
Migrate enveloped signature support from JSF to JSS#858

Open
stevespringett wants to merge 1 commit into 2.0-dev from 2.0-dev-x590

Conversation

@stevespringett
Member

Migrate enveloped signature support from JSF to JSS (ITU-T X.590)

Summary

  • Replaced legacy JSON Signature Format (JSF) with JSON Signature Scheme (JSS) per ITU-T X.590 (10/2023). Added CycloneDX 2.0 model schema that implements JSS
  • Updated all schema files referencing signatures to use the new signatures array (JSS) instead of singular signature object (JSF)
  • Removed old JSF test (valid-signatures-2.0.json) and added 18 targeted JSS test cases (8 valid, 10 invalid)

This PR closes #851

All tests are structural validations only. Keys, certificates, thumbprints, and signature values are illustrative and may not be cryptographically valid. No content validation is performed.

… number of valid and invalid use cases.

Signed-off-by: Steve Springett <steve@springett.us>
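The summary above draws a line between structural validation (the `signatures` array is shaped correctly) and cryptographic validation (the signature values actually verify), and notes the new tests only do the former. The following is an added example, not code from this PR or from CycloneDX, that makes that distinction concrete for an enveloped JSON signature: the payload is the document with the `signatures` property removed, canonicalised in the style of RFC 8785 (JCS), then signed. The property names `algorithm`, `keyId` and `value`, the use of HMAC-SHA256 as the signing algorithm, and the sample BOM are assumptions chosen so the example runs with the Python standard library only; they are not taken from X.590 or from the CycloneDX 2.0 schema.

```python
"""Enveloped JSON signature round-trip: structural check vs. real verification.

Illustrative code, not CycloneDX's or the JSS spec's. Assumed (not from the PR):
a top-level `signatures` array of objects carrying `algorithm`, `keyId` and
`value`; HMAC-SHA256 as a stand-in algorithm so this runs with the stdlib.
"""
import base64
import copy
import hashlib
import hmac
import json

SIGNED_PROPERTY = "signatures"


def canonicalize(obj) -> bytes:
    # JCS-style subset: sorted keys, no whitespace, UTF-8. Full RFC 8785 sorts
    # keys by UTF-16 code units and serialises numbers per ES6; this example
    # only feeds it strings, ints, bools, null and containers, where json.dumps
    # with these options produces the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _payload(doc: dict) -> dict:
    # The enveloped signature covers everything except the signatures themselves.
    return {k: v for k, v in doc.items() if k != SIGNED_PROPERTY}


def sign_enveloped(doc: dict, key: bytes, key_id: str) -> dict:
    """Append one signature over the canonical payload; earlier signatures are kept."""
    mac = hmac.new(key, canonicalize(_payload(doc)), hashlib.sha256).digest()
    signed = copy.deepcopy(_payload(doc))
    signed[SIGNED_PROPERTY] = list(doc.get(SIGNED_PROPERTY, [])) + [
        {"algorithm": "HS256", "keyId": key_id, "value": _b64url(mac)}
    ]
    return signed


def verify_enveloped(doc: dict, keys: dict) -> list:
    """One True/False per entry in `signatures`, in order. Unknown key or algorithm fails."""
    sigs = doc.get(SIGNED_PROPERTY)
    if not isinstance(sigs, list) or not sigs:
        raise ValueError("document carries no `signatures` array")
    canonical = canonicalize(_payload(doc))
    results = []
    for sig in sigs:
        key = keys.get(sig.get("keyId"))
        if key is None or sig.get("algorithm") != "HS256":
            results.append(False)
            continue
        expected = hmac.new(key, canonical, hashlib.sha256).digest()
        results.append(hmac.compare_digest(expected, _b64url_decode(sig["value"])))
    return results


def is_structurally_valid(doc: dict) -> bool:
    """What a schema test can assert: a non-empty array of objects with string
    `algorithm` and `value`. Says nothing about whether the values verify."""
    sigs = doc.get(SIGNED_PROPERTY)
    if not isinstance(sigs, list) or not sigs:
        return False
    return all(isinstance(s, dict) and isinstance(s.get("algorithm"), str)
               and isinstance(s.get("value"), str) for s in sigs)


def demo() -> dict:
    # Constructed sample document; not a real CycloneDX BOM.
    bom = {"bomFormat": "CycloneDX", "specVersion": "2.0",
           "components": [{"type": "library", "name": "example-lib", "version": "1.2.3"}]}
    keys = {"vendor": b"vendor-secret-key", "auditor": b"auditor-secret-key"}  # stand-in secrets
    signed = sign_enveloped(bom, keys["vendor"], "vendor")
    co_signed = sign_enveloped(signed, keys["auditor"], "auditor")  # why an array: two signers
    tampered = copy.deepcopy(co_signed)
    tampered["components"][0]["version"] = "1.2.4"
    # Shaped like a valid signature, with an illustrative value, as in the PR's tests.
    placeholder = dict(bom, signatures=[{"algorithm": "HS256", "keyId": "vendor", "value": "AAAA"}])
    # Legacy singular `signature` object: no longer the expected shape.
    legacy = dict(bom, signature={"algorithm": "HS256", "value": "AAAA"})
    return {
        "co_signed": verify_enveloped(co_signed, keys),
        "tampered": verify_enveloped(tampered, keys),
        "placeholder_structural": is_structurally_valid(placeholder),
        "placeholder_verified": verify_enveloped(placeholder, keys),
        "legacy_structural": is_structurally_valid(legacy),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `placeholder` case is the point: it passes the structural check exactly as the PR's illustrative test fixtures would, and fails verification, which is why a consumer must not treat schema validity of a `signatures` array as evidence that the BOM was signed. The co-signed case shows what the move from a singular object to an array buys, namely independent signatures from more than one party over the same canonical payload.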

@j28smith j28smith left a comment


I took a quick look at this @stevespringett and it looks good at a high level. I noted a number of places where the descriptions still reference JSF instead of the updated JSS.

For the core change/update, is this the main file to look more closely at to ensure it references the JSS spec correctly?

schema/2.0/model/cyclonedx-jss_X590_2023_10-2.0.schema.json

"signatures": {
  "$ref": "cyclonedx-common-2.0.schema.json#/$defs/signatures",
  "title": "Signature",
  "description": "Enveloped signature in [JSON Signature Format (JSF)](https://cyberphone.github.io/doc/security/jsf.html)."
}

Need to update the description here.

"description": "Enveloped signatures in [JSON Signature Scheme (JSS/ITU-T X.590)](https://www.itu.int/epublications/publication/itu-t-x-590-2023-10-json-signature-scheme-jss)."



Development

Successfully merging this pull request may close these issues.

[FEATURE]: Update signatures to use formal standard X.590 (JSS) instead of JSF
