From dd7513af9c2876b95593dbb2ecb13dd31ab6816b Mon Sep 17 00:00:00 2001
From: TLS-Attacker Assistant
Date: Fri, 27 Jun 2025 11:03:12 +0000
Subject: [PATCH] Fix #89: Clarify SignatureAndHash ambiguity in report output

This commit addresses the ambiguity in the TLS-Scanner report where "Supported Signature and Hash Algorithms" didn't clearly distinguish between handshake signature algorithms (used in Server Key Exchange) and certificate signature algorithms.

Changes:
- Updated ServerReportPrinter to display "Supported Handshake Signature Algorithms (Server Key Exchange)" instead of the generic "Supported Signature and Hash Algorithms"
- Updated ServerContainerReportCreator with the same clarification
- Also updated the TLS 1.3 section title to "Supported Handshake Signature Algorithms TLS 1.3" for consistency

This makes it clear that these algorithms are specifically for handshake signatures, not certificate signatures. Certificate signature algorithms continue to be displayed within each certificate's details as before.
---
 .../report/ServerContainerReportCreator.java | 17 ++++++++++++++++-
 .../report/ServerReportPrinter.java | 5 +++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerContainerReportCreator.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerContainerReportCreator.java
index 0ee2d66bd..32ed9d9dc 100644
--- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerContainerReportCreator.java
+++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerContainerReportCreator.java
@@ -258,7 +258,9 @@ private void appendCurves(ServerReport report, ListContainer container) {
 private void appendSignatureAndHashAlgorithms(ServerReport report, ListContainer container) {
 if (report.getSupportedSignatureAndHashAlgorithms() != null) {
- container.add(new HeadlineContainer("Supported Signature and Hash Algorithms"));
+ container.add(
+ new HeadlineContainer(
+ "Supported Handshake Signature Algorithms (Server Key Exchange)"));
 if (!report.getSupportedSignatureAndHashAlgorithms().isEmpty()) {
 for (SignatureAndHashAlgorithm algorithm : report.getSupportedSignatureAndHashAlgorithms()) {
@@ -268,6 +270,19 @@ private void appendSignatureAndHashAlgorithms(ServerReport report, ListContainer
 container.add(createDefaultTextContainer("none"));
 }
 }
+
+ if (report.getSupportedSignatureAndHashAlgorithmsTls13() != null) {
+ container.add(
+ new HeadlineContainer("Supported Handshake Signature Algorithms TLS 1.3"));
+ if (!report.getSupportedSignatureAndHashAlgorithmsTls13().isEmpty()) {
+ for (SignatureAndHashAlgorithm algorithm :
+ report.getSupportedSignatureAndHashAlgorithmsTls13()) {
+ container.add(createDefaultTextContainer(algorithm.toString()));
+ }
+ } else {
+ container.add(createDefaultTextContainer("none"));
+ }
+ }
 }
 private ReportContainer createEcPointFormatsContainer(ServerReport report) {
diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerReportPrinter.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerReportPrinter.java
index 6a0d3d3ca..e400307fb 100644
--- a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerReportPrinter.java
+++ b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/ServerReportPrinter.java
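Review bot: The new headline string in the first hunk of `appendSignatureAndHashAlgorithms` (ServerContainerReportCreator.java) is repeated character for character in the first ServerReportPrinter.java hunk, so the two report formats can drift apart the next time the wording changes. Defining it once, for example `static final String HANDSHAKE_SIGNATURE_ALGORITHMS_HEADING = "Supported Handshake Signature Algorithms (Server Key Exchange)";`, and referencing it from both classes would keep the text report and the container report in step; the TLS 1.3 heading in the second hunk of each file has the same duplication. Anything that matches the old heading text (snapshot tests, scripts that parse the report) would also need updating, which cannot be confirmed from this patch. The method body continues outside the hunk.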
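Review bot: The TLS 1.3 block added at the end of `appendSignatureAndHashAlgorithms` is a copy of the block above it with only the getter and the headline swapped, and it calls `getSupportedSignatureAndHashAlgorithmsTls13()` three times instead of reading it once. A small private helper taking the headline and the list removes the duplication and keeps the "none" fallback in one place; the sketch below assumes the getter returns a `List<SignatureAndHashAlgorithm>`, as the ServerReportPrinter hunks suggest. The earlier block could use the same helper if its loop body, which lies between the two hunks and is not visible here, matches. The commit description lists this file as receiving "the same clarification", while this hunk adds a section the container report did not print before, so the description should say so.

```java
    // … unchanged: TLS 1.2 block of appendSignatureAndHashAlgorithms …
    appendAlgorithmSection(
            container,
            "Supported Handshake Signature Algorithms TLS 1.3",
            report.getSupportedSignatureAndHashAlgorithmsTls13());
}

/** Adds a headline plus one text entry per algorithm, or "none" for an empty list. */
private void appendAlgorithmSection(
        ListContainer container,
        String headline,
        List<SignatureAndHashAlgorithm> algorithms) {
    if (algorithms == null) {
        // A null list means no result is available, so the section is omitted entirely.
        return;
    }
    container.add(new HeadlineContainer(headline));
    if (algorithms.isEmpty()) {
        container.add(createDefaultTextContainer("none"));
        return;
    }
    for (SignatureAndHashAlgorithm algorithm : algorithms) {
        container.add(createDefaultTextContainer(algorithm.toString()));
    }
}
```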
@@ -2914,7 +2914,8 @@ public StringBuilder appendSignatureAndHashAlgorithms(StringBuilder builder) {
 List algorithms = report.getSupportedSignatureAndHashAlgorithms();
 if (algorithms != null) {
- prettyAppendHeading(builder, "Supported Signature and Hash Algorithms");
+ prettyAppendHeading(
+ builder, "Supported Handshake Signature Algorithms (Server Key Exchange)");
 if (report.getSupportedSignatureAndHashAlgorithms().size() > 0) {
 for (SignatureAndHashAlgorithm algorithm : report.getSupportedSignatureAndHashAlgorithms()) {
@@ -2932,7 +2933,7 @@ public StringBuilder appendSignatureAndHashAlgorithms(StringBuilder builder) {
 List algorithmsTls13 = report.getSupportedSignatureAndHashAlgorithmsTls13();
 if (algorithmsTls13 != null) {
- prettyAppendHeading(builder, "Supported Signature and Hash Algorithms TLS 1.3");
+ prettyAppendHeading(builder, "Supported Handshake Signature Algorithms TLS 1.3");
 if (report.getSupportedSignatureAndHashAlgorithmsTls13().size() > 0) {
 for (SignatureAndHashAlgorithm algorithm : report.getSupportedSignatureAndHashAlgorithmsTls13()) {
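Review bot: The TLS 1.3 heading in the second hunk names no handshake message, while the TLS 1.2 heading in the first hunk now says "(Server Key Exchange)"; TLS 1.3 has no ServerKeyExchange, and the server's handshake signature is carried in CertificateVerify. If this list holds the algorithms the server signs its TLS 1.3 handshake with (the getter name suggests so, but the probe is not visible here), a parallel label would finish the disambiguation the commit is after: `prettyAppendHeading(builder, "Supported Handshake Signature Algorithms TLS 1.3 (Certificate Verify)");`. The same string is added in the second ServerContainerReportCreator.java hunk and would need the matching change. The enclosing method starts and ends outside the hunk.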