Update documentation for v1.2.0 certificate detection

thebenignhacker · thebenignhacker · commit 3ccec7ea1be2 · 2026-01-30T13:50:44.000-07:00
README.md:
- Added Certificates row to detection table
- Updated pattern count to 90+
- Updated roadmap to show v1.2 as current release
- Added certificate features to v1.2 release notes

PATTERNS.md:
- Added Certificates section with 19 patterns
- Added to Table of Contents
- Updated pattern count
- Documented critical findings and remediation
diff --git a/PATTERNS.md b/PATTERNS.md
@@ -1,19 +1,20 @@
 # CryptoScan Detection Patterns
 
-CryptoScan uses 100+ detection patterns to identify cryptographic algorithms, protocols, keys, and configurations in your codebase. Each pattern includes quantum risk classification and remediation guidance.
+CryptoScan uses 90+ detection patterns to identify cryptographic algorithms, protocols, keys, certificates, and configurations in your codebase. Each pattern includes quantum risk classification and remediation guidance.
 
 ## Table of Contents
 
 - [How Detection Works](#how-detection-works)
 - [Confidence Scoring](#confidence-scoring)
 - [Pattern Categories](#pattern-categories)
-  - [Post-Quantum Cryptography](#post-quantum-cryptography) *(NEW)*
-  - [Hybrid Cryptography](#hybrid-cryptography) *(NEW)*
+  - [Post-Quantum Cryptography](#post-quantum-cryptography)
+  - [Hybrid Cryptography](#hybrid-cryptography)
   - [Asymmetric Encryption](#asymmetric-encryption)
   - [Symmetric Encryption](#symmetric-encryption)
   - [Hash Functions](#hash-functions)
-  - [Message Authentication Codes (MACs)](#message-authentication-codes-macs) *(NEW)*
-  - [Key Derivation Functions (KDFs)](#key-derivation-functions-kdfs) *(NEW)*
+  - [Message Authentication Codes (MACs)](#message-authentication-codes-macs)
+  - [Key Derivation Functions (KDFs)](#key-derivation-functions-kdfs)
+  - [Certificates](#certificates) *(NEW in v1.2)*
   - [TLS/SSL Protocols](#tlsssl-protocols)
   - [Key Material & Secrets](#key-material--secrets)
   - [Cloud KMS Services](#cloud-kms-services)
@@ -243,6 +244,44 @@ KDFs derive cryptographic keys from passwords or other input material.
 
 ---
 
+### Certificates
+
+X.509 certificates, certificate chains, and PKI infrastructure. *(NEW in v1.2)*
+
+| Pattern ID | Name | Quantum Risk | Severity | What It Detects |
+|------------|------|--------------|----------|-----------------|
+| CERT-001 | X.509 Certificate | UNKNOWN | Info | `-----BEGIN CERTIFICATE-----` |
+| CERT-CSR-001 | Certificate Signing Request | UNKNOWN | Info | `-----BEGIN CERTIFICATE REQUEST-----` |
+| CERT-PKCS12-001 | PKCS#12/PFX Container | UNKNOWN | Medium | `.p12`, `.pfx`, `PKCS12` references |
+| CERT-CHAIN-001 | Certificate Chain | UNKNOWN | Info | `cert_chain`, `ca_bundle`, `root_ca`, `trust_anchor` |
+| CERT-TRUSTED-001 | Trusted Certificate | UNKNOWN | Info | `-----BEGIN TRUSTED CERTIFICATE-----` |
+| CERT-EXPIRY-001 | Certificate Expiration | UNKNOWN | Info | `NotAfter`, `validUntil`, expiration checks |
+| CERT-SUBJECT-001 | Certificate Subject/Issuer | UNKNOWN | Info | `subjectDN`, `issuerDN`, `getSubject`, `getIssuer` |
+| CERT-SIGALG-001 | Certificate Signature Algorithm | VULNERABLE | Medium | `sha256WithRSA`, `ecdsaWithSHA256` |
+| CERT-SIGALG-WEAK-001 | Weak Certificate Signature | VULNERABLE | **Critical** | `sha1WithRSA`, `md5WithRSA` |
+| CERT-KEYUSAGE-001 | Certificate Key Usage | UNKNOWN | Info | `keyUsage`, `extendedKeyUsage` |
+| CERT-SAN-001 | Subject Alternative Name | UNKNOWN | Info | `subjectAltName`, `dnsNames` |
+| CERT-PARSE-001 | X.509 Certificate Parsing | UNKNOWN | Info | `x509.ParseCertificate`, `X509Certificate` |
+| CERT-VALIDATION-BYPASS-001 | Certificate Validation Bypass | UNKNOWN | **Critical** | `InsecureSkipVerify: true`, `verify=false`, `CERT_NONE` |
+| CERT-SELFSIGNED-001 | Self-Signed Certificate | UNKNOWN | Medium | `self_signed`, `generateSelfSignedCert` |
+| CERT-MTLS-001 | Mutual TLS (mTLS) | PARTIAL | Info | `mutual_tls`, `client_cert`, `RequireClientCert` |
+| CERT-REVOCATION-001 | Certificate Revocation | UNKNOWN | Info | `OCSP`, `CRL`, `checkRevocation` |
+| CERT-PINNING-001 | Certificate Pinning | UNKNOWN | Info | `cert_pin`, `TrustManagerFactory` |
+| CERT-ACME-001 | ACME/Let's Encrypt | VULNERABLE | Info | `letsencrypt`, `certbot`, `acme_challenge` |
+| KEY-JWK-001 | JSON Web Key (JWK) | VULNERABLE | Medium | `"kty": "RSA"`, `"kty": "EC"`, `.well-known/jwks` |
+
+**Critical Findings**:
+- **Certificate Validation Bypass**: Disabling certificate validation enables man-in-the-middle attacks. This should be fixed immediately.
+- **Weak Certificate Signatures**: SHA-1 and MD5 signatures are deprecated and insecure. Replace certificates immediately.
+
+**Remediation**:
+- Use certificates with RSA-3072+ or ECC-P256+ keys
+- Ensure SHA-256 or stronger signature algorithms
+- Never disable certificate validation in production
+- Plan for PQC certificate migration when standards finalize
+
+---
+
 ### TLS/SSL Protocols
 
 | Pattern ID | Name | Quantum Risk | Severity | What It Detects |
diff --git a/README.md b/README.md
@@ -169,13 +169,14 @@ CryptoScan identifies cryptographic usage across your entire technology stack:
 | **Hash Functions** | SHA-2, SHA-3, SHAKE128/256, BLAKE2, BLAKE3, MD5, SHA-1 |
 | **MACs** | HMAC-SHA256/384/512, HMAC-SHA3, KMAC128/256, CMAC, GMAC, Poly1305 |
 | **Key Derivation (KDFs)** | HKDF, PBKDF2, Argon2id, scrypt, bcrypt |
-| **TLS/SSL** | Protocol versions, cipher suites, weak configurations |
+| **Certificates** | X.509, CSR, PKCS#12/PFX, certificate chains, mTLS, validation bypass, expiration, JWK |
+| **TLS/SSL** | Protocol versions, cipher suites, weak configurations, certificate pinning |
 | **Key Material** | Private keys (RSA, EC, SSH, PGP, PKCS#8), JWT secrets, HMAC keys |
 | **Cloud KMS** | AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault |
 | **Dependencies** | Crypto libraries across 20+ package managers |
 | **Configurations** | Hardcoded key sizes, algorithm selections, TLS settings |
 
-**[100+ detection patterns](PATTERNS.md)** with context-aware confidence scoring to minimize false positives.
+**[90+ detection patterns](PATTERNS.md)** with context-aware confidence scoring to minimize false positives.
 
 ### Quantum Risk Classification
 
@@ -478,22 +479,26 @@ cryptoscan/
 
 ## Roadmap
 
-### v1.1 (Current Release)
+### v1.2 (Current Release)
 - [x] Local and remote repository scanning
-- [x] 100+ cryptographic patterns (expanded from 50+)
+- [x] 90+ cryptographic patterns
 - [x] Multiple output formats (text, JSON, CSV, SARIF, CBOM)
 - [x] Context-aware analysis with confidence scoring
 - [x] Dependency scanning for 20+ package managers
 - [x] Parallel scanning with worker pools
 - [x] Inline ignore comments
-- [x] **NEW: Post-Quantum Cryptography detection (ML-KEM, ML-DSA, SLH-DSA, FN-DSA, XMSS, LMS)**
-- [x] **NEW: Hybrid cryptography recognition (X25519+ML-KEM, composite signatures)**
-- [x] **NEW: Comprehensive MAC detection (HMAC, KMAC, CMAC, GMAC, Poly1305)**
-- [x] **NEW: KDF detection (HKDF, PBKDF2, Argon2id, scrypt, bcrypt)**
-- [x] **NEW: Migration Readiness Score with visual dashboard**
-- [x] **NEW: QRAMM framework integration (CVI Dimension mapping)**
-
-### v1.2 (Next)
+- [x] Post-Quantum Cryptography detection (ML-KEM, ML-DSA, SLH-DSA, FN-DSA, XMSS, LMS)
+- [x] Hybrid cryptography recognition (X25519+ML-KEM, composite signatures)
+- [x] Comprehensive MAC detection (HMAC, KMAC, CMAC, GMAC, Poly1305)
+- [x] KDF detection (HKDF, PBKDF2, Argon2id, scrypt, bcrypt)
+- [x] Migration Readiness Score with visual dashboard
+- [x] QRAMM framework integration (CVI Dimension mapping)
+- [x] **NEW: Certificate detection (X.509, CSR, PKCS#12, chains, mTLS, JWK)**
+- [x] **NEW: Certificate validation bypass detection (CRITICAL severity)**
+- [x] **NEW: Weak certificate signature detection (SHA-1/MD5)**
+- [x] **NEW: Enhanced false positive reduction with smart context analysis**
+
+### v1.3 (Next)
 - [ ] Smart remediation engine with language-specific recommendations
 - [ ] Enhanced CBOM output (CycloneDX 1.6 cryptoProperties)
 - [ ] Git history scanning (find crypto in past commits)
@@ -504,7 +509,6 @@ cryptoscan/
 - [ ] Azure resource scanning (Key Vault, App Configuration)
 - [ ] GCP resource scanning (Cloud KMS, Secret Manager)
 - [ ] Infrastructure-as-Code analysis (Terraform, CloudFormation, Pulumi)
-- [ ] Certificate chain analysis
 
 ## Contributing
 
