
API Reference: Cipher Algorithms

certmonitor.cipher_algorithms

ALLOWED_CIPHER_SUITES module-attribute

# Default allow-list of cipher suite names.
# NOTE(review): every entry is an OpenSSL-style TLS 1.2 suite name (ECDHE key
# exchange with AES-GCM or ChaCha20-Poly1305). TLS 1.3 suites are named
# differently (e.g. TLS_AES_128_GCM_SHA256) and none is listed here even
# though ALLOWED_TLS_VERSIONS includes 'TLSv1.3' - confirm how the code that
# consults this set treats TLS 1.3 connections.
ALLOWED_CIPHER_SUITES = {
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
}

ALLOWED_TLS_VERSIONS module-attribute

# Default allow-list of TLS protocol version names; anything older than
# TLS 1.2 is absent from the defaults.
ALLOWED_TLS_VERSIONS = {
    "TLSv1.2",
    "TLSv1.3",
}

ALL_ALGORITHMS module-attribute

# Lookup table: category -> {algorithm name -> regex source}.
# Entry order is significant. parse_cipher_suite() reports the FIRST entry in
# each category whose pattern matches, so the more specific names must come
# before patterns that would also match them:
#   * 'ECDHE' precedes 'DHE', 'ECDH' and 'DH';
#   * 'SHA384' / 'SHA256' / 'SHA224' precede 'SHA' ('SHA1?').
# For a name such as ECDHE-RSA-AES128-GCM-SHA256 the 'mac' category therefore
# resolves to 'SHA256', because 'SHA256' is tested before 'AEAD'.
ALL_ALGORITHMS: Dict[str, AlgorithmDict] = {
    'encryption': {
        'AES': 'AES',
        'CHACHA20': 'CHACHA20',
        '3DES': '3DES|DES-EDE3',
        'CAMELLIA': 'CAMELLIA',
        'ARIA': 'ARIA',
        'SEED': 'SEED',
        'SM4': 'SM4',
        'IDEA': 'IDEA',
        'RC4': 'RC4',
    },
    'key_exchange': {
        'ECDHE': 'ECDHE|EECDH',
        'DHE': 'DHE|EDH',
        'ECDH': 'ECDH',
        'DH': 'DH',
        'RSA': 'RSA',
        'PSK': 'PSK',
        'SRP': 'SRP',
        'GOST': 'GOST',
        'ECCPWD': 'ECCPWD',
        'SM2': 'SM2',
    },
    'mac': {
        'SHA384': 'SHA384',
        'SHA256': 'SHA256',
        'SHA224': 'SHA224',
        'SHA': 'SHA1?',
        'MD5': 'MD5',
        'POLY1305': 'POLY1305',
        'AEAD': 'GCM|CCM|OCB',
        'GOST': 'GOST28147|GOST34\\.11',
        'SM3': 'SM3',
    },
}

AlgorithmDict module-attribute

# Maps an algorithm name to its matching pattern, held either as a regex
# source string or as a compiled pattern object.
AlgorithmDict = Dict[str, Union[str, Pattern[str]]]

list_algorithms

list_algorithms() -> Dict[str, Any]

List all known algorithms by category.

Source code in certmonitor/cipher_algorithms.py
def list_algorithms() -> Dict[str, Any]:
    """Return the known algorithm names, grouped by category.

    Returns:
        A new dict with one key per category of ALL_ALGORITHMS; each value is
        a new list of that category's algorithm names in table order. The
        matching patterns themselves are not included.
    """
    return {group: [*table] for group, table in ALL_ALGORITHMS.items()}

parse_cipher_suite cached

parse_cipher_suite(cipher_suite: str) -> Dict[str, str]

Parse a cipher suite string to identify encryption, key exchange, and MAC algorithms.

Source code in certmonitor/cipher_algorithms.py
@lru_cache(maxsize=128)
def parse_cipher_suite(cipher_suite: str) -> Dict[str, str]:
    """Classify a cipher suite name by encryption, key exchange and MAC.

    Every category of ALL_ALGORITHMS is scanned in table order and the first
    algorithm whose pattern is found anywhere in *cipher_suite* is reported
    for that category. The three standard categories default to "Unknown"
    when nothing matches.

    Args:
        cipher_suite: The cipher suite name to classify.

    Returns:
        A dict mapping each category to the matched algorithm name.

    Note:
        Results are memoised by lru_cache, so repeated calls with the same
        name return the same dict object; a caller that mutates it changes
        what later callers receive. Copy the result before modifying it.
    """
    parsed = {"encryption": "Unknown", "key_exchange": "Unknown", "mac": "Unknown"}

    for category, table in ALL_ALGORITHMS.items():
        # The table values are expected to be compiled regex objects by the
        # time this runs; cast() only informs the type checker.
        hits = (
            name
            for name, regex in table.items()
            if cast(Pattern[str], regex).search(cipher_suite)
        )
        # Consume at most one hit: first match wins, later entries are not tried.
        for name in hits:
            parsed[category] = name
            break

    return parsed

update_algorithms

update_algorithms(custom_algorithms: Dict[str, Dict[str, str]]) -> None

Update the ALL_ALGORITHMS dictionary with user-provided custom algorithms.

Source code in certmonitor/cipher_algorithms.py
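def update_algorithms(custom_algorithms: Dict[str, Dict[str, str]]) -> None:
    """Merge user-provided algorithm patterns into ALL_ALGORITHMS.

    Each pattern string is compiled with re.compile and stored under its
    category and algorithm name. Unknown categories are created. An existing
    name is overwritten in place and keeps its position; a new name is
    appended, so it is tried last by the first-match lookup in
    parse_cipher_suite. The parse cache is cleared afterwards so results
    computed against the old table are not served.

    These patterns decide how cipher suites are classified, so they should
    come only from configuration the operator controls.

    Args:
        custom_algorithms: Mapping of category -> {algorithm name -> regex
            source string}.

    Raises:
        re.error: If any pattern is not a valid regular expression. Nothing
            is changed in that case.
    """
    # Compile everything before touching the shared table: an invalid pattern
    # part-way through must not leave ALL_ALGORITHMS half-updated with the
    # parse cache still holding results from the old table.
    compiled = {
        category: {alg_name: re.compile(pattern) for alg_name, pattern in algs.items()}
        for category, algs in custom_algorithms.items()
    }

    for category, algs in compiled.items():
        ALL_ALGORITHMS.setdefault(category, {}).update(algs)

    parse_cipher_suite.cache_clear()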

update_allowed_lists

update_allowed_lists(custom_tls_versions: Optional[Set[str]] = None, custom_ciphers: Optional[Set[str]] = None) -> None

Update the sets of allowed TLS versions and cipher suites.

Parameters:

Name Type Description Default
custom_tls_versions set

A set of allowed TLS versions. E.g., {"TLSv1.2", "TLSv1.3"}

None
custom_ciphers set

A set of allowed cipher suites. E.g., {"ECDHE-RSA-AES128-GCM-SHA256"}

None
Source code in certmonitor/cipher_algorithms.py
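def _copy_name_set(value: Set[str], label: str) -> Set[str]:
    """Return a fresh set built from *value*, rejecting a single bare string."""
    if isinstance(value, (str, bytes)):
        # A bare string would turn later `name in allowed` checks into
        # substring tests (e.g. "TLSv1" in "TLSv1.2" is True).
        raise TypeError(f"{label} must be a set of names, not a single string")
    return set(value)


def update_allowed_lists(
    custom_tls_versions: Optional[Set[str]] = None,
    custom_ciphers: Optional[Set[str]] = None,
) -> None:
    """
    Replace the sets of allowed TLS versions and cipher suites.

    Each argument that is not None REPLACES the corresponding module-level
    set; it is not merged with the defaults. An argument left as None keeps
    the current value. The values are stored as given and are not checked
    against any list of known versions or suites, so a caller can widen the
    policy as well as narrow it.

    A copy of each argument is stored, so mutating the caller's set afterwards
    does not silently change the allow-list.

    NOTE(review): the module globals are rebound, so code that imported the
    sets by name (``from ... import ALLOWED_TLS_VERSIONS``) before this call
    would keep the old object - confirm consumers read them via the module.

    Args:
        custom_tls_versions (set): A set of allowed TLS versions. E.g., {"TLSv1.2", "TLSv1.3"}
        custom_ciphers (set): A set of allowed cipher suites. E.g., {"ECDHE-RSA-AES128-GCM-SHA256"}

    Raises:
        TypeError: If either argument is a single string instead of a set of
            names. Neither allow-list is changed in that case.
    """
    global ALLOWED_TLS_VERSIONS, ALLOWED_CIPHER_SUITES

    # Validate and copy both arguments before assigning either, so a bad
    # second argument cannot leave the policy half-updated.
    new_versions = (
        None
        if custom_tls_versions is None
        else _copy_name_set(custom_tls_versions, "custom_tls_versions")
    )
    new_ciphers = (
        None
        if custom_ciphers is None
        else _copy_name_set(custom_ciphers, "custom_ciphers")
    )

    if new_versions is not None:
        ALLOWED_TLS_VERSIONS = new_versions

    if new_ciphers is not None:
        ALLOWED_CIPHER_SUITES = new_ciphers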