@unprovable
Created January 20, 2025 14:23
Dockerfile for PQC Apache
# You could just use https://github.com/open-quantum-safe/oqs-demos/tree/main/httpd ...
# but if you REALLY want ubuntu flavoured PQC... here's a working version of the script
# on this blog: https://medium.com/be-tech-with-santander/how-to-configure-post-quantum-cryptography-in-your-web-server-fcf79e05e526
# (theirs has a gnarly typo that is fixed below)
# This will PROBABLY BREAK when OpenSSL changes its format for the default openssl.cnf file, but until then this should be good.
# -M.
# Pin the base image: this was written against ubuntu:latest = 24.04 (OpenSSL 3.0.x), and the
# line-number patch to openssl.cnf further down assumes that file's layout. The provider is
# built against Ubuntu's system OpenSSL (libssl-dev), which is the library apache2 links to;
# a separately built, newer OpenSSL would not be picked up by Apache.
FROM ubuntu:24.04
# install apache. apt-get (not apt) for scripted use, -y so the build never waits on a
# prompt; openssl is listed explicitly because 'openssl req' below needs the CLI and it
# should not be left to transitive dependencies.
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get upgrade -y && \
    apt-get install -y apache2 apache2-utils openssl ca-certificates
# enable ssl: self-signed test certificate written straight to the paths Apache reads,
# so no stray copy of the private key is left behind in /etc/ssl. Modern clients ignore
# the CN, so a subjectAltName for localhost is included.
RUN openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
    -subj "/C=GB/ST=London/L=London/O=London/CN=localhost" \
    -addext "subjectAltName=DNS:localhost" \
    -keyout /etc/ssl/private/localhost.key -out /etc/ssl/certs/localhost.crt
RUN echo '<VirtualHost *:443>\n\
DocumentRoot "/var/www/html"\n\
ServerName localhost\n\
\n\
SSLEngine on\n\
SSLCertificateFile "/etc/ssl/certs/localhost.crt"\n\
SSLCertificateKeyFile "/etc/ssl/private/localhost.key"\n\
</VirtualHost>' >> /etc/apache2/sites-available/localhost-ssl.conf
RUN echo 'ServerName localhost' >> /etc/apache2/apache2.conf
RUN a2enmod ssl &&\
a2enmod rewrite &&\
a2dissite 000-default default-ssl &&\
a2ensite localhost-ssl
# install the OQS provider build dependencies. gcc and patch are named explicitly rather
# than left to transitive dependencies; the lists are refreshed first so this step
# stands on its own, and dropped afterwards to keep the image small.
RUN apt-get update && \
    apt-get install -y git cmake gcc ninja-build libssl-dev openssl ca-certificates patch && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /opt
RUN git clone https://github.com/open-quantum-safe/oqs-provider.git
WORKDIR /opt/oqs-provider
RUN ./scripts/fullbuild.sh
RUN cmake --install _build
# we can run tests to make sure we're kosher
RUN ./scripts/runtests.sh
# add the provider to the system openssl.cnf. Two edits are needed: register oqsprovider
# in [provider_sect], and uncomment 'activate = 1' in [default_sect]. The second is not
# optional: once any provider is activated explicitly, OpenSSL stops activating the
# default provider implicitly, and the classical algorithms (RSA, X25519, ...) disappear
# with it. The ed-style diff below does both by line number against Ubuntu 24.04's stock
# openssl.cnf; if that file has drifted, patch reports a failed hunk and the build stops.
RUN echo '58a59,63\n\
> oqsprovider = oqsprovider_sect\n\
> [default_sect]\n\
> activate = 1\n\
> [oqsprovider_sect]\n\
> activate = 1\n\
71,72d75\n\
< [default_sect]\n\
< # activate = 1' > openssl.cnf.patch
RUN patch /etc/ssl/openssl.cnf openssl.cnf.patch
# confirm the provider actually loads; the grep turns the listing into a build-time check
RUN openssl list -providers | tee /dev/stderr | grep -qw oqsprovider
# setup apache with oqs: offer the hybrid ML-KEM group first, with classical fallbacks
# for clients that do not support it. The directive is appended rather than sed-edited,
# because rewriting an existing SSLOpenSSLConfCmd line is a silent no-op when there is
# none. PQC key exchange is only negotiated under TLS 1.3.
RUN echo '\nSSLOpenSSLConfCmd Curves X25519MLKEM768:X448:X25519:prime256v1' >> /etc/apache2/mods-enabled/ssl.conf
# expose port
EXPOSE 443
# run apache2
CMD ["apachectl", "-D", "FOREGROUND"]
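Two checks that go with the build above, as an added example; this is not part of the gist or of the oqs-provider project. enable_oqs_provider makes the same openssl.cnf change the ed-style patch makes, but by section name instead of line number, so it survives a re-ordered file. negotiated_group reads openssl s_client output and reports the key-exchange group the server actually used; OpenSSL 3.2+ prints it directly, while the 3.0 build in Ubuntu 24.04 does not, so for those the caller passes the single group it offered and a completed TLS 1.3 handshake implies that group. The function names, the host/port/group defaults, and both sample inputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the gist. Sample inputs are constructed for illustration.
set -e

# Read an OpenSSL 3 config on stdin, write it with the OQS provider enabled on stdout.
# Three edits: register oqsprovider in [provider_sect]; uncomment 'activate = 1' in
# [default_sect] (once any provider is activated explicitly, OpenSSL no longer activates
# the default one implicitly, so RSA, X25519 etc. would vanish); append [oqsprovider_sect].
# A config that already lists oqsprovider is passed through unchanged (idempotent).
enable_oqs_provider() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q '^oqsprovider *= *oqsprovider_sect'; then
        printf '%s\n' "$cfg"
        return 0
    fi
    printf '%s\n' "$cfg" | awk '
        /^\[/ { section = $0 }
        section == "[default_sect]" && $0 ~ /^# *activate *= *1/ { $0 = "activate = 1" }
        { print }
        section == "[provider_sect]" && $0 ~ /^default *= *default_sect/ {
            print "oqsprovider = oqsprovider_sect"
        }
        END { print ""; print "[oqsprovider_sect]"; print "activate = 1" }
    '
}

# Read 'openssl s_client' output on stdin; print the negotiated group or "none".
# OpenSSL 3.2+ prints "Negotiated TLS1.3 group: <name>". Older 3.x (Ubuntu 24.04 ships
# 3.0) prints no such line, so the caller passes the one group it offered with -groups:
# a completed TLS 1.3 handshake then proves that group was used, since nothing else
# was on offer.
negotiated_group() {
    awk -v offered="${1:-}" '
        /^Negotiated TLS1.3 group: / { sub(/^Negotiated TLS1.3 group: /, ""); name = $0 }
        /^New, TLSv1\.3, /          { tls13 = 1 }
        END {
            if (name != "") print name
            else if (tls13 && offered != "") print offered
            else print "none"
        }
    '
}

# Live check against a running server: offer only the hybrid group, so a fallback to a
# classical group fails the handshake instead of passing silently. Run it where the
# provider is loaded (inside the container); a client without it cannot offer the group
# at all and reports "none".
check_pqc_handshake() {
    host=${1:-localhost}; port=${2:-443}; group=${3:-X25519MLKEM768}
    openssl s_client -connect "$host:$port" -groups "$group" </dev/null 2>/dev/null \
        | negotiated_group "$group"
}

# Constructed sample, modelled on the provider section of a stock Ubuntu openssl.cnf.
SAMPLE_CNF=$(cat <<'EOF'
[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
##legacy = legacy_sect

[default_sect]
# activate = 1

##[legacy_sect]
##activate = 1
EOF
)

# Constructed sample: the tail of an s_client session with an OpenSSL 3.2+ client.
SAMPLE_SCLIENT=$(cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 4096 bit
Negotiated TLS1.3 group: X25519MLKEM768
EOF
)

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CNF" | enable_oqs_provider
    printf '%s\n' "$SAMPLE_SCLIENT" | negotiated_group
fi
```

To use enable_oqs_provider in place of the line-number patch, pipe the real file through it and move the result back (enable_oqs_provider < /etc/ssl/openssl.cnf > /tmp/openssl.cnf && mv /tmp/openssl.cnf /etc/ssl/openssl.cnf), then keep the openssl list -providers check. check_pqc_handshake is meant to be run with docker exec inside the container, because the host's openssl will normally not have the provider and therefore cannot offer X25519MLKEM768.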