pqaudit 0.2.0

TLS post-quantum readiness auditor
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

use crate::audit::tables::{AlgorithmStatus, DeadlineInfo, DeadlineTable};
use crate::AlgorithmId;

pub struct Cnsa2Table;

impl DeadlineTable for Cnsa2Table {
    fn name(&self) -> &'static str {
        "NSA CNSA 2.0"
    }

    fn deadline_for(&self, alg: &AlgorithmId) -> Option<DeadlineInfo> {
        Some(match alg {
            // Classical algorithms all deprecated, disallowed 2030
            AlgorithmId::Rsa { .. }
            | AlgorithmId::EcP256
            | AlgorithmId::EcP384
            | AlgorithmId::X25519
            | AlgorithmId::Ed25519
            | AlgorithmId::Dh { .. } => DeadlineInfo {
                deprecated_year: 2024,
                disallowed_year: 2030,
                note: "CNSA 1.0 algorithms",
            },
            // AES-128 insufficient now
            AlgorithmId::Aes128 => DeadlineInfo {
                deprecated_year: 2024,
                disallowed_year: 2024,
                note: "AES-256 required",
            },
            // SHA-256 insufficient for NSS (SHA-384+ required)
            AlgorithmId::Sha256 => DeadlineInfo {
                deprecated_year: 2024,
                disallowed_year: 2024,
                note: "SHA-384+ required",
            },
            _ => return None,
        })
    }

    fn status_for(&self, alg: &AlgorithmId) -> AlgorithmStatus {
        const CURRENT_YEAR: u32 = 2026;
        match self.deadline_for(alg) {
            None => AlgorithmStatus::Unknown,
            Some(d) if d.disallowed_year <= CURRENT_YEAR => AlgorithmStatus::Disallowed,
            Some(d) if d.deprecated_year <= CURRENT_YEAR => AlgorithmStatus::Deprecated,
            Some(_) => AlgorithmStatus::Approved,
        }
    }
}