diff --git a/tests/test_fips.py b/tests/test_fips.py
index f7486150..91a79bd2 100644
--- a/tests/test_fips.py
+++ b/tests/test_fips.py
@@ -320,3 +320,32 @@ def test_icainfo_binary(container_per_test: ContainerData) -> None:
     )
     container_per_test.connection.check_output("icastats -k")
     container_per_test.connection.check_output("icastats -S")
+
+
+@pytest.mark.parametrize(
+    "container_per_test", FIPS_TESTER_IMAGES, indirect=True
+)
+def test_nss_firefox_cert(container_per_test: ContainerData) -> None:
+    container_per_test.connection.check_output(
+        "zypper -n install mozilla-nss mozilla-nss-tools"
+    )
+    # Seed file
+    container_per_test.connection.check_output(
+        "cat /dev/urandom | head -n 120 > seedfile.dat"
+    )
+    # Empty password
+    container_per_test.connection.check_output("echo \"\" > password.txt")
+    # Create database, needed prerequisite, needs one as interaction
+    assert (container_per_test.connection.check_output(
+        "rm -rf nssdb && mkdir -p nssdb && certutil -N -d \"${PWD}/nssdb\" --empty-password && modutil -fips true -dbdir \"${PWD}/nssdb\" -force"
+    ) == "FIPS mode enabled."), f"FIPS mode not enabled properly"
+    # Following will fail in FIPS mode because to short rsa keylength (1024)
+    assert container_per_test.connection.run_expect(
+        [255],
+        "NSS_FIPS=1 certutil -R -k rsa -g 1024 -s \"CN=Daniel Duesentrieb3,O=Example Corp,L=Mountain View,ST=California,C=DE\" -d \"${PWD}/nssdb\" -o cert9.cer -f password.txt -z seedfile.dat"
+    ), f"RSA keylengths of 1024 or shorter must not be enabled in FIPS mode"
+
+    assert container_per_test.connection.run_expect(
+        [0],
+        "NSS_FIPS=1 certutil -R -k rsa -g 2048 -s \"CN=Daniel Duesentrieb3,O=Example Corp,L=Mountain View,ST=California,C=DE\" -d \"${PWD}/nssdb\" -o cert9.cer -f password.txt -z seedfile.dat"
+    ), f"RSA keylengths of 2048 or greater should work fine in FIPS mode"
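Review bot: The negative check in test_nss_firefox_cert pins only exit code 255 for the 1024-bit `certutil -R` call, so any unrelated certutil failure (missing password.txt or seedfile.dat, a database that was not created, a typo in the subject) also returns non-zero and makes the "FIPS rejected the short key" assertion pass vacuously; capture the result and additionally assert on the rejection text, e.g. `res = container_per_test.connection.run_expect([255], ...)` followed by `assert "<certutil FIPS key-size error, confirm on the image>" in res.stderr`, with the exact message taken from a real run rather than guessed. The same weakness applies to the first assertion, which compares check_output to the exact string `"FIPS mode enabled."`; if the connection helper does not strip trailing whitespace this may fail for layout reasons, so `.strip()` or a containment check is safer. The `f"..."` messages carry no placeholders and should be plain strings, and the two nearly identical certutil command strings differ only in `-g 1024`/`-g 2048`, so a single template with the key size substituted would keep the positive and negative cases in sync. The comment `# Following will fail in FIPS mode because to short rsa keylength (1024)` should read `too short`.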