test: use crypto policy DEFAULT:PQ to enable PQC on el9.7 and later

richm · richm · commit 265421499060 · 2026-01-16T11:42:28.000-07:00
Have to enable crypto policy DEFAULT:PQ in order to use post quantum crypto
on el9.7 and later.

Signed-off-by: Rich Megginson &lt;rmeggins@redhat.com&gt;
diff --git a/tests/tests_certificate_existing.yml b/tests/tests_certificate_existing.yml
@@ -18,6 +18,34 @@
     - name: Check if cockpit is new enough (at least 257) to support existing certificates
       when: ansible_facts.packages['cockpit-ws'][0].version | int >= 257
       block:
+        - name: Check if the managed node needs crypto-policies to be able to use PQC
+          when:
+            - __cockpit_is_rh_distro | bool
+            - (ansible_facts["distribution"] == "RedHat" and ansible_facts["distribution_version"] is version("9.7", ">=")
+              and ansible_facts["distribution_version"] is version("10", "<"))
+              or (ansible_facts["distribution"] != "RedHat" and
+                  ansible_facts['distribution_major_version'] is version("9", "=="))
+          block:
+            # calling role with null will just return the current policy
+            - name: Get current crypto policy
+              include_role:
+                name: fedora.linux_system_roles.crypto_policies
+              vars:
+                crypto_policies_policy: null
+
+            - name: Set variables needed for support and cleanup
+              set_fact:
+                # We need to reset this after the test is done
+                __crypto_policies_policy: "{{ crypto_policies_active | d('') }}"
+
+            # https://issues.redhat.com/browse/RHEL-107877
+            # rhel 9.7 and later, or EL9 other than RHEL, needs crypto-policies to be able to use PQC
+            - name: Ensure managed node is able to use PQC
+              include_role:
+                name: fedora.linux_system_roles.crypto_policies
+              vars:
+                crypto_policies_policy: DEFAULT:PQ
+
         - name: Create test certificate key
           command: openssl ecparam -name secp521r1 -genkey -out /etc/myserver.key
           args:
@@ -73,5 +101,12 @@
             - always
             - tests::cleanup
 
+        - name: Reset crypto policies
+          include_role:
+            name: fedora.linux_system_roles.crypto_policies
+          vars:
+            crypto_policies_policy: "{{ __crypto_policies_policy }}"
+          when: __crypto_policies_policy | d("") | length > 0
+
         - name: Cleanup
           include_tasks: tasks/cleanup.yml
