Fix incorrect approval of DSS

Author: mxsasha

checks/tasks/tls/scans.py

@@ -74,7 +74,7 @@
     TLSExtendedMasterSecretEvaluation,
 )
 from checks.tasks.tls.tls_constants import (
-    CERT_SIGALG_GOOD,
+    CERT_SIGALG_SUFFICIENT,
     CERT_CURVES_GOOD,
     CERT_EC_CURVES_GOOD,
     CERT_EC_CURVES_PHASE_OUT,
@@ -389,7 +389,7 @@ def cert_checks(hostname: str, mode: ChecksMode, af_ip_pair=None, *args, **kwarg
     for cert in cert_deployment.received_certificate_chain:
         if not is_root_cert(cert):
             sigalg = cert.signature_algorithm_oid
-            if sigalg not in CERT_SIGALG_GOOD:
+            if sigalg not in CERT_SIGALG_SUFFICIENT:
                 sigalg_bad[get_common_name(cert)] = sigalg._name
                 sigalg_score = scoring.WEB_TLS_SIGNATURE_BAD
 

checks/tasks/tls/tls_constants.py

@@ -6,14 +6,15 @@
 
 
 # NCSC 3.3.2 / 3.3.5
-CERT_SIGALG_GOOD = [
+CERT_SIGALG_SUFFICIENT = [
     SignatureAlgorithmOID.RSA_WITH_SHA256,
     SignatureAlgorithmOID.RSA_WITH_SHA384,
     SignatureAlgorithmOID.RSA_WITH_SHA512,
     SignatureAlgorithmOID.ECDSA_WITH_SHA256,
     SignatureAlgorithmOID.ECDSA_WITH_SHA384,
     SignatureAlgorithmOID.ECDSA_WITH_SHA512,
-    SignatureAlgorithmOID.DSA_WITH_SHA256,
+    SignatureAlgorithmOID.ED25519,
+    SignatureAlgorithmOID.ED448,
 ]
 
 # NCSC 3.3.2.1