tests: add fips.enable.https

To verify that using TLS works in FIPS mode by having Ignition
fetch a remote resource over HTTPS with FIPS compatible algorithms.

tests/containers: setup nginx only serves files over HTTPS with
FIPS compatible algorithms.

Fixes https://issues.redhat.com/browse/COS-3487

Author: HuijingHei

mantle/kola/tests/fips/fips.go

@@ -140,6 +140,70 @@ func init() {
 			}
 		}`),
 	})
+	// Test that using TLS works in FIPS mode by having Ignition fetch
+	// a remote resource over HTTPS with FIPS compatible algorithms.
+	// See https://issues.redhat.com/browse/COS-3487
+	// Note that 34.136.148.229 (on GCP) is an HTTPS server powered by
+	// nginx, delivering a small file exclusively over HTTPS using
+	// FIPS-compliant algorithms.
+	register.RegisterTest(&register.Test{
+		Run:         fipsEnableTest,
+		ClusterSize: 1,
+		Name:        `fips.enable.https`,
+		Description: "Verify that fips enabled works if fetching a remote resource over HTTPS with FIPS compatible algorithms.",
+		Flags:       []register.Flag{},
+		Tags:        []string{kola.NeedsInternetTag},
+		Distros:     []string{"rhcos"},
+		Platforms:   []string{"qemu"},
+		UserData: conf.Ignition(`{
+			"ignition": {
+				"config": {
+					"replace": {
+						"source": null,
+						"verification": {}
+					}
+				},
+				"security": {
+					"tls": {
+						"certificateAuthorities": [
+							{
+								"compression": "gzip",
+								"source": "data:;base64,H4sIAAAAAAAC/2SUyc67SBLE7zzF3NEIDMY2h/+hirUwYAqzGG4Ym93sUJinH33f9KW78/hLKZQpRcR/fwYqGrL/Iymuh1QkAU/5pZSFkGJUkgS6Uw4IgiBHfphDf1ec6UuCl7glnBA2aSZXtM8rRMaRce1iVKypDbBiUhADou/Ky4KTBg6+Agjx3brB/hf6nmrlgRbsLwl68cPg4gciepHaVhURaweCJacsZcuIC3/g/gu5H/jLKpBZLks0EskBxrIMXe0eQA+prvUjHj9sFql2Q6Vt3KQ/LyTon+dBiIGc55oDZEkCUSfluQaBOfiNtsJ1dDVZ3Y8UmwguZ3wCYxRuhfnkNNmxBPwsF9GrXqmPA21L6zbuc7CVn8XH7eHMFWKaYTcrxwQL1KOLuN5yDibGp5RVzZIJRvy8+OpSkio+uuOb6D3J6jcaX6+pbfJHaEVCvd0zwvInWaKYJWws1h9zyG+HXlU1Rr1r+Oltr63OVe5wjI5kXvDUzqIqrmO+qH09nbVeGxr2zpSQ0sni2BLzOIyGPdTZ0GV1XJzJZ3pnbO8P9f2cIZNlu/Xx9L+Aufpxrot6aDROsuJJCChQF2f4Pp+zOMZP83lT4toajH3sr6fnHShpvaNqJ0XUh8dPmbs9A1IbJ13iJMvzCfeequJdjWeeLlujylMzXcwsPAkKMpLytqKbu7sDU9nu5SCmxl2fVuKr9OmBw3yor1DAC6XXNF15hrSH73xwPWLV4NL3QlA9ir188q/0pI/z+65zZkTLimM7lhk9twv/yI5nPdI6ioF5ZFnO1XLyYRngh1/V01E33c9XDLKdyzRhChbaf9YtL3w4T5YwkgEGsDt0JJTBjYK5Hej4AkF2USCwJJgAouaRHLhsA7DOQECIlEfoSiIIsa8DohCZ/O5dCHJCwS5VUFf6ggde/xc7KmqOfU2TpNQ2mMRC5TvKUmk/XTiPzokO/uZY6idRf1kWAq29LTVnuygNHD7KnZKvP+Gtvr6KEykfHkGHIaTldoNWnU3R8crAM2XsheguE7Ju61HqrVPjJ/pMW5d7HY2emtIXYanZA/9q+sz9rNxc9qZEsuy9lCf7enitVN8zLK8+V/T9CpKUTNfKZD/f99cqR5kchLEjN63lp/myZffuI9d8V8ustt7riCv8XA+pZvYq2+EL/cJFGhwDus/y4fwyu/r65sak+AgXTmmbZb4nM7LWzdUmTpx59fE5BanRbhTig13rfe7qFS5kl++8uQFmkgN/9NAqJ/40QDxdZk2KgXs/mHz/8tJkwo6gMElSiw2VHeJWedl6aTf1zbKudvDQFJrZwgsX6HQbPObiLMYuCu4O6Rv2w1YBOBVtl3a0G3rLlXI8e9VaWbokE6vvDW2lhyVXSuGUI5HfrF7cjCkbTFEYWJugJWLe7Cl4h81tEY/z1kZUW/F8dJkekTKLGS1gWXJ2+vkuDFX3xm6bAsN4Sbsz6A9P3Phw55E5ztZZ79TpSLNAofbMVLubdwZtGOrgzx/qt6wVW/53gf8vAAD///rvDevdBQAA"
+							}
+						]
+					}
+				},
+				"timeouts": {},
+				"version": "3.4.0"
+			},
+			"passwd": {},
+			"storage": {
+				"files": [
+					{
+						"group": {
+							"name": "root"
+						},
+						"overwrite": true,
+						"path": "/etc/ignition-machine-config-encapsulated.json",
+						"user": {
+							"name": "root"
+						},
+						"contents": {
+							"source": "data:,%7B%22metadata%22%3A%7B%22name%22%3A%22rendered-worker-1cc576110e0cf8396831ce4016f63900%22%2C%22selfLink%22%3A%22%2Fapis%2Fmachineconfiguration.openshift.io%2Fv1%2Fmachineconfigs%2Frendered-worker-1cc576110e0cf8396831ce4016f63900%22%2C%22uid%22%3A%2248871c03-899d-4332-a5f5-bef94e54b23f%22%2C%22resourceVersion%22%3A%224168%22%2C%22generation%22%3A1%2C%22creationTimestamp%22%3A%222019-11-04T15%3A54%3A08Z%22%2C%22annotations%22%3A%7B%22machineconfiguration.openshift.io%2Fgenerated-by-controller-version%22%3A%22bd846958bc95d049547164046a962054fca093df%22%7D%2C%22ownerReferences%22%3A%5B%7B%22apiVersion%22%3A%22machineconfiguration.openshift.io%2Fv1%22%2C%22kind%22%3A%22MachineConfigPool%22%2C%22name%22%3A%22worker%22%2C%22uid%22%3A%223d0dee9e-c9d6-4656-a4a9-81785b9ab01a%22%2C%22controller%22%3Atrue%2C%22blockOwnerDeletion%22%3Atrue%7D%5D%7D%2C%22spec%22%3A%7B%22osImageURL%22%3A%22registry.svc.ci.openshift.org%2Focp%2F4.3-2019-11-04-125204%40sha256%3A8a344c5b157bd01c3ca1abfcef0004fc39f5d69cac1cdaad0fd8dd332ad8e272%22%2C%22config%22%3A%7B%22ignition%22%3A%7B%22config%22%3A%7B%7D%2C%22security%22%3A%7B%22tls%22%3A%7B%7D%7D%2C%22timeouts%22%3A%7B%7D%2C%22version%22%3A%223.0.0%22%7D%2C%22networkd%22%3A%7B%7D%2C%22passwd%22%3A%7B%7D%2C%22storage%22%3A%7B%7D%2C%22systemd%22%3A%7B%7D%7D%2C%22kernelArguments%22%3A%5B%5D%2C%22fips%22%3Atrue%7D%7D",
+							"verification": {}
+						},
+						"mode": 420
+					},
+					{
+						"path": "/var/resource/https-fips",
+						"contents": {
+							"source": "https://34.136.148.229:8443/index.html"
+						}
+					}
+				]
+			}
+		}`),
+	})
 }
 
 // Test: Run basic FIPS test

tests/containers/fips-nginx/Containerfile

@@ -0,0 +1,16 @@
+FROM quay.io/fedora/fedora:43
+
+RUN dnf install -y nginx && dnf clean all
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY index.html /usr/share/nginx/html/index.html
+
+# TLS material
+COPY fips-server.crt /etc/nginx/tls/fips-server.crt
+COPY fips-server.key /etc/nginx/tls/fips-server.key
+
+RUN chmod 600 /etc/nginx/tls/fips-server.key
+
+EXPOSE 8443
+
+CMD ["nginx", "-g", "daemon off;"]

tests/containers/fips-nginx/README.md

@@ -0,0 +1,11 @@
+# fips-nginx Container
+
+This is used by the `fips.enable.https` test to verify that using
+TLS works in FIPS mode by having Ignition fetch a remote resource
+over HTTPS with FIPS compatible algorithms.
+
+To build the container using command:
+`./build.sh <IP>`
+
+To run the container image using command:
+`podman run -d --name fips-nginx -p 8443:8443 fips-nginx`

tests/containers/fips-nginx/build.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+# Run the image using command:
+# podman run -d --name fips-nginx -p 8443:8443 fips-nginx
+set -euo pipefail
+
+# Check if argument is provided
+if [ $# -eq 0 ]; then
+    echo "Error: Missing IP address argument"
+    echo "Usage: $0 <ip-address>"
+    exit 1
+fi
+
+ip="$1"
+
+cd "$(mktemp -d)"
+# Prepare openssl.cnf
+# The IP must point to an nginx server configured with FIPS-compliant ciphers
+cat <<SSLEOF > openssl.cnf
+[ req ]
+default_bits        = 3072
+distinguished_name  = dn
+prompt              = no
+string_mask         = utf8only
+req_extensions      = req_ext
+
+[ dn ]
+CN = FIPS TLS Test Server
+
+[ req_ext ]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = critical, serverAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
+IP.1 = ${ip}
+SSLEOF
+
+# Prepare index.html
+cat <<EOF > index.html
+This file was served from an RHCOS FIPS-hardened server.
+EOF
+
+# Prepare nginx.conf
+cat <<EOF > nginx.conf
+events {}
+
+http {
+    server {
+        listen 8443 ssl;
+        server_name _;
+
+        # ---- FIPS-only TLS ----
+        ssl_protocols TLSv1.2;
+        ssl_prefer_server_ciphers on;
+
+        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
+
+        ssl_certificate     /etc/nginx/tls/fips-server.crt;
+        ssl_certificate_key /etc/nginx/tls/fips-server.key;
+
+        location / {
+            root /usr/share/nginx/html;
+            index index.html;
+        }
+    }
+}
+EOF
+
+# Prepare key and crt
+## Generate the private key (FIPS-approved)
+openssl genpkey \
+  -algorithm RSA \
+  -pkeyopt rsa_keygen_bits:3072 \
+  -out fips-server.key
+
+## Generate CSR (still FIPS-only)
+openssl req -new -key fips-server.key -out fips-server.csr -config openssl.cnf
+
+## Self-sign the certificate (TLS-compatible + FIPS)
+openssl x509 -req \
+  -in fips-server.csr \
+  -signkey fips-server.key \
+  -out fips-server.crt \
+  -days 3650 \
+  -sha256 \
+  -extfile openssl.cnf \
+  -extensions req_ext
+
+# Verify SAN present
+openssl x509 -in fips-server.crt -noout -text | grep -A2 "Subject Alternative Name"
+
+openssl verify \
+  -provider fips \
+  -CAfile fips-server.crt \
+  fips-server.crt
+
+rm fips-server.csr openssl.cnf
+
+podman build -t fips-nginx .