v0.0.5-beta

.dockerignore

@@ -1,12 +1,11 @@
 config/*.yml
 docs/
 examples/
-pkg/
 test/
 terraform/
-.github/
 
 *.md
 .dockerignore
 .git
 .gitignore
+.github/

.github/workflows/release_build.yml

@@ -8,7 +8,6 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
-
 jobs:
   build:
 
@@ -21,40 +20,41 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      # Workaround: https://github.com/docker/build-push-action/issues/461
-      - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+      # QEMU
+      - name: QEMU
+        uses: docker/setup-qemu-action@v3
+
+      # Setup Docker BuildX
+      - name: Setup Docker BuildX
+        uses: docker/setup-buildx-action@v3
 
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
+      # Login Docker Registry
+      - name: Log Registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        uses: docker/login-action@v1
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
+      # Extract Metadata for Docker
       - name: Extract Docker Metadata
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             type=ref,event=tag
             type=sha
 
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
+      # Build and Push Docker Image with BuildX
       - name: Build and Push Docker Image
-        id: build-and-push
-        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
           cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-to: type=gha,mode=max

Dockerfile

@@ -1,24 +1,41 @@
-# Build Image
-FROM golang:1.20 as builder
+FROM golang:1.21 as builder
+
+# Docker BuildX Target Architecture
+ARG TARGETARCH
 
 ENV CGO_ENABLED=0
 WORKDIR /baseca
 COPY . /baseca
-RUN apt update && apt clean && make build
+
+# Build ARM64 or AMD64 Binary
+RUN apt update && apt clean && \
+    if [ "$TARGETARCH" = "amd64" ]; then \
+        make build_amd64; \
+    elif [ "$TARGETARCH" = "arm64" ]; then \
+        make build_arm64; \
+    else \
+        echo "Unsupported Architecture [$TARGETARCH]"; \
+        exit 1; \
+    fi
 
 # Deploy Image
 FROM alpine:3.17
 
+# Non-Root User
 RUN adduser --home /home/baseca baseca --gecos "baseca" --disabled-password && \
     apk --no-cache add ca-certificates && \
     rm -rf /var/cache/apk/*
 
+# Copy Binary and Configuration from Build Image
 COPY --from=builder /baseca/target/bin/linux/baseca /home/baseca/baseca
 COPY --from=builder /baseca/config /home/baseca/config
 
+# Permissions for Non-Root User
 RUN chown -R baseca:baseca /home/baseca
 
+# Switch to Non-Root User
 USER baseca
 WORKDIR /home/baseca
 
-CMD ["/home/baseca/baseca"]
+# Execute coinbase/baseca
+CMD ["/home/baseca/baseca"]

Makefile

@@ -29,9 +29,17 @@ test: info clean dependencies
 
 .PHONY: build
 build: info clean
-	@ GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o $(BIN)/darwin/$(SERVICE) cmd/baseca/server.go
+	@ GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o $(BIN)/amd64/$(SERVICE) cmd/baseca/server.go
+	@ GOOS=darwin GOARCH=arm64 go build $(LDFLAGS) -o $(BIN)/arm64/$(SERVICE) cmd/baseca/server.go
+
+.PHONY: build_amd64
+build_amd64: info clean
 	@ GOOS=linux GOARCH=amd64 go build $(LDFLAGS) -o $(BIN)/linux/$(SERVICE) cmd/baseca/server.go
 
+.PHONY: build_arm64
+build_arm64: info clean
+	@ GOOS=linux GOARCH=arm64 go build $(LDFLAGS) -o $(BIN)/linux/$(SERVICE) cmd/baseca/server.go
+
 .PHONY: sqlc
 sqlc:
 	@ sqlc generate -f db/sqlc.yaml

config/aws/ec2.amazonaws.com.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
+FgYDVQQKEw9BbWF6b24uY29tIEluYy4xGjAYBgNVBAMTEWVjMi5hbWF6b25hd3Mu
+Y29tMB4XDTE0MDYwNTE0MjgwMloXDTI0MDYwNTE0MjgwMlowajELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGDAWBgNV
+BAoTD0FtYXpvbi5jb20gSW5jLjEaMBgGA1UEAxMRZWMyLmFtYXpvbmF3cy5jb20w
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIe9GN//SRK2knbjySG0ho3yqQM3
+e2TDhWO8D2e8+XZqck754gFSo99AbT2RmXClambI7xsYHZFapbELC4H91ycihvrD
+jbST1ZjkLQgga0NE1q43eS68ZeTDccScXQSNivSlzJZS8HJZjgqzBlXjZftjtdJL
+XeE4hwvo0sD4f3j9AgMBAAGjgc8wgcwwHQYDVR0OBBYEFCXWzAgVyrbwnFncFFIs
+77VBdlE4MIGcBgNVHSMEgZQwgZGAFCXWzAgVyrbwnFncFFIs77VBdlE4oW6kbDBq
+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh
+dHRsZTEYMBYGA1UEChMPQW1hem9uLmNvbSBJbmMuMRowGAYDVQQDExFlYzIuYW1h
+em9uYXdzLmNvbYIJAKnL4UEDMN/FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
+BQADgYEAFYcz1OgEhQBXIwIdsgCOS8vEtiJYF+j9uO6jz7VOmJqO+pRlAbRlvY8T
+C1haGgSI/A1uZUKs/Zfnph0oEI0/hu1IIJ/SKBDtN5lvmZ/IzbOPIJWirlsllQIQ
+7zvWbGd9c9+Rm3p04oTvhup99la7kZqevJK0QRdD/6NpCKsqP/0=
+-----END CERTIFICATE-----

db/sqlc/common.go

@@ -1,25 +1,16 @@
 package db
 
-import "github.com/coinbase/baseca/internal/types"
-
-type CertificateResponseData struct {
-	Certificate                  string                    `json:"certificate"`
-	IntermediateCertificateChain string                    `json:"intermediate_certificate_chain,omitempty"`
-	RootCertificateChain         string                    `json:"root_certificate_chain,omitempty"`
-	Metadata                     types.CertificateMetadata `json:"metadata"`
-}
-
 type DatabaseEndpoints struct {
 	Writer Store
 	Reader Store
 }
 
-type CachedServiceAccount struct {
+type ServiceAccountAttestation struct {
 	ServiceAccount Account        `json:"service_account"`
 	AwsIid         AwsAttestation `json:"aws_iid"`
 }
 
-type CachedProvisionerAccount struct {
+type ProvisionerAccountAttestation struct {
 	ProvisionerAccount Provisioner    `json:"provisioner_account"`
 	AwsIid             AwsAttestation `json:"aws_iid"`
 }

db/sqlc/tx_provisioner_account.go

@@ -3,6 +3,7 @@ package db
 import (
 	"context"
 
+	"github.com/coinbase/baseca/internal/types"
 	"github.com/google/uuid"
 )
 
@@ -19,7 +20,7 @@ func (store *SQLStore) TxCreateProvisionerAccount(ctx context.Context, arg Creat
 
 		for _, node_attestation := range arg.NodeAttestation {
 			switch node_attestation {
-			case "AWS_IID":
+			case types.AWS_IID.String():
 				// Add to AWS_IID Database
 				_, err = store.StoreInstanceIdentityDocument(ctx, iid)
 				if err != nil {

db/sqlc/tx_service_account.go

@@ -3,6 +3,7 @@ package db
 import (
 	"context"
 
+	"github.com/coinbase/baseca/internal/types"
 	"github.com/google/uuid"
 )
 
@@ -19,7 +20,7 @@ func (store *SQLStore) TxCreateServiceAccount(ctx context.Context, arg CreateSer
 
 		for _, node_attestation := range arg.NodeAttestation {
 			switch node_attestation {
-			case "AWS_IID":
+			case types.AWS_IID.String():
 				// Add to AWS_IID Database
 				_, err = store.StoreInstanceIdentityDocument(ctx, iid)
 				if err != nil {

db/sqlc/tx_update_account.go

@@ -26,19 +26,19 @@ func (store *SQLStore) TxUpdateServiceAccount(ctx context.Context, arg Account,
 		NodeAttestation:             arg.NodeAttestation,
 	}
 
-	raw_message, err := validator.MapToNullRawMessage(attestation.AWSInstanceIdentityDocument.InstanceTags)
+	raw_message, err := validator.MapToNullRawMessage(attestation.EC2NodeAttestation.InstanceTags)
 	if err != nil {
 		return nil, err
 	}
 
 	iid := StoreInstanceIdentityDocumentParams{
 		ClientID:        arg.ClientID,
-		RoleArn:         sql.NullString{String: attestation.AWSInstanceIdentityDocument.RoleArn, Valid: len(attestation.AWSInstanceIdentityDocument.RoleArn) != 0},
-		AssumeRole:      sql.NullString{String: attestation.AWSInstanceIdentityDocument.AssumeRole, Valid: len(attestation.AWSInstanceIdentityDocument.AssumeRole) != 0},
-		SecurityGroupID: attestation.AWSInstanceIdentityDocument.SecurityGroups,
-		Region:          sql.NullString{String: attestation.AWSInstanceIdentityDocument.Region, Valid: len(attestation.AWSInstanceIdentityDocument.Region) != 0},
-		InstanceID:      sql.NullString{String: attestation.AWSInstanceIdentityDocument.InstanceID, Valid: len(attestation.AWSInstanceIdentityDocument.InstanceID) != 0},
-		ImageID:         sql.NullString{String: attestation.AWSInstanceIdentityDocument.ImageID, Valid: len(attestation.AWSInstanceIdentityDocument.ImageID) != 0},
+		RoleArn:         sql.NullString{String: attestation.EC2NodeAttestation.RoleArn, Valid: len(attestation.EC2NodeAttestation.RoleArn) != 0},
+		AssumeRole:      sql.NullString{String: attestation.EC2NodeAttestation.AssumeRole, Valid: len(attestation.EC2NodeAttestation.AssumeRole) != 0},
+		SecurityGroupID: attestation.EC2NodeAttestation.SecurityGroups,
+		Region:          sql.NullString{String: attestation.EC2NodeAttestation.Region, Valid: len(attestation.EC2NodeAttestation.Region) != 0},
+		InstanceID:      sql.NullString{String: attestation.EC2NodeAttestation.InstanceID, Valid: len(attestation.EC2NodeAttestation.InstanceID) != 0},
+		ImageID:         sql.NullString{String: attestation.EC2NodeAttestation.ImageID, Valid: len(attestation.EC2NodeAttestation.ImageID) != 0},
 		InstanceTags:    raw_message,
 	}
 
@@ -52,7 +52,7 @@ func (store *SQLStore) TxUpdateServiceAccount(ctx context.Context, arg Account,
 
 		for _, node_attestation := range arg.NodeAttestation {
 			switch node_attestation {
-			case types.Attestation.AWS_IID:
+			case types.AWS_IID.String():
 				// Add to AWS_IID Database
 				_, err = store.StoreInstanceIdentityDocument(ctx, iid)
 				if err != nil {

docs/GETTING_STARTED.md

@@ -221,13 +221,11 @@ ssl_mode: disable
 Compile the Golang Binary `baseca`
 
 ```sh
-# Darwin AMD64
-GOOS=darwin GOARCH=amd64 go build -o target/bin/darwin/baseca cmd/baseca/server.go
-database_credentials=secret ./target/bin/darwin/baseca
+cd /path/to/baseca
+make build
 
-# Linux AMD64
-GOOS=linux GOARCH=amd64 go build -o target/bin/linux/baseca cmd/baseca/server.go
-database_credentials=secret ./target/bin/linux/baseca
+# Update Path Based on AMD64 or ARM64 Architecture
+database_credentials=secret ./target/bin/arm64/baseca
 ```
 
 ## Signing x.509 Certificate

examples/certificate/baseca.v1.Certificate/code_sign.go → examples/baseca.v1.Certificate/code_sign.go

@@ -2,7 +2,7 @@ package examples
 
 import (
 	"crypto/x509"
-	"fmt"
+	"log"
 	"os"
 
 	baseca "github.com/coinbase/baseca/pkg/client"
@@ -22,12 +22,12 @@ func CodeSign() {
 
 	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
 	if err != nil {
-		fmt.Println(err)
+		log.Fatal(err)
 	}
 
 	metadata := baseca.CertificateRequest{
-		CommonName:            "sandbox.coinbase.com",
-		SubjectAlternateNames: []string{"sandbox.coinbase.com"},
+		CommonName:            "example.coinbase.com",
+		SubjectAlternateNames: []string{"example.coinbase.com"},
 		SigningAlgorithm:      x509.ECDSAWithSHA384,
 		PublicKeyAlgorithm:    x509.ECDSA,
 		KeySize:               256,
@@ -45,28 +45,33 @@ func CodeSign() {
 	}
 
 	data, _ := os.ReadFile("/bin/chmod")
-	signature, chain, err := client.GenerateSignature(metadata, data)
+	signature, chain, err := client.GenerateSignature(metadata, &data)
 	if err != nil {
-		panic(err)
+		log.Fatal(err)
 	}
 
 	// Validation Happens on Different Server
 	manifest := types.Manifest{
 		CertificateChain: chain,
-		Signature:        *signature,
-		Data:             data,
-		SigningAlgorithm: x509.SHA256WithRSA,
+		Signature:        signature,
+		SigningAlgorithm: x509.ECDSAWithSHA512,
+		Data: types.Data{
+			Path: types.Path{
+				File:   "/bin/chmod",
+				Buffer: 4096,
+			},
+		},
 	}
 
 	tc := types.TrustChain{
 		CommonName:                "sandbox.coinbase.com",
-		CertificateAuthorityFiles: []string{"/path/to/intermediate.pem"},
+		CertificateAuthorityFiles: []string{"/path/to/intermediate_ca.crt"},
 	}
 
-	err = client.ValidateSignature(tc, manifest)
+	err = baseca.ValidateSignature(tc, manifest)
 	if err != nil {
-		panic(err)
+		log.Fatal(err)
 	}
 
-	fmt.Println("Signature Verified")
+	log.Print("Signature Verified")
 }

examples/certificate/baseca.v1.Certificate/operations_sign_csr.go → examples/baseca.v1.Certificate/operations_sign_csr.go

@@ -2,7 +2,6 @@ package examples
 
 import (
 	"crypto/x509"
-	"fmt"
 	"log"
 
 	apiv1 "github.com/coinbase/baseca/gen/go/baseca/v1"
@@ -22,7 +21,7 @@ func OperationsSignCSR() {
 
 	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
 	if err != nil {
-		fmt.Println(err)
+		log.Fatal(err)
 	}
 
 	certAuth := apiv1.CertificateAuthorityParameter{

examples/certificate/baseca.v1.Certificate/sign_csr.go → examples/baseca.v1.Certificate/sign_csr.go

@@ -2,7 +2,6 @@ package examples
 
 import (
 	"crypto/x509"
-	"fmt"
 	"log"
 
 	baseca "github.com/coinbase/baseca/pkg/client"
@@ -21,15 +20,15 @@ func SignCSR() {
 
 	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
 	if err != nil {
-		fmt.Println(err)
+		log.Fatal(err)
 	}
 
 	metadata := baseca.CertificateRequest{
-		CommonName:            "sandbox.coinbase.com",
-		SubjectAlternateNames: []string{"sandbox.coinbase.com"},
-		SigningAlgorithm:      x509.SHA384WithRSA,
-		PublicKeyAlgorithm:    x509.RSA,
-		KeySize:               4096,
+		CommonName:            "example.coinbase.com",
+		SubjectAlternateNames: []string{"example.coinbase.com"},
+		SigningAlgorithm:      x509.ECDSAWithSHA384,
+		PublicKeyAlgorithm:    x509.ECDSA,
+		KeySize:               256,
 		DistinguishedName: baseca.DistinguishedName{
 			Organization: []string{"Coinbase"},
 			// Additional Fields