From 1e823ea2eca9f1a4e05a2f4e723e327baaddbfa8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D0=B8=D0=BB=D1=8F=20=D0=90=D0=BB=D0=B0=D1=88?= =?UTF-8?q?=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Fri, 24 Jan 2025 12:12:48 +0300
Subject: [PATCH 1/8] =?UTF-8?q?SUPPORT-8883.=20=D0=98=D1=81=D0=BF=D1=80?= =?UTF-8?q?=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B0=20=D0=BE=D1=88=D0=B8=D0=B1?= =?UTF-8?q?=D0=BA=D0=B0=20=D0=BF=D1=80=D0=B8=20=D1=80=D0=B0=D0=B1=D0=BE?= =?UTF-8?q?=D1=82=D0=B5=20=D1=81=20CryptoPro=20KC2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(cherry picked from commit a6aa8f79d4887dba5e79835327c36aad98b7a1d4)

# Conflicts:
# src/utils/cryptopro.c
---
 src/utils/cryptopro.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/utils/cryptopro.c b/src/utils/cryptopro.c
index 5c3c82b..e56af6a 100644
--- a/src/utils/cryptopro.c
+++ b/src/utils/cryptopro.c
@@ -76,7 +76,8 @@ cryptopro_sign(const cryptopro_context_t *ctx, const str_t *data, /*out*/ str_t
 error:
 str_t_clear(&signed_data);
 str_t_clear(&sign_reversed);
- LOG_ERROR("cryptopro_sign exit with error");
+ LOG_ERROR("cryptopro_sign exit with error (sign_cert_thumbprint = '%.*s')",
+ (int) ctx->cert_thumbprint->len, ctx->cert_thumbprint->data);
 return -1;
 }
@@ -253,7 +254,7 @@ sign_hash_data(const cryptopro_context_t *ctx, const str_t *data, /*out*/ str_t
 }
 if (!cp_function_list.CryptAcquireCertificatePrivateKey(
- pSignerCert,
+ pSignerCert, CRYPT_ACQUIRE_SILENT_FLAG,
 NULL,
 &hCryptProv,
@@ -587,8 +588,8 @@ cryptopro_verify(const str_t* cert_thumbprint, const str_t* alg, const str_t* da
 goto exit;
 }
- if (!cp_function_list.CryptAcquireContext(&hCryptProv, NULL, CP_KC1_GR3410_2001_PROV,
- PROV_GOST_2001_DH, CRYPT_VERIFYCONTEXT)) {
+ if (!cp_function_list.CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_GOST_2012_256,
+ CRYPT_VERIFYCONTEXT)) {
 LOG_ERROR("CryptAcquireContext() failed");
 goto exit;
 }
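Review bot: With CRYPT_ACQUIRE_SILENT_FLAG, CryptAcquireCertificatePrivateKey now fails instead of prompting whenever the private key needs interactive input (an uncached PIN, for example), and the failure branch this call leads to is not visible in the hunk, so it is worth checking that it logs the provider's error code rather than a bare "failed" — otherwise a missing PIN and a missing key look identical in the logs. A one-line comment on the added argument would tell the next reader why the flag is there: `/* silent: headless service, never block on a PIN prompt */`. If the container key is PIN-protected, the PIN has to be supplied by a non-interactive mechanism, which is not part of this patch — hedged, since key provisioning is not shown. sign_hash_data's body starts and ends outside the hunk.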
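Review bot: The verify-context provider type is now hard-coded to PROV_GOST_2012_256 while cryptopro_verify still takes an `alg` argument (visible in the hunk header), so a request to verify a signature made with another GOST parameter set presumably no longer works on this context; how the CSP treats the mismatch is not visible here, but silently ignoring `alg` is the risk. Consider mapping `alg` to the provider type through a small helper (say `provider_type_for_alg`) and rejecting unsupported values explicitly: `DWORD prov_type = provider_type_for_alg(alg);` then `CryptAcquireContext(&hCryptProv, NULL, NULL, prov_type, CRYPT_VERIFYCONTEXT)`. Passing NULL as the provider name is what makes this work on a KC2 install where the KC1 provider name no longer resolves; a comment saying so would stop someone restoring `CP_KC1_GR3410_2001_PROV` later. cryptopro_verify's body starts and ends outside the hunk.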
From dfc6fe2851a64b279e31c07c2929b09b5ed64644 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9D=D0=B0=D0=B8=D0=BB=D1=8F=20=D0=90=D0=BB=D0=B0=D1=88?= =?UTF-8?q?=D0=BA=D0=BE=D0=B2=D0=B0?=
Date: Fri, 24 Jan 2025 12:24:55 +0300
Subject: [PATCH 2/8] =?UTF-8?q?=D0=B2=D0=B5=D1=80=D1=81=D0=B8=D1=8F=201.2.?= =?UTF-8?q?2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9943d38..4837b54 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2,7 +2,7 @@ CMAKE_MINIMUM_REQUIRED (VERSION 3.0)
 SET (CMAKE_C_COMPILER "gcc")
-PROJECT (ervu-sign-module VERSION 1.2.1 LANGUAGES C)
+PROJECT (ervu-sign-module VERSION 1.2.2 LANGUAGES C)
 IF (CMAKE_VERBOSE)
 SET (CMAKE_VERBOSE_MAKEFILE 1)

From e6a6efe51795bf43b3349cd89af9a21eb7600e44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A5=D0=B0=D0=BB=D1=82=D0=BE=D0=B1=D0=B8=D0=BD=20=D0=95?= =?UTF-8?q?=D0=B2=D0=B3=D0=B5=D0=BD=D0=B8=D0=B9?=
Date: Mon, 27 Jan 2025 08:46:34 +0300
Subject: [PATCH 3/8] updated to KC2

---
 Dockerfile.micord | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.micord b/Dockerfile.micord
index 8507186..17a3662 100644
--- a/Dockerfile.micord
+++ b/Dockerfile.micord
@@ -1,4 +1,4 @@
-ARG BUILDER_IMAGE=repo.micord.ru/alt/alt-cprocsp:c10f1-5.0.13000-20241129
+ARG BUILDER_IMAGE=repo.micord.ru/alt/alt-cprocsp-kc2:c10f1-5.0.13000-20250124
 ARG RUNTIME_IMAGE=registry.altlinux.org/basealt/altsp:c10f1
 FROM ${BUILDER_IMAGE} AS builder

From b48efc884112a49e8023217a84b38ea42956479f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A5=D0=B0=D0=BB=D1=82=D0=BE=D0=B1=D0=B8=D0=BD=20=D0=95?= =?UTF-8?q?=D0=B2=D0=B3=D0=B5=D0=BD=D0=B8=D0=B9?=
Date: Mon, 27 Jan 2025 10:01:32 +0300
Subject: [PATCH 4/8] fixed merge conflict in CMakeLists.txt

---
 CMakeLists.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8897586..b970d76 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -51,6 +51,7 @@ SET (DEP_LIBS
 -ldl
 -ljson-glib-1.0
 -lgobject-2.0
+ -luuid
 )
 # JSON-GLIB
@@ -120,10 +121,12 @@ ADD_EXECUTABLE (${PROJECT_NAME}
 ${UTILS_DIR}/gconf_file.c
 ${UTILS_DIR}/glib_utils.c
 ${UTILS_DIR}/json_parser.c
+ ${UTILS_DIR}/json_writer.c
 ${UTILS_DIR}/jwt.c
 ${UTILS_DIR}/library.c
 ${UTILS_DIR}/logger.c
 ${UTILS_DIR}/str_t.c
+ ${UTILS_DIR}/uuid.c
 ${FCGISRV_DIR}/fcgi_map.c
 ${FCGISRV_DIR}/fcgi_server.c
 ${FCGISRV_DIR}/fcgi_thread.c

From 9f25bf7fb927466fba52018481239f9c94c5f6b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A5=D0=B0=D0=BB=D1=82=D0=BE=D0=B1=D0=B8=D0=BD=20=D0=95?= =?UTF-8?q?=D0=B2=D0=B3=D0=B5=D0=BD=D0=B8=D0=B9?=
Date: Mon, 27 Jan 2025 10:58:29 +0300
Subject: [PATCH 5/8] Revert "updated to KC2"

This reverts commit e6a6efe51795bf43b3349cd89af9a21eb7600e44.

---
 Dockerfile.micord | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.micord b/Dockerfile.micord
index 17a3662..8507186 100644
--- a/Dockerfile.micord
+++ b/Dockerfile.micord
@@ -1,4 +1,4 @@
-ARG BUILDER_IMAGE=repo.micord.ru/alt/alt-cprocsp-kc2:c10f1-5.0.13000-20250124
+ARG BUILDER_IMAGE=repo.micord.ru/alt/alt-cprocsp:c10f1-5.0.13000-20241129
 ARG RUNTIME_IMAGE=registry.altlinux.org/basealt/altsp:c10f1
 FROM ${BUILDER_IMAGE} AS builder

From 879cc78d7255986609fbb1ddb1340dea08fb37ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A5=D0=B0=D0=BB=D1=82=D0=BE=D0=B1=D0=B8=D0=BD=20=D0=95?= =?UTF-8?q?=D0=B2=D0=B3=D0=B5=D0=BD=D0=B8=D0=B9?=
Date: Mon, 27 Jan 2025 08:46:34 +0300
Subject: [PATCH 6/8] updated to KC2

---
 Dockerfile.micord | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.micord b/Dockerfile.micord
index 8507186..17a3662 100644
--- a/Dockerfile.micord
+++ b/Dockerfile.micord
@@ -1,4 +1,4 @@
-ARG BUILDER_IMAGE=repo.micord.ru/alt/alt-cprocsp:c10f1-5.0.13000-20241129
+ARG BUILDER_IMAGE=repo.micord.ru/alt/alt-cprocsp-kc2:c10f1-5.0.13000-20250124
 ARG RUNTIME_IMAGE=registry.altlinux.org/basealt/altsp:c10f1
 FROM ${BUILDER_IMAGE} AS builder

From baf5792031526ff979781327e226a65724f3b0ed Mon Sep 17 00:00:00 2001
From: Pavel Zilke
Date: Thu, 6 Feb 2025 13:18:01 +0300
Subject: [PATCH 7/8] DEVOPS-1922

---
 Dockerfile.micord | 22 ++++++++++++++--------
 entrypoint.sh | 20 +++++++++++++-------
 2 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/Dockerfile.micord b/Dockerfile.micord
index 17a3662..09f0521 100644
--- a/Dockerfile.micord
+++ b/Dockerfile.micord
@@ -1,5 +1,6 @@
 ARG BUILDER_IMAGE=repo.micord.ru/alt/alt-cprocsp-kc2:c10f1-5.0.13000-20250124
 ARG RUNTIME_IMAGE=registry.altlinux.org/basealt/altsp:c10f1
+ARG RUNTIME_USER=ervu
 FROM ${BUILDER_IMAGE} AS builder
@@ -30,17 +31,19 @@ RUN mkdir -p .build \
 FROM ${RUNTIME_IMAGE}
 ENV TZ=Europe/Moscow
+ARG RUNTIME_USER
+ENV RUNTIME_USER=$RUNTIME_USER
 COPY entrypoint.sh /entrypoint.sh
 RUN apt-get update \
- && apt-get -y install glib2 libfcgi libjson-glib libuuid \
+ && apt-get -y install glib2 libfcgi libjson-glib libuuid su startup \
 && apt-get clean \
 && rm -f /var/cache/apt/*.bin \
 && rm -f /var/lib/apt/lists/update* \
 && chmod +x /entrypoint.sh \
- && groupadd --system --gid 500 ervu \
- && adduser --system --no-create-home --uid 500 --gid 500 ervu
+ && groupadd --system --gid 500 $RUNTIME_USER \
+ && adduser --system --no-create-home --uid 500 --gid 500 $RUNTIME_USER
 COPY --from=builder /usr/lib/locale/ru_RU.utf8 /usr/lib/locale/ru_RU.utf8
 COPY --from=builder /etc/opt/cprocsp /etc/opt/cprocsp
@@ -52,15 +55,18 @@ COPY --from=builder /build/.build/ervu-sign-module /opt/ervu-sign-module/ervu-si
 EXPOSE 9009
-COPY --chown=ervu:ervu conf/cacerts /cacerts
-COPY --chown=ervu:ervu conf/certs /certs
+COPY --chown=$RUNTIME_USER:$RUNTIME_USER conf/cacerts /cacerts
+COPY --chown=$RUNTIME_USER:$RUNTIME_USER conf/certs /certs
+
 RUN echo "Installing CA certificates" \
+ && /opt/cprocsp/sbin/amd64/cryptsrv \
 && find /cacerts -regex ".*\.\(cer\|crt\)$" -exec /opt/cprocsp/bin/amd64/certmgr -install -store mRoot -file {} \;
-USER ervu
-
 RUN echo "Installing certificates" \
- && find /certs -regex ".*\.\(cer\|crt\)$" -exec /opt/cprocsp/bin/amd64/certmgr -install -file {} \;
+ && /opt/cprocsp/sbin/amd64/cryptsrv \
+ && su -c 'find /certs -regex ".*\.\(cer\|crt\)$" -exec /opt/cprocsp/bin/amd64/certmgr -install -file {} \;' $RUNTIME_USER
+
+#USER ervu
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
index dd2c6eb..f40af3d 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
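Review bot: Commenting out `USER ervu` (it is deleted outright in patch 8/8) means the image no longer switches to the unprivileged user, so ENTRYPOINT runs as root; the `su -c` calls in entrypoint.sh drop privileges for individual commands, but the root shell stays as the container's parent process and anything added to the entrypoint later inherits root by default. If root is required only to start cryptsrv and populate the key directory, record that next to the removed line so the choice reads as deliberate: `# no USER here: entrypoint.sh must start cryptsrv as root, then drops to $RUNTIME_USER via su`. The `RUN … cryptsrv … su -c 'find …' $RUNTIME_USER` step also starts the CSP daemon inside a build layer; that is fine for the layer's lifetime, but it is worth confirming it leaves no runtime state in the image that the second start in entrypoint.sh trips over — hedged, since the daemon's file layout is not visible here.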
@@ -1,19 +1,25 @@
 #!/bin/bash
-username=$(whoami)
+username=$RUNTIME_USER
+
+set -e
+echo "Starting cryptsrv"
+/opt/cprocsp/sbin/amd64/cryptsrv
+echo $?
+set +e
 if [ ! -d /var/opt/cprocsp/keys/$username ]; then
 mkdir -m 700 /var/opt/cprocsp/keys/$username
- cp -r ~/keys/* /var/opt/cprocsp/keys/$username/
+ cp -r /home/$username/keys/* /var/opt/cprocsp/keys/$username/
 chown -R $username:$username /var/opt/cprocsp/keys/$username
 fi
-/opt/cprocsp/bin/amd64/csptest -absorb -certs -autoprov
+su - -c '/opt/cprocsp/bin/amd64/csptest -absorb -certs -autoprov' $username
 echo "Installing CA certificates"
-find ~/cacerts -regex ".*\.\(cer\|crt\)$" -exec /opt/cprocsp/bin/amd64/certmgr -install -store uCA -file {} \;
+su - -c 'find ~/cacerts -regex ".*\.\(cer\|crt\)$" -exec /opt/cprocsp/bin/amd64/certmgr -install -store uCA -file {} \;' $username
-echo "Installing certificates" \
-find ~/certs -regex ".*\.\(cer\|crt\)$" -exec /opt/cprocsp/bin/amd64/certmgr -install -file {} \;
+echo "Installing certificates"
+su - -c 'find ~/certs -regex ".*\.\(cer\|crt\)$" -exec /opt/cprocsp/bin/amd64/certmgr -install -file {} \;' $username
-/opt/ervu-sign-module/ervu-sign-module
+su - -c '/opt/ervu-sign-module/ervu-sign-module' $username

From d9db9b393c257d56a1c3fe0955afc8033dcb50bc Mon Sep 17 00:00:00 2001
From: Pavel Zilke
Date: Fri, 7 Feb 2025 13:17:03 +0300
Subject: [PATCH 8/8] DEVOPS-1922 grooming

---
 Dockerfile.micord | 2 --
 1 file changed, 2 deletions(-)

diff --git a/Dockerfile.micord b/Dockerfile.micord
index 09f0521..a3eda9b 100644
--- a/Dockerfile.micord
+++ b/Dockerfile.micord
@@ -67,6 +67,4 @@ RUN echo "Installing certificates" \
 && /opt/cprocsp/sbin/amd64/cryptsrv \
 && su -c 'find /certs -regex ".*\.\(cer\|crt\)$" -exec /opt/cprocsp/bin/amd64/certmgr -install -file {} \;' $RUNTIME_USER
-#USER ervu
-
 ENTRYPOINT ["/entrypoint.sh"]
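Review bot: `set -e` followed by `echo $?` can never print a non-zero status — a failing cryptsrv aborts the script before the echo — and the `set +e` right after switches error checking off for everything that follows, so the added block should either keep `set -e` for the whole script or test the daemon explicitly: `/opt/cprocsp/sbin/amd64/cryptsrv || { echo "cryptsrv failed to start" >&2; exit 1; }`. `username=$RUNTIME_USER` becomes empty when the variable is not set, after which `mkdir -m 700 /var/opt/cprocsp/keys/` and `chown -R : …` act on the keys directory itself; `username=${RUNTIME_USER:?RUNTIME_USER must be set}` fails fast instead. The service is now started with `su - -c '…' $username` from a root bash that remains the container's main process, so a stop signal reaches bash rather than ervu-sign-module; `exec su - -c '/opt/ervu-sign-module/ervu-sign-module' $username` on the last line at least removes the bash layer (whether su itself forwards signals to its child depends on the su build installed by Dockerfile.micord — confirm). The `~/keys` → `/home/$username/keys` rewrite assumes a home directory for a user created with `--no-create-home`; presumably it is mounted at runtime, which deserves a comment on that line.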