Description
Implement a scanner that analyzes TLS endpoints and X.509 certificates to detect quantum-vulnerable key exchange algorithms and certificate signing methods. This scanner focuses on network-level cryptographic posture assessment.
Tasks
- Implement TLS endpoint scanner:
  - Connect to endpoints and inspect negotiated cipher suites
  - Detect quantum-vulnerable key exchange mechanisms (RSA, ECDH, DHE)
  - Identify PQC-ready configurations (ML-KEM, X25519+Kyber768 hybrid)
  - Report TLS version and cipher suite details
- Implement X.509 certificate parser:
  - Extract certificate signing algorithm (RSA-SHA256, ECDSA-SHA384, etc.)
  - Extract public key type and size
  - Identify algorithm OIDs for PQC detection
  - Check certificate chain for mixed algorithm usage
- Support multiple input methods:
  - URL list (one per line or from config)
  - CIDR range scanning
  - Certificate file analysis (PEM, DER)
- Classify findings by severity:
  - Critical: RSA-2048 key exchange, RSA-signed certificates
  - Warning: ECDH key exchange (P-256), ECDSA certificates
  - Info: X25519 (quantum-vulnerable but fast migration path)
- Handle connection errors, timeouts, and certificate validation gracefully
- Write unit tests with mock TLS servers and sample certificates
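
The certificate-parser tasks above (signing algorithm, public key type, algorithm OIDs, mixed chains) can be covered with a standard-library DER walker, shown here as an added example that is not code from this repository. The function names, the key classes and `pqc` label in the OID table, and the constructed `SAMPLE` skeleton are assumptions of the example.

```python
# OID -> (name, class). Signature classes follow the issue; key classes and "pqc" are assumed.
OIDS = {
    "1.2.840.113549.1.1.11": ("RSA-SHA256", "critical"),
    "1.2.840.113549.1.1.1": ("RSA key", "critical"),
    "1.2.840.10045.4.3.3": ("ECDSA-SHA384", "warning"),
    "1.2.840.10045.2.1": ("EC key", "warning"),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", "pqc"),
}
# Constructed skeleton (not a valid certificate): RSA-SHA256 signature, RSA public key.
_RSA_SIG, _RSA_KEY = "300d06092a864886f70d01010b0500", "300d06092a864886f70d0101010500"
SAMPLE = bytes.fromhex("30453031a003020102020101" + _RSA_SIG + "300030003000"
                       + "3012" + _RSA_KEY + "030100" + _RSA_SIG + "030100")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # (tag, value) pairs inside a constructed element
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(val):
    subs, n = [], 0
    for b in val:  # base-128 sub-identifiers; the high bit marks continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subs, n = subs + [n], 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def classify_cert(der):
    """Return [(name, class)] for the signature and public-key algorithm OIDs."""
    tbs, sig_alg = children(read_tlv(der, 0)[1])[:2]
    fields = children(tbs[1])
    spki = fields[5 + (fields[0][0] == 0xA0)][1]  # index shifts if [0] version present
    oids = [children(sig_alg[1])[0][1], children(children(spki)[0][1])[0][1]]
    return [OIDS.get(decode_oid(o), (decode_oid(o), "unknown")) for o in oids]

def chain_is_mixed(chain):
    """True when certificates in a chain use different signature classes."""
    return len({classify_cert(der)[0][1] for der in chain}) > 1
```

OIDs missing from the table come back as `(dotted_oid, "unknown")`, so new PQC identifiers show up in reports instead of being dropped.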