URL: https://github.com/freeipa/freeipa/pull/6112 Author: ssidhaye Title: #6112: ipatests : local ca is not generated under fips Action: opened
PR body: """ Certmonger uses default OpenSSL encryption algorithms to generate the PKCS12 object used for the local CA. This uses operations that are disallowed under fips, and so the local ca pkcs12 creds file is not generated. Bugzilla Link: https://bugzilla.redhat.com/show_bug.cgi?id=1950132 Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/6112/head:pr6112 git checkout pr6112
From 28cd366920d3351acbceb52667a0bed61555e574 Mon Sep 17 00:00:00 2001
From: Sumedh Sidhaye <ssidh...@redhat.com>
Date: Fri, 26 Nov 2021 12:57:01 +0530
Subject: [PATCH] Certmonger uses default OpenSSL encryption algorithms to generate the PKCS12 object used for the local CA. This uses operations that are disallowed under fips, and so the local ca pkcs12 creds file is not generated. Bugzilla Link: https://bugzilla.redhat.com/show_bug.cgi?id=1950132 Signed-off-by: Sumedh Sidhaye <ssidh...@redhat.com>
---
 ipatests/test_integration/test_fips.py | 34 +++++++++++++++++++-------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/ipatests/test_integration/test_fips.py b/ipatests/test_integration/test_fips.py
index 680a44926d9..af013daae75 100644
--- a/ipatests/test_integration/test_fips.py
+++ b/ipatests/test_integration/test_fips.py
@@ -3,19 +3,16 @@
 #
 """Smoke tests for FreeIPA installation in (fake) userspace FIPS mode """
+import time
+
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.ipautil import ipa_generate_password, realm_to_suffix
-
-from ipatests.pytest_ipa.integration import tasks
-from ipatests.pytest_ipa.integration import fips
+from ipatests.pytest_ipa.integration import fips, tasks
 from ipatests.test_integration.base import IntegrationTest
-from .test_dnssec import (
-    test_zone,
-    dnssec_install_master,
-    dnszone_add_dnssec,
-    wait_until_record_is_signed,
-)
+from .test_dnssec import (dnssec_install_master, dnszone_add_dnssec, test_zone,
+                          wait_until_record_is_signed)
 class TestInstallFIPS(IntegrationTest):
@@ -125,3 +122,22 @@ def test_krb_enctypes(self):
         self.master.run_command(["ipa-server-upgrade"])
         result = tasks.ldapsearch_dm(self.master, str(dn), args, scope="base")
         assert "camellia" not in result.stdout_text
+
+    def local_ca_generation(self):
+        """
+        Certmonger uses default OpenSSL encryption algorithms
+        to generate the PKCS12 object used for the local CA.
+        This uses operations that are disallowed under fips,
+        and so the local ca pkcs12 creds file is not generated.
+
+        Bugzilla link : https://bugzilla.redhat.com/show_bug.cgi?id=1950132
+        """
+        self.master.run_command(
+            r'rm -rf {}/local/creds'.format(paths.VAR_LIB_CERTMONGER_DIR))
+        self.master.run_command(['systemctl', 'restart', 'certmonger'])
+        time.sleep(5)
+        openssl_cmd = [
+            'openssl', 'pkcs12', '-info', '-in',
+            '{}/local/creds'.format(paths.VAR_LIB_CERTMONGER_DIR), '-noout']
+        result = self.master.run_command(openssl_cmd, stdin_text=f"\n")
+        assert 'AES-128-CBC' in result.stdout_text
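Review bot: The new method `local_ca_generation` lacks the `test_` prefix, so pytest never collects it and the regression check for the Bugzilla issue never actually runs; rename it `def test_local_ca_generation(self):`. The fixed `time.sleep(5)` after `systemctl restart certmonger` is a race on a slow or FIPS-enabled host — poll for the `local/creds` file under `paths.VAR_LIB_CERTMONGER_DIR` with a bounded timeout instead of sleeping. As far as I recall, `openssl pkcs12 -info` prints its algorithm summary (`PKCS7 Encrypted data: …`, `MAC: …`) to stderr rather than stdout, so `assert 'AES-128-CBC' in result.stdout_text` may fail even when the file is generated correctly; assert against `result.stdout_text + result.stderr_text`, or confirm which stream carries it before relying on stdout. Pinning the exact string `'AES-128-CBC'` is also brittle if certmonger's chosen FIPS-approved cipher changes (the test's intent is "no non-FIPS algorithm was used"), and `stdin_text=f"\n"` has no placeholders and should be plain `"\n"`. The hunk's context lines are the tail of `test_krb_enctypes`, whose body begins outside the hunk.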