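--- a/tests/tests_certificate_existing.yml
+++ b/tests/tests_certificate_existing.yml
@@ -18,6 +18,34 @@
 - name: Check if cockpit is new enough (at least 257) to support existing certificates
 when: ansible_facts.packages['cockpit-ws'][0].version | int >= 257
 block:
+- name: Check if the managed node needs crypto-policies to be able to use PQC
+when:
+- __cockpit_is_rh_distro | bool
+- (ansible_facts["distribution"] == "RedHat" and ansible_facts["distribution_version"] is version("9.7", ">=")
+and ansible_facts["distribution_version"] is version("10", "<"))
+or (ansible_facts["distribution"] != "RedHat" and
+ansible_facts['distribution_major_version'] is version("9", "=="))
+block:
+# calling role with null will just return the current policy
+- name: Get current crypto policy
+include_role:
+name: fedora.linux_system_roles.crypto_policies
+vars:
+crypto_policies_policy: null
+
+- name: Set variables needed for support and cleanup
+set_fact:
+# We need to reset this after the test is done
+__crypto_policies_policy: "{{ crypto_policies_active | d('') }}"
+
+# https://issues.redhat.com/browse/RHEL-107877
+# rhel 9.7 and later, or EL9 other than RHEL, needs crypto-policies to be able to use PQC
+- name: Ensure managed node is able to use PQC
+include_role:
+name: fedora.linux_system_roles.crypto_policies
+vars:
+crypto_policies_policy: DEFAULT:PQ
+
 - name: Create test certificate key
 command: openssl ecparam -name secp521r1 -genkey -out /etc/myserver.key
 args:
@@ -73,5 +101,12 @@
 - always
 - tests::cleanup
 
+- name: Reset crypto policies
+include_role:
+name: fedora.linux_system_roles.crypto_policies
+vars:
+crypto_policies_policy: "{{ __crypto_policies_policy }}"
+when: __crypto_policies_policy | d("") | length > 0
+
 - name: Cleanup
 include_tasks: tasks/cleanup.yml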
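Review bot: The saved policy in `Set variables needed for support and cleanup` falls back to an empty string via `d('')`, and `Reset crypto policies` is skipped when that value is empty, so if the first role call does not set `crypto_policies_active` the test still switches the node to `DEFAULT:PQ` and never restores the system-wide crypto policy. Consider failing early instead, e.g. `__crypto_policies_policy: "{{ crypto_policies_active }}"`; the reset's own `d("")` guard still covers runs where the whole block was skipped. The reset task also carries no tags, while the task just above it appears to end with `always` / `tests::cleanup` (its `tags:` line is outside the hunk); if that is the convention, add `tags: tests::cleanup` so the restore runs with the other cleanup steps. Indentation is not visible in this rendering, so whether the reset sits in an `always:` section that still runs after a mid-test failure should be confirmed.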