Docker images with OpenSSL and Russian GOST crypto algorithms
This is the Git repo for the docker-gost Docker images. See the Docker Hub page for the full readme on how to use this Docker image and for information regarding contributing and issues.
To check if GOST ciphers are present, start a container:

```bash
docker run --rm -it mbrav/docker-gost bash
```

Inside the container, grep the list of available OpenSSL ciphers:

```bash
openssl ciphers | tr ":" "\n" | grep GOST
```

```
GOST2012-MAGMA-MAGMAOMAC
GOST2012-KUZNYECHIK-KUZNYECHIKOMAC
LEGACY-GOST2012-GOST8912-GOST8912
IANA-GOST2012-GOST8912-GOST8912
GOST2001-GOST89-GOST89
```

If you do not see this list, please file an issue.
This is by no means a professional guide; please refer to RFC 4357 for all technical details about GOST algorithms.
- Generate a Private Key: Once inside a `mbrav/docker-gost` container, create a private key:

```bash
openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out cert.key
```

The possible parameters for `-algorithm` are:
  - `gost2001`: to generate a GOST 2001 certificate;
  - `gost2012_256`: to generate a GOST 2012 certificate with a key length of 256;
  - `gost2012_512`: to generate a GOST 2012 certificate with a key length of 512.

The `-pkeyopt paramset:A` option specifies that you want to use parameter set A, which corresponds to a particular curve. Different parameter sets (curves) may offer different levels of security and performance.
Keep in mind that GOST 2001 is a bit different from traditional key-based algorithms in this regard. You choose a parameter set (curve) based on your security requirements, and the key pair is generated accordingly. There isn't a direct control over "key length" as in some other algorithms.
Based on version v3.0.2 of gost-engine, there are three parameter sets for the gost2001 algorithm:
  - `ecp_id_GostR3410_2001_CryptoPro_A_ParamSet`
  - `ecp_id_GostR3410_2001_CryptoPro_B_ParamSet`
  - `ecp_id_GostR3410_2001_CryptoPro_C_ParamSet`
- Create a Certificate Signing Request (CSR): Generate a CSR using the private key you created in the previous step:

```bash
openssl req -new -key cert.key -out cert.csr \
  -subj "/C=RU/ST=Moscow_Olast/L=Moscow/O=Big_Brother_LTD/OU=IT/CN=bigbrother.ru/emailAddress=donos@bigbrother.ru"
```

- Generate a Self-Signed Certificate: Now, use the private key and CSR to generate a self-signed certificate.

```bash
openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.pem
```

This command will create a self-signed certificate valid for 365 days.
- Verify the Certificate (Optional): You can verify the details of the generated certificate using the following command:

```bash
openssl x509 -in cert.pem -text -noout
```

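As an added example (not part of this repository), the script below turns the cipher check and the certificate steps above into a pass/fail smoke test for the image. The subject `/CN=gost-smoke.test`, the one-day validity and the function names are assumptions chosen here, as is matching on "GOST" in the signature algorithm name printed by `openssl x509 -text`.

```sh
#!/bin/sh
# Added example: smoke test for a GOST-enabled OpenSSL image (not project code).
# The expected suites are the five names shown in the README output above.
EXPECTED_GOST_CIPHERS="GOST2012-MAGMA-MAGMAOMAC
GOST2012-KUZNYECHIK-KUZNYECHIKOMAC
LEGACY-GOST2012-GOST8912-GOST8912
IANA-GOST2012-GOST8912-GOST8912
GOST2001-GOST89-GOST89"

# Print each expected suite missing from a colon-separated cipher string
# (the format `openssl ciphers` emits). Whole-name match only.
missing_gost_ciphers() {
    have=$(printf '%s' "$1" | tr ':' '\n')
    for name in $EXPECTED_GOST_CIPHERS; do
        printf '%s\n' "$have" | grep -qxF -e "$name" || printf '%s\n' "$name"
    done
}

# Read `openssl x509 -text` output on stdin; print the signature algorithm.
cert_sig_alg() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Hypothetical driver: runs the README's key/CSR/certificate steps in a temp
# directory and fails if a suite is missing or the signature is not GOST
# (assumption: the printed algorithm name contains "GOST").
smoke_test() {
    missing=$(missing_gost_ciphers "$(openssl ciphers)")
    [ -z "$missing" ] || { echo "missing suites: $missing" >&2; return 1; }
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out "$dir/cert.key" &&
    openssl req -new -key "$dir/cert.key" -out "$dir/cert.csr" -subj "/CN=gost-smoke.test" &&
    openssl x509 -req -days 1 -in "$dir/cert.csr" -signkey "$dir/cert.key" -out "$dir/cert.pem" &&
    alg=$(openssl x509 -in "$dir/cert.pem" -text -noout | cert_sig_alg)
    rc=$?
    rm -rf "$dir"   # the throwaway private key must not outlive the test
    [ "$rc" -eq 0 ] || return 1
    case "$alg" in
        *GOST*) echo "ok: $alg" ;;
        *) echo "unexpected signature algorithm: $alg" >&2; return 1 ;;
    esac
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then smoke_test; fi
```

Run it inside the container with `--run`; a non-zero exit status means a suite is missing or the certificate steps did not produce a GOST-signed certificate.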
The `mbrav/docker-gost` repository is tagged with the following scheme where `x.x.x` is the OpenSSL version and `y.y.y` is the nginx version:
- Debian 12 ("Bookworm"):
  - Tags: `latest`, `bookworm`, `bookworm-x.x.x`
  - Dockerfile: debian-bookworm/Dockerfile
- Debian 12 ("Bookworm") with Nginx:
  - Tags: `bookworm-nginx`, `bookworm-nginx-x.x.x`, `bookworm-nginx-x.x.x-y.y.y`, `nginx`, `nginx-x.x.x`, `nginx-x.x.x-y.y.y`
  - Dockerfile: debian-bookworm/nginx.Dockerfile
- Alpine 3:
  - Tags: `alpine`, `alpine-x.x.x`
  - Dockerfile: alpine/Dockerfile
- Alpine 3 with Nginx: WIP
See the `data.json` metadata file for actual information.
- Maintained by: mbrav
- Where to get help: Literally nowhere, hence the reason I created this repository.
- Why to use this image: If your application needs `openssl` with GOST crypto algorithms (`gost-engine`). Docker images are available at `mbrav/docker-gost` and are automatically built and uploaded to Docker Hub using GitHub Actions.
Please see the contributing guide for guidelines on how to best contribute to this project.
As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
© mbrav 2023