git.stella-ops.org/docs/security/openssl-gost-remote.md
StellaOps Bot 49922dff5a
up the blocking tasks
2025-12-11 02:32:18 +02:00

# Remote OpenSSL GOST Signer (OSS) · 2025-12-11
Portable, open-source remote signer for GOST R 34.10/34.11 using the `rnix/openssl-gost` image. Use when CryptoPro CSP is unavailable and a remote Linux host can expose signing via HTTP.
## Goals
- Remote, OSS-only signer for the `ru.openssl.gost` profile.
- Deterministic digest harness (fixed message) for smoke checks.
- Configurable endpoint so hosts can toggle between local and remote.
## Quickstart (remote host)
```bash
# 1) Run the OpenSSL GOST container on the remote host and publish the gateway
#    port (the image itself listens on nothing; the gateway script below does)
docker run -d --rm -p 9090:9090 --name gost-remote rnix/openssl-gost:latest sleep 365d
# 2) Write the lightweight HTTP gateway. It runs inside the container, because that
#    is where the gost engine lives; bash, nc (with -q), jq and coreutils base64
#    are assumed to be available in the image.
cat > /tmp/gost-remote.sh <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
key=/tmp/gost.key.pem
pub=/tmp/gost.pub.pem
# Generate the key once per container (persist by volume if desired)
if [ ! -f "$key" ]; then
  openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out "$key" >/dev/null 2>&1
  openssl pkey -engine gost -in "$key" -pubout -out "$pub" >/dev/null 2>&1
fi
handle() {
  # Consume the request line and headers; only Content-Length is needed
  local line len=0 body="" msg_file sig_file json
  while IFS= read -r line; do
    line="${line%$'\r'}"
    [ -z "$line" ] && break
    case "${line,,}" in content-length:*) len="${line#*:}"; len="${len// /}";; esac
  done
  # Body is the JSON document {"message_b64":"..."}
  [ "$len" -gt 0 ] && { IFS= read -r -N "$len" body || true; }
  msg_file="$(mktemp)"; sig_file="$(mktemp)"
  printf '%s' "$body" | jq -r .message_b64 | base64 -d > "$msg_file"
  # Sign (nonce-driven, signatures differ each call)
  openssl dgst -engine gost -md_gost12_256 -sign "$key" -out "$sig_file" "$msg_file" 2>/dev/null
  # Respond with signature/public key (base64). The reply must be a real HTTP
  # response, otherwise curl rejects it as HTTP/0.9.
  json="$(jq -cn --arg sig_b64 "$(base64 -w0 "$sig_file")" \
                 --arg pub_pem "$(base64 -w0 "$pub")" \
                 '{signature_b64:$sig_b64, public_key_pem_b64:$pub_pem}')"
  rm -f "$msg_file" "$sig_file"
  printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s' \
    "${#json}" "$json"
}
# nc reads the reply from a FIFO so the response reaches the client;
# -q 1 closes the connection once handle() has finished writing
fifo="$(mktemp -u)"; mkfifo "$fifo"
trap 'rm -f "$fifo"' EXIT
while true; do
  nc -l -p 9090 -q 1 < "$fifo" | handle > "$fifo" || true
done
EOF
# 3) Copy the gateway into the container and start it in the background
docker cp /tmp/gost-remote.sh gost-remote:/tmp/gost-remote.sh
docker exec -d gost-remote bash /tmp/gost-remote.sh
```
## Client invocation (any host)
```bash
MESSAGE="stellaops-remote-gost-smoke"
# Build the request body with jq so the message never passes through shell quoting
# (escaped quotes inside the command substitution would end up in the signed bytes)
curl -sS -X POST -H 'Content-Type: application/json' \
  --data "$(jq -cn --arg m "$(printf '%s' "$MESSAGE" | base64 -w0)" '{message_b64:$m}')" \
  http://REMOTE_HOST:9090 \
  | tee /tmp/gost-remote-response.json
sig_b64=$(jq -r .signature_b64 /tmp/gost-remote-response.json)
pub_pem_b64=$(jq -r .public_key_pem_b64 /tmp/gost-remote-response.json)
printf '%s' "$pub_pem_b64" | base64 -d > /tmp/gost-remote.pub.pem
printf '%s' "$MESSAGE" > /tmp/gost-remote.msg
printf '%s' "$sig_b64" | base64 -d > /tmp/gost-remote.sig
# Verify locally (needs an openssl build with the gost engine on this host)
openssl dgst -engine gost -md_gost12_256 \
  -verify /tmp/gost-remote.pub.pem \
  -signature /tmp/gost-remote.sig /tmp/gost-remote.msg
```
## Configuration toggle (hosts)
- Add an env toggle to your deployment: `STELLAOPS_RU_OPENSSL_REMOTE_URL=http://remote-gost:9090`
- When set, route `ru.openssl.gost` signing through the HTTP gateway; when unset, use local `OpenSslGostProvider`.
- Keep Linux fallback enabled: `STELLAOPS_CRYPTO_ENABLE_RU_OPENSSL=1`.
## Determinism
- Digest is deterministic (`md_gost12_256` over caller-supplied message).
- Signatures vary per request (nonce) but verify deterministically; capture `signature_b64` and `public_key_pem_b64` for evidence.
## Operational notes
- Remote host must have Docker + `rnix/openssl-gost` image (no vendor binaries).
- The gateway speaks plain HTTP with no authentication, so anyone who can reach port 9090 can obtain signatures; restrict network access to that port and front it with mTLS or an SSH tunnel in production.
- Persist `/tmp/gost.key.pem` via a volume if you need a stable `kid`; otherwise accept ephemeral keys for testing.
## Attach to sprint evidence
- Store `gost-remote-response.json`, `gost-remote.pub.pem`, and verification output with the sprint log.
- Record the remote endpoint and run timestamp in the sprint Execution Log.
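The following client-side helper library is an added example, not part of the StellaOps docs or its code base. It ties together the env toggle from the "Configuration toggle" section, the smoke check from the "Determinism" section and the evidence record asked for under "Attach to sprint evidence". It assumes the gateway wire format shown above (`{"message_b64"}` in, `{"signature_b64","public_key_pem_b64"}` out), GNU coreutils `base64`, `sed`, `curl`, and an openssl build with the gost engine for the local backend and for verification. All function names and the `GOST_LOCAL_KEY` variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not StellaOps code): client helpers for the remote GOST gateway.
set -e

# Backend selection exactly as the toggle describes: remote when the URL is set,
# otherwise the local openssl/gost path (what OpenSslGostProvider does in-process).
gost_backend() {
  [ -n "${STELLAOPS_RU_OPENSSL_REMOTE_URL:-}" ] && echo remote || echo local
}

# Request body for the gateway. base64 output never needs JSON escaping, so the
# raw message never passes through shell quoting.
gost_request_json() {
  printf '{"message_b64":"%s"}' "$(printf '%s' "$1" | base64 -w0)"
}

# Pull one string field out of the gateway's flat single-object response.
# Not a general JSON parser; sufficient for the fixed shape the gateway emits.
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Validate a response: both fields present and base64-decodable, and the key
# decodes to a PEM public key block. The exit status is the verdict.
gost_response_ok() {
  local sig pub decoded
  sig="$(json_field signature_b64 "$1")"
  pub="$(json_field public_key_pem_b64 "$1")"
  [ -n "$sig" ] && [ -n "$pub" ] || return 1
  printf '%s' "$sig" | base64 -d >/dev/null 2>&1 || return 1
  decoded="$(printf '%s' "$pub" | base64 -d 2>/dev/null)" || return 1
  case "$decoded" in *'-----BEGIN PUBLIC KEY-----'*) return 0 ;; *) return 1 ;; esac
}

# Sign one message and print a response in the gateway's wire format,
# whichever backend produced it.
gost_sign() {
  local msg="$1" key tmp
  case "$(gost_backend)" in
  remote)
    curl -sS -H 'Content-Type: application/json' \
      --data "$(gost_request_json "$msg")" "$STELLAOPS_RU_OPENSSL_REMOTE_URL" ;;
  local)
    key="${GOST_LOCAL_KEY:-/tmp/gost.key.pem}"   # hypothetical override variable
    tmp="$(mktemp -d)"
    printf '%s' "$msg" > "$tmp/msg"
    openssl pkey -engine gost -in "$key" -pubout -out "$tmp/pub.pem" 2>/dev/null
    openssl dgst -engine gost -md_gost12_256 -sign "$key" -out "$tmp/sig" "$tmp/msg" 2>/dev/null
    printf '{"signature_b64":"%s","public_key_pem_b64":"%s"}' \
      "$(base64 -w0 "$tmp/sig")" "$(base64 -w0 "$tmp/pub.pem")"
    rm -rf "$tmp" ;;
  esac
}

# Determinism smoke check over the fixed message: both signatures must verify
# against the returned key. Identical signatures for two requests are a red
# flag (a repeated nonce in GOST R 34.10, as in ECDSA, exposes the private key).
# Prints the evidence record (endpoint, timestamp, response) for the sprint log.
gost_smoke() {
  local msg="${1:-stellaops-remote-gost-smoke}" r1 r2 tmp s
  r1="$(gost_sign "$msg")"
  r2="$(gost_sign "$msg")"
  gost_response_ok "$r1" && gost_response_ok "$r2" || { echo "malformed gateway response" >&2; return 1; }
  tmp="$(mktemp -d)"
  printf '%s' "$msg" > "$tmp/msg"
  json_field public_key_pem_b64 "$r1" | base64 -d > "$tmp/pub.pem"
  json_field signature_b64 "$r1" | base64 -d > "$tmp/sig1"
  json_field signature_b64 "$r2" | base64 -d > "$tmp/sig2"
  for s in sig1 sig2; do
    openssl dgst -engine gost -md_gost12_256 -verify "$tmp/pub.pem" \
      -signature "$tmp/$s" "$tmp/msg" >/dev/null || { echo "$s failed to verify" >&2; return 1; }
  done
  cmp -s "$tmp/sig1" "$tmp/sig2" && echo "WARN: identical signatures for two requests; check the nonce source" >&2
  printf '{"endpoint":"%s","run_at":"%s","response":%s}\n' \
    "${STELLAOPS_RU_OPENSSL_REMOTE_URL:-local}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$r1"
  rm -rf "$tmp"
}
```

Source the file and run `STELLAOPS_RU_OPENSSL_REMOTE_URL=http://remote-gost:9090 gost_smoke > gost-remote-evidence.json`; with the variable unset the same call exercises the local path against `/tmp/gost.key.pem`. Parsing the response with `sed` keeps the client free of `jq`, which the gateway host needs but the calling host may not have; it only works because the gateway emits one flat object.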