Remove RSA-PKCS test

This was removed from NCSC TLS update.

Author: mxsasha

checks/categories.py

@@ -3,7 +3,7 @@
 from typing import Optional
 
 from checks import scoring
-from checks.models import TLSClientInitiatedRenegotiationStatus, KexRSAPKCSStatus, TLSExtendedMasterSecretStatus
+from checks.models import TLSClientInitiatedRenegotiationStatus, TLSExtendedMasterSecretStatus
 from checks.scoring import (
     ORDERED_STATUSES,
     STATUS_ERROR,
@@ -185,7 +185,6 @@ def __init__(self, name="web-tls"):
             WebTlsZeroRTT,
             WebTlsOCSPStapling,
             WebTlsKexHashFunc,
-            WebTlsKexRSAPKCSStatus,
             WebTLSExtendedMasterSecret,
             # WebTlsDaneRollover,
         ]
@@ -259,7 +258,6 @@ def __init__(self, name="mail-tls"):
             MailTlsDaneRollover,
             MailTlsZeroRTT,
             MailTlsKexHashFunc,
-            MailTlsKexRSAPKCSStatus,
             MailTLSExtendedMasterSecret,
             # MailTlsOCSPStapling,  # Disabled for mail.
         ]
@@ -1536,42 +1534,6 @@ def result_phase_out(self, tech_data):
         self.tech_data = tech_data
 
 
-class WebTlsKexRSAPKCSStatus(Subtest):
-    def __init__(self):
-        super().__init__(
-            name="key_exchange_rsa_pkcs",
-            label="detail web tls key-exchange-rsa-pkcs label",
-            explanation="detail web tls key-exchange-rsa-pkcs exp",
-            tech_string="detail web tls key-exchange-rsa-pkcs tech table",
-            worst_status=scoring.STATUS_INFO,
-            full_score=scoring.TLS_KEX_RSA_PKCS_GOOD,
-            model_score_field="key_exchange_rsa_pkcs_score",
-        )
-
-    def save_result(self, status: KexRSAPKCSStatus):
-        handlers = {
-            KexRSAPKCSStatus.good: self.result_good,
-            KexRSAPKCSStatus.bad: self.result_bad,
-            KexRSAPKCSStatus.unknown: self.result_unknown,
-        }
-        return handlers[status]()
-
-    def result_good(self):
-        self._status(STATUS_SUCCESS)
-        self.verdict = "detail web tls key-exchange-rsa-pkcs verdict good"
-        self.tech_data = "detail tech data good"
-
-    def result_bad(self):
-        self._status(STATUS_FAIL)
-        self.verdict = "detail web tls key-exchange-rsa-pkcs verdict bad"
-        self.tech_data = "detail tech data insufficient"
-
-    def result_unknown(self):
-        self._status(STATUS_INFO)
-        self.verdict = "detail web tls key-exchange-rsa-pkcs verdict other"
-        self.tech_data = "detail tech data not-applicable"
-
-
 class WebTLSExtendedMasterSecret(Subtest):
     def __init__(self):
         super().__init__(
@@ -2205,42 +2167,6 @@ def result_phase_out(self, tech_data):
         self.tech_data = tech_data
 
 
-class MailTlsKexRSAPKCSStatus(Subtest):
-    def __init__(self):
-        super().__init__(
-            name="key_exchange_rsa_pkcs",
-            label="detail mail tls key-exchange-rsa-pkcs label",
-            explanation="detail mail tls key-exchange-rsa-pkcs exp",
-            tech_string="detail mail tls key-exchange-rsa-pkcs tech table",
-            worst_status=scoring.STATUS_INFO,
-            full_score=scoring.TLS_KEX_RSA_PKCS_GOOD,
-            model_score_field="key_exchange_rsa_pkcs_score",
-        )
-
-    def save_result(self, status: KexRSAPKCSStatus):
-        handlers = {
-            KexRSAPKCSStatus.good: self.result_good,
-            KexRSAPKCSStatus.bad: self.result_bad,
-            KexRSAPKCSStatus.unknown: self.result_unknown,
-        }
-        return handlers[status]()
-
-    def result_good(self):
-        self._status(STATUS_SUCCESS)
-        self.verdict = "detail mail tls key-exchange-rsa-pkcs verdict good"
-        self.tech_data = "detail tech data good"
-
-    def result_bad(self):
-        self._status(STATUS_FAIL)
-        self.verdict = "detail mail tls key-exchange-rsa-pkcs verdict bad"
-        self.tech_data = "detail tech data insufficient"
-
-    def result_unknown(self):
-        self._status(STATUS_INFO)
-        self.verdict = "detail mail tls key-exchange-rsa-pkcs verdict unknown"
-        self.tech_data = "detail tech data not-applicable"
-
-
 class MailTLSExtendedMasterSecret(Subtest):
     def __init__(self):
         super().__init__(

checks/migrations/0020_domaintesttls_extended_master_secret_and_more.py

@@ -25,14 +25,4 @@ class Migration(migrations.Migration):
             name="extended_master_secret_score",
             field=models.IntegerField(null=True),
         ),
-        migrations.AddField(
-            model_name="domaintesttls",
-            name="key_exchange_rsa_pkcs",
-            field=enumfields.fields.EnumField(default=2, enum=checks.models.KexRSAPKCSStatus, max_length=10),
-        ),
-        migrations.AddField(
-            model_name="domaintesttls",
-            name="key_exchange_rsa_pkcs_score",
-            field=models.IntegerField(null=True),
-        ),
     ]

checks/models.py

@@ -101,12 +101,6 @@ class ZeroRttStatus(Enum):
     na = 2
 
 
-class KexRSAPKCSStatus(Enum):
-    bad = 0
-    good = 1
-    unknown = 2
-
-
 class KexHashFuncStatus(Enum):
     bad = 0
     good = 1
@@ -551,9 +545,6 @@ class DomainTestTls(BaseTestModel):
     kex_hash_func_score = models.IntegerField(null=True)
     kex_hash_func_bad_hash = models.CharField(max_length=255, null=True, default=None)
 
-    key_exchange_rsa_pkcs = EnumField(KexRSAPKCSStatus, default=KexRSAPKCSStatus.unknown)
-    key_exchange_rsa_pkcs_score = models.IntegerField(null=True)
-
     extended_master_secret = EnumField(TLSExtendedMasterSecretStatus, default=TLSExtendedMasterSecretStatus.unknown)
     extended_master_secret_score = models.IntegerField(null=True)
 
@@ -635,8 +626,6 @@ def __dir__(self):
             "ocsp_stapling_score",
             "kex_hash_func",
             "kex_hash_func_score",
-            "key_exchange_rsa_pkcs",
-            "key_exchange_rsa_pkcs_score",
             "extended_master_secret",
             "extended_master_secret_score",
             "forced_https",
@@ -684,7 +673,6 @@ def get_web_api_details(self):
             "zero_rtt": self.zero_rtt.name,
             "ocsp_stapling": self.ocsp_stapling.name,
             "kex_hash_func": self.kex_hash_func.name,
-            "key_exchange_rsa_pkcs": self.key_exchange_rsa_pkcs.name,
             "extended_master_secret": self.extended_master_secret.name,
             "https_redirect": self.forced_https.name,
             "http_compression": self.http_compression_enabled,
@@ -721,7 +709,6 @@ def get_mail_api_details(self):
             "client_reneg": self.client_reneg.name if self.client_reneg else None,
             "zero_rtt": self.zero_rtt.name,
             "kex_hash_func": self.kex_hash_func.name,
-            "key_exchange_rsa_pkcs": self.key_exchange_rsa_pkcs.name,
             "extended_master_secret": self.extended_master_secret.name,
             "cert_chain": self.cert_chain,
             "cert_trusted": self.cert_trusted,

checks/scoring.py

@@ -196,11 +196,6 @@
 WEB_TLS_OCSP_STAPLING_BAD = NO_POINTS
 WEB_TLS_OCSP_STAPLING_WORST_STATUS = STATUS_NOTICE
 
-TLS_KEX_RSA_PKCS_GOOD = FULL_WEIGHT_POINTS
-TLS_KEX_RSA_PKCS_OK = FULL_WEIGHT_POINTS
-TLS_KEX_RSA_PKCS_BAD = NO_POINTS
-TLS_KEX_RSA_PKCS_WORST_STATUS = STATUS_NOTICE
-
 WEB_TLS_KEX_HASH_FUNC_GOOD = FULL_WEIGHT_POINTS
 WEB_TLS_KEX_HASH_FUNC_OK = FULL_WEIGHT_POINTS
 WEB_TLS_KEX_HASH_FUNC_BAD = NO_POINTS

checks/tasks/tls/evaluation.py

@@ -20,7 +20,6 @@
     KexHashFuncStatus,
     CipherOrderStatus,
     OcspStatus,
-    KexRSAPKCSStatus,
     TLSClientInitiatedRenegotiationStatus,
     TLSExtendedMasterSecretStatus,
 )
@@ -312,17 +311,6 @@ def score_client_initiated_renegotiation(self) -> scoring.Score:
         return scores[self.status_client_initiated_renegotiation]
 
 
-@dataclass(frozen=True)
-class KeyExchangeRSAPKCSFunctionEvaluation:
-    """
-    Results of support for PKCS padding for RSA per NCSC 3.3.2.1.
-    NCSC table 5
-    """
-
-    status: KexRSAPKCSStatus
-    score: scoring.Score
-
-
 @dataclass(frozen=True)
 class KeyExchangeHashFunctionEvaluation:
     """

checks/tasks/tls/scans.py

@@ -60,7 +60,6 @@
     ZeroRttStatus,
     KexHashFuncStatus,
     CipherOrderStatus,
-    KexRSAPKCSStatus,
 )
 from checks.resolver import dns_resolve_tlsa, DNSSECStatus, dns_resolve_a
 from checks.tasks.tls import TLSException
@@ -71,7 +70,6 @@
     KeyExchangeHashFunctionEvaluation,
     TLSCipherOrderEvaluation,
     TLSOCSPEvaluation,
-    KeyExchangeRSAPKCSFunctionEvaluation,
     TLSRenegotiationEvaluation,
     TLSExtendedMasterSecretEvaluation,
 )
@@ -85,7 +83,6 @@
     CERT_RSA_MIN_PHASE_OUT_KEY_SIZE,
     SIGNATURE_ALGORITHMS_BAD_HASH,
     SIGNATURE_ALGORITHMS_PHASE_OUT_HASH,
-    SIGNATURE_ALGORITHMS_RSA_PKCS,
 )
 from internetnl import log
 
@@ -642,7 +639,6 @@ def check_mail_tls(
         prots_accepted,
         cipher_evaluation,
     )
-    key_exchange_rsa_pkcs_evaluation = test_key_exchange_rsa_pkcs(server_conn_info)
     key_exchange_hash_evaluation = test_key_exchange_hash(server_conn_info)
 
     session_reneg_result = result.scan_result.session_renegotiation.result
@@ -706,8 +702,6 @@ def check_mail_tls(
             and result.scan_result.tls_1_3_early_data.result.supports_early_data
             else scoring.WEB_TLS_ZERO_RTT_GOOD
         ),
-        key_exchange_rsa_pkcs=key_exchange_rsa_pkcs_evaluation.status,
-        key_exchange_rsa_pkcs_score=key_exchange_rsa_pkcs_evaluation.score,
         kex_hash_func=key_exchange_hash_evaluation.status,
         kex_hash_func_score=key_exchange_hash_evaluation.score,
         kex_hash_func_bad_hash=key_exchange_hash_evaluation.found_hash,
@@ -782,7 +776,6 @@ def check_web_tls(url, af_ip_pair=None, *args, **kwargs):
         supported_tls_versions,
         cipher_evaluation,
     )
-    key_exchange_rsa_pkcs_evaluation = test_key_exchange_rsa_pkcs(server_conn_info)
     key_exchange_hash_evaluation = test_key_exchange_hash(server_conn_info)
     session_reneg_result = result.scan_result.session_renegotiation.result
     if session_reneg_result is not None:
@@ -844,8 +837,6 @@ def check_web_tls(url, af_ip_pair=None, *args, **kwargs):
         ),
         ocsp_stapling=ocsp_evaluation.status,
         ocsp_stapling_score=ocsp_evaluation.score,
-        key_exchange_rsa_pkcs=key_exchange_rsa_pkcs_evaluation.status,
-        key_exchange_rsa_pkcs_score=key_exchange_rsa_pkcs_evaluation.score,
         kex_hash_func=key_exchange_hash_evaluation.status,
         kex_hash_func_score=key_exchange_hash_evaluation.score,
         kex_hash_func_bad_hash=key_exchange_hash_evaluation.found_hash,
@@ -910,27 +901,6 @@ def raise_sslyze_errors(result: ServerScanResult) -> None:
         raise TLSException(str(last_error_trace))
 
 
-def test_key_exchange_rsa_pkcs(
-    server_connectivity_info: ServerConnectivityInfo,
-) -> KeyExchangeRSAPKCSFunctionEvaluation:
-    """
-    Test key exchange for RSA PKCS support per NCSC 3.3.2.1.
-    See also RFC8446 1.3 and 4.2.3, RFC 5246 7.4.1.4.1.
-    """
-    rsa_pkcs_result = _test_connection_with_limited_sigalgs(server_connectivity_info, SIGNATURE_ALGORITHMS_RSA_PKCS)
-    if rsa_pkcs_result:
-        log.info(f"RSA-PKCS key exchange check: negotiated bad sigalg ({rsa_pkcs_result})")
-        return KeyExchangeRSAPKCSFunctionEvaluation(
-            status=KexRSAPKCSStatus.bad,
-            score=scoring.TLS_KEX_RSA_PKCS_BAD,
-        )
-
-    return KeyExchangeRSAPKCSFunctionEvaluation(
-        status=KexRSAPKCSStatus.good,
-        score=scoring.TLS_KEX_RSA_PKCS_GOOD,
-    )
-
-
 def test_key_exchange_hash(
     server_connectivity_info: ServerConnectivityInfo,
 ) -> KeyExchangeHashFunctionEvaluation:

checks/tasks/tls/tasks_reports.py

@@ -275,8 +275,6 @@ def save_results(model, results, addr, domain, category):
                     model.ocsp_stapling_score = result.get("ocsp_stapling_score")
                     model.kex_hash_func = result.get("kex_hash_func")
                     model.kex_hash_func_score = result.get("kex_hash_func_score")
-                    model.key_exchange_rsa_pkcs = result.get("key_exchange_rsa_pkcs")
-                    model.key_exchange_rsa_pkcs_score = result.get("key_exchange_rsa_pkcs_score")
                     model.kex_hash_func_bad_hash = result.get("kex_hash_func_bad_hash")
                     model.extended_master_secret = result.get("extended_master_secret")
                     model.extended_master_secret_score = result.get("extended_master_secret_score")
@@ -355,8 +353,6 @@ def save_results(model, results, addr, domain, category):
                     # model.ocsp_stapling_score = result.get("ocsp_stapling_score")
                     model.kex_hash_func = result.get("kex_hash_func")
                     model.kex_hash_func_score = result.get("kex_hash_func_score")
-                    model.key_exchange_rsa_pkcs = result.get("key_exchange_rsa_pkcs")
-                    model.key_exchange_rsa_pkcs_score = result.get("key_exchange_rsa_pkcs_score")
                     model.kex_hash_func_bad_hash = result.get("kex_hash_func_bad_hash")
                     model.extended_master_secret = result.get("extended_master_secret")
                     model.extended_master_secret_score = result.get("extended_master_secret_score")
@@ -584,7 +580,6 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
             elif dttls.kex_hash_func == KexHashFuncStatus.phase_out:
                 category.subtests["kex_hash_func"].result_phase_out(dttls.kex_hash_func_bad_hash)
 
-            category.subtests["key_exchange_rsa_pkcs"].save_result(dttls.key_exchange_rsa_pkcs)
             category.subtests["extended_master_secret"].save_result(dttls.extended_master_secret)
 
     elif isinstance(category, categories.MailTls):
@@ -749,7 +744,6 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
             elif dttls.kex_hash_func == KexHashFuncStatus.phase_out:
                 category.subtests["kex_hash_func"].result_phase_out(dttls.kex_hash_func_bad_hash)
 
-            category.subtests["key_exchange_rsa_pkcs"].save_result(dttls.key_exchange_rsa_pkcs)
             category.subtests["extended_master_secret"].save_result(dttls.extended_master_secret)
 
     dttls.report = category.gen_report()

checks/tasks/tls/tls_constants.py

@@ -133,16 +133,6 @@
     (OpenSslDigestNidEnum.SHA224, OpenSslEvpPkeyEnum.RSA),
     (OpenSslDigestNidEnum.SHA224, OpenSslEvpPkeyEnum.DSA),
 ]
-# NCSC 3.3.2.1: RSA PKCS must not be used.
-# Failing these algs means the server has no RSA or RSA in PSS only, either is fine.
-SIGNATURE_ALGORITHMS_RSA_PKCS = [
-    # (OpenSslDigestNidEnum.MD5, OpenSslEvpPkeyEnum.RSA),
-    (OpenSslDigestNidEnum.SHA1, OpenSslEvpPkeyEnum.RSA),
-    (OpenSslDigestNidEnum.SHA224, OpenSslEvpPkeyEnum.RSA),
-    (OpenSslDigestNidEnum.SHA512, OpenSslEvpPkeyEnum.RSA),
-    (OpenSslDigestNidEnum.SHA384, OpenSslEvpPkeyEnum.RSA),
-    (OpenSslDigestNidEnum.SHA256, OpenSslEvpPkeyEnum.RSA),
-]
 
 # Mail servers with an increased connection limit,
 # matched by substring matching on their hostname.

interface/batch/openapi.yaml

@@ -689,14 +689,6 @@ components:
             * `not_allowed` - not allowed by server.
             * `allowed_with_low_limit` - allowed by server, but with a sufficiently low limit (<10).
             * `allowed_with_too_high_limit` - allowed by server, with a limit that is too high (>=10).
-        kex_rsa_pkcs:
-          type: string
-          enumClass: KexRSAPKCSStatus
-          description: |
-            RSA PKCS#1 v1.5 support:
-            * `good` - server does not support RSA PKCS#1 v1.5 padding.
-            * `bad` - server supports RSA PKCS#1 v1.5 padding.
-            * `unknown` - support could not be determined or test ran before this feature was added.
         kex_hash_func:
           type: string
           enumClass: KexHashFuncStatus

interface/templates/domain-results.html

@@ -42,7 +42,6 @@ <h1>
     {% include "details-test-item.html" with testitem=details.tls_cipher_order %}
     {% include "details-test-item.html" with testitem=details.fs_params %}
     {% include "details-test-item.html" with testitem=details.kex_hash_func %}
-    {% include "details-test-item.html" with testitem=details.key_exchange_rsa_pkcs %}
     {% include "details-test-item.html" with testitem=details.tls_compression %}
     {% include "details-test-item.html" with testitem=details.renegotiation_secure %}
     {% include "details-test-item.html" with testitem=details.renegotiation_client %}