Add NSS Mozilla cert test for FIPS. Fixes #615

tests/test_fips.py

@@ -320,3 +320,35 @@ def test_icainfo_binary(container_per_test: ContainerData) -> None:
     )
     container_per_test.connection.check_output("icastats -k")
     container_per_test.connection.check_output("icastats -S")
+
+
+@pytest.mark.parametrize(
+    "container_per_test", FIPS_TESTER_IMAGES, indirect=True
+)
+def test_nss_firefox_cert(container_per_test: ContainerData) -> None:
+    container_per_test.connection.check_output(
+        "zypper -n install mozilla-nss mozilla-nss-tools"
+    )
+    # Seed file
+    container_per_test.connection.check_output(
+        "cat /dev/urandom | head -n 120 > seedfile.dat"
+    )
+    # Empty password
+    container_per_test.connection.check_output('echo "" > password.txt')
+    # Create database, needed prerequisite, needs one <enter> as interaction
+    assert (
+        container_per_test.connection.check_output(
+            'rm -rf nssdb && mkdir -p nssdb && certutil -N -d "${PWD}/nssdb" --empty-password && modutil -fips true -dbdir "${PWD}/nssdb" -force'
+        )
+        == "FIPS mode enabled."
+    ), "FIPS mode not enabled properly"
+    # Following will fail in FIPS mode because to short rsa keylength (1024)
+    assert container_per_test.connection.run_expect(
+        [255],
+        'NSS_FIPS=1 certutil -R -k rsa -g 1024 -s "CN=Daniel Duesentrieb3,O=Example Corp,L=Mountain View,ST=California,C=DE" -d "${PWD}/nssdb" -o cert9.cer -f password.txt -z seedfile.dat',
+    ), "RSA keylengths of 1024 or shorter must not be enabled in FIPS mode"
+
+    assert container_per_test.connection.run_expect(
+        [0],
+        'NSS_FIPS=1 certutil -R -k rsa -g 2048 -s "CN=Daniel Duesentrieb3,O=Example Corp,L=Mountain View,ST=California,C=DE" -d "${PWD}/nssdb" -o cert9.cer -f password.txt -z seedfile.dat',
+    ), "RSA keylengths of 2048 or greater should work fine in FIPS mode"