Merge pull request redpanda-data#24094 from IoannisRP/ik-fix-pkcs12-test

IoannisRP · web-flow · commit 0a893453315b · 2024-11-14T17:01:16.000Z
[CORE-7766] dt: disable pkcs12 test in fips mode
diff --git a/tests/rptest/tests/pkcs12_test.py b/tests/rptest/tests/pkcs12_test.py
@@ -10,8 +10,8 @@
 import socket
 
 from ducktape.cluster.cluster import ClusterNode
-from ducktape.mark import matrix
 from ducktape.services.service import Service
+from rptest.utils.mode_checks import skip_fips_mode
 from rptest.clients.rpk import RpkTool
 from rptest.services.admin import Admin
 from rptest.services.cluster import cluster
@@ -21,9 +21,8 @@
 
 
 class P12TLSProvider(TLSProvider):
-    def __init__(self, tls: TLSCertManager, use_pkcs12: bool):
+    def __init__(self, tls: TLSCertManager):
         self.tls = tls
-        self.use_pkcs12 = use_pkcs12
 
     @property
     def ca(self) -> CertificateAuthority:
@@ -40,7 +39,7 @@ def create_service_client_cert(self, _: Service, name: str) -> Certificate:
                                     common_name=name)
 
     def use_pkcs12_file(self) -> bool:
-        return self.use_pkcs12
+        return True
 
     def p12_password(self, node: ClusterNode) -> str:
         assert node.name in self.tls.certs, f"No certificate associated with node {node.name}"
@@ -63,9 +62,9 @@ def setUp(self):
         # Skip set up to allow test to control how Redpanda's TLS settings are configured
         pass
 
-    def _prepare_cluster(self, use_pkcs12: bool):
+    def _prepare_cluster(self):
         self.tls = TLSCertManager(self.logger)
-        self.provider = P12TLSProvider(self.tls, use_pkcs12)
+        self.provider = P12TLSProvider(self.tls)
         self.user_cert = self.tls.create_cert(socket.gethostname(),
                                               common_name="walterP",
                                               name="user")
@@ -86,13 +85,18 @@ def _prepare_cluster(self, use_pkcs12: bool):
         self.admin.create_user("walterP", self.password, self.algorithm)
         self.rpk = RpkTool(self.redpanda, tls_cert=self.user_cert)
 
+    # This should be revisited when OpenSSL has been upgraded to 3.4+
+    # Until then, the pkcs#12 file generated by OpenSSL is not FIPS compliant
+    # as it uses the PKCS12KDF MAC which is not an approved FIPS algorithm.
+    # Some further reading can be found here:
+    # https://www.redhat.com/en/blog/fips-140-3-changes-pkcs-12
+    @skip_fips_mode
     @cluster(num_nodes=3)
-    @matrix(use_pkcs12=[True, False])
-    def test_smoke(self, use_pkcs12: bool):
+    def test_smoke(self):
         """
         Simple smoke test to verify that the PKCS12 file is being used
         """
-        self._prepare_cluster(use_pkcs12)
+        self._prepare_cluster()
         TOPIC_NAME = "foo"
         self.rpk.create_topic(TOPIC_NAME)
         topics = [t for t in self.rpk.list_topics()]
