up

ops/cryptopro/linux-csp-service/Dockerfile

@@ -0,0 +1,31 @@
+# syntax=docker/dockerfile:1.7
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    CRYPTOPRO_ACCEPT_EULA=1 \
+    CRYPTOPRO_MINIMAL=1
+
+WORKDIR /app
+
+# System deps
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends python3 python3-pip tar xz-utils && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy CryptoPro packages (provided in repo) and installer
+COPY opt/cryptopro/downloads/*.tgz /opt/cryptopro/downloads/
+COPY ops/cryptopro/install-linux-csp.sh /usr/local/bin/install-linux-csp.sh
+RUN chmod +x /usr/local/bin/install-linux-csp.sh
+
+# Install CryptoPro CSP
+RUN /usr/local/bin/install-linux-csp.sh
+
+# Python deps
+COPY ops/cryptopro/linux-csp-service/requirements.txt /app/requirements.txt
+RUN pip3 install --no-cache-dir -r /app/requirements.txt
+
+# App
+COPY ops/cryptopro/linux-csp-service/app.py /app/app.py
+
+EXPOSE 8080
+CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8080"]

ops/cryptopro/linux-csp-service/README.md

@@ -0,0 +1,25 @@
+# CryptoPro Linux CSP Service (experimental)
+
+Minimal FastAPI wrapper around the Linux CryptoPro CSP binaries to prove installation and expose simple operations.
+
+## Build
+
+```bash
+docker build -t cryptopro-linux-csp -f ops/cryptopro/linux-csp-service/Dockerfile .
+```
+
+## Run
+
+```bash
+docker run --rm -p 8080:8080 cryptopro-linux-csp
+```
+
+Endpoints:
+- `GET /health` — checks `csptest` presence.
+- `GET /license` — runs `csptest -license`.
+- `POST /hash` with `{ "data_b64": "<base64>" }` — runs `csptest -hash -hash_alg gost12_256`.
+
+## Notes
+- Uses the provided CryptoPro `.tgz` bundles under `opt/cryptopro/downloads`. Ensure you have rights to these binaries; the image builds with `CRYPTOPRO_ACCEPT_EULA=1`.
+- Default install is minimal (no browser/plugin). Set `CRYPTOPRO_INCLUDE_PLUGIN=1` if you need plugin packages.
+- This is not a production service; intended for validation only.

ops/cryptopro/linux-csp-service/app.py

@@ -0,0 +1,57 @@
+import base64
+import subprocess
+from pathlib import Path
+from typing import Optional
+
+from fastapi import FastAPI, HTTPException
+from pydantic import BaseModel
+
+app = FastAPI(title="CryptoPro Linux CSP Service", version="0.1.0")
+
+CSPTEST = Path("/opt/cprocsp/bin/amd64/csptest")
+
+
+def run_cmd(cmd: list[str], input_bytes: Optional[bytes] = None, allow_fail: bool = False) -> str:
+    try:
+        proc = subprocess.run(
+            cmd,
+            input=input_bytes,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+            check=True,
+        )
+        return proc.stdout.decode("utf-8", errors="replace")
+    except subprocess.CalledProcessError as exc:
+        output = exc.stdout.decode("utf-8", errors="replace") if exc.stdout else ""
+        if allow_fail:
+            return output
+        raise HTTPException(status_code=500, detail={"cmd": cmd, "output": output})
+
+
+@app.get("/health")
+def health():
+    if not CSPTEST.exists():
+        raise HTTPException(status_code=500, detail="csptest binary not found; ensure CryptoPro CSP is installed")
+    return {"status": "ok", "csptest": str(CSPTEST)}
+
+
+@app.get("/license")
+def license_info():
+    output = run_cmd([str(CSPTEST), "-keyset", "-info"], allow_fail=True)
+    return {"output": output}
+
+
+class HashRequest(BaseModel):
+    data_b64: str
+
+
+@app.post("/hash")
+def hash_data(body: HashRequest):
+    try:
+        data = base64.b64decode(body.data_b64)
+    except Exception:
+        raise HTTPException(status_code=400, detail="Invalid base64")
+
+    cmd = [str(CSPTEST), "-hash", "-in", "-", "-hash_alg", "gost12_256"]
+    output = run_cmd(cmd, input_bytes=data)
+    return {"output": output}

ops/cryptopro/linux-csp-service/requirements.txt

@@ -0,0 +1,2 @@
+fastapi==0.111.0
+uvicorn[standard]==0.30.1