From 045fd4fe6f52dea4cd6de0725c1afef3f97211b2 Mon Sep 17 00:00:00 2001
From: Kenneth Kehl <@kkehl@flexion.us>
Date: Wed, 21 Feb 2024 10:49:24 -0800
Subject: [PATCH] deleted fips.sh script and replace with alpine dockerfile
---
 dockerfile_alpine.txt | 176 ++++++++++++++++++++++++++++++++++++++++++
 fips.sh | 21 -----
 2 files changed, 176 insertions(+), 21 deletions(-)
 create mode 100644 dockerfile_alpine.txt
 delete mode 100644 fips.sh
diff --git a/dockerfile_alpine.txt b/dockerfile_alpine.txt
new file mode 100644
index 000000000..8a95811f7
--- /dev/null
+++ b/dockerfile_alpine.txt
@@ -0,0 +1,176 @@
+FROM alpine:3.19
+
+
+#### OPENSSL STUFF ####
+
+ARG OPENSSL_VERSION=3.0.8
+
+# Make the fips module using FIPS-approved openssl 3.0.8
+RUN apk add --no-cache --virtual .build-deps \
+ make gcc libgcc musl-dev linux-headers perl vim \
+ && wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz \
+ && tar -xf openssl-${OPENSSL_VERSION}.tar.gz\
+ && cd openssl-${OPENSSL_VERSION} \
+ && ./Configure enable-fips --libdir=lib --prefix=/usr/local --openssldir=/usr/local/ssl \
+ && make \
+ && make install \
+ && make install_fips
+ # && apk del .build-deps \
+ # && rm -rf openssl-${OPENSSL_VERSION}.tar.gz openssl-${OPENSSL_VERSION}
+
+
+
+# Add openssl to the path
+ENV PATH="${PATH}:/usr/local/bin"
+
+# As per documentation, tests have to be run on every machine that uses
+# openssl in FIPS mode
+WORKDIR "/openssl-3.0.8"
+RUN make tests
+
+# TODO NOTE that we are running tests against /openssl-3.0.8 and not
+# against /usr/local/bin. Something is wrong with /usr/local/bin still!
+
+# TODO why does this say "/etc/ssl" and not "/usr/local/ssl"?
+RUN echo "GET THE CONF DIRECTORY HERE"
+RUN openssl version -d
+
+
+
+# See https://www.openssl.org/docs/manmaster/man7/fips_module.html
+RUN echo -e '\
+config_diagnostics = 1\n\
+openssl_conf = openssl_init\n\
+\n\
+.include /usr/local/ssl/fipsmodule.cnf\n\
+\n\
+[openssl_init]\n\
+providers = provider_sect\n\
+alg_section = algorithm_sect\n\
+\n\
+[provider_sect]\n\
+fips = fips_sect\n\
+default = default_sect\n\
+\n\
+[default_sect]\n\
+activate = 1\n\
+\n\
+[algorithm_sect]\n\
+default_properties = fips=yes'\
+>> /usr/local/ssl/openssl.cnf
+
+# Just to look at what you think you wrote
+# RUN cat /usr/local/ssl/openssl.cnf
+
+
+# This tells us what versions of openssl we have and if any are FIPs providers
+RUN echo "looking /openssl-3.0.8"
+WORKDIR "/openssl-3.0.8"
+RUN ls -l
+RUN ./util/wrap.pl -fips apps/openssl list -provider-path providers -provider fips -providers
+
+
+
+#### PYTHON STUFF ####
+
+# TODO Note that python does not build successfully with the version of openssl we made above
+# It will build successful with a default installation of openssl
+# The failure says we are missing a half dozen library files with names like lib-devz and lib-zdev, etc.
+# But trying to apk add the listed files results in the same error
+
+# you can specify python version during image build
+ARG PYTHON_VERSION=3.12.2
+
+WORKDIR "/"
+
+# install build dependencies and needed tools
+RUN apk add \
+ wget \
+ gcc \
+ make \
+ zlib-dev \
+ libffi-dev \
+ openssl-dev \
+ musl-dev
+
+# download and extract python sources
+RUN cd /opt \
+ && wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz \
+ && tar xzf Python-${PYTHON_VERSION}.tgz
+
+# build python and remove left-over sources
+RUN cd /opt/Python-${PYTHON_VERSION} \
+ && ./configure --prefix=/usr/local --with-openssl=/openssl-3.0.8 -with-ensurepip=install \
+ && make install \
+ && rm /opt/Python-${PYTHON_VERSION}.tgz /opt/Python-${PYTHON_VERSION} -rf
+
+# python doesn't come with cryptography by default so make a fake requirements.txt file to pull
+# cryptography in
+RUN echo -e '\
+cryptography == 42.0.0'\
+>> ./requirements.txt
+
+RUN pip3 install -r ./requirements.txt
+
+# This is a little test everyone uses to see if cryptography is fips-enabled
+RUN echo -e '\
+from cryptography.hazmat.backends import default_backend\n\
+def is_fips_enabled():\n\
+ try:\n\
+ backend = default_backend()\n\
+ fips_mode = backend._fips_enabled\n\
+ return fips_mode\n\
+ except AttributeError:\n\
+ return False\n\
+print(f"IS FIPS ENABLED? 
{is_fips_enabled()}")'\
+>> ./is_fips_enabled.py
+
+RUN echo "TRYING TO RUN is_fips_enabled.py"
+RUN python3 ./is_fips_enabled.py
+
+
+
+# Abandoned effort to just build cryptography
+
+# It seems like we can't install cryptography until we install python, because we need pip
+#Try to build cryptography https://cryptography.io/en/latest/installation/
+# RUN apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo pkgconfig
+# RUN apk add py3-pip
+# RUN pip3 install cryptography --no-binary cryptography
+# RUN pip3 wheel --no-cache-dir --no-binary cryptography cryptography
+
+# TODO in theory if we could retrieve this wheel somehow, we could
+# put it somewhere and notifications-utils could pull down this
+# version of cartography. And if we did that, our app might be FIPS-compliant
+
+# TODO NEED TO GET PIP INSTALLED SOMEHOW\
+
+
+# RUN apk add --no-cache curl gcc python3 musl-dev python3 py3-pip libffi-dev openssl-dev git python3-dev
+
+# Break system packages to avoid 'system is externally managed' error
+# We don't care about this system, and we don't care about poetry
+# We are just using it to generate a cryptography wheel
+# RUN pip install poetry --break-system-packages
+
+# ENV OPENSSL_FIPS=1
+
+# RUN git clone https://github.com/pyca/cryptography.git
+# RUN cd cryptography
+# RUN ls -l
+# WORKDIR /cryptography
+
+
+# RUN poetry build
+
+# RUN echo "WTF"
+# RUN ls -l
+
+# RUN apk del gcc musl-dev libffi-dev openssl-dev git python3-dev && \
+# rm -rf /var/cache/apk/*
+
+# WORKDIR /wheels
+
+# CMD ["cp", "-r", ".", "/target"]
+
+# docker run --rm -v "$(pwd)/wheels:/target" cryptography-builder
diff --git a/fips.sh b/fips.sh
deleted file mode 100644
index 59c80cbf2..000000000
--- a/fips.sh
+++ /dev/null
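Review bot: The OpenSSL source archive fetched by `wget` in the first RUN is extracted and built with no integrity check, so the FIPS provider that ends up in the image is whatever that download returned; the Python tarball fetched later in the hunk has the same gap. Pin the expected digest next to the version, `ARG OPENSSL_SHA256=<sha256 of openssl-3.0.8.tar.gz>`, and verify it before `tar -xf`: `&& echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c - \`. The tree path `/openssl-3.0.8` is also hard-coded in both `WORKDIR` lines and in `--with-openssl=`, so bumping `OPENSSL_VERSION` would silently test and link against a stale tree; `/openssl-${OPENSSL_VERSION}` keeps them in step. Separately, the second `apk add` lacks `--no-cache`, the commented-out `apk del .build-deps` cleanup never runs, and no `USER` is set, so the final image ships the compiler toolchain and `vim` and runs as root.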
@@ -1,21 +0,0 @@
-
-#!/bin/zsh
-
-# clone from openssl
-git clone https://github.com/openssl/openssl.git
-cd openssl
-
-# get 3.0.8, the latest fips compliant version
-git checkout 31157bc
-
-
-mkdir build
-cd build
-
-# Configure for Ken's laptop architecture, plus enable FIPS (!!) plus specify output folder
-../Configure darwin64-x86_64 enable-fips --debug --prefix=/Users/kkehl/Projects/fips/openssl/install
-make
-make install
-
-# Check the version. There should be comments about FIPS enabled as well
-/Users/kkehl/Projects/fips/openssl/install/bin/openssl version