CBOM: add custom fingerprints

[bhess]

Extend the fingerprint definition in cyclonedx-cryptography-2.0.schema.json to support custom fingerprint algorithms alongside standard hash algorithms.

Changes

• Replace the flat $ref: hash on certificateProperties.fingerprint and relatedCryptoMaterialProperties.fingerprint with a single central $defs/fingerprint definition
• $defs/fingerprint uses oneOf with two branches:
  • Standard Hash — alg + content (refs to existing hashAlgorithm / hashValue); fully backward compatible
  • Custom Fingerprint — customAlg + customContent for non-standard algorithms

Backward Compatibility

Existing documents with {"alg": "SHA-256", "content": "..."} satisfy the Standard Hash branch unchanged.

[jkowalleck]

RFC notice sent on May 04, 2026

• https://groups.io/g/CycloneDX/topic/119149389
• https://cyclonedx.slack.com/archives/CVA0G10FN/p1777922813922089

Public RFC period ends June 01, 2026

[jkowalleck]

please add a title and description

Suggested change

	"$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm"
	"$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashAlgorithm",
	"title": "Standard, well-known Fingerprint Algorithm",
	"description": "The standard, well-known algorithm used to compute the fingerprint."

[stevespringett]

@bhess, if the title and description of the alg property differ from the title and description of the hashAlgorithm definition, we'll need a title and description here. If they are the same, there is no need for a title and description. Please confirm.

[bhess]

@bhess, if the title and description of the alg property differ from the title and description of the hashAlgorithm definition, we'll need a title and description here. If they are the same, there is no need for a title and description. Please confirm.

The title/descrption don't differ from the ones of hashAlgorithm .

[jkowalleck]

please add a title and description

Suggested change

	"$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue"
	"$ref": "cyclonedx-common-2.0.schema.json#/$defs/hashValue",
	"title": "Standard, well-known Fingerprint Content",
	"description": "The value of the fingerprint computed using the standard, well-known algorithm."

[stevespringett]

@bhess, if the title and description of the content property differ from the title and description of the hashValue definition, we'll need a title and description here. If they are the same, there is no need for a title and description. Please confirm.

[bhess]

@bhess, if the title and description of the content property differ from the title and description of the hashValue definition, we'll need a title and description here. If they are the same, there is no need for a title and description. Please confirm.

The title/descrption don't differ from the ones of hashValue.

[jkowalleck]

@stevespringett

this data structure looks pretty much like cyclonedx-common-2.0.schema.json#$defs/hash.

To prevent any confusion, we should add narrow titles/descriptions to cyclonedx-common-2.0.schema.json#$defs/hash/properties/alg and cyclonedx-common-2.0.schema.json#$defs/hash/properties/content

something like

{
// cyclonedx-common-2.0.schema.json#$defs
    "hash": {
      "type": "object",
      "title": "Hash",
      "required": [
        "alg",
        "content"
      ],
      "additionalProperties": false,
      "properties": {
        "alg": {
          "$ref": "#/$defs/hashAlgorithm",
          "titile": "Hash algorithm",
          "description": "Standard, well-known algorithm used to compute the hash"
        },
        "content": {
          "$ref": "#/$defs/hashValue",
          "titile": "Hash value",
          "description": "The value of the hash computed using the standard, well-known algorithm"
        }
      }
    },
}

[stevespringett]

Agreed. I will need to check to see if those are in place or not.

[bhess]

Thanks @jkowalleck, I've added the title/descriptions accordingly in d54f9a0

[jkowalleck]

just some remarks on the schema docs.
Technically, this looks solid. 👍