up

scripts/crypto/validate-openssl-gost.sh

@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if ! command -v docker >/dev/null 2>&1; then
+    echo "[gost-validate] docker is required but not found on PATH" >&2
+    exit 1
+fi
+
+ROOT_DIR="$(git rev-parse --show-toplevel)"
+TIMESTAMP="$(date -u +%Y%m%dT%H%M%SZ)"
+LOG_ROOT="${OPENSSL_GOST_LOG_DIR:-${ROOT_DIR}/logs/openssl_gost_validation_${TIMESTAMP}}"
+IMAGE="${OPENSSL_GOST_IMAGE:-rnix/openssl-gost:latest}"
+MOUNT_PATH="${LOG_ROOT}"
+
+UNAME_OUT="$(uname -s || true)"
+case "${UNAME_OUT}" in
+    MINGW*|MSYS*|CYGWIN*)
+        if command -v wslpath >/dev/null 2>&1; then
+            # Docker Desktop on Windows prefers Windows-style mount paths.
+            MOUNT_PATH="$(wslpath -m "${LOG_ROOT}")"
+        fi
+        ;;
+    *)
+        MOUNT_PATH="${LOG_ROOT}"
+        ;;
+esac
+
+mkdir -p "${LOG_ROOT}"
+
+cat >"${LOG_ROOT}/message.txt" <<'EOF'
+StellaOps OpenSSL GOST validation message (md_gost12_256)
+EOF
+
+echo "[gost-validate] Using image ${IMAGE}"
+docker pull "${IMAGE}" >/dev/null
+
+CONTAINER_SCRIPT_PATH="${LOG_ROOT}/container-script.sh"
+
+cat > "${CONTAINER_SCRIPT_PATH}" <<'CONTAINER_SCRIPT'
+set -eu
+
+MESSAGE="/out/message.txt"
+
+openssl version -a > /out/openssl-version.txt
+openssl engine -c > /out/engine-list.txt
+
+openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out /tmp/gost.key.pem >/dev/null
+openssl pkey -engine gost -in /tmp/gost.key.pem -pubout -out /out/gost.pub.pem >/dev/null
+
+DIGEST_LINE="$(openssl dgst -engine gost -md_gost12_256 "${MESSAGE}")"
+echo "${DIGEST_LINE}" > /out/digest.txt
+DIGEST="$(printf "%s" "${DIGEST_LINE}" | awk -F'= ' '{print $2}')"
+
+openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out /tmp/signature1.bin "${MESSAGE}"
+openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out /tmp/signature2.bin "${MESSAGE}"
+
+openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature1.bin "${MESSAGE}" > /out/verify1.txt
+openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature2.bin "${MESSAGE}" > /out/verify2.txt
+
+SIG1_SHA="$(sha256sum /tmp/signature1.bin | awk '{print $1}')"
+SIG2_SHA="$(sha256sum /tmp/signature2.bin | awk '{print $1}')"
+MSG_SHA="$(sha256sum "${MESSAGE}" | awk '{print $1}')"
+
+cp /tmp/signature1.bin /out/signature1.bin
+cp /tmp/signature2.bin /out/signature2.bin
+
+DETERMINISTIC_BOOL=false
+DETERMINISTIC_LABEL="no"
+if [ "${SIG1_SHA}" = "${SIG2_SHA}" ]; then
+  DETERMINISTIC_BOOL=true
+  DETERMINISTIC_LABEL="yes"
+fi
+
+cat > /out/summary.txt <<SUMMARY
+OpenSSL GOST validation (Linux engine)
+Image: ${VALIDATION_IMAGE:-unknown}
+Digest algorithm: md_gost12_256
+Message SHA256: ${MSG_SHA}
+Digest: ${DIGEST}
+Signature1 SHA256: ${SIG1_SHA}
+Signature2 SHA256: ${SIG2_SHA}
+Signatures deterministic: ${DETERMINISTIC_LABEL}
+SUMMARY
+
+cat > /out/summary.json <<SUMMARYJSON
+{
+  "image": "${VALIDATION_IMAGE:-unknown}",
+  "digest_algorithm": "md_gost12_256",
+  "message_sha256": "${MSG_SHA}",
+  "digest": "${DIGEST}",
+  "signature1_sha256": "${SIG1_SHA}",
+  "signature2_sha256": "${SIG2_SHA}",
+  "signatures_deterministic": ${DETERMINISTIC_BOOL}
+}
+SUMMARYJSON
+
+CONTAINER_SCRIPT
+
+docker run --rm \
+    -e VALIDATION_IMAGE="${IMAGE}" \
+    -v "${MOUNT_PATH}:/out" \
+    "${IMAGE}" /bin/sh "/out/$(basename "${CONTAINER_SCRIPT_PATH}")"
+
+rm -f "${CONTAINER_SCRIPT_PATH}"
+
+echo "[gost-validate] Artifacts written to ${LOG_ROOT}"
+echo "[gost-validate] Summary:"
+cat "${LOG_ROOT}/summary.txt"