v0.0.6-beta

Dockerfile

@@ -18,24 +18,28 @@ RUN apt update && apt clean && \
         exit 1; \
     fi
 
-# Deploy Image
-FROM alpine:3.17
+# Deploy Image using Alpine Linux
+FROM alpine:3.19
 
-# Non-Root User
-RUN adduser --home /home/baseca baseca --gecos "baseca" --disabled-password && \
-    apk --no-cache add ca-certificates && \
+# Add a Non-Root User
+RUN addgroup -S baseca && adduser -S baseca -G baseca && \
+    mkdir -p /home/baseca/config && \
+    chown -R baseca:baseca /home/baseca
+
+# Install Required Dependencies
+RUN apk --no-cache add ca-certificates && \
     rm -rf /var/cache/apk/*
 
 # Copy Binary and Configuration from Build Image
 COPY --from=builder /baseca/target/bin/linux/baseca /home/baseca/baseca
 COPY --from=builder /baseca/config /home/baseca/config
 
-# Permissions for Non-Root User
+# Set permissions for copied files
 RUN chown -R baseca:baseca /home/baseca
 
 # Switch to Non-Root User
 USER baseca
 WORKDIR /home/baseca
 
 # Execute coinbase/baseca
-CMD ["/home/baseca/baseca"]
+CMD ["/home/baseca/baseca"]

docs/ENDPOINTS.md

@@ -59,7 +59,7 @@ Sign Certificate Signing Request (CSR)
 Service Account Authentication
 
 **Client Example**
-[sign_csr.go](../examples/certificate/baseca.v1.Certificate/sign_csr.go)
+[sign_csr.go](../examples/baseca.v1.Certificate/sign_csr.go)
 
 **Request**
 
@@ -340,7 +340,7 @@ Manual Sign Certificate Signing Request (CSR)
 Provisioner Account Authentication
 
 **Client Example**
-[operations_sign_csr.go](../examples/certificate/baseca.v1.Certificate/operations_sign_csr.go)
+[operations_sign_csr.go](../examples/baseca.v1.Certificate/operations_sign_csr.go)
 
 **Request**
 

docs/GETTING_STARTED.md

@@ -320,36 +320,29 @@ import (
     "log"
 
     baseca "github.com/coinbase/baseca/pkg/client"
+    "github.com/coinbase/baseca/pkg/types"
 )
 
 func main() {
-    configuration := baseca.Configuration{
-      URL:         "localhost:9090",
-      Environment: baseca.Env.Local,
-    }
-
-    authentication := baseca.Authentication{
-      ClientId:    "CLIENT_ID",
-      ClientToken: "CLIENT_TOKEN",
-    }
+    client, err := baseca.NewClient("localhost:9090", baseca.Attestation.Local,
+      baseca.WithClientId("CLIENT_ID"), baseca.WithClientToken("CLIENT_TOKEN"),
+      baseca.WithInsecure()) // Insecure for Local Development
 
-    client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
     if err != nil {
-      // Handle Error
       log.Fatal(err)
     }
 
-    metadata := baseca.CertificateRequest{
+    metadata := types.CertificateRequest{
       CommonName:            "development.coinbase.com",
       SubjectAlternateNames: []string{"development.coinbase.com"},
       SigningAlgorithm:      x509.SHA512WithRSA,
       PublicKeyAlgorithm:    x509.RSA,
       KeySize:               4096,
-      DistinguishedName: baseca.DistinguishedName{
+      DistinguishedName: types.DistinguishedName{
         Organization: []string{"Coinbase"},
         // Additional Fields
       },
-      Output: baseca.Output{
+      Output: types.Output{
         PrivateKey:                   "/tmp/private.key", // baseca Generate Private Key Output Location
         Certificate:                  "/tmp/certificate.crt", // baseca Signed Leaf Certificate Output Location
         IntermediateCertificateChain: "/tmp/intermediate_chain.crt", // baseca Signed Certificate Chain Up to Intermediate CA Output Location

examples/baseca.v1.Certificate/code_sign.go

@@ -3,49 +3,47 @@ package examples
 import (
 	"crypto/x509"
 	"log"
-	"os"
 
 	baseca "github.com/coinbase/baseca/pkg/client"
 	"github.com/coinbase/baseca/pkg/types"
 )
 
 func CodeSign() {
-	configuration := baseca.Configuration{
-		URL:         "localhost:9090",
-		Environment: baseca.Env.Local,
-	}
-
-	authentication := baseca.Authentication{
-		ClientId:    "CLIENT_ID",
-		ClientToken: "CLIENT_TOKEN",
-	}
-
-	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
+	client, err := baseca.NewClient("localhost:9090", baseca.Attestation.Local,
+		baseca.WithClientId("CLIENT_ID"), baseca.WithClientToken("CLIENT_TOKEN"),
+		baseca.WithInsecure())
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	metadata := baseca.CertificateRequest{
-		CommonName:            "example.coinbase.com",
-		SubjectAlternateNames: []string{"example.coinbase.com"},
-		SigningAlgorithm:      x509.ECDSAWithSHA384,
-		PublicKeyAlgorithm:    x509.ECDSA,
-		KeySize:               256,
-		DistinguishedName: baseca.DistinguishedName{
-			Organization: []string{"Coinbase"},
-			// Additional Fields
+	metadata := types.Signature{
+		CertificateRequest: types.CertificateRequest{
+			CommonName:            "example.coinbase.com",
+			SubjectAlternateNames: []string{"example.coinbase.com"},
+			SigningAlgorithm:      x509.ECDSAWithSHA512,
+			PublicKeyAlgorithm:    x509.ECDSA,
+			KeySize:               256,
+			Output: types.Output{
+				PrivateKey:                   "/tmp/private.key",
+				Certificate:                  "/tmp/certificate.crt",
+				IntermediateCertificateChain: "/tmp/intermediate_chain.crt",
+				RootCertificateChain:         "/tmp/root_chain.crt",
+				CertificateSigningRequest:    "/tmp/certificate_request.csr",
+			},
+			DistinguishedName: types.DistinguishedName{
+				Organization: []string{"Coinbase"},
+			},
 		},
-		Output: baseca.Output{
-			PrivateKey:                   "/tmp/private.key",
-			Certificate:                  "/tmp/certificate.crt",
-			IntermediateCertificateChain: "/tmp/intermediate_chain.crt",
-			RootCertificateChain:         "/tmp/root_chain.crt",
-			CertificateSigningRequest:    "/tmp/certificate_request.csr",
+		SigningAlgorithm: x509.ECDSAWithSHA512,
+		Data: types.Data{
+			Path: types.Path{
+				File:   "/path/to/artifact",
+				Buffer: 4096,
+			},
 		},
 	}
 
-	data, _ := os.ReadFile("/bin/chmod")
-	signature, chain, err := client.GenerateSignature(metadata, &data)
+	signature, chain, err := client.GenerateSignature(metadata)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -57,15 +55,15 @@ func CodeSign() {
 		SigningAlgorithm: x509.ECDSAWithSHA512,
 		Data: types.Data{
 			Path: types.Path{
-				File:   "/bin/chmod",
+				File:   "/path/to/artifact",
 				Buffer: 4096,
 			},
 		},
 	}
 
 	tc := types.TrustChain{
-		CommonName:                "sandbox.coinbase.com",
-		CertificateAuthorityFiles: []string{"/path/to/intermediate_ca.crt"},
+		CommonName:                "example.coinbase.com",
+		CertificateAuthorityFiles: []string{"/path/to/intermetidate.crt"},
 	}
 
 	err = baseca.ValidateSignature(tc, manifest)

examples/baseca.v1.Certificate/operations_sign_csr.go

@@ -6,20 +6,13 @@ import (
 
 	apiv1 "github.com/coinbase/baseca/gen/go/baseca/v1"
 	baseca "github.com/coinbase/baseca/pkg/client"
+	"github.com/coinbase/baseca/pkg/types"
 )
 
 func OperationsSignCSR() {
-	configuration := baseca.Configuration{
-		URL:         "localhost:9090",
-		Environment: baseca.Env.Local,
-	}
-
-	authentication := baseca.Authentication{
-		ClientId:    "CLIENT_ID",
-		ClientToken: "CLIENT_TOKEN",
-	}
-
-	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
+	client, err := baseca.NewClient("localhost:9090", baseca.Attestation.Local,
+		baseca.WithClientId("CLIENT_ID"), baseca.WithClientToken("CLIENT_TOKEN"),
+		baseca.WithInsecure())
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -32,17 +25,17 @@ func OperationsSignCSR() {
 		Validity:      30,
 	}
 
-	certificateRequest := baseca.CertificateRequest{
+	certificateRequest := types.CertificateRequest{
 		CommonName:            "example.coinbase.com",
 		SubjectAlternateNames: []string{"example.coinbase.com"},
 		SigningAlgorithm:      x509.SHA384WithRSA,
 		PublicKeyAlgorithm:    x509.RSA,
 		KeySize:               4096,
-		DistinguishedName: baseca.DistinguishedName{
+		DistinguishedName: types.DistinguishedName{
 			Organization: []string{"Coinbase"},
 			// Additional Fields
 		},
-		Output: baseca.Output{
+		Output: types.Output{
 			PrivateKey:                   "/tmp/sandbox.key",
 			CertificateSigningRequest:    "/tmp/sandbox.csr",
 			Certificate:                  "/tmp/sandbox.crt",

examples/baseca.v1.Certificate/sign_csr.go

@@ -5,35 +5,32 @@ import (
 	"log"
 
 	baseca "github.com/coinbase/baseca/pkg/client"
+	"github.com/coinbase/baseca/pkg/types"
 )
 
 func SignCSR() {
-	configuration := baseca.Configuration{
-		URL:         "localhost:9090",
-		Environment: baseca.Env.Local,
-	}
-
-	authentication := baseca.Authentication{
-		ClientId:    "CLIENT_ID",
-		ClientToken: "CLIENT_TOKEN",
-	}
-
-	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
+	client, err := baseca.NewClient("localhost:9090", baseca.Attestation.Local,
+		baseca.WithClientId("CLIENT_ID"), baseca.WithClientToken("CLIENT_TOKEN"),
+		baseca.WithInsecure())
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	metadata := baseca.CertificateRequest{
+	metadata := types.CertificateRequest{
 		CommonName:            "example.coinbase.com",
 		SubjectAlternateNames: []string{"example.coinbase.com"},
 		SigningAlgorithm:      x509.ECDSAWithSHA384,
 		PublicKeyAlgorithm:    x509.ECDSA,
 		KeySize:               256,
-		DistinguishedName: baseca.DistinguishedName{
-			Organization: []string{"Coinbase"},
+		DistinguishedName: types.DistinguishedName{
+			Organization:       []string{"Coinbase"},
+			Locality:           []string{"San Francisco"},
+			Province:           []string{"California"},
+			Country:            []string{"US"},
+			OrganizationalUnit: []string{"Security"},
 			// Additional Fields
 		},
-		Output: baseca.Output{
+		Output: types.Output{
 			PrivateKey:                   "/tmp/private.key",
 			Certificate:                  "/tmp/certificate.crt",
 			IntermediateCertificateChain: "/tmp/intermediate_chain.crt",

go.mod

@@ -30,7 +30,7 @@ require (
 	go.uber.org/fx v1.20.0
 	go.uber.org/mock v0.3.0
 	go.uber.org/zap v1.25.0
-	golang.org/x/crypto v0.14.0
+	golang.org/x/crypto v0.19.0
 	golang.org/x/net v0.17.0
 	google.golang.org/grpc v1.57.1
 	google.golang.org/protobuf v1.31.0
@@ -75,8 +75,8 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	go.uber.org/dig v1.17.0 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -328,8 +328,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -457,8 +457,8 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -468,8 +468,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

internal/v1/certificate/operations_test.go

@@ -12,6 +12,7 @@ import (
 	db "github.com/coinbase/baseca/db/sqlc"
 	apiv1 "github.com/coinbase/baseca/gen/go/baseca/v1"
 	c "github.com/coinbase/baseca/pkg/client"
+	"github.com/coinbase/baseca/pkg/types"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 )
@@ -80,7 +81,7 @@ func TestOperationsSignCSR(t *testing.T) {
 		{
 			name: "OK_NO_CERTIFICATE_AUTHORITY_INPUT",
 			req: func() *apiv1.OperationsSignRequest {
-				req := c.CertificateRequest{
+				req := types.CertificateRequest{
 					CommonName:            "development.example.com",
 					SubjectAlternateNames: []string{"development.example.com"},
 					SigningAlgorithm:      x509.SHA512WithRSA,
@@ -138,7 +139,7 @@ func TestOperationsSignCSR(t *testing.T) {
 		{
 			name: "OK_CERTIFICATE_AUTHORITY_INPUT",
 			req: func() *apiv1.OperationsSignRequest {
-				req := c.CertificateRequest{
+				req := types.CertificateRequest{
 					CommonName:            "development.example.com",
 					SubjectAlternateNames: []string{"development.example.com"},
 					SigningAlgorithm:      x509.SHA512WithRSA,

internal/v1/certificate/sign.go

@@ -80,7 +80,7 @@ func (c *Certificate) SignCSR(ctx context.Context, req *apiv1.CertificateSigning
 
 func (c *Certificate) requestCertificate(ctx context.Context, authPayload *types.ServiceAccountPayload, certificateRequest *x509.CertificateRequest) (*types.CertificateResponseData, error) {
 	var subordinate *types.CertificateAuthority
-	var parameters baseca.CertificateRequest
+	var parameters lib.CertificateRequest
 	var csr *bytes.Buffer
 	var err error
 
@@ -108,13 +108,13 @@ func (c *Certificate) requestCertificate(ctx context.Context, authPayload *types
 			return nil, fmt.Errorf("invalid signing algorithm: %s", c.ca.SigningAlgorithm)
 		}
 
-		parameters = baseca.CertificateRequest{
+		parameters = lib.CertificateRequest{
 			CommonName:            intermediateCa,
 			SubjectAlternateNames: []string{intermediateCa},
 			SigningAlgorithm:      signingAlgorithm.Common,
 			PublicKeyAlgorithm:    lib.PublicKeyAlgorithmStrings[c.ca.KeyAlgorithm].Algorithm,
 			KeySize:               c.ca.KeySize,
-			DistinguishedName: baseca.DistinguishedName{
+			DistinguishedName: lib.DistinguishedName{
 				Country:            []string{c.ca.Country},
 				Province:           []string{c.ca.Province},
 				Locality:           []string{c.ca.Locality},