Post-quantum X509 Signature Algorithms

🗓️ 08 Dec 2025 00:00:00Reported by TenableType
Detects which post-quantum TLS signature algorithms are supported by the remote service.
#TRUSTED 4141d6f5adca1179e1782107e3436dbb4297bbf6169b48c761a4317aa36d6617225922e893db93911d863be02c35bf9a0dd524fa66662b3bdbc59c3573cb46ac6eeb7172a8fd94ed4354258794d5bfe47a0f9b8821893dab417879a7251277be2cbdfae8cf0e00647820446f4e82474159287fcd57345a99e51165f7cb761254213c2ebdbd3bb5e5426c5bee05af25c2c299099b45ab4c538c62cd492d4e8097dd63a6ce9e56bc522fd86ce9884845d08e1819bda1fc07a7f06e8c0b3ffefb03b14ddcfe781aff4a15f39aba0afdc6c5833c27426aa1f4fe1001f18f9e926dec1a03c4281187d5046388097fc6efafbcc72be4c43371248ae6404ace2864678e35b8e48d3ce8a117894bd5387733ee801803a5cfc684a212ba7c7fe5e35dd0bf83af697b729ca94423575a8cce501911e397adc245d05b5614a7b2f74d2644f56a122c14b508efd23711f23365842d811e971337fb3d3732034fa3d282d34d424fd2ea9891a576867086bc7d3863759cd3f2c6777f4feddf3c0d00a5940271bace639d57fe5af99b8975b8a280f987c98b18138a8352ae0ecb3cac6e7749dd9e46579a9f3f29577128a3039d5d6611b055259ff0ea6144c277a236871a34621fe4861f3d65522dca896ea84176bb0499df9da0bf641035f443fbc8219b5e1209809fd4ee41c36a932ebead930cd98faa44ed6c6e53ecef6cb093667b53e854f0
#TRUST-RSA-SHA256 3cd0f284452da1326f834a454a0eddf00440c8083cdc87819ed0565760230a52108894121fb190bdfb9253db399c368a03c681f28fc81443422a88da6b2f5e22e5dc748d5bb9bc9ce3220ef5a2e7f0ba0f842b76f2ff4640f6c4c0a2bc5e856f617352ace4fd498683fefdd8ff6397beaecbe2cd5b596c15c263be2afc25a95566c6aad60df87091b61a94d5dd44411b5986dfc07e81cd1998abebc1ad9e6793195dc0f869fcbab72977fc592f9f8a988f58aa91335e304705e9f407a21b3ba86c557bb78e5ad845e93ad32c8890fb2d31ea95a6f5cf4c9f64e300793c09a9b0091c9e4e03c692475fed1b971c942ca125422408beaf5ca533bbb7dab2184587c8dc57e573a741dfcf05fbe0bf3f6a59de8f760c9882709a6598d3f95bcd9b544882924ca7b97e98b16a27f8dda95b5f3713d6fceb4f4dc7f3b17d9e40c6be1f140190afea22f6f39277f86b632d5b8881eaf9b9b506d8e140d63c625d04de1cfe65e33cc935f7a8c828a7b9c313ff27f206d6afffe052f083e2adcd427d2d5e0dd4ff85e4ba199e94113e175143fb88d4003ca32bdbda5d7cf8cab4c6c3a9e5da9ea9348b534480e7d6c31523086b862c24e7df2bdf37b5602330ff52001ec69b06f3a980593bff8f9803c786b51df88f959f06ffac25ff018a66885381d15c1109f56613724d886aa908365f292c44f9dfe2bdc47b3f38dec74e3d5644974e
#%NASL_MIN_LEVEL 80900
#TRUST-RSA-SHA256
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(277651);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/08");

  script_name(english:"Post-quantum X509 Signature Algorithms");

  script_set_attribute(attribute:"synopsis", value:
"The remote service supports post-quantum TLS signature algorithms.");
  script_set_attribute(attribute:"description", value:
"This plugin detects which post-quantum TLS signature algorithms are
supported by the remote service.");
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssl_certificate_chain.nasl");
  script_require_keys("SSL/Supported");

  exit(0);
}

include("ssl_funcs.inc");

if(!get_kb_item("SSL/Supported"))
  exit(1, "The 'SSL/Supported' KB is not set.");

# Get a port to operate on, forking for each one.
var pp_info = get_tls_dtls_ports(fork:TRUE, dtls:FALSE, check_port:TRUE);
var port = pp_info["port"];
if (isnull(port))
  exit(1, "The host does not appear to have any TLS based services.");

var cert_kbs = get_kb_list("SSL/Certificate/" + port + "*");
var algos = {};
var res, algo, tbs;
var report = "";
var subject;

for(var cert of cert_kbs)
{
  res = parse_certs(data:cert);
  if(!isnull(res))
  {
    algo = res[0][0]["signatureAlgorithm"];
    if(!isnull(algo))
    {
      replace_kb_item(name:"X509/signature_algo/" + port, value:oid_name[algo]);
      if("ML-DSA" >< oid_name[algo] || "SLH-DSA" >< oid_name[algo])
        algos[algo] = TRUE;
    }

    if(isnull(get_one_kb_item("Transport/SSL/" + port + "/subject")))
    {
      tbs = res[0][0]["tbsCertificate"];
      if(!isnull(tbs) && !isnull(tbs.subject))
      {
        subject = parsed_rdn_to_string(rdn:tbs.subject);
        replace_kb_item(name:"Transport/SSL/" + port + "/subject", value:subject);
      }
    }
  }
}

if(empty_or_null(algos))
  exit(0, "TCP port " + port + " does not appear to support post-quantum TLS signatures.");

replace_kb_item(name:"X509/signature_algos", value:TRUE);

var do_cipher_inventory = get_preference("collect_crypto_inventory");

if(isnull(do_cipher_inventory) || do_cipher_inventory != "yes")
  exit(0, "Cipher inventory disabled by scan policy preference.");

var name;
for(algo in algos)
{
  name = oid_name[algo];
  if(!empty_or_null(name))
  {
    if(strlen(report) == 0)
    {
      report += 'OID                        Name\n';
      report += '-------------------------------\n';
    }

    report += algo;
    report += crap(data:' ', 27 - strlen(algo));
    report += name;

  }
}

report =
  '\nHere is the list of TLS post quantum signature algorithms supported' +
  '\nby the remote server :\n' +
  '\n' + report;

security_report_v4(port:port, severity:SECURITY_NOTE, extra:report);
08 Dec 2025 00:00Current
5.5Medium risk
Vulners AI Score5.5