Docker image with OpenSSL 1.1.1d, GOST engine and cURL

This image was built to have ability to connect to servers with GOST SSL certificates. In addition, it helps to encrypt, decrypt, hash messages with GOST algorithms.

Since version 1.1.0 OpenSSL does not contain GOST-engine anymore, but it can be compiled and used separately. This image does this work.

Output of openssl ciphers:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:GOST2012-GOST8912-GOST8912:GOST2001-GOST89-GOST89:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

The main part is:

GOST2012-GOST8912-GOST8912
GOST2001-GOST89-GOST89

Take a look at GOST-engine documentation: https://github.com/gost-engine/engine/blob/master/README.gost

There are some issues with OpenSSL 1.1.0h and GOST-engine (GOST ciphers are not in list), so versions are fixed in default docker's build args.

Usage

The image has been built and pushed into https://hub.docker.com/r/rnix/openssl-gost/. In examples below I use image rnix/openssl-gost from Docker Hub, but you can build this image for you own and use your tag.

As usual, you can run commands directly from host or you can use 'interactive mode' with -i. Pull the image and run a container with mounted current dir in interactive mode:

docker run --rm -i -t -v `pwd`:`pwd` -w `pwd` rnix/openssl-gost bash

Run command with mounted current dir without interactive mode:

docker run --rm -v `pwd`:`pwd` -w `pwd` rnix/openssl-gost openssl version

If you use Windows, pwd is incorrect. Use absolute path instead, for example:

docker run --rm -i -t -v /c/workspace/:/c/workspace/ -w /c/workspace/ rnix/openssl-gost bash

In the container you run commands.

Examples

To show certificate of host with GOST

openssl s_client -connect gost.example.com:443 -showcerts

To send a file to host with POST and save the response into new file

curl -X POST --data-binary @file.txt https://gost.example.com --output response.txt

To generate new key and certificate with Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001

openssl req -x509 -newkey gost2001 -pkeyopt paramset:A -nodes -keyout key.pem -out cert.pem

To sign file with electronic signature by GOST using public certificate (-signer cert.pem), private key (-inkey key.pem), with opaque signing (-nodetach), DER as output format without including certificate and attributes (-nocerts -noattr):

openssl cms -sign -signer cert.pem -inkey key.pem -binary -in file.txt -nodetach -outform DER -nocerts -noattr -out signed.sgn

To extract data (verify) from signed file (DER-format) using public certificate (-certfile cert.pem) issued by CA (-CAfile cert.pem) (the same because cert.pem is self-signed):

openssl cms -verify -in signed.sgn -certfile cert.pem -CAfile cert.pem -inform der -out data.txt

More examples with GOST can be found here: https://github.com/gost-engine/engine/blob/master/README.gost

Certification authority (CA)

In Russia, it is common to issue GOST-certificates signed by CA which are not worldwide trusted. In this case you get error. For example, curl: (60) SSL certificate problem: unable to get local issuer certificate. To solve this problem you have two options: 1) do not verify CA (not recommended), 2) find and use CA.

To ignore security error use -k with curl and -noverify with openssl. For example curl https://gost.examples.com -k or openssl cms -verify -noverify.
Find and download CA-certificate file. For example, CryptoPRO CA. It is PKCS7, but you need PEM. Run command to extract all certificates from p7b and write them as a chain of certificates in one file:

openssl pkcs7 -inform DER -outform PEM -in cacer.p7b -print_certs > crypto_pro_ca_bundle.crt

When you have CA-file you can:

Install it in default CA certificate store
Specify it in every openssl or curl command

To install it in default CA certificate store use commands:

cp crypto_pro_ca_bundle.crt /usr/local/share/ca-certificates/
update-ca-certificates

To specify it in curl:

curl https://gost.example.com/ --cacert crypto_pro_ca_bundle.crt

To specify it in openssl with verifying signature:

openssl cms -verify -in signed.txt -signer cert.pem -inform DER -CAfile crypto_pro_ca_bundle.crt -out unsigned.txt

Usage in other Dockerfiles

Compiled libraries can be used in other Dockerfiles with multi-stage approach. Basic template is in any-gost directory. Working example with PHP is in php-fpm-gost directory.

There some notices:

OpenSSL and cURL are build in custom directory /usr/local/ssl and usr/local/curl which contain bin, include, lib.
Before compiling the main Dockerfile folders /usr/local/ssl and usr/local/curl should be copied into new image.
During building packages openssl and curl can be installed and overwrite new /usr/bin/openssl and /usr/bin/curl.
Specify paths of libraries in configuring scripts to new locations.

License