From 64ce56ab15d148f8f9f35803ba93c008d4aa8fdc Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Fri, 19 Jun 2026 15:02:17 +0200
Subject: [PATCH 1/2] ROX-35107: Add verify-crypto-policies
---
 tasks/verify-crypto-policies-task.yaml | 42 ++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 tasks/verify-crypto-policies-task.yaml
diff --git a/tasks/verify-crypto-policies-task.yaml b/tasks/verify-crypto-policies-task.yaml
new file mode 100644
index 0000000..425a27d
--- /dev/null
+++ b/tasks/verify-crypto-policies-task.yaml
@@ -0,0 +1,42 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ name: verify-crypto-policies
+ labels:
+ app.kubernetes.io/version: "0.1"
+spec:
+ description: >-
+ Verify that OpenSSL in the built image is configured to support post-quantum
+ cryptography (more specifically, the ML-KEM algorithm group). Regressions can
+ occur e.g. if the crypto-policy setting is removed from the Dockerfile, or the
+ base image is changed to one that does not support post-quantum cryptography.
+ params:
+ - name: IMAGE_URL
+ description: The URL of the built image to verify.
+ type: string
+ - name: IMAGE_DIGEST
+ description: The digest of the built image to verify.
+ type: string
+ steps:
+ - name: check-pq-crypto-policy
+ image: $(params.IMAGE_URL)@$(params.IMAGE_DIGEST)
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: EXPECTED_GROUP
+ value: X25519MLKEM768
+ - name: CONFIG_FILE
+ value: /etc/crypto-policies/back-ends/opensslcnf.config
+ script: |
+ #!/bin/bash
+ set -euo pipefail
+ echo "Verifying post-quantum crypto policy configuration..."
+ if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then
+ echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}"
+ else
+ echo "Contents of ${CONFIG_FILE}:"
+ cat "${CONFIG_FILE}"
+ echo
+ echo "FAIL: The image's OpenSSL is not configured to support ML-KEM."
+ echo "FAIL: ${EXPECTED_GROUP} not found in ${CONFIG_FILE}"
+ exit 1
+ fi
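Review bot: The step runs inside the image under test (`image: $(params.IMAGE_URL)@$(params.IMAGE_DIGEST)`) with `#!/bin/bash` and relies on `grep` and `cat`, so a base image that ships no bash or coreutils fails at shell startup with an exec error instead of the PASS/FAIL verdict this Task is meant to produce, and nothing in the Task states that requirement. Consider documenting it above `script: |` with `# Runs inside the built image: bash, grep and cat must be present there.`, and if minimal base images are expected, running the check from a tooling image against the target's filesystem instead. `EXPECTED_GROUP` and `CONFIG_FILE` are fixed `env` values; exposing them as params with these same defaults would let the Task verify other policies or config paths without editing the script. The reference is digest-pinned, so `imagePullPolicy: IfNotPresent` is fine as written.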
From 12866a8deef790a14cddec03c4ca24c5b40f74b4 Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Fri, 19 Jun 2026 15:17:46 +0200
Subject: [PATCH 2/2] Apply code review comments
---
 tasks/verify-crypto-policies-task.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tasks/verify-crypto-policies-task.yaml b/tasks/verify-crypto-policies-task.yaml
index 425a27d..66b16fd 100644
--- a/tasks/verify-crypto-policies-task.yaml
+++ b/tasks/verify-crypto-policies-task.yaml
@@ -1,7 +1,7 @@
 apiVersion: tekton.dev/v1
 kind: Task
 metadata:
- name: verify-crypto-policies
+ name: verify-pq-crypto-policies
 labels:
 app.kubernetes.io/version: "0.1"
 spec:
@@ -30,7 +30,11 @@ spec:
 #!/bin/bash
 set -euo pipefail
 echo "Verifying post-quantum crypto policy configuration..."
- if grep -q "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then
+ if [ ! -f "${CONFIG_FILE}" ]; then
+ echo "FAIL: ${CONFIG_FILE} not found in image"
+ exit 1
+ fi
+ if grep -qF "${EXPECTED_GROUP}" "${CONFIG_FILE}"; then
 echo "PASS: ${EXPECTED_GROUP} found in ${CONFIG_FILE}"
 else
 echo "Contents of ${CONFIG_FILE}:"
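Review bot: `grep -qF "${EXPECTED_GROUP}" "${CONFIG_FILE}"` still accepts the string anywhere in the file, including on a commented-out line, so a policy file that mentions X25519MLKEM768 without enabling it passes; the new `-f` guard covers the missing-file case but not this one. Excluding comment lines is a one-line change, `if grep -v '^[[:space:]]*#' "${CONFIG_FILE}" | grep -qF -- "${EXPECTED_GROUP}"; then` (the pipeline's status is consumed by `if`, so `pipefail` does not abort the script here). If the file expresses the active group list as a single directive, anchoring the pattern to that directive rather than the whole file would be stronger still, and a short comment above the `if` saying that this is a configuration-presence check rather than a runtime handshake test would set readers' expectations. The script's else branch continues past the end of the hunk.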