Add new checks to db/categories/template

Author: mxsasha

checks/categories.py

@@ -3,7 +3,7 @@
 from typing import Optional
 
 from checks import scoring
-from checks.models import TLSClientInitiatedRenegotiationStatus
+from checks.models import TLSClientInitiatedRenegotiationStatus, KexRSAPKCSStatus, TLSExtendedMasterSecretStatus
 from checks.scoring import (
     ORDERED_STATUSES,
     STATUS_ERROR,
@@ -185,6 +185,8 @@ def __init__(self, name="web-tls"):
             WebTlsZeroRTT,
             WebTlsOCSPStapling,
             WebTlsKexHashFunc,
+            WebTlsKexRSAPKCSStatus,
+            WebTLSExtendedMasterSecret,
             # WebTlsDaneRollover,
         ]
         super().__init__(name, subtests)
@@ -257,6 +259,8 @@ def __init__(self, name="mail-tls"):
             MailTlsDaneRollover,
             MailTlsZeroRTT,
             MailTlsKexHashFunc,
+            MailTlsKexRSAPKCSStatus,
+            MailTLSExtendedMasterSecret,
             # MailTlsOCSPStapling,  # Disabled for mail.
         ]
         super().__init__(name, subtests)
@@ -1525,6 +1529,84 @@ def result_phase_out(self):
         self.tech_data = "detail tech data phase-out"
 
 
+class WebTlsKexRSAPKCSStatus(Subtest):
+    def __init__(self):
+        super().__init__(
+            name="key_exchange_rsa_pkcs",
+            label="detail web tls key-exchange-rsa-pkcs label",
+            explanation="detail web tls key-exchange-rsa-pkcs exp",
+            tech_string="detail web tls key-exchange-rsa-pkcs tech table",
+            worst_status=scoring.TLS_KEX_RSA_PKCS_WORST_STATUS,
+            full_score=scoring.TLS_KEX_RSA_PKCS_GOOD,
+            model_score_field="key_exchange_rsa_pkcs_score",
+        )
+
+    def save_result(self, status: KexRSAPKCSStatus):
+        handlers = {
+            KexRSAPKCSStatus.good: self.result_good,
+            KexRSAPKCSStatus.bad: self.result_bad,
+            KexRSAPKCSStatus.unknown: self.result_unknown,
+        }
+        return handlers[status]()
+
+    def result_good(self):
+        self._status(STATUS_SUCCESS)
+        self.verdict = "detail web tls key-exchange-rsa-pkcs verdict good"
+        self.tech_data = "detail tech data good"
+
+    def result_bad(self):
+        self._status(STATUS_FAIL)
+        self.verdict = "detail web tls key-exchange-rsa-pkcs verdict bad"
+        self.tech_data = "detail tech data insufficient"
+
+    def result_unknown(self):
+        self._status(STATUS_INFO)
+        self.verdict = "detail web tls key-exchange-rsa-pkcs verdict other"
+        self.tech_data = "detail tech data not-applicable"
+
+
+class WebTLSExtendedMasterSecret(Subtest):
+    def __init__(self):
+        super().__init__(
+            name="extended_master_secret",
+            label="detail web tls extended-master-secret label",
+            explanation="detail web tls extended-master-secret exp",
+            tech_string="detail web tls extended-master-secret tech table",
+            worst_status=scoring.TLS_EXTENDED_MASTER_SECRET_WORST_STATUS,
+            full_score=scoring.TLS_EXTENDED_MASTER_SECRET_GOOD,
+            model_score_field="extended_master_secret_score",
+        )
+
+    def save_result(self, status: TLSExtendedMasterSecretStatus):
+        handlers = {
+            TLSExtendedMasterSecretStatus.supported: self.result_good,
+            TLSExtendedMasterSecretStatus.na_no_tls_1_2: self.result_na_no_tls_1_2,
+            TLSExtendedMasterSecretStatus.not_supported: self.result_bad,
+            TLSExtendedMasterSecretStatus.unknown: self.result_unknown,
+        }
+        return handlers[status]()
+
+    def result_good(self):
+        self._status(STATUS_SUCCESS)
+        self.verdict = "detail web tls extended-master-secret verdict good"
+        self.tech_data = "detail tech data good"
+
+    def result_bad(self):
+        self._status(STATUS_FAIL)
+        self.verdict = "detail web tls extended-master-secret verdict bad"
+        self.tech_data = "detail tech data insufficient"
+
+    def result_unknown(self):
+        self._status(STATUS_INFO)
+        self.verdict = "detail web tls extended-master-secret verdict other"
+        self.tech_data = "detail tech data not-applicable"
+
+    def result_na_no_tls_1_2(self):
+        self._status(STATUS_NOTICE)
+        self.verdict = "detail web tls extended-master-secret verdict na-no-tls-1-2"
+        self.tech_data = "detail tech data phase-out"
+
+
 class MailTlsStarttlsExists(Subtest):
     def __init__(self):
         super().__init__(
@@ -2115,6 +2197,84 @@ def result_phase_out(self):
         self.tech_data = "detail tech data phase-out"
 
 
+class MailTlsKexRSAPKCSStatus(Subtest):
+    def __init__(self):
+        super().__init__(
+            name="key_exchange_rsa_pkcs",
+            label="detail mail tls key-exchange-rsa-pkcs label",
+            explanation="detail mail tls key-exchange-rsa-pkcs exp",
+            tech_string="detail mail tls key-exchange-rsa-pkcs tech table",
+            worst_status=scoring.TLS_KEX_RSA_PKCS_WORST_STATUS,
+            full_score=scoring.TLS_KEX_RSA_PKCS_GOOD,
+            model_score_field="key_exchange_rsa_pkcs_score",
+        )
+
+    def save_result(self, status: KexRSAPKCSStatus):
+        handlers = {
+            KexRSAPKCSStatus.good: self.result_good,
+            KexRSAPKCSStatus.bad: self.result_bad,
+            KexRSAPKCSStatus.unknown: self.result_unknown,
+        }
+        return handlers[status]()
+
+    def result_good(self):
+        self._status(STATUS_SUCCESS)
+        self.verdict = "detail mail tls key-exchange-rsa-pkcs verdict good"
+        self.tech_data = "detail tech data good"
+
+    def result_bad(self):
+        self._status(STATUS_FAIL)
+        self.verdict = "detail mail tls key-exchange-rsa-pkcs verdict bad"
+        self.tech_data = "detail tech data insufficient"
+
+    def result_unknown(self):
+        self._status(STATUS_INFO)
+        self.verdict = "detail mail tls key-exchange-rsa-pkcs verdict other"
+        self.tech_data = "detail tech data not-applicable"
+
+
+class MailTLSExtendedMasterSecret(Subtest):
+    def __init__(self):
+        super().__init__(
+            name="extended_master_secret",
+            label="detail mail tls extended-master-secret label",
+            explanation="detail mail tls extended-master-secret exp",
+            tech_string="detail mail tls extended-master-secret tech table",
+            worst_status=scoring.TLS_EXTENDED_MASTER_SECRET_WORST_STATUS,
+            full_score=scoring.TLS_EXTENDED_MASTER_SECRET_GOOD,
+            model_score_field="extended_master_secret_score",
+        )
+
+    def save_result(self, status: TLSExtendedMasterSecretStatus):
+        handlers = {
+            TLSExtendedMasterSecretStatus.supported: self.result_good,
+            TLSExtendedMasterSecretStatus.na_no_tls_1_2: self.result_na_no_tls_1_2,
+            TLSExtendedMasterSecretStatus.not_supported: self.result_bad,
+            TLSExtendedMasterSecretStatus.unknown: self.result_unknown,
+        }
+        return handlers[status]()
+
+    def result_good(self):
+        self._status(STATUS_SUCCESS)
+        self.verdict = "detail mail tls extended-master-secret verdict good"
+        self.tech_data = "detail tech data good"
+
+    def result_bad(self):
+        self._status(STATUS_FAIL)
+        self.verdict = "detail mail tls extended-master-secret verdict bad"
+        self.tech_data = "detail tech data insufficient"
+
+    def result_unknown(self):
+        self._status(STATUS_INFO)
+        self.verdict = "detail mail tls extended-master-secret verdict other"
+        self.tech_data = "detail tech data not-applicable"
+
+    def result_na_no_tls_1_2(self):
+        self._status(STATUS_NOTICE)
+        self.verdict = "detail mail tls extended-master-secret verdict na-no-tls-1-2"
+        self.tech_data = "detail tech data phase-out"
+
+
 class MailTlsDaneExists(Subtest):
     def __init__(self):
         super().__init__(

checks/migrations/0020_domaintesttls_extended_master_secret_and_more.py

@@ -0,0 +1,38 @@
+# Generated by Django 4.2.22 on 2025-08-12 12:28
+
+import checks.models
+from django.db import migrations, models
+import enumfields.fields
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("checks", "0019_domaintesttls_client_reneg_to_enum"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="domaintesttls",
+            name="extended_master_secret",
+            field=enumfields.fields.EnumField(
+                default=3,
+                enum=checks.models.TLSExtendedMasterSecretStatus,
+                max_length=10,
+            ),
+        ),
+        migrations.AddField(
+            model_name="domaintesttls",
+            name="extended_master_secret_score",
+            field=models.IntegerField(null=True),
+        ),
+        migrations.AddField(
+            model_name="domaintesttls",
+            name="key_exchange_rsa_pkcs",
+            field=enumfields.fields.EnumField(default=2, enum=checks.models.KexRSAPKCSStatus, max_length=10),
+        ),
+        migrations.AddField(
+            model_name="domaintesttls",
+            name="key_exchange_rsa_pkcs_score",
+            field=models.IntegerField(null=True),
+        ),
+    ]

checks/models.py

@@ -550,6 +550,12 @@ class DomainTestTls(BaseTestModel):
     kex_hash_func = EnumField(KexHashFuncStatus, default=KexHashFuncStatus.bad)
     kex_hash_func_score = models.IntegerField(null=True)
 
+    key_exchange_rsa_pkcs = EnumField(KexRSAPKCSStatus, default=KexRSAPKCSStatus.unknown)
+    key_exchange_rsa_pkcs_score = models.IntegerField(null=True)
+
+    extended_master_secret = EnumField(TLSExtendedMasterSecretStatus, default=TLSExtendedMasterSecretStatus.unknown)
+    extended_master_secret_score = models.IntegerField(null=True)
+
     forced_https = EnumField(ForcedHttpsStatus, default=ForcedHttpsStatus.bad)
     forced_https_score = models.IntegerField(null=True)
 
@@ -628,6 +634,10 @@ def __dir__(self):
             "ocsp_stapling_score",
             "kex_hash_func",
             "kex_hash_func_score",
+            "key_exchange_rsa_pkcs",
+            "key_exchange_rsa_pkcs_score",
+            "extended_master_secret",
+            "extended_master_secret_score",
             "forced_https",
             "forced_https_score",
             "http_compression_enabled",
@@ -673,6 +683,8 @@ def get_web_api_details(self):
             "zero_rtt": self.zero_rtt.name,
             "ocsp_stapling": self.ocsp_stapling.name,
             "kex_hash_func": self.kex_hash_func.name,
+            "key_exchange_rsa_pkcs": self.key_exchange_rsa_pkcs.name,
+            "extended_master_secret": self.extended_master_secret.name,
             "https_redirect": self.forced_https.name,
             "http_compression": self.http_compression_enabled,
             "hsts": self.hsts_enabled,
@@ -708,6 +720,8 @@ def get_mail_api_details(self):
             "client_reneg": self.client_reneg,
             "zero_rtt": self.zero_rtt.name,
             "kex_hash_func": self.kex_hash_func.name,
+            "key_exchange_rsa_pkcs": self.key_exchange_rsa_pkcs.name,
+            "extended_master_secret": self.extended_master_secret.name,
             "cert_chain": self.cert_chain,
             "cert_trusted": self.cert_trusted,
             "cert_pubkey_bad": self.cert_pubkey_bad,

checks/scoring.py

@@ -165,10 +165,10 @@
 WEB_TLS_HOSTMATCH_BAD = NO_POINTS
 WEB_TLS_HOSTMATCH_WORST_STATUS = STATUS_FAIL
 
-WEB_TLS_EXTENDED_MASTER_SECRET_GOOD = FULL_WEIGHT_POINTS
-WEB_TLS_EXTENDED_MASTER_SECRET_OK = FULL_WEIGHT_POINTS
-WEB_TLS_EXTENDED_MASTER_SECRET_BAD = NO_POINTS
-WEB_TLS_EXTENDED_MASTER_SECRET_WORST_STATUS = STATUS_FAIL
+TLS_EXTENDED_MASTER_SECRET_GOOD = FULL_WEIGHT_POINTS
+TLS_EXTENDED_MASTER_SECRET_OK = FULL_WEIGHT_POINTS
+TLS_EXTENDED_MASTER_SECRET_BAD = NO_POINTS
+TLS_EXTENDED_MASTER_SECRET_WORST_STATUS = STATUS_FAIL
 
 CAA_GOOD = FULL_WEIGHT_POINTS
 CAA_BAD = NO_POINTS
@@ -196,10 +196,10 @@
 WEB_TLS_OCSP_STAPLING_BAD = NO_POINTS
 WEB_TLS_OCSP_STAPLING_WORST_STATUS = STATUS_NOTICE
 
-WEB_TLS_KEX_RSA_PKCS_GOOD = FULL_WEIGHT_POINTS
-WEB_TLS_KEX_RSA_PKCS_OK = FULL_WEIGHT_POINTS
-WEB_TLS_KEX_RSA_PKCS_BAD = NO_POINTS
-WEB_TLS_KEX_RSA_PKCS_WORST_STATUS = STATUS_NOTICE
+TLS_KEX_RSA_PKCS_GOOD = FULL_WEIGHT_POINTS
+TLS_KEX_RSA_PKCS_OK = FULL_WEIGHT_POINTS
+TLS_KEX_RSA_PKCS_BAD = NO_POINTS
+TLS_KEX_RSA_PKCS_WORST_STATUS = STATUS_NOTICE
 
 WEB_TLS_KEX_HASH_FUNC_GOOD = FULL_WEIGHT_POINTS
 WEB_TLS_KEX_HASH_FUNC_OK = FULL_WEIGHT_POINTS

checks/tasks/tls/evaluation.py

@@ -24,7 +24,7 @@
     TLSClientInitiatedRenegotiationStatus,
     TLSExtendedMasterSecretStatus,
 )
-from checks.scoring import WEB_TLS_EXTENDED_MASTER_SECRET_GOOD, WEB_TLS_EXTENDED_MASTER_SECRET_BAD
+from checks.scoring import TLS_EXTENDED_MASTER_SECRET_GOOD, TLS_EXTENDED_MASTER_SECRET_BAD
 from checks.tasks.tls.tls_constants import (
     PROTOCOLS_GOOD,
     PROTOCOLS_SUFFICIENT,
@@ -353,7 +353,7 @@ class TLSExtendedMasterSecretEvaluation:
     """
 
     status: TLSExtendedMasterSecretStatus = TLSExtendedMasterSecretStatus.na_no_tls_1_2
-    score: scoring.Score = WEB_TLS_EXTENDED_MASTER_SECRET_GOOD
+    score: scoring.Score = TLS_EXTENDED_MASTER_SECRET_GOOD
 
     def update_for_connection(self, ssl_connection: SslConnection, tls_version: TlsVersionEnum) -> None:
         if tls_version != TlsVersionEnum.TLS_1_2:
@@ -362,10 +362,10 @@ def update_for_connection(self, ssl_connection: SslConnection, tls_version: TlsV
         ems_support = ssl_connection.ssl_client.get_extended_master_secret_support()
         if ems_support == ExtendedMasterSecretSupportEnum.USED_IN_CURRENT_SESSION:
             self.status = TLSExtendedMasterSecretStatus.supported
-            self.score = WEB_TLS_EXTENDED_MASTER_SECRET_GOOD
+            self.score = TLS_EXTENDED_MASTER_SECRET_GOOD
         elif ems_support == ExtendedMasterSecretSupportEnum.NOT_USED_IN_CURRENT_SESSION:
             self.status = TLSExtendedMasterSecretStatus.not_supported
-            self.score = WEB_TLS_EXTENDED_MASTER_SECRET_BAD
+            self.score = TLS_EXTENDED_MASTER_SECRET_BAD
 
 
 def _unique_unhashable(items: List[Any]) -> List[Any]:

checks/tasks/tls/scans.py

@@ -886,12 +886,12 @@ def test_key_exchange_rsa_pkcs(
         log.info(f"RSA-PKCS key exchange check: negotiated bad sigalg ({rsa_pkcs_result})")
         return KeyExchangeRSAPKCSFunctionEvaluation(
             status=KexRSAPKCSStatus.bad,
-            score=scoring.WEB_TLS_KEX_RSA_PKCS_BAD,
+            score=scoring.TLS_KEX_RSA_PKCS_BAD,
         )
 
     return KeyExchangeRSAPKCSFunctionEvaluation(
         status=KexRSAPKCSStatus.good,
-        score=scoring.WEB_TLS_KEX_RSA_PKCS_GOOD,
+        score=scoring.TLS_KEX_RSA_PKCS_GOOD,
     )
 
 

checks/tasks/tls/tasks_reports.py

@@ -275,6 +275,10 @@ def save_results(model, results, addr, domain, category):
                     model.ocsp_stapling_score = result.get("ocsp_stapling_score")
                     model.kex_hash_func = result.get("kex_hash_func")
                     model.kex_hash_func_score = result.get("kex_hash_func_score")
+                    model.key_exchange_rsa_pkcs = result.get("key_exchange_rsa_pkcs")
+                    model.key_exchange_rsa_pkcs_score = result.get("key_exchange_rsa_pkcs_score")
+                    model.extended_master_secret = result.get("extended_master_secret")
+                    model.extended_master_secret_score = result.get("extended_master_secret_score")
 
             elif testname == "cert" and result.get("tls_cert"):
                 model.cert_chain = result.get("chain")
@@ -350,6 +354,10 @@ def save_results(model, results, addr, domain, category):
                     # model.ocsp_stapling_score = result.get("ocsp_stapling_score")
                     model.kex_hash_func = result.get("kex_hash_func")
                     model.kex_hash_func_score = result.get("kex_hash_func_score")
+                    model.key_exchange_rsa_pkcs = result.get("key_exchange_rsa_pkcs")
+                    model.key_exchange_rsa_pkcs_score = result.get("key_exchange_rsa_pkcs_score")
+                    model.extended_master_secret = result.get("extended_master_secret")
+                    model.extended_master_secret_score = result.get("extended_master_secret_score")
                 if result.get("tls_cert"):
                     model.cert_chain = result.get("chain")
                     model.cert_trusted = result.get("trusted")
@@ -574,6 +582,9 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
             elif dttls.kex_hash_func == KexHashFuncStatus.phase_out:
                 category.subtests["kex_hash_func"].result_phase_out()
 
+            category.subtests["key_exchange_rsa_pkcs"].save_result(dttls.key_exchange_rsa_pkcs)
+            category.subtests["extended_master_secret"].save_result(dttls.extended_master_secret)
+
     elif isinstance(category, categories.MailTls):
         if dttls.could_not_test_smtp_starttls:
             category.subtests["starttls_exists"].result_could_not_test()
@@ -736,6 +747,9 @@ def annotate_and_combine_all(good_items, sufficient_items, bad_items, phaseout_i
             elif dttls.kex_hash_func == KexHashFuncStatus.phase_out:
                 category.subtests["kex_hash_func"].result_phase_out()
 
+            category.subtests["key_exchange_rsa_pkcs"].save_result(dttls.key_exchange_rsa_pkcs)
+            category.subtests["extended_master_secret"].save_result(dttls.extended_master_secret)
+
     dttls.report = category.gen_report()