Distroless Image Validation Report

This high-assurance report documents the automated verification process for the Wolfi OpenSSL FIPS (Distroless) image.


Execution Summary

  • Passed Verifications: 43 (All cryptographic boundaries intact)

  • Compliance Failures: 3 (Immediate remediation required)

  • Total Latency: 59.6s (End-to-end execution time)


Test Details

Fips Config File Indicators (0.69s)

File Path: tests/test_01_core_policy.py

Provider Version Metadata (0.2s)

File Path: tests/test_01_core_policy.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless list -providers -verbose

Mandatory Fips Property (0.19s)

File Path: tests/test_01_core_policy.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless dgst -sha256 -propquery fips=no /dev/null

Operational State Stability (0.2s)

File Path: tests/test_01_core_policy.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless list -providers -verbose

Default Provider Isolation (0.21s)

File Path: tests/test_01_core_policy.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless dgst -md5 /dev/null

Md5 Execution Rejection (0.21s)

File Path: tests/test_02_hashing_and_digests.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless dgst -md5 /dev/null

Sha256 Availability (0.19s)

File Path: tests/test_02_hashing_and_digests.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless dgst -sha256 /dev/null

Sha3 Availability (0.19s)

File Path: tests/test_02_hashing_and_digests.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless dgst -sha3-256 /dev/null

Shake Xof Functionality (0.21s)

File Path: tests/test_02_hashing_and_digests.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless dgst -propquery fips=yes -shake128 /dev/null

Aes Gcm Tag Length (0.21s)

File Path: tests/test_03_symmetric_ciphers.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless dgst -aes-256-gcm -macopt taglen:4 /dev/null

Fips Cipher List Integrity (0.2s)

File Path: tests/test_03_symmetric_ciphers.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless list -cipher-algorithms -propquery fips=yes

Aes Xts Duplicate Key Rejection (0.2s)

File Path: tests/test_03_symmetric_ciphers.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless enc -aes-256-xts -e -K 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -iv 00000000000000000000000000000000 -nosalt -in /dev/null

Aes Cbc Known Answer (0.38s)

File Path: tests/test_03_symmetric_ciphers.py

Aes Key Unwrapping Allowed (0.2s)

File Path: tests/test_03_symmetric_ciphers.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless list -cipher-algorithms -propquery fips=yes

3des Encryption Rejection (0.21s)

File Path: tests/test_03_symmetric_ciphers.py

Des Algorithm Absence (0.21s)

File Path: tests/test_03_symmetric_ciphers.py

Hmac Sha2 Key Length Exhaustive (0.79s)

File Path: tests/test_04_mac_integrity.py


Failure Message:

AssertionError: Compliance Failure: FIPS provider allowed weak 8-bit key for: ['SHA224', 'SHA256', 'SHA384', 'SHA512']
assert not ['SHA224', 'SHA256', 'SHA384', 'SHA512']


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless mac -propquery fips=yes -digest SHA224 -macopt hexkey:01 HMAC
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless mac -propquery fips=yes -digest SHA256 -macopt hexkey:01 HMAC
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless mac -propquery fips=yes -digest SHA384 -macopt hexkey:01 HMAC
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless mac -propquery fips=yes -digest SHA512 -macopt hexkey:01 HMAC

Hmac 112bit Security Boundary (0.2s)

File Path: tests/test_04_mac_integrity.py


Failure Message:

AssertionError: Compliance Failure: System accepted 104-bit key under FIPS query.
assert 0 != 0
 +  where 0 = CleanResult(returncode=0, stdout='AF310B4D5EAE49576A38C421DC3B8483E810491E0988BE623AA25C1CE7A91631\n', stderr='').returncode


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless mac -propquery fips=yes -digest SHA256 -macopt hexkey:0102030405060708090A0B0C0D HMAC

Cmac Aes Key Policy (0.19s)

File Path: tests/test_04_mac_integrity.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless mac -cipher AES-128-CBC -macopt hexkey:0102030405060708 CMAC

Kmac Sha3 Strength (0.2s)

File Path: tests/test_04_mac_integrity.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless mac -digest KMAC128 -macopt hexkey:01020304 KMAC

Sp800 108 Counter Kdf (0.41s)

File Path: tests/test_04_mac_integrity.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless kdf -help
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless kdf -propquery fips=yes -kdfopt mac:HMAC -kdfopt digest:SHA256 -kdfopt hexkey:0102030405060708090A0B0C0D0E0F10 -kdfopt mode:COUNTER -keylen 16 KBKDF

Sp800 108 Feedback Kdf (0.2s)

File Path: tests/test_04_mac_integrity.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless kdf -propquery fips=yes -kdfopt mac:HMAC -kdfopt digest:SHA256 -kdfopt hexkey:0102030405060708090A0B0C0D0E0F10 -kdfopt mode:FEEDBACK -keylen 16 KBKDF

Rsa Large Modulus Support (0.78s)

File Path: tests/test_05_asymmetric_and_pqc.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless genpkey -propquery fips=yes -algorithm RSA -pkeyopt rsa_keygen_bits:4096

Rsa Keygen 2048 Compliance (0.28s)

File Path: tests/test_05_asymmetric_and_pqc.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless genpkey -propquery fips=yes -algorithm RSA -pkeyopt rsa_keygen_bits:2048

Rsa Keygen Weak Rejection (0.2s)

File Path: tests/test_05_asymmetric_and_pqc.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless genpkey -propquery fips=yes -algorithm RSA -pkeyopt rsa_keygen_bits:1024

Rsa Pss Padding Signature (0.68s)

File Path: tests/test_05_asymmetric_and_pqc.py

Strict Block Legacy Curves And Algos (1.01s)

File Path: tests/test_05_asymmetric_and_pqc.py


Failure Message:

AssertionError: Security Policy Violation: The following algorithms were PERMITTED in FIPS mode: ['X25519']. Check Debug Logs.
assert not ['X25519']


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless list -key-exchange-algorithms -propquery fips=yes
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless list -signature-algorithms -propquery fips=yes
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless genpkey -algorithm Ed25519 -propquery fips=yes
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless genpkey -algorithm X25519 -propquery fips=yes
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless genpkey -algorithm Ed448 -propquery fips=yes

Ecdsa P384 Signing Flow (0.41s)

File Path: tests/test_05_asymmetric_and_pqc.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless genpkey -propquery fips=yes -algorithm EC -pkeyopt ec_paramgen_curve:P-384
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless ecparam -list_curves

Md5 Signature Verification Rejection (0.2s)

File Path: tests/test_05_asymmetric_and_pqc.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless dgst -propquery fips=yes -md5 /dev/null

Ecdh Key Derivation Raw (0.81s)

File Path: tests/test_05_asymmetric_and_pqc.py

Ml Kem Isolation In Fips (0.2s)

File Path: tests/test_05_asymmetric_and_pqc.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless genpkey -propquery fips=yes -algorithm ML-KEM-768

Legacy Engines Absence (0.21s)

File Path: tests/test_06_architecture_compliance.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless engine

Container User Security (0.01s)

File Path: tests/test_06_architecture_compliance.py

Drbg Functionality (0.2s)

File Path: tests/test_06_architecture_compliance.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless rand -propquery fips=yes -hex 32

Entropy Source Validation (0.21s)

File Path: tests/test_06_architecture_compliance.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless list -random-generators -verbose

Pbkdf2 Derivation (0.21s)

File Path: tests/test_06_architecture_compliance.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless kdf -propquery fips=yes -kdfopt digest:SHA256 -kdfopt pass:password123 -kdfopt hexsalt:0102030405060708090A0B0C0D0E0F10 -kdfopt iter:1000 -keylen 32 PBKDF2

Tcp Connectivity (0.25s)

File Path: tests/test_11_network_tls.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless s_client -connect 1.1.1.1:443

Dns Resolution (0.26s)

File Path: tests/test_11_network_tls.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless s_client -connect google.com:443

Certificate Parsing (0.22s)

File Path: tests/test_11_network_tls.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless x509 -in /etc/ssl/certs/ca-certificates.crt -noout -text

Cipher Suite Enforcement (0.23s)

File Path: tests/test_11_network_tls.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless s_client -connect www.google.com:443 -ciphersuites TLS_AES_256_GCM_SHA384

Integrity Check Tampering (0.4s)

File Path: tests/test_11_network_tls.py

Tls Legacy Protocol Blocking (0.22s)

File Path: tests/test_11_network_tls.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless s_client -connect google.com:443 -tls1

Non Fips Cipher Rejection Over Network (0.21s)

File Path: tests/test_11_network_tls.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless s_client -connect www.openssl.org:443 -cipher RC4-MD5

Fips Approved Key Exchange Negotiation (15.24s)

File Path: tests/test_11_network_tls.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless s_client -connect www.cloudflare.com:443 -curves secp384r1 -ign_eof

Rejection Of Sha1 Certificate Signature (0.62s)

File Path: tests/test_11_network_tls.py


Logs:
[INFO] Executing: docker run --user 0 --rm ghcr.io/taha2samy/wolfi-openssl-fips:3.5.5-distroless s_client -connect sha1-2017.badssl.com:443

Secure Tls13 Session Resumption (30.45s)

File Path: tests/test_11_network_tls.py