Initial public version

.bazelrc

@@ -0,0 +1,43 @@
+import %workspace%/clang.bazelrc
+
+startup --host_jvm_args=-Xmx4g
+
+# This flag hints Bazel about the use of incompatible platforms for repositories.
+# Without this flag, Bazel may raise an error about a repo that is not compatible
+# with a specific platform, even if it is not the actual platform it is building
+# on.
+build --noincompatible_use_platforms_repo_for_constraints
+
+build --config=clang
+
+test --test_env=LANG=C
+test --test_output=errors
+test --build_tests_only
+test --test_summary=short
+
+# This flag is needed for building LLVM.
+build --cxxopt=-std=c++17 --host_cxxopt=-std=c++17
+
+###
+# Performance fixes
+###
+build --experimental_remote_merkle_tree_cache
+query --experimental_remote_merkle_tree_cache
+build --noexperimental_check_output_files --noexperimental_check_external_repository_files
+fetch --noexperimental_check_output_files --noexperimental_check_external_repository_files
+query --noexperimental_check_output_files --noexperimental_check_external_repository_files
+build --incompatible_remote_results_ignore_disk
+build --experimental_reuse_sandbox_directories
+
+
+###
+# Correctness guarantees
+###
+startup --host_jvm_args=-DBAZEL_TRACK_SOURCE_DIRECTORIES=1
+build --sandbox_default_allow_network=false
+test --incompatible_exclusive_test_sandboxed
+build --incompatible_strict_action_env
+build --nolegacy_external_runfiles
+build --incompatible_remote_results_ignore_disk
+build --incompatible_default_to_explicit_init_py
+common --incompatible_allow_tags_propagation

.circleci/config.yml

@@ -0,0 +1,194 @@
+version: 2.1
+
+jobs:
+  run-all-tests:
+    resource_class: xlarge
+    docker:
+      - image: "us-docker.pkg.dev/pqc-infra-test/circleci-runner/runner:latest"
+        auth:
+          username: _json_key
+          password: $RUNNER_GCR_SA_KEY
+    steps:
+      - checkout
+      - run:
+          name: "Run all test targets"
+          command: |
+            export GOOGLE_APPLICATION_CREDENTIALS="${HOME}/gcloud-service-key.json"
+            echo ${BAZEL_CACHE_GCS_SA_KEY} > ${GOOGLE_APPLICATION_CREDENTIALS}
+            bazelisk test --remote_cache=https://storage.googleapis.com/bazel-cache-bucket-3100644879 \
+              --google_default_credentials \
+              //...
+      - run:
+          name: "Test the external Go & Python integrations"
+          command: |
+            export GOOGLE_APPLICATION_CREDENTIALS="${HOME}/gcloud-service-key.json"
+            echo ${BAZEL_CACHE_GCS_SA_KEY} > ${GOOGLE_APPLICATION_CREDENTIALS}
+            bazelisk build --remote_cache=https://storage.googleapis.com/bazel-cache-bucket-3100644879 \
+              --google_default_credentials \
+              sandwich_c/...
+            export CC=clang-13
+            export CXX=clang++-13
+
+            export CGO_CFLAGS="-I$PWD -I$PWD/bazel-bin/"
+            export CGO_LDFLAGS="-L$PWD/bazel-bin/rust/"
+            export GO_EXAMPLE_DIR="$PWD/examples/go/echo_tls_server"
+            echo "replace github.com/sandbox-quantum/sandwich/go => $PWD/go" >>"$GO_EXAMPLE_DIR/go.mod"
+            pushd "$GO_EXAMPLE_DIR" && go build && popd
+
+            python3 -m venv venv
+            source venv/bin/activate
+            pip install .
+            SANDWICH_C_LIB="$PWD/bazel-bin/rust/libsandwich_full.so" python -c 'from pysandwich import sandwich; sandwich.Sandwich()'
+      - run:
+          name: "Build the Rust package natively"
+          command: |
+            export GOOGLE_APPLICATION_CREDENTIALS="${HOME}/gcloud-service-key.json"
+            echo ${BAZEL_CACHE_GCS_SA_KEY} > ${GOOGLE_APPLICATION_CREDENTIALS}
+
+            export CARGO_BAZELISK_EXTRA_ARGS="--remote_cache=https://storage.googleapis.com/bazel-cache-bucket-3100644879 --google_default_credentials"
+            export CC=clang-13
+            export CXX=clang++-13
+
+            cargo build --release -vv
+            cargo test --release --lib -vv
+
+  release-linux-dockerbuild:
+    parameters:
+      mode:
+        description: "Build release mode"
+        type: enum
+        enum:
+          - debug
+          - release
+        default: release
+      arch:
+        description: "Build machine architecture"
+        type: enum
+        enum:
+          - arm.xlarge
+          - xlarge
+    machine:
+      image: ubuntu-2204:2023.04.2
+    resource_class: << parameters.arch >>
+    steps:
+      - checkout
+      - run:
+          name: "Compile through docker"
+          command: |
+            if [[ "<< parameters.mode >>" -eq "release" ]]; then
+              bazelArgs=(--build-arg bazelArgs='-c opt')
+            fi
+            docker build . -t="sandwich" -f Dockerfile.linux "${bazelArgs[@]}"
+
+            # TODO: Update docker vesion, the one provided does not support `--output`
+            docker cp $(docker create --name sw sandwich sleep 100):/export.tar.bz2 export.tar.bz2 && docker rm sw
+      - run:
+          name: "Rename export"
+          command: |
+            finalName=sandwich_<< parameters.mode >>_$(dpkg --print-architecture)
+            mkdir -p ~/export_artifacts
+            mv export.tar.bz2  ~/export_artifacts/${finalName}.tar.bz2
+      - store_artifacts:
+          name: "Export build artifacts"
+          path: ~/export_artifacts/
+
+  release-macos:
+    macos:
+      xcode: 14.0.0
+    resource_class: << parameters.resource >>
+    parameters:
+      resource:
+        description: "Resource class"
+        type: enum
+        enum:
+          - macos.m1.large.gen1
+          - macos.x86.medium.gen2
+      arch:
+        description: "Arch name"
+        type: enum
+        enum:
+          - arm64
+          - amd64
+    steps:
+      - checkout
+      - run:
+          name: "Install bazelisk"
+          command: |
+            curl -L --output /usr/local/bin/bazelisk "https://github.com/bazelbuild/bazelisk/releases/download/v1.17.0/bazelisk-darwin-<< parameters.arch >>"
+            chmod +x /usr/local/bin/bazelisk
+      - run:
+          name: "Build release"
+          command: |
+            export GOOGLE_APPLICATION_CREDENTIALS="${HOME}/gcloud-service-key.json"
+            echo ${BAZEL_CACHE_GCS_SA_KEY} > ${GOOGLE_APPLICATION_CREDENTIALS}
+
+            # Not sourced by default on macOS executor
+            if [[ -f "${BASH_ENV}" ]]; then
+              source "${BASH_ENV}"
+            fi
+
+            bazelisk build //:export \
+              -c opt \
+              --remote_cache=https://storage.googleapis.com/bazel-cache-bucket-3100644879 \
+              --google_default_credentials \
+              --profile=/tmp/bazel-profile-<< parameters.resource >>.gz \
+
+            finalName=sandwich_macos_<< parameters.arch >>
+            mkdir -p ~/export_artifacts
+            mv "$(bazelisk cquery -c opt --output=files //:export)" ~/export_artifacts/${finalName}.tar.bz2
+
+      - store_artifacts:
+          name: "Export build artifacts"
+          path: ~/export_artifacts/
+
+
+  publish-doc:
+    resource_class: xlarge
+    docker:
+      - image: "us-docker.pkg.dev/pqc-infra-test/circleci-runner/runner:latest"
+        auth:
+          username: _json_key
+          password: $RUNNER_GCR_SA_KEY
+    steps:
+      - checkout
+      - add_ssh_keys:
+          fingerprints:
+            - "cb:67:a0:71:3b:89:1b:19:d6:40:d5:b8:84:38:33:a4"
+      - run:
+          name: "Deploy documentation"
+          command: |
+            DOC_HTML=$(bazelisk cquery --output files //docs:docs)
+            bazelisk build //docs:docs
+            ghp-import "$DOC_HTML" -p -o
+
+workflows:
+  presubmit:
+    jobs:
+      - run-all-tests:
+          context:
+            - bazel-cache
+      - publish-doc:
+          filters:
+            branches:
+              only:
+                - main
+      - release-linux-dockerbuild:
+          name: release-linux-dockerbuild_amd64
+          mode: release
+          arch: xlarge
+      - release-linux-dockerbuild:
+          name: release-linux-dockerbuild_arm64
+          mode: release
+          arch: arm.xlarge
+      - release-macos:
+          context:
+            - bazel-cache
+          name: release-macos-aarch64
+          resource: macos.m1.large.gen1
+          arch: arm64
+      - release-macos:
+          context:
+            - bazel-cache
+          name: release-macos-x86_64
+          resource: macos.x86.medium.gen2
+          arch: amd64

BUILD.bazel

@@ -0,0 +1,34 @@
+# Copyright (c) SandboxAQ. All rights reserved.
+# SPDX-License-Identifier: AGPL-3.0-only
+
+load("@rules_pkg//:mappings.bzl", "pkg_files")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
+
+
+# Export sandwich into a self-contained archive
+
+pkg_files(
+    name = "c_headers",
+    srcs = [
+        "//sandwich_c:sandwich_hdrs_all_files",
+    ],
+    prefix = "/include/sandwich_c",
+)
+
+pkg_files(
+    name = "c_lib",
+    srcs = [
+        "//rust:sandwich_full_ffi_shared",
+        "//rust:sandwich_full_ffi_static",
+    ],
+    prefix = "/lib",
+)
+
+pkg_tar(
+    name = "export",
+    srcs = [
+        ":c_headers",
+        ":c_lib",
+    ],
+    extension = ".tar.bz2",
+)

Cargo.toml

@@ -0,0 +1,43 @@
+[package]
+name = "sandwich"
+version = "0.1.0"
+edition = '2021'
+authors = ["SandboxAQ <[email protected]>"]
+description = "A simple, unified, and hard to misuse API for developers to use cryptographic algorithms and protocols."
+repository = "https://github.com/sandbox-quantum/sandwich"
+license = "AGPL-3.0-only"
+keywords = ["cryptography"]
+categories = ["cryptography"]
+
+
+
+[workspace]
+members = [
+    "rust_vendor/bazelisk-rs",
+    "rust_vendor/boringssl",
+    "rust_vendor/build-support",
+    "rust_vendor/openssl1_1_1",
+    "rust_vendor/sandwich-api-proto",
+    "rust_vendor/sandwich-proto",
+    "rust_vendor/testdata",
+]
+
+[lib]
+crate-type = ["cdylib", "lib", "staticlib"]
+path = "rust/lib.rs"
+
+[features]
+boringssl = []
+default = ["openssl1_1_1", "boringssl"]
+ffi = []
+openssl1_1_1 = []
+
+[dependencies]
+boringssl = { path = "rust_vendor/boringssl" }
+openssl1_1_1 = { path = "rust_vendor/openssl1_1_1" }
+protobuf = "3.2.0"
+sandwich-api-proto = { path = "rust_vendor/sandwich-api-proto" }
+sandwich-proto = { path = "rust_vendor/sandwich-proto" }
+
+[dev-dependencies]
+testdata = { path = "rust_vendor/testdata" }

Dockerfile.linux

@@ -0,0 +1,51 @@
+FROM ubuntu:22.04 as build-stage
+
+ARG bazeliskV="v1.17.0"
+ENV bazeliskVEnv=${bazeliskV}
+
+ARG llvm="15"
+ENV llvmEnv=${llvm}
+
+ARG buildArgs=""
+ENV buildArgsEnv=$buildArgs
+
+RUN apt update && apt install wget -y
+
+RUN echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-${llvmEnv} main" | tee /etc/apt/sources.list.d/llvm.list
+RUN wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
+
+RUN apt update && apt install zip git ca-certificates clang-${llvmEnv} lld-${llvmEnv} -y
+
+# bazel(isk)
+RUN wget https://github.com/bazelbuild/bazelisk/releases/download/${bazeliskVEnv}/bazelisk-linux-$(dpkg --print-architecture) && \
+    chmod +x bazelisk-linux-$(dpkg --print-architecture) && \
+    mv bazelisk-linux-$(dpkg --print-architecture) /usr/local/bin/bazel
+
+RUN groupadd -r user && useradd -m -r -g user user
+WORKDIR /home/user/src
+COPY . .
+
+# Behond the absolute state of engineering
+# for some reason the CC is not getting picked up
+RUN ln -s $(which clang-${llvm}) /usr/bin/c++
+
+RUN chown -R user /home/user
+USER user
+
+ENV CC=clang-${llvmEnv}
+ENV CXX=clang++-${llvmEnv}
+ENV LD=lld-${llvmEnv}
+ENV LLVM_CONFIG=/usr/lib/llvm-${llvmEnv}/bin/llvm-config
+
+# compile sandwich
+RUN bazel build \
+    --action_env=CC=$CC   \
+    --action_env=CXX=$CXX \
+    --action_env=LD=$LD \
+    --action_env=LLVM_CONFIG=$LLVM_CONFIG \
+    -c opt \
+    //:export ${buildArgsEnv}
+
+# export to separate layer for easy copy out
+FROM scratch as release-stage
+COPY --from=build-stage /home/user/src/bazel-bin/export.tar.bz2 /export.tar.bz2