From de1a292d1c4e99d52a9c8fe223e159f79d7782dd Mon Sep 17 00:00:00 2001
From: Jan Brasna <1784648+janbrasna@users.noreply.github.com>
Date: Mon, 18 Nov 2024 00:41:57 +0100
Subject: [PATCH] Update sigalg analyze from guidelines

---
 analyze.py | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/analyze.py b/analyze.py
index c163cde..5f2cf73 100755
--- a/analyze.py
+++ b/analyze.py
@@ -114,7 +114,7 @@ def is_old(results):
     lvl = 'old'
     isold = True
     has_3des = False
-    has_sha1 = True
+    has_sigalg = True
     has_pfs = True
     has_ocsp = True
     all_proto = []
@@ -131,11 +131,9 @@ def is_old(results):
         for proto in conn['protocols']:
             if proto not in all_proto:
                 all_proto.append(proto)
-        # verify required sha1 signature is used
-        if 'sha1WithRSAEncryption' not in conn['sigalg']:
+        if conn['sigalg'][0] not in old["certificate_signatures"]:
             logging.debug(conn['sigalg'][0] + ' is a not an old signature')
-            has_sha1 = False
-        # verify required pfs parameter is used
+            has_sigalg = False
         if conn['pfs'] != 'None':
             if not has_good_pfs(conn['pfs'], old["dh_param_size"], old["ecdh_param_size"], True):
                 logging.debug(conn['pfs']+ ' is not a good PFS parameter for the old configuration')
@@ -155,8 +153,8 @@ def is_old(results):
         logging.debug("DES-CBC3-SHA is not supported and required by the old configuration")
         failures[lvl].append("add cipher DES-CBC3-SHA")
         isold = False
-    if not has_sha1:
-        failures[lvl].append("use a certificate with sha1WithRSAEncryption signature")
+    if not has_sigalg:
+        failures[lvl].append("use a certificate signed with %s" % " or ".join(inter["certificate_signatures"]))
         isold = False
     if not has_pfs:
         failures[lvl].append("use DHE of {dhe}bits and ECC of {ecdhe}bits".format(
@@ -165,7 +163,7 @@ def is_old(results):
     if not has_ocsp:
         failures[lvl].append("consider enabling OCSP Stapling")
     if results['serverside'] != ('True' if old['server_preferred_order'] else 'False'):
-        failures[lvl].append("enforce server side ordering" if old['server_preferred_order'] else "enforce client side ordering")
+        failures[lvl].append("enforce server side ordering" if old['server_preferred_order'] else "allow client preference")
         isold = False
     return isold
 
@@ -219,7 +217,7 @@ def is_intermediate(results):
     if not has_ocsp:
         failures[lvl].append("consider enabling OCSP Stapling")
     if results['serverside'] != ('True' if inter['server_preferred_order'] else 'False'):
-        failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "enforce client side ordering")
+        failures[lvl].append("enforce server side ordering" if inter['server_preferred_order'] else "allow client preference")
     return isinter
 
 # is_modern is similar to is_old but for modern configuration from
@@ -268,7 +266,7 @@ def is_modern(results):
     if not has_ocsp:
         failures[lvl].append("consider enabling OCSP Stapling")
     if results['serverside'] != ('True' if modern['server_preferred_order'] else 'False'):
-        failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "enforce client side ordering")
+        failures[lvl].append("enforce server side ordering" if modern['server_preferred_order'] else "allow client preference")
     return ismodern
 
 def is_ordered(results, ref_ciphersuite, lvl):