stidantic 0.1.0__py3-none-any.whl

stidantic/sro.py

@@ -0,0 +1,159 @@
+from typing import Literal, Self, Annotated
+from datetime import datetime
+from pydantic import Field
+from pydantic.functional_validators import model_validator
+from pydantic.types import PositiveInt
+from stidantic.types import StixRelationship, Identifier, StixType
+
+
+# 5.1 Relationship
+class Relationship(StixRelationship):
+    """
+    The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to
+    each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs)
+    represent "edges".
+
+    STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the
+    "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD
+    be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates
+    a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition.
+
+    STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this
+    specification. These relationships MAY use the related-to relationship type or MAY use a user-defined
+    relationship type. As an example, a user might want to link malware directly to a tool.
+    They can do so using related-to to say that the Malware is related to the Tool but not describe how,
+    or they could use delivered-by (a user-defined name they determined) to indicate more detail.
+
+    Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect
+    a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that
+    campaign. While some analysts might want all of the source data and think that shortcuts are misleading,
+    in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details.
+    In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is.
+    For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX.
+    """
+
+    type: Literal["relationship"] = "relationship"  # pyright: ignore[reportIncompatibleVariableOverride]
+    # The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the
+    # relationships for the source and target SDO, but MAY be any string.
+    relationship_type: StixType
+    # A description that provides more details and context about the Relationship,
+    # potentially including its purpose and its key characteristics.
+    description: str | None = None
+    # The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO
+    # (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+    source_ref: Identifier
+    # The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO
+    # (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+    target_ref: Identifier
+    # This optional timestamp represents the earliest time at which the Relationship between the objects exists.
+    # If this property is a future timestamp, at the time the start_time property is defined,
+    # then this represents an estimate by the producer of the intelligence of the earliest
+    # time at which relationship will be asserted to be true.
+    # If it is not specified, then the earliest time at which the relationship between the objects exists
+    # is not defined.
+    start_time: datetime | None = None
+    # The latest time at which the Relationship between the objects exists. If this property is a future timestamp,
+    # at the time the stop_time property is defined, then this represents an estimate by the producer of the
+    # intelligence of the latest time at which relationship will be asserted to be true.
+    # If stop_time is not specified, then the latest time at which the relationship between
+    # the objects exists is either not known, not disclosed, or has no defined stop time.
+    stop_time: datetime | None = None
+
+    @model_validator(mode="after")
+    def validate_start_stop_interval(self) -> Self:
+        """
+        If start_time and stop_time are both defined, then stop_time MUST be later than the start_time value.
+        """
+        if self.start_time and self.stop_time and self.start_time > self.stop_time:
+            raise ValueError(
+                "the stop_time property MUST be greater than or equal to the timestamp in the start_time property"
+            )
+        return self
+
+
+# 5.2 Sighting
+class Sighting(StixRelationship):
+    """
+    A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.)
+    was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to
+    track trends in attack behavior.
+
+    The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties
+    not present on the Generic Relationship object. These extra properties are included to represent data specific
+    to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes
+    a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship
+    because you cannot have a sighting unless you have something that has been sighted.
+    Sighting does not make sense without the relationship to what was sighted.
+
+    Sighting relationships relate three aspects of the sighting:
+    ●      What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref)
+    ●      Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs)
+    ●      What was actually seen on systems and networks, represented as Observed Data (observed_data_refs)
+
+    What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it,
+    where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide
+    that level of detail in order to provide value.
+
+    Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little
+    information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or
+    threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary;
+    saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those
+    IPs is still malicious.
+
+    Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor")
+    while Observed Data is simply information ("I saw this file"). When you combine them by including the linked
+    Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw
+    this threat actor".
+    """
+
+    type: Literal["sighting"] = "sighting"  # pyright: ignore[reportIncompatibleVariableOverride]
+    # A description that provides more details and context about the Sighting.
+    description: str | None = None
+    # The beginning of the time window during which the SDO referenced by the sighting_of_ref property was sighted.
+    first_seen: datetime | None = None
+    # The end of the time window during which the SDO referenced by the sighting_of_ref property was sighted.
+    last_seen: datetime | None = None
+    # If present, this MUST be an integer between 0 and 999,999,999 inclusive and represents the number of times the
+    # SDO referenced by the sighting_of_ref property was sighted.
+    # Observed Data has a similar property called number_observed, which refers to the number of times the data was
+    # observed. These counts refer to different concepts and are distinct.
+    # For example, a single sighting of a DDoS bot might have many millions of observations of the network traffic
+    # that it generates. Thus, the Sighting count would be 1 (the bot was observed once) but the Observed Data
+    # number_observed would be much higher.
+    # As another example, a sighting with a count of 0 can be used to express that an indicator was not seen at all.
+    count: PositiveInt | None = None
+    # An ID reference to the SDO that was sighted (e.g., Indicator or Malware).
+    # For example, if this is a Sighting of an Indicator, that Indicator’s ID would be the value of this property.
+    # This property MUST reference only an SDO.
+    sighting_of_ref: Identifier | None = None
+    # A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting.
+    # For example, a Sighting of an Indicator with an IP address could include the Observed Data for the
+    # network connection that the Indicator was used to detect.
+    # This property MUST reference only Observed Data SDOs.
+    observed_data_refs: list[Identifier] | None = None
+    # A list of ID references to the Identity or Location objects describing the entities or types of entities
+    # that saw the sighting.
+    # Omitting the where_sighted_refs property does not imply that the sighting was seen by the object creator.
+    # To indicate that the sighting was seen by the object creator, an Identity representing the object creator
+    # should be listed in where_sighted_refs.
+    # This property MUST reference only Identity or Location SDOs.
+    where_sighted_refs: list[Identifier] | None = None
+    # The summary property indicates whether the Sighting should be considered summary data.
+    # Summary data is an aggregation of previous Sightings reports and should not be considered primary source data.
+    # Default value is false.
+    summary: bool | None = False
+
+    @model_validator(mode="after")
+    def validate_first_last_interval(self) -> Self:
+        """
+        If this property and the first_seen property are both defined, then this property
+        MUST be greater than or equal to the timestamp in the first_seen property.
+        """
+        if self.first_seen and self.last_seen and self.first_seen > self.last_seen:
+            raise ValueError(
+                "the last_seen property MUST be greater than or equal to the timestamp in the first_seen property"
+            )
+        return self
+
+
+SROs = Annotated[(Relationship | Sighting), Field(discriminator="type")]

stidantic/types.py

@@ -0,0 +1,409 @@
+from typing import Annotated, Literal, Any, Self
+from enum import Enum
+from pydantic import BaseModel, ConfigDict, Field, GetCoreSchemaHandler
+from pydantic.functional_validators import AfterValidator, model_validator
+from pydantic.networks import AnyUrl, UrlConstraints
+from pydantic.types import Base64Bytes, StringConstraints
+from pydantic_core import CoreSchema, core_schema
+from datetime import datetime
+from re import compile
+
+from stidantic.validators import (
+    validate_bin_field,
+    validate_hex_field,
+)
+
+
+# Common constraints on Stix dictionnary keys.
+StixKeyPattern = compile(r"^[a-zA-Z0-9\-\_]+$")
+StixKeyConstraint = StringConstraints(max_length=250, pattern=StixKeyPattern)
+StixKey = Annotated[str, StixKeyConstraint]
+
+# Common constraints on Stix type names.
+StixTypePattern = compile(r"^[a-zA-Z0-9\-]+$")
+StixTypeConstraint = StringConstraints(pattern=StixTypePattern)
+StixType = Annotated[str, StixTypeConstraint]
+
+# Common constraints on Stix property names.
+StixPropPattern = compile(r"^[a-zA-Z0-9\_]+$")
+StixPropConstraint = StringConstraints(
+    min_length=3, max_length=250, pattern=StixPropPattern
+)
+StixProp = Annotated[str, StixPropConstraint]
+
+# 2.1 Binary
+# The binary data type represents a sequence of bytes. In order to allow pattern matching on custom objects,
+# for all properties that use the binary type, the property name MUST end with '_bin'.
+type StixBinary = Annotated[Base64Bytes, AfterValidator(validate_bin_field)]
+
+# 2.8 Hexadecimal
+# The hex data type encodes an array of octets (8-bit bytes) as hexadecimal. The string MUST consist of an even number
+# of hexadecimal characters, which are the digits '0' through '9' and the lower-case letters 'a' through 'f'. In order
+# to allow pattern matching on custom objects, for all properties that use the hex type,
+# the property name MUST end with '_hex'.
+type StixHex = Annotated[str, AfterValidator(validate_hex_field)]
+
+# 2.3 Dictionnary
+# Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters
+# a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_).
+# Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase.
+type StixDict = dict[
+    StixKey,
+    Any,  # pyright: ignore[reportExplicitAny]
+]
+
+
+# A URL reference to an external resource [RFC3986].
+type StixUrl = Annotated[AnyUrl, UrlConstraints(preserve_empty_path=True)]
+
+
+# 2.9 Identifier
+class Identifier(str):
+    @classmethod
+    def __get_pydantic_core_schema__(
+        cls,
+        source_type: Any,  # pyright: ignore[reportExplicitAny, reportAny]
+        handler: GetCoreSchemaHandler,
+    ) -> CoreSchema:
+        return core_schema.no_info_after_validator_function(cls, handler(str))
+
+    def get_type(self: str) -> str:
+        return self.split("--", maxsplit=1)[0]
+
+
+class StixCore(BaseModel):
+    model_config = ConfigDict(  # pyright: ignore[reportUnannotatedClassAttribute]
+        use_enum_values=True, validate_by_alias=True, frozen=True
+    )
+
+
+# 2.7 Hashes
+class Hashes(StixCore, extra="allow"):
+    """
+    The Hashes type represents one or more cryptographic hashes, as a special set of key/value pairs.
+    Accordingly, the name of each hashing algorithm MUST be specified as a key in the dictionary
+    and MUST identify the name of the hashing algorithm used to generate the corresponding value.
+    This name SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary.
+
+    To enhance compatibility, the SHA-256 hash SHOULD be used whenever possible.
+    """
+
+    # Specifies the MD5 message digest algorithm. The corresponding hash string for this
+    # value MUST be a valid MD5 message digest as defined in [RFC1321].
+    md5: Annotated[str | None, Field(alias="MD5")] = None
+    # Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function.
+    # The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC3174].
+    sha1: Annotated[str | None, Field(alias="SHA-1")] = None
+    # Specifies the SHA-256 cryptographic hash function (part of the SHA2 family).
+    # The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC6234].
+    sha256: Annotated[str | None, Field(alias="SHA-256")] = None
+    # Specifies the SHA-512 cryptographic hash function (part of the SHA2 family).
+    # The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC6234].
+    sha512: Annotated[str | None, Field(alias="SHA-512")] = None
+    # Specifies the SHA3-256 cryptographic hash function. The corresponding hash string
+    # for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202].
+    sha3_256: Annotated[str | None, Field(alias="SHA3-256")] = None
+    # Specifies the SHA3-512 cryptographic hash function. The corresponding hash string
+    # for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202].
+    sha3_512: Annotated[str | None, Field(alias="SHA3-512")] = None
+    # Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this
+    # value MUST be a valid piecewise hash as defined in the [SSDEEP] specification.
+    ssdeep: Annotated[str | None, Field(alias="SSDEEP")] = None
+    # Specifies the TLSH fuzzy hashing algorithm. The corresponding hash string for this
+    # value MUST be a valid 35 byte long hash as defined in the [TLSH] specification.
+    tlsh: Annotated[str | None, Field(alias="TLSH")] = None
+
+    @model_validator(mode="after")
+    def lang_or_marking_ref(self) -> "Hashes":
+        """
+        Dictionary keys MUST be unique in each hashes property, MUST be in ASCII, and are limited to the
+        characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_).
+        Dictionary keys MUST have a minimum length of 3 ASCII characters
+        and MUST be no longer than 250 ASCII characters in length.
+        The value MUST be a string in the appropriate format defined by the hash type indicated in the dictionary key.
+        """
+        if self.__pydantic_extra__ and any(
+            not (len(key) > 250 or len(key) < 3 or StixKeyPattern.match(key))
+            for key in self.__pydantic_extra__.keys()
+        ):
+            raise ValueError("Invalid extra hash key.")
+        return self
+
+
+# 2.5 External Reference
+class ExternalReference(StixCore):
+    """
+    External references are used to describe pointers to information represented outside of STIX.
+    For example, a Malware object could use an external reference to indicate an ID for that malware
+    in an external database or a report could use references to represent source material.
+    """
+
+    # The name of the source that the external-reference is defined within (system, registry, organization, etc.).
+    source_name: str
+    # A human readable description.
+    description: str | None = None
+    # A URL reference to an external resource [RFC3986].
+    url: StixUrl | None = None
+    # Specifies a dictionary of hashes for the contents of the url. This SHOULD be provided when the url property is
+    # present. Dictionary keys MUST come from one of the entries listed in the hash-algorithm-ov open vocabulary.
+    # As stated in Section 2.7, to ensure interoperability, a SHA-256 hash SHOULD be included whenever possible.
+    hashes: Hashes | None = None
+    # An identifier for the external reference content.
+    external_id: str | None = None
+
+    @model_validator(mode="before")
+    def at_least_one(cls, values: dict[str, str]) -> dict[str, str]:
+        """
+        In addition to the source_name property, at least one of the description, url,
+        or external_id properties MUST be present.
+        """
+        for value in values.values():
+            if value:
+                return values
+        raise ValueError("Missing at least one hash value.")
+
+
+# 2.11 Kill Chain Phase
+class KillChainPhase(StixCore):
+    """
+    The kill-chain-phase represents a phase in a kill chain, which describes the
+    various phases an attacker may undertake in order to achieve their objectives.
+    """
+
+    # The name of the kill chain. The value of this property SHOULD be all lowercase
+    # and SHOULD use hyphens instead of spaces or underscores as word separators.
+    kill_chain_name: str
+    # The name of the phase in the kill chain. The value of this property SHOULD be all
+    # lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.
+    phase_name: str
+
+
+# 7.2.3 Granular Markings
+class GranularMarking(StixCore):
+    """
+    The granular-marking type defines how the list of marking-definition objects referenced by
+    the marking_refs property to apply to a set of content identified by
+    the list of selectors in the selectors property.
+    """
+
+    # The lang property identifies the language of the text identified by this marking. The value of the lang property,
+    # if present, MUST be an [RFC5646] language code. If the marking_ref property is not present, this property MUST
+    # be present. If the marking_ref property is present, this property MUST NOT be present.
+    lang: str | None = None
+    # The marking_ref property specifies the ID of the marking-definition object that describes the marking.
+    # If the lang property is not present, this property MUST be present. If the lang property is present,
+    # this property MUST NOT be present.
+    marking_ref: Identifier | None = None
+    # The selectors property specifies a list of selectors for content contained within the STIX Object in which this
+    # property appears. Selectors MUST conform to the syntax defined below. The marking-definition referenced in
+    # the marking_ref property is applied to the content selected by the selectors in this list. The [RFC5646] language
+    # code specified by the lang property is applied to the content selected by the selectors in this list.
+    selectors: list[str] | None = None
+    # Selector Syntax:
+    # Selectors contained in the selectors list are strings that consist of multiple components that MUST be separated
+    # by the . character. Each component MUST be one of:
+    #    ●      A property name or dictionary key, e.g., description, or;
+    #    ●      A zero-based list index, specified as a non-negative integer in square brackets, e.g., [4]
+    # Selectors denote path traversals: the root of each selector is the STIX Object
+    # that the granular_markings property appears in.
+    # Starting from that root, for each component in the selector, properties and list items are traversed.
+    # When the complete list has been traversed, the value of the content is considered selected.
+    # Selectors MUST refer to properties or list items that are actually present on the marked object.
+
+    @model_validator(mode="after")
+    def lang_or_marking_ref(self) -> "GranularMarking":
+        if self.lang and self.marking_ref:
+            raise ValueError(
+                "Both lang and marking_ref properties MUST NOT be present."
+            )
+        if not self.lang and not self.marking_ref:
+            raise ValueError("Either lang or marking_ref property MUST be present.")
+        return self
+
+
+# 10.5 Extension Types Enumeration
+class ExtensionType(Enum):
+    new_sdo = "new-sdo"
+    new_sco = "new-sco"
+    new_sro = "new-sro"
+    property_extension = "property-extension"
+    toplevel_property_extension = "toplevel-property-extension"
+
+
+class Extension(StixCore):
+    extension_type: ExtensionType
+
+
+# 3.2 Common Properties
+class StixCommon(StixCore):
+    """
+    This section defines the common properties that MAY exist on a STIX Objects. While some STIX Objects use all
+    of these common properties, not all object types do.
+    Each type of STIX Object defines which common properties are required, which are optional,
+    and which are not in use.
+    """
+
+    # All STIX Objects and the STIX Bundle Object have an id property that uniquely identifies each instance
+    # of the object.
+    # This id MUST meet the requirements of the identifier type (see section 2.9).
+    # For objects that support versioning, all objects with the same id are considered different versions
+    # of the same object and the version of the object is identified by its modified property.
+    id: Identifier
+    # The type property identifies the type of STIX Object.
+    type: str
+    # The value of this property MUST be 2.1 for STIX Objects defined according to this specification.
+    spec_version: Literal["2.1"] = "2.1"
+    # The revoked property is only used by STIX Objects that support versioning and indicates whether the object
+    # has been revoked.
+    revoked: bool | None = None
+    # The labels property specifies a set of terms used to describe this object.
+    # Where an object has a specific property defined in the specification for characterizing
+    # subtypes of that object, the labels property MUST NOT be used for that purpose.
+    labels: list[str] | None = None
+    # The confidence property identifies the confidence that the creator has in the correctness of their data.
+    # The confidence value MUST be a number in the range of 0-100.
+    confidence: Annotated[int, Field(ge=0, le=100)] | None = None
+    # The lang property identifies the language of the text content in this object.
+    # When present, it MUST be a language code conformant to [RFC5646].
+    # RFC5646 does not enforce ISO 639-1 alpha-2 or ISO 639-3 alpha-3 formats.
+    lang: str | None = None
+    # The external_references property specifies a list of external references which refers to non-STIX information.
+    external_references: list[ExternalReference] | None = None
+    # The object_marking_refs property specifies a list of id properties of marking-definition objects that apply
+    # to this object.
+    object_marking_refs: list[Identifier] | None = None
+    # The granular_markings property specifies a list of granular markings applied to this object.
+    granular_markings: list[GranularMarking] | None = None
+    # Specifies any extensions of the object, as a dictionary.
+    # Dictionary keys SHOULD be the id of a STIX Extension object or the name of a predefined object extension found
+    # in this specification, depending on the type of extension being used.
+    # The corresponding dictionary values MUST contain the contents of the extension instance.
+    # Each extension dictionary MAY contain the property extension_type.
+    # The value of this property MUST come from the extension-type-enum enumeration.
+    # If the extension_type property is not present, then this is a predefined extension which
+    # does not use the extension facility described in section 7.3.
+    # When this extension facility is used the extension_type property MUST be present.
+    extensions: dict[str, Extension] | None = None
+
+
+class StixDomain(StixCommon):
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier | None = None
+    # The created property represents the time at which the object was originally created.
+    # The created property MUST NOT be changed when creating a new version of the object.
+    created: datetime
+    # The modified property is only used by STIX Objects that support versioning and represents
+    # the time that this particular version of the object was last modified.
+    # Object creators MUST set the modified property when creating a new
+    # version of an object if the created property was set.
+    modified: datetime
+
+    @model_validator(mode="after")
+    def validate_modified_after_created(self) -> Self:
+        """
+        If the created property is defined, then the value of the modified property for a given object version
+        MUST be later than or equal to the value of the created property.
+        """
+        if self.created > self.modified:
+            raise ValueError(
+                "The modified property MUST be later than or equal to the value of the created property."
+            )
+        return self
+
+
+class StixObservable(StixCommon):
+    # This property defines whether or not the data contained within the object has been defanged.
+    defanged: bool | None = None
+
+
+class StixRelationship(StixCommon):
+    type: Literal["relationship"] = "relationship"  # pyright: ignore[reportIncompatibleVariableOverride]
+    relationship_type: str
+    # The created property represents the time at which the object was originally created.
+    # The created property MUST NOT be changed when creating a new version of the object.
+    created: datetime
+    # The modified property is only used by STIX Objects that support versioning and represents
+    # the time that this particular version of the object was last modified.
+    # Object creators MUST set the modified property when creating a new
+    # version of an object if the created property was set.
+    modified: datetime
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier | None = None
+
+    @model_validator(mode="after")
+    def validate_modified_after_created(self) -> Self:
+        """
+        If the created property is defined, then the value of the modified property for a given object version
+        MUST be later than or equal to the value of the created property.
+        """
+        if self.created > self.modified:
+            raise ValueError(
+                "The modified property MUST be later than or equal to the value of the created property."
+            )
+        return self
+
+
+class StixMeta(StixCommon):
+    type: str
+    # The created property represents the time at which the object was originally created.
+    # The created property MUST NOT be changed when creating a new version of the object.
+    created: datetime
+
+
+class StixLanguage(StixMeta):
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier | None = None
+    # The modified property is only used by STIX Objects that support versioning and represents
+    # the time that this particular version of the object was last modified.
+    # Object creators MUST set the modified property when creating a new
+    # version of an object if the created property was set.
+    modified: datetime
+
+    @model_validator(mode="after")
+    def validate_modified_after_created(self) -> Self:
+        """
+        If the created property is defined, then the value of the modified property for a given object version
+        MUST be later than or equal to the value of the created property.
+        """
+        if self.created > self.modified:
+            raise ValueError(
+                "The modified property MUST be later than or equal to the value of the created property."
+            )
+        return self
+
+
+class StixMarking(StixMeta):
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier | None = None
+
+
+class StixExtension(StixMeta):
+    # The created_by_ref property specifies the id property of the identity object that describes the entity that
+    # created this object.
+    created_by_ref: Identifier
+    # The modified property is only used by STIX Objects that support versioning and represents
+    # the time that this particular version of the object was last modified.
+    # Object creators MUST set the modified property when creating a new
+    # version of an object if the created property was set.
+    modified: datetime
+
+    @model_validator(mode="after")
+    def validate_modified_after_created(self) -> Self:
+        """
+        If the created property is defined, then the value of the modified property for a given object version
+        MUST be later than or equal to the value of the created property.
+        """
+        if self.created > self.modified:
+            raise ValueError(
+                "The modified property MUST be later than or equal to the value of the created property."
+            )
+        return self
+
+
+# 3.4 SCO Deterministic ID Creation
+# To enable deterministic IDs for STIX Cyber-observable Objects (SCOs), each SCO defines a set of one or more properties named "ID Contributing Properties". These properties MAY be used in the default calculation of the id when creating a SCO. In some cases, additional selection of extension properties that contribute to the ID may be described in the ID Contributing Properties section listed on each SCO. The default algorithm that creates the SCO ID based on those named properties is a UUIDv5 as defined in Section 2.9, however, other algorithms for creating the SCO ID MAY be used.
+# Deterministic IDs (UUIDv5) in the example SCOs contained in this specification were computed using the algorithm defined in section 2.9. Every attempt was made for these IDs to be accurate. Certain IDs which were used in reference properties of the examples did not include the actual object, and therefore it was impossible to accurately compute the appropriate UUIDv5. In these cases, a UUIDv4 was generated.

stidantic/validators.py

@@ -0,0 +1,20 @@
+from pydantic import ValidationInfo
+
+
+def validate_identifier(value: str) -> str:
+    _type, _uuid = value.split("--")
+    if not _type and not _uuid:
+        raise ValueError("Invalid identifier format.")
+    return value
+
+
+def validate_bin_field(value: str, info: ValidationInfo) -> str:
+    if info.field_name and not info.field_name.endswith("_bin"):
+        raise ValueError("The property name MUST end with '_bin'.")
+    return value
+
+
+def validate_hex_field(value: str, info: ValidationInfo) -> str:
+    if info.field_name and info.field_name.endswith("_hex"):
+        raise ValueError("The property name MUST end with '_hex'.")
+    return value