Docker images with OpenSSL and Russian GOST crypto algorithms

This is the Git repo of the for docker-gost Docker images. See the Docker Hub page for the full readme on how to use this Docker image and for information regarding contributing and issues.

To check if GOST ciphers are present, start container:

docker run --rm -it mbrav/docker-gost bash

Inside the container grep the list of available OpenSSL ciphers:

openssl ciphers | tr ":" "\n" | grep GOST
GOST2012-MAGMA-MAGMAOMAC
GOST2012-KUZNYECHIK-KUZNYECHIKOMAC
LEGACY-GOST2012-GOST8912-GOST8912
IANA-GOST2012-GOST8912-GOST8912
GOST2001-GOST89-GOST89

If you do not see this list, please file an issue.

This is by no means a professional guide, please refer to RFC 4357 for all technical details about GOST algorithms.

1. Generate a Private Key: Once inside a mbrav/docker-gost container, create a private key:

openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out cert.key

The possible parameters for -algorithm are:

• gost2001 - To generate a GOST 2001 certificate;
• gost2012_256 - To generate a GOST 2012 certificate with a key length of 256;
• gost2012_512 - To generate a GOST 2012 certificate with a key length of 512.

The -pkeyopt paramset:A option specifies that you want to use parameter set A, which corresponds to a particular curve. Different parameter sets (curves) may offer different levels of security and performance.

Keep in mind that GOST 2001 is a bit different from traditional key-based algorithms in this regard. You choose a parameter set (curve) based on your security requirements, and the key pair is generated accordingly. There isn't a direct control over "key length" as in some other algorithms.

Based on v3.0.2 version of gost-engine, there are three Parameter sets for the gost2001 algorithm:

• ecp_id_GostR3410_2001_CryptoPro_A_ParamSet
• ecp_id_GostR3410_2001_CryptoPro_B_ParamSet
• ecp_id_GostR3410_2001_CryptoPro_C_ParamSet

2. Create a Certificate Signing Request (CSR): Generate a CSR using the private key you created in the previous step:

openssl req -new -key cert.key -out cert.csr \
  -subj "/C=RU/ST=Moscow_Olast/L=Moscow/O=Big_Brother_LTD/OU=IT/CN=bigbrother.ru/[email protected]"

3. Generate a Self-Signed Certificate: Now, use the private key and CSR to generate a self-signed certificate.

openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.pem

This command will create a self-signed certificate valid for 365 days.

4. Verify the Certificate (Optional): You can verify the details of the generated certificate using the following command:

openssl x509 -in cert.pem -text -noout

The mbrav/docker-gost repository is tagged with the following scheme where x.x.x is the OpenSSL version and y.y.y is the nginx version:

• Debian 12 ("Bookworm"):
  • Tags: latest, bookworm, bookworm-x.x.x
  • Dockerfile: debian-bookworm/Dockerfile
• Debian 12 ("Bookworm") with Nginx:
  • Tags: bookworm-nginx, bookworm-nginx-x.x.x, bookworm-nginx-x.x.x-y.y.y, nginx, nginx-x.x.x, nginx-x.x.x-y.y.y
  • Dockerfile: debian-bookworm/nginx.Dockerfile
• Alpine 3:
  • Tags: alpine, alpine-x.x.x
  • Dockerfile: alpine/Dockerfile
• Alpine 3 with Nginx: WIP

See data.json metadata file for actual information.

• Maintained by: mbrav
• Where to get help: Literally nowhere, hence the reason I created this repository.
• Why to use this image: If your application needs openssl with GOST crypto algorithms (gost-engine). Docker images are available at mbav/docker-gost and are automatically built and uploaded to Docker Hub using GitHub actions.

Please see the contributing guide for guidelines on how to best contribute to this project.

BSD 3-Clause LICENSE

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.

© mbrav 2023