feat(expansion): add email security, SSH fingerprint, and TLS certificate modules

[DarkAngel-agents]

Three new standalone expansion modules for infrastructure security assessment:

email_security_check

• Input: domain/hostname
• Checks: SPF, DKIM (12 common selectors), DMARC (policy extraction), MTA-STS
• Output: posture assessment with score /5
• Dependencies: dnspython (already in project)

ssh_fingerprint

• Input: ip-src/ip-dst
• Grabs: SSH banner, host key algorithms, KEX algorithms, KEX init hash
• Use case: detect server key changes / MitM over time
• Dependencies: none (stdlib socket)

tls_certificate_check

• Input: domain/hostname
• Extracts: subject, issuer, serial, protocol version, validity period, SANs
• Flags: EXPIRED / EXPIRING SOON / VALID with days remaining
• Dependencies: none (stdlib ssl + socket)

All three modules require zero external APIs or paid services.
Tested on NixOS 25.11 against google.com and 8.8.8.8.

[adulau]

Thanks a lot. Could you update the modules to support the misp-objects instead of attributes? as the misp-modules have two output format, the latest one is actually much more advanced and could make the modules even more useful in misp workflow and alike.

[DarkAngel-agents]

Thanks for the review! I'm working on updating the modules to return misp-objects (x509, passive-ssh) instead of plain text attributes. Will push the update shortly.

[DarkAngel-agents]

Updated all three modules to return misp-objects as requested:

• tls_certificate_check → x509 object (serial-number, issuer, subject, validity, dns_names/SANs)
• ssh_fingerprint → passive-ssh object (host, port, banner, fingerprint)
• email_security_check → domain-ip object with SPF/DKIM/DMARC/MTA-STS findings as structured attributes

All modules now use format: misp_standard with MISPEvent/MISPObject/MISPAttribute from pymisp.