From 06a6fcb1696cc20e92f72b38b60a877465c566be Mon Sep 17 00:00:00 2001
From: Ioannis Kavvadias
Date: Mon, 11 Nov 2024 21:35:46 +0000
Subject: [PATCH 1/2] dt: disable pkcs12 test in fips mode

pkcs12 is not a fips-compliant algorithm. When openssl operates in fips mode it allows only for fips-compliant algorithms, thus using it with pkcs12 produces an error.
---
 tests/rptest/tests/pkcs12_test.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tests/rptest/tests/pkcs12_test.py b/tests/rptest/tests/pkcs12_test.py
index 072ad841be0a1..cc23ba17f25f4 100644
--- a/tests/rptest/tests/pkcs12_test.py
+++ b/tests/rptest/tests/pkcs12_test.py
@@ -12,6 +12,7 @@
 from ducktape.cluster.cluster import ClusterNode
 from ducktape.mark import matrix
 from ducktape.services.service import Service
+from rptest.utils.mode_checks import skip_fips_mode
 from rptest.clients.rpk import RpkTool
 from rptest.services.admin import Admin
 from rptest.services.cluster import cluster
@@ -86,6 +87,12 @@ def _prepare_cluster(self, use_pkcs12: bool):
 self.admin.create_user("walterP", self.password, self.algorithm)
 self.rpk = RpkTool(self.redpanda, tls_cert=self.user_cert)

+ # This should be revisited when OpenSSL has been upgraded to 3.4+
+ # Until then, the pkcs#12 file generated by OpenSSL is not FIPS compliant
+ # as it uses the PKCS12KDF MAC which is not an approved FIPS algorithm.
+ # Some further reading can be found here:
+ # https://www.redhat.com/en/blog/fips-140-3-changes-pkcs-12
+ @skip_fips_mode
 @cluster(num_nodes=3)
 @matrix(use_pkcs12=[True, False])
 def test_smoke(self, use_pkcs12: bool):
From 41126c9919c3737492a2989b81ee2d20e9cfde13 Mon Sep 17 00:00:00 2001
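Review bot: The new comment above `@skip_fips_mode` reads as if the skip ends with an OpenSSL upgrade, but upgrading alone does not change the file: as far as I know OpenSSL 3.4 adds PBMAC1 (PBKDF2-based) as an optional PKCS#12 integrity MAC and keeps PKCS12KDF as the default, so the generator that produces the test's `.p12` must also opt into PBMAC1 before the decorator can be dropped. Suggest tightening the first line to `# Revisit once OpenSSL >= 3.4 is in use AND the PKCS#12 generator is switched to the PBMAC1 MAC; until then` so nobody removes the skip on the version bump alone. With the skip in place the PKCS#12-plus-FIPS combination is no longer exercised at all; the error the commit message describes is itself behaviour worth pinning in a small negative test (FIPS mode, PKCS#12 keystore configured, assert a clear startup/config error), otherwise a later regression that silently accepts a non-compliant keystore would go unnoticed. Whether `@skip_fips_mode` must be the outermost decorator depends on its implementation, which is outside this hunk; test_smoke's body also continues outside the hunk.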
From: Ioannis Kavvadias
Date: Tue, 12 Nov 2024 13:27:36 +0000
Subject: [PATCH 2/2] dt: simplify pkcs12 test

pkcs12 test doesn't need to test that topic creation works when pkcs12 is not active. This is being actively tested by every other test that implements a non-P12 TLSProvider
---
 tests/rptest/tests/pkcs12_test.py | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/tests/rptest/tests/pkcs12_test.py b/tests/rptest/tests/pkcs12_test.py
index cc23ba17f25f4..39241157b80bd 100644
--- a/tests/rptest/tests/pkcs12_test.py
+++ b/tests/rptest/tests/pkcs12_test.py
@@ -10,7 +10,6 @@
 import socket

 from ducktape.cluster.cluster import ClusterNode
-from ducktape.mark import matrix
 from ducktape.services.service import Service
 from rptest.utils.mode_checks import skip_fips_mode
 from rptest.clients.rpk import RpkTool
@@ -22,9 +21,8 @@


 class P12TLSProvider(TLSProvider):
- def __init__(self, tls: TLSCertManager, use_pkcs12: bool):
+ def __init__(self, tls: TLSCertManager):
 self.tls = tls
- self.use_pkcs12 = use_pkcs12

 @property
 def ca(self) -> CertificateAuthority:
@@ -41,7 +39,7 @@ def create_service_client_cert(self, _: Service, name: str) -> Certificate:
 common_name=name)

 def use_pkcs12_file(self) -> bool:
- return self.use_pkcs12
+ return True

 def p12_password(self, node: ClusterNode) -> str:
 assert node.name in self.tls.certs, f"No certificate associated with node {node.name}"
@@ -64,9 +62,9 @@ def setUp(self):
 # Skip set up to allow test to control how Redpanda's TLS settings are configured
 pass

- def _prepare_cluster(self, use_pkcs12: bool):
+ def _prepare_cluster(self):
 self.tls = TLSCertManager(self.logger)
- self.provider = P12TLSProvider(self.tls, use_pkcs12)
+ self.provider = P12TLSProvider(self.tls)
 self.user_cert = self.tls.create_cert(socket.gethostname(), common_name="walterP", name="user")
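Review bot: `use_pkcs12_file` now returns a hard-coded `True` (hunk at -41,7), which together with the simplified `__init__` (hunk at -22,9) turns `P12TLSProvider` into a single-purpose PKCS#12 provider, yet nothing in the class states that. Suggest a class docstring such as `"""TLSProvider that always hands Redpanda a PKCS#12 keystore; the PEM path is covered by every other TLSProvider."""` and, on the method, `"""Always true: this provider exists only to exercise the PKCS#12 code path."""`, so a reader does not go looking for a switch that no longer exists. Both enclosing definitions continue outside their hunks.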
@@ -94,12 +92,11 @@ def _prepare_cluster(self, use_pkcs12: bool):
 # https://www.redhat.com/en/blog/fips-140-3-changes-pkcs-12
 @skip_fips_mode
 @cluster(num_nodes=3)
- @matrix(use_pkcs12=[True, False])
- def test_smoke(self, use_pkcs12: bool):
+ def test_smoke(self):
 """
 Simple smoke test to verify that the PKCS12 file is being used
 """
- self._prepare_cluster(use_pkcs12)
+ self._prepare_cluster()
 TOPIC_NAME = "foo"
 self.rpk.create_topic(TOPIC_NAME)
 topics = [t for t in self.rpk.list_topics()]
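Review bot: The docstring kept on `test_smoke` says the test verifies that the PKCS#12 file is being used, but with the `use_pkcs12=False` arm removed nothing in the body distinguishes the PKCS#12 path from a plain PEM setup — creating and listing a topic only shows that TLS came up. Either narrow the docstring to `Smoke test: topic creation over TLS succeeds when the broker is configured with a PKCS#12 keystore`, or add one assertion on the broker-side TLS configuration that `_prepare_cluster` writes (e.g. that the configured key-store path is the `.p12` file rather than a PEM key); I cannot confirm what that configuration looks like since the plumbing is outside the hunk. Minor: `topics = [t for t in self.rpk.list_topics()]` is a plain copy and reads better as `topics = list(self.rpk.list_topics())`. The rest of test_smoke continues past the hunk.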