#https://github.com/open-quantum-safe/oqs-demos/blob/main/openssl3/Dockerfile
# Multi-stage build: First the full builder image:
# Global build arguments. An ARG declared before the first FROM is only in scope
# for FROM lines, which is why every stage below re-declares the ones it uses.

# Base image shared by all stages.
# NOTE(review): "lts-alpine3.20" is a floating tag; for reproducible builds
# consider pinning by digest (node:lts-alpine3.20@sha256:<digest>).
ARG BASE_IMAGE="node:lts-alpine3.20"

# Install prefixes for liboqs and for the custom OpenSSL build.
ARG INSTALLDIR_LIBOQS=/opt/liboqs
ARG INSTALLDIR_OPENSSL=/opt/openssl32

# Extra CMake defines for liboqs; OQS_DIST_BUILD=ON is chosen for maximum image portability.
ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"

# Parallelism handed to make. Keep an explicit job count unless you know what
# you are doing: a bare "-j" lets make start an unlimited number of jobs.
ARG MAKE_DEFINES="-j 8"

# Signature algorithm name. Re-declared in each stage, but no instruction in
# this file references it.
ARG SIG_ALG="dilithium3"
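FROM ${BASE_IMAGE} AS buildopenssl
# Stage "buildopenssl": compile OpenSSL from source and install it under
# ${INSTALLDIR_OPENSSL}. Later stages copy that directory out of this stage.

# Re-declare the global args so they are in scope inside this stage.
ARG INSTALLDIR_OPENSSL
ARG INSTALLDIR_LIBOQS
ARG LIBOQS_BUILD_DEFINES
ARG MAKE_DEFINES
ARG SIG_ALG
LABEL version="1"

# Upgrade the base packages and install the toolchain needed to build OpenSSL.
# Done in a single layer with --no-cache so that no package index is left
# behind in /var/cache/apk.
RUN apk upgrade --no-cache && \
    apk add --no-cache \
        autoconf \
        automake \
        build-base \
        git \
        libtool \
        linux-headers \
        make \
        wget

# Fetch the OpenSSL sources at the openssl-3.4.0 tag (shallow, single branch).
# NOTE(review): a tag can be re-pointed upstream; checking the cloned HEAD
# against a known commit hash (<expected-commit-sha>) would pin the source.
WORKDIR /optbuild
RUN git clone --depth 1 --branch openssl-3.4.0 --single-branch https://github.com/openssl/openssl.git
# Earlier variant that pinned a commit on master, kept for reference:
#mkdir /optbuild && cd /optbuild && git clone --branch master https://github.com/openssl/openssl.git && cd /optbuild/openssl && git checkout db2ac4f

# Build and install OpenSSL 3.
WORKDIR /optbuild/openssl
# SECURITY: this configuration re-enables SSLv3 and weak SSL cipher suites and
# explicitly enables DES, DSA, RC4 and DH. Presumably this is deliberate so the
# resulting openssl binary can talk to legacy endpoints (confirm). Do not reuse
# this build as a general-purpose TLS library.
#
# The rpath points at lib64, so the shared libraries are found without setting
# LD_LIBRARY_PATH. ${MAKE_DEFINES} is intentionally unquoted so that "-j 8"
# splits into two arguments.
#
# After install, make sure both lib and lib64 resolve to the same directory.
# A link is only created when the other name does not exist yet; linking
# unconditionally would drop a self-referencing symlink inside the real
# directory.
RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR_OPENSSL}/lib64" ./config \
        enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers \
        enable-des enable-dsa enable-rc4 enable-dh \
        shared --prefix="${INSTALLDIR_OPENSSL}" && \
    make ${MAKE_DEFINES} && \
    make install && \
    if [ -d "${INSTALLDIR_OPENSSL}/lib64" ] && [ ! -e "${INSTALLDIR_OPENSSL}/lib" ]; then \
        ln -s "${INSTALLDIR_OPENSSL}/lib64" "${INSTALLDIR_OPENSSL}/lib"; \
    elif [ -d "${INSTALLDIR_OPENSSL}/lib" ] && [ ! -e "${INSTALLDIR_OPENSSL}/lib64" ]; then \
        ln -s "${INSTALLDIR_OPENSSL}/lib" "${INSTALLDIR_OPENSSL}/lib64"; \
    fi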
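FROM ${BASE_IMAGE} AS buildliboqs
# Stage "buildliboqs": build liboqs against the OpenSSL produced by the
# buildopenssl stage and install it under ${INSTALLDIR_LIBOQS}.

# Take in all global args.
ARG INSTALLDIR_OPENSSL
ARG INSTALLDIR_LIBOQS
ARG LIBOQS_BUILD_DEFINES
ARG MAKE_DEFINES
ARG SIG_ALG
LABEL version="1"

# Toolchain required for building liboqs. --no-cache keeps the apk index out
# of the layer.
RUN apk add --no-cache \
        autoconf \
        automake \
        build-base \
        cmake \
        git \
        libtool \
        linux-headers \
        make \
        ninja \
        wget

# Bring in the OpenSSL install tree from the previous stage (served from cache
# when that stage is unchanged).
COPY --from=buildopenssl ${INSTALLDIR_OPENSSL} ${INSTALLDIR_OPENSSL}

# Fetch liboqs at the 0.12.0 tag (shallow clone).
# NOTE(review): as with any tag-based clone, verifying the commit hash
# (<expected-commit-sha>) would guard against a re-pointed tag.
WORKDIR /optbuild
RUN git clone --depth 1 --branch 0.12.0 https://github.com/open-quantum-safe/liboqs

# Configure with all algorithms enabled, then build and install with Ninja.
# ${LIBOQS_BUILD_DEFINES} is intentionally unquoted so that several -D options
# can be passed through one build arg.
WORKDIR /optbuild/liboqs
RUN cmake -G Ninja -S . -B build \
        -DOQS_ALGS_ENABLED=All \
        -DOPENSSL_ROOT_DIR="${INSTALLDIR_OPENSSL}" \
        ${LIBOQS_BUILD_DEFINES} \
        -DCMAKE_INSTALL_PREFIX="${INSTALLDIR_LIBOQS}" && \
    ninja -C build install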
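FROM ${BASE_IMAGE} AS buildoqsprovider
# Stage "buildoqsprovider": builds oqs-provider against the OpenSSL and liboqs
# from the earlier stages, activates it in openssl.cnf, and then installs and
# runs node-openssl-rest. This is the last stage, so it is also the image that
# ships.
# NOTE(review): because the runtime image is this build stage, the compiler
# toolchain and the /optbuild source trees remain in the shipped image. A
# separate minimal runtime stage that copies only the required artifacts would
# reduce the attack surface.

# Take in all global args.
ARG INSTALLDIR_OPENSSL
ARG INSTALLDIR_LIBOQS
ARG LIBOQS_BUILD_DEFINES
ARG MAKE_DEFINES
ARG SIG_ALG
LABEL version="1"
# Debian/apt setting that apk does not consult; left in place so the runtime
# environment of the container is unchanged.
ENV DEBIAN_FRONTEND=noninteractive

# Toolchain required for building oqs-provider. --no-cache keeps the apk index
# out of the layer.
RUN apk add --no-cache \
        build-base \
        cmake \
        git \
        libtool \
        linux-headers \
        ninja \
        wget

# Fetch oqs-provider at the 0.8.0 tag (shallow clone).
WORKDIR /optbuild
RUN git clone --depth 1 --branch 0.8.0 https://github.com/open-quantum-safe/oqs-provider.git

# Get the custom OpenSSL and liboqs install trees from the earlier stages.
COPY --from=buildopenssl ${INSTALLDIR_OPENSSL} ${INSTALLDIR_OPENSSL}
COPY --from=buildliboqs ${INSTALLDIR_LIBOQS} ${INSTALLDIR_LIBOQS}

# Build and install the provider, copy it into OpenSSL's module directory, and
# edit openssl.cnf so that:
#   - the default provider and oqsprovider are both activated,
#   - an [ssl_sect]/[system_default_sect] pair is added whose Groups value is
#     read from the DEFAULT_GROUPS setting,
#   - DEFAULT_GROUPS defaults to kyber768.
# The sed expressions depend on the exact text of the stock openssl.cnf and are
# kept unchanged.
WORKDIR /optbuild/oqs-provider
RUN liboqs_DIR="${INSTALLDIR_LIBOQS}" cmake \
        -DOQS_ALGS_ENABLED=All \
        -DOPENSSL_ROOT_DIR="${INSTALLDIR_OPENSSL}" \
        -DCMAKE_BUILD_TYPE=Release \
        -DCMAKE_PREFIX_PATH="${INSTALLDIR_OPENSSL}" \
        -S . -B _build && \
    cmake --build _build && \
    cmake --install _build && \
    cp _build/lib/oqsprovider.so "${INSTALLDIR_OPENSSL}/lib64/ossl-modules" && \
    sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "${INSTALLDIR_OPENSSL}/ssl/openssl.cnf" && \
    sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "${INSTALLDIR_OPENSSL}/ssl/openssl.cnf" && \
    sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" "${INSTALLDIR_OPENSSL}/ssl/openssl.cnf" && \
    sed -i "s/HOME\t\t\t= ./HOME = .\nDEFAULT_GROUPS = kyber768/g" "${INSTALLDIR_OPENSSL}/ssl/openssl.cnf"

WORKDIR ${INSTALLDIR_OPENSSL}/bin
# Put the freshly built openssl first on PATH; its shared libraries are found
# through the rpath set at build time.
ENV PATH="${INSTALLDIR_OPENSSL}/bin:${PATH}"

# Changing this value invalidates the cache for every RUN below it, which
# appears to be how a fresh clone of the application is forced.
ARG CACHE_DATE=2025-02-03v2

# SECURITY: allow unsafe legacy renegotiation for every connection that uses
# this openssl.cnf. This permits renegotiation with peers that lack the
# RFC 5746 secure-renegotiation extension, which exposes such connections to
# renegotiation prefix injection by an on-path attacker. Keep it only if the
# tool has to reach legacy servers.
# The path is derived from INSTALLDIR_OPENSSL so that overriding the build arg
# still edits the config file that was just generated.
RUN sed -i '/\[system_default_sect\]/a Options = UnsafeLegacyRenegotiation' "${INSTALLDIR_OPENSSL}/ssl/openssl.cnf"
#RUN sed -i '/\[openssl_init\]/a ssl_conf = ssl_sect' /etc/ssl/openssl.cnf && echo >> /etc/ssl/openssl.cnf && echo "[ssl_sect]" >> /etc/ssl/openssl.cnf && echo "system_default = system_default_sect" >> /etc/ssl/openssl.cnf && echo >> /etc/ssl/openssl.cnf && echo "[system_default_sect]" >> /etc/ssl/openssl.cnf && echo "Options = UnsafeLegacyRenegotiation" >> /etc/ssl/openssl.cnf

LABEL maintainer="Lyas Spiehler"

# Distribution openssl and git. The custom build earlier on PATH takes
# precedence over the packaged openssl binary.
RUN apk add --no-cache \
        git \
        openssl

# Fetch the application.
# NOTE(review): this clones whatever the default branch points to at build
# time, so the image content is not reproducible and any upstream change is
# pulled in unreviewed. Consider checking out a reviewed commit
# (<reviewed-commit-sha>).
WORKDIR /var/node
RUN git clone https://github.com/lspiehler/node-openssl-rest.git
WORKDIR /var/node/node-openssl-rest

# Data under ca/ is kept in a volume. Nothing may write to this path in later
# build steps, because writes made after VOLUME are discarded.
VOLUME /var/node/node-openssl-rest/ca

# NOTE(review): "npm install" resolves dependency versions at build time. If
# the repository ships a lockfile, "npm ci" would give reproducible installs.
RUN npm install

EXPOSE 8443
EXPOSE 8080

# NOTE(review): there is no USER instruction, so the service runs as root.
# Consider switching to an unprivileged user once write access to the ca
# volume has been confirmed for it.
CMD ["node", "index.js"]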