30 deletions(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..20254b3f 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -591,36 +591,6 @@
 }
 ]
 },
- {
- "family": "MD5",
- "standard": [
- {
- "name": "RFC1321",
- "url": "https://doi.org/10.17487/RFC1321"
- }
- ],
- "variant": [
- {
- "pattern": "MD5",
- "primitive": "hash"
- }
- ]
- },
- {
- "family": "MD4",
- "standard": [
- {
- "name": "RFC1320",
- "url": "https://doi.org/10.17487/RFC1320"
- }
- ],
- "variant": [
- {
- "pattern": "MD4",
- "primitive": "hash"
- }
- ]
- },
 {
 "family": "RC4",
 "standard": [
From 6f6b79b82a407b3bb834526344c6f685247ca4b5 Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen
Date: Wed, 11 Mar 2026 20:24:00 -0500
Subject: [PATCH 08/12] Add two variants instead of one
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index a302063c..e6cdca6a 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -1108,7 +1108,11 @@
 ],
 "variant": [
 {
- "pattern": "SP800_56C_(OneStep|TwoStep)[-{auxFunction}][-{dkmLength}]",
+ "pattern": "SP800_56C_OneStep[-{auxFunction}][-{dkmLength}]",
+ "primitive": "key-derive"
+ }
+ {
+ "pattern": "SP800_56C_TwoStep_(CounterKDF|FeedbackKDF|DoublePipelineKDF)[-{auxFunction}][-{dkmLength}]",
 "primitive": "key-derive"
 }
 ]
From 8c9e8260cd027213a5db0bba0cf3a83544602347 Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen
Date: Thu, 12 Mar 2026 10:31:49 -0500
Subject: [PATCH 09/12] Fix primitive
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index e6cdca6a..4a6a8ca3 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -1094,7 +1094,7 @@
 "variant": [
 {
 "pattern": "SP800_108_(CounterKDF|FeedbackKDF|DoublePipelineKDF|KMAC)[-{prfFunction}][-{dkmLength}]",
- "primitive": "key-derive"
+ "primitive": "kdf"
 }
 ]
 },
@@ -1109,11 +1109,11 @@
 "variant": [
 {
 "pattern": "SP800_56C_OneStep[-{auxFunction}][-{dkmLength}]",
- "primitive": "key-derive"
+ "primitive": "kdf"
 }
 {
 "pattern": "SP800_56C_TwoStep_(CounterKDF|FeedbackKDF|DoublePipelineKDF)[-{auxFunction}][-{dkmLength}]",
- "primitive": "key-derive"
+ "primitive": "kdf"
 }
 ]
 },
From ce0b592ae0eecb4cba9fdc161cc870090bb9b345 Mon Sep 17 00:00:00 2001
From: Joachim Vandersmissen
Date: Thu, 12 Mar 2026 09:47:05 -0700
Subject: [PATCH 10/12] Add ANSI KDFs Fixes #856
Signed-off-by: Joachim Vandersmissen
---
 schema/cryptography-defs.json | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..66f1fa80 100644
--- a/schema/cryptography-defs.json
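Review bot: The two variant objects added in PATCH 08/12 are not separated by a comma: the added `}` line is followed directly by the added `{` line, so `schema/cryptography-defs.json` stops being valid JSON and a strict parser rejects the whole registry. The first added `}` should read `},`. The second hunk of PATCH 09/12 (-1109,11) still shows the same `}` / `{` pair as context, so the defect survives to the end of the series as far as this page shows. A CI step that simply parses the file, for example `python -m json.tool schema/cryptography-defs.json`, would catch this class of error before merge.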
+++ b/schema/cryptography-defs.json
@@ -834,6 +834,29 @@
 }
 ]
 },
+ {
+ "family": "ANSI-KDF",
+ "standard": [
+ {
+ "name": "X9.42",
+ "url": "https://webstore.ansi.org/standards/ASCX9/ansix9422003r2013"
+ },
+ {
+ "name": "X9.63",
+ "url": "https://webstore.ansi.org/standards/ASCX9/ansix9632011r2017"
+ }
+ ],
+ "variant": [
+ {
+ "pattern": "ANSI-KDF-X9.42[-{hashAlgorithm}]",
+ "primitive": "kdf"
+ },
+ {
+ "pattern": "ANSI-KDF-X9.63[-{hashAlgorithm}]",
+ "primitive": "kdf"
+ }
+ ]
+ },
 {
 "family": "GOST",
 "variant": [
From 5ca781b21d98470263775609a696ce799940cbe1 Mon Sep 17 00:00:00 2001
From: Mehrn0ush
Date: Thu, 12 Mar 2026 20:50:38 +0330
Subject: [PATCH 11/12] Fix SipHash primitive classification in cryptography registry Fixes #882
Signed-off-by: Mehrn0ush
---
 schema/cryptography-defs.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..c4e13559 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -1538,13 +1538,13 @@
 "standard": [
 {
 "name": "SipHash Spec",
- "url": "https://131002.net/siphash/"
+ "url": "https://doi.org/10.1007/978-3-642-34931-7_28"
 }
 ],
 "variant": [
 {
 "pattern": "SipHash[-{compressionRounds}-{finalizationRounds}]",
- "primitive": "hash"
+ "primitive": "mac"
 }
 ]
 },
From 20f78d863e0c7689ebf751ef91d8568f2d9fa92f Mon Sep 17 00:00:00 2001
From: Mehrn0ush
Date: Thu, 12 Mar 2026 22:07:34 +0330
Subject: [PATCH 12/12] Add AES-OCB to cryptography registry Fixes #884
Signed-off-by: Mehrn0ush
---
 schema/cryptography-defs.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/schema/cryptography-defs.json b/schema/cryptography-defs.json
index 2d1a7f19..c4223273 100644
--- a/schema/cryptography-defs.json
+++ b/schema/cryptography-defs.json
@@ -405,6 +405,16 @@
 "pattern": "AES[-(128|192|256)]-GCM-SIV[-{tagLength}][-{ivLength}]",
 "primitive": "ae"
 },
+ {
+ "standard": [
+ {
+ "name": "RFC7253",
+ "url": "https://doi.org/10.17487/RFC7253"
+ }
+ ],
+ "pattern": "AES[-(128|192|256)]-OCB[-{tagLength}]",
+ "primitive": "ae"
+ },
 {
 "standard": [
 {
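Review bot: The OCB pattern carries `{tagLength}` but no nonce-length parameter, unlike the GCM-SIV pattern directly above it in the same hunk (`[-{tagLength}][-{ivLength}]`). RFC7253 permits nonces of varying length up to 120 bits, and its named parameter sets use tag lengths of 128, 96 and 64 bits, so the name as written cannot record a property that affects the security margin. Consider `"pattern": "AES[-(128|192|256)]-OCB[-{tagLength}][-{ivLength}]"`. The entry that follows the added one continues past the end of the hunk.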