From 602fae0c54a14a0e3b339f08c82e7044e3b4665d Mon Sep 17 00:00:00 2001
From: Ian Tewksbury
Date: Fri, 13 Jun 2014 11:47:23 -0400
Subject: [PATCH] add option to enable FIPS on the NSS DB.

---
 README.md | 10 +++++++++-
 manifests/create.pp | 27 +++++++++++++++++++++------
 2 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index dcfc419..d802870 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ nsstools::create { '/etc/dirsrv/slapd-ldap1':
   mode => '0660',
   password => 'example',
   manage_certdir => false,
+  enable_fips => false,
 }
 
 nsstools::add_cert_and_key{ 'Server-Cert':
@@ -128,7 +129,8 @@ nsstools::create { :
   group => undef,
   mode => '0600',
   certdir_mode => '0700',
-  manage_certdir => true
+  manage_certdir => true,
+  enable_fips => false,
 }
 ```
 
@@ -175,6 +177,12 @@ nsstools::create { <title>:
   `String` Defaults to: `0700`
 
 
+ * `enable_fips`
+
+  `Boolean` Defaults to: `true`
+
+  If `true` enables FIPS compliance mode on the NSS DB.
+
 ### `add_cert`
 
 Insert a certificate into an existing NSS database.
diff --git a/manifests/create.pp b/manifests/create.pp
index a1ee8c4..125984d 100644
--- a/manifests/create.pp
+++ b/manifests/create.pp
@@ -8,6 +8,7 @@
 # $mode - optional - defaults to '0600'
 # $certdir_mode - optional - defaults to '0700'
 # $manage_certdir - optional - defaults to true
+# $enable_fips - optional - defaults to false
 #
 # Actions:
 # creates a new NSS database, consisting of 4 files:
@@ -25,7 +26,8 @@
 #   group => 'root',
 #   mode => '0600',
 #   certdir_mode => '0700',
-#   manage_certdir => true
+#   manage_certdir => true,
+#   enable_fips => false,
 # }
 #
 #
@@ -36,7 +38,8 @@
   $group = undef,
   $mode = '0600',
   $certdir_mode = '0700',
-  $manage_certdir = true
+  $manage_certdir = true,
+  $enable_fips = false,
 ) {
 
   include nsstools
@@ -47,6 +50,7 @@
   validate_string($mode)
   validate_string($certdir_mode)
   validate_bool($manage_certdir)
+  validate_bool($enable_fips)
 
   if $manage_certdir {
     file { $certdir:
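Review bot: The header line `# $enable_fips - optional - defaults to false` added in the `@@ -8,6 +8,7 @@` hunk agrees with `$enable_fips = false` in the parameter hunk below it, but the README hunk `@@ -175,6 +177,12 @@` in the same patch documents the parameter as "`Boolean` Defaults to: `true`". Since the code default is `false`, the README line should read "`Boolean` Defaults to: `false`"; as written, an operator reading the README would assume a newly created database is in FIPS mode when it is not. The header could also say what the flag does, e.g. `# $enable_fips - optional - defaults to false; when true, runs modutil to switch the new NSS DB to FIPS mode`.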
@@ -62,7 +66,8 @@
     $require_certdir = undef
   }
 
-  file { "${certdir}/nss-password.txt":
+  $_password_file = "${certdir}/nss-password.txt"
+  file { $_password_file:
     ensure => file,
     owner => $owner,
     group => $group,
@@ -81,17 +86,27 @@
     group => $group,
     mode => $mode,
     require => [
-      File["${certdir}/nss-password.txt"],
+      File[$_password_file],
       Exec["create_nss_db_${title}"],
     ],
   }
 
   exec { "create_nss_db_${title}":
-    command => "/usr/bin/certutil -N -d ${certdir} -f ${certdir}/nss-password.txt",
+    command => "/usr/bin/certutil -N -d ${certdir} -f ${_password_file}",
     creates => ["${certdir}/cert8.db", "${certdir}/key3.db", "${certdir}/secmod.db"],
     require => [
-      File["${certdir}/nss-password.txt"],
+      File[$_password_file],
       Class['nsstools'],
     ]
   }
+
+  if $enable_fips {
+    # enable fips mode on the NSS DB after DB creation
+    exec { "enable_fips_mode_${title}":
+      command => "/usr/bin/modutil -fips true -dbdir ${certdir} -force",
+      unless => "/usr/bin/modutil -chkfips true -dbdir ${certdir}",
+      subscribe => [Exec["create_nss_db_${title}"],],
+      refreshonly => true,
+    }
+  }
 }
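Review bot: `refreshonly => true` on `enable_fips_mode_${title}` in the `@@ -81,17 +86,27 @@` hunk ties the FIPS switch to the one-time refresh sent by `create_nss_db_${title}`, so a database that already exists, or a node where `enable_fips` is flipped to `true` after creation, stays in non-FIPS mode with nothing reported by Puppet, and setting `enable_fips => false` later never reverses it. The `unless => "/usr/bin/modutil -chkfips true -dbdir ${certdir}"` guard already makes the exec idempotent, so it can be evaluated on every run: replace `subscribe => [Exec["create_nss_db_${title}"],],` and `refreshonly => true,` with `require => Exec["create_nss_db_${title}"],`. This assumes `modutil -chkfips true` exits zero only when FIPS mode is already on, which should be confirmed against the NSS version the module targets. Other resources that chain off `create_nss_db_${title}` (the `file` resource above and, presumably, the module's cert-import defines) have no ordering relative to the FIPS exec, so imports may run before or after the mode switch; worth confirming that is acceptable. The enclosing `nsstools::create` define begins before this hunk.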