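#!/usr/bin/env bash
#
# gost-validate: exercise the OpenSSL GOST engine inside a throwaway
# container and leave an evidence bundle on the host.
#
# Inside the container (everything written to /out, which is the host LOG_ROOT):
#   - record `openssl version -a` and `openssl engine -c`
#   - generate a GOST R 34.10-2012 256-bit key pair (paramset A), export the public key
#   - hash message.txt with md_gost12_256
#   - sign the message twice, verify both signatures against the public key
#   - report whether the two signatures are byte-identical
#
# Environment:
#   OPENSSL_GOST_LOG_DIR  host directory for the artifacts
#                         (default: <repo root>/logs/openssl_gost_validation_<UTC stamp>)
#   OPENSSL_GOST_IMAGE    image to run (default: rnix/openssl-gost:latest)
#
# Requirements: docker on PATH; a git checkout (the repo root anchors the default log dir).
#
# Supply-chain note: the default image is an unpinned third-party `:latest` tag.
# Whatever `docker pull` resolves it to is recorded by repo digest in
# summary.txt / summary.json so a given run's evidence is attributable. Set
# OPENSSL_GOST_IMAGE to an `image@sha256:...` reference for reproducible runs.

set -euo pipefail

if ! command -v docker >/dev/null 2>&1; then
  echo "[gost-validate] docker is required but not found on PATH" >&2
  exit 1
fi

if ! command -v git >/dev/null 2>&1; then
  echo "[gost-validate] git is required but not found on PATH" >&2
  exit 1
fi

# Fail with a clear message rather than git's own when run outside a checkout.
ROOT_DIR="$(git rev-parse --show-toplevel)" || {
  echo "[gost-validate] must be run from inside the git checkout" >&2
  exit 1
}

TIMESTAMP="$(date -u +%Y%m%dT%H%M%SZ)"
LOG_ROOT="${OPENSSL_GOST_LOG_DIR:-${ROOT_DIR}/logs/openssl_gost_validation_${TIMESTAMP}}"
IMAGE="${OPENSSL_GOST_IMAGE:-rnix/openssl-gost:latest}"

# Path handed to `docker -v`. Docker Desktop on Windows shells wants a
# Windows-style (mixed, forward-slash) path rather than the POSIX one.
MOUNT_PATH="${LOG_ROOT}"
case "$(uname -s || true)" in
  MINGW*|MSYS*|CYGWIN*)
    if command -v wslpath >/dev/null 2>&1; then
      MOUNT_PATH="$(wslpath -m "${LOG_ROOT}")"
    elif command -v cygpath >/dev/null 2>&1; then
      # Git Bash / MSYS2 ship cygpath rather than wslpath; -m gives the same mixed form.
      MOUNT_PATH="$(cygpath -m "${LOG_ROOT}")"
    fi
    ;;
esac

mkdir -p "${LOG_ROOT}"

# Fixed input so the digest recorded in the artifacts is comparable across runs.
cat >"${LOG_ROOT}/message.txt" <<'EOF'
StellaOps OpenSSL GOST validation message (md_gost12_256)
EOF

echo "[gost-validate] Using image ${IMAGE}"
docker pull "${IMAGE}" >/dev/null

# Resolve what `docker pull` actually gave us. A mutable tag can point at a
# different image tomorrow; the repo digest is what identifies this run's
# image. Empty output (e.g. a locally built image with no repo digest)
# is reported as "unknown" rather than failing the run.
IMAGE_DIGEST="$(docker image inspect --format '{{join .RepoDigests ","}}' "${IMAGE}" 2>/dev/null || true)"
IMAGE_DIGEST="${IMAGE_DIGEST:-unknown}"
echo "[gost-validate] Resolved image digest ${IMAGE_DIGEST}"

# The helper script lives in LOG_ROOT because that is the only host path the
# container can see. Remove it on every exit path (including a failed
# `docker run`), so it never lingers in the evidence bundle.
CONTAINER_SCRIPT_PATH="${LOG_ROOT}/container-script.sh"
trap 'rm -f -- "${CONTAINER_SCRIPT_PATH}"' EXIT

cat >"${CONTAINER_SCRIPT_PATH}" <<'CONTAINER_SCRIPT'
# Runs under the image's /bin/sh: POSIX only (no pipefail, no bash-isms).
set -eu

MESSAGE="/out/message.txt"
KEY="/tmp/gost.key.pem"

openssl version -a > /out/openssl-version.txt
openssl engine -c > /out/engine-list.txt

# Key pair: GOST R 34.10-2012, 256-bit, parameter set A. The private key stays
# in the container's /tmp; only the public key is exported to /out.
openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out "${KEY}" >/dev/null
openssl pkey -engine gost -in "${KEY}" -pubout -out /out/gost.pub.pem >/dev/null

# `openssl dgst` prints "<alg>(<file>)= <hex>"; keep the raw line and the hex part.
DIGEST_LINE="$(openssl dgst -engine gost -md_gost12_256 "${MESSAGE}")"
echo "${DIGEST_LINE}" > /out/digest.txt
DIGEST="$(printf "%s" "${DIGEST_LINE}" | awk -F'= ' '{print $2}')"

openssl dgst -engine gost -md_gost12_256 -sign "${KEY}" -out /tmp/signature1.bin "${MESSAGE}"
openssl dgst -engine gost -md_gost12_256 -sign "${KEY}" -out /tmp/signature2.bin "${MESSAGE}"

# -verify exits non-zero on a bad signature, which aborts under set -e; the
# grep makes the expected outcome explicit instead of relying on that alone.
openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature1.bin "${MESSAGE}" > /out/verify1.txt
openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature2.bin "${MESSAGE}" > /out/verify2.txt
grep -q 'Verified OK' /out/verify1.txt
grep -q 'Verified OK' /out/verify2.txt

SIG1_SHA="$(sha256sum /tmp/signature1.bin | awk '{print $1}')"
SIG2_SHA="$(sha256sum /tmp/signature2.bin | awk '{print $1}')"
MSG_SHA="$(sha256sum "${MESSAGE}" | awk '{print $1}')"

cp /tmp/signature1.bin /out/signature1.bin
cp /tmp/signature2.bin /out/signature2.bin

# Two signatures over the same message with the same key. GOST R 34.10-2012
# signing uses a fresh random k per signature, so "no" is the expected answer;
# "yes" would point at a deterministic nonce or a broken RNG and deserves a look.
DETERMINISTIC_BOOL=false
DETERMINISTIC_LABEL="no"
if [ "${SIG1_SHA}" = "${SIG2_SHA}" ]; then
  DETERMINISTIC_BOOL=true
  DETERMINISTIC_LABEL="yes"
fi

cat > /out/summary.txt <<SUMMARY
OpenSSL GOST validation (Linux engine)
Image: ${VALIDATION_IMAGE:-unknown}
Image digest: ${VALIDATION_IMAGE_DIGEST:-unknown}
Digest algorithm: md_gost12_256
Message SHA256: ${MSG_SHA}
Digest: ${DIGEST}
Signature1 SHA256: ${SIG1_SHA}
Signature2 SHA256: ${SIG2_SHA}
Signatures deterministic: ${DETERMINISTIC_LABEL}
SUMMARY

# Values are hex digests, an image reference and a bare boolean, none of
# which can contain a double quote, so no JSON escaping is needed here.
cat > /out/summary.json <<SUMMARYJSON
{
  "image": "${VALIDATION_IMAGE:-unknown}",
  "image_digest": "${VALIDATION_IMAGE_DIGEST:-unknown}",
  "digest_algorithm": "md_gost12_256",
  "message_sha256": "${MSG_SHA}",
  "digest": "${DIGEST}",
  "signature1_sha256": "${SIG1_SHA}",
  "signature2_sha256": "${SIG2_SHA}",
  "signatures_deterministic": ${DETERMINISTIC_BOOL}
}
SUMMARYJSON
CONTAINER_SCRIPT

# Only LOG_ROOT is exposed to the container, read-write, as /out. Files the
# container writes there are owned by whatever user the image runs as
# (typically root), so expect root-owned artifacts on the host.
docker run --rm \
  -e VALIDATION_IMAGE="${IMAGE}" \
  -e VALIDATION_IMAGE_DIGEST="${IMAGE_DIGEST}" \
  -v "${MOUNT_PATH}:/out" \
  "${IMAGE}" /bin/sh "/out/$(basename "${CONTAINER_SCRIPT_PATH}")"

echo "[gost-validate] Artifacts written to ${LOG_ROOT}"
echo "[gost-validate] Summary:"
cat "${LOG_ROOT}/summary.txt"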