Add NSS Mozilla cert test for FIPS. Fixes #615

tests/test_fips.py

@@ -320,3 +320,32 @@ def test_icainfo_binary(container_per_test: ContainerData) -> None:
     )
     container_per_test.connection.check_output("icastats -k")
     container_per_test.connection.check_output("icastats -S")
+
+
+@pytest.mark.parametrize(
+    "container_per_test", FIPS_TESTER_IMAGES, indirect=True
+)
+def test_nss_firefox_cert(container_per_test: ContainerData) -> None:
+    container_per_test.connection.check_output(
+        "zypper -n install mozilla-nss mozilla-nss-tools"
+    )
+    # Seed file
+    container_per_test.connection.check_output(
+        "cat /dev/urandom | head -n 120 > seedfile.dat"
+    )
+    # Empty password
+    container_per_test.connection.check_output("echo \"\" > password.txt")
+    # Create database, needed prerequisite, needs one <enter> as interaction
+    assert (container_per_test.connection.check_output(
+        "rm -rf nssdb && mkdir -p nssdb && certutil -N -d \"${PWD}/nssdb\" --empty-password && modutil -fips true -dbdir \"${PWD}/nssdb\" -force"
+    ) == "FIPS mode enabled."), f"FIPS mode not enabled properly"
+    # Following will fail in FIPS mode because to short rsa keylength (1024)
+    assert container_per_test.connection.run_expect(
+        [255],
+        "NSS_FIPS=1 certutil -R -k rsa -g 1024 -s \"CN=Daniel Duesentrieb3,O=Example Corp,L=Mountain View,ST=California,C=DE\" -d \"${PWD}/nssdb\" -o cert9.cer -f password.txt -z seedfile.dat"
+    ), f"RSA keylengths of 1024 or shorter must not be enabled in FIPS mode"
+
+    assert container_per_test.connection.run_expect(
+        [0],
+        "NSS_FIPS=1 certutil -R -k rsa -g 2048 -s \"CN=Daniel Duesentrieb3,O=Example Corp,L=Mountain View,ST=California,C=DE\" -d \"${PWD}/nssdb\" -o cert9.cer -f password.txt -z seedfile.dat"
+    ), f"RSA keylengths of 2048 or greater should work fine in FIPS mode"