pcsc-safenet: 10.0.37 -> 10.8.28

Update pcsc-safenet to a version with better hardware support, clearer licensing, less-unofficial download location - Version 10.8 explicitly supports the 5110+ CC line of SafeNet tokens. - Version 10.8 release notes explicitly document that "from SAC 10.8 release onwards, no license is required for SAC on Linux". It's not clear to me whether this is sufficient to allow clearing the nonfree flag, but it's certainly an improvement. Also, we're now getting our downloads from a company that distributes SafeNet hardware rather than a website under the control of an Arch contributor, and thus have a clearer chain-of-custody for these security-critical binaries.
NixOS · Mar 3, 2023 · 16e4a92 · 16e4a92
1 parent e1b3ba6
commit 16e4a92
Showing 1 changed file with 48 additions and 40 deletions.
diff --git a/pkgs/tools/security/pcsc-safenet/default.nix b/pkgs/tools/security/pcsc-safenet/default.nix
@@ -1,22 +1,31 @@
 { stdenv
 , lib
+, runCommand
 , fetchurl
 , autoPatchelfHook
 , dpkg
-, gtk2
-, openssl
+, gtk3
+, openssl_1_1
 , pcsclite
+, unzip
 }:
 
 stdenv.mkDerivation rec {
   pname = "pcsc-safenet";
-  version = "10.0.37-0";
-
-  # https://aur.archlinux.org/packages/sac-core/
-  src = fetchurl {
-    url = "https://storage.spidlas.cz/public/soft/safenet/SafenetAuthenticationClient-core-${version}_amd64.deb";
-    sha256 = "1r9739bhal7ramj1rpawaqvik45xbs1c756l1da96din638gzy5l";
-  };
+  version = "10.8.28";
+
+  # extract debian package from larger zip file
+  src = runCommand "sac.deb" {
+    zipSrc = let
+      versionWithUnderscores = builtins.replaceStrings ["."] ["_"] version;
+    in fetchurl {
+      url = "https://www.digicert.com/StaticFiles/SAC_${versionWithUnderscores}_GA_Build.zip";
+      hash = "sha256-bh+TB7ZGDMh9G4lcPtv7mc0XeGhmCfMMqrlqtyGIIaA=";
+    };
+    debName = "SAC ${version} GA Build/Installation/Standard/Ubuntu-2004/safenetauthenticationclient_${version}_amd64.deb";
+  } ''
+    ${unzip}/bin/unzip -p "$zipSrc" "$debName" >"$out"
+  '';
 
   dontBuild = true;
   dontConfigure = true;
@@ -26,13 +35,13 @@ stdenv.mkDerivation rec {
   '';
 
   buildInputs = [
-    gtk2
-    openssl
+    gtk3
+    openssl_1_1
     pcsclite
   ];
 
   runtimeDependencies = [
-    openssl
+    openssl_1_1
   ];
 
   nativeBuildInputs = [
@@ -41,35 +50,34 @@ stdenv.mkDerivation rec {
   ];
 
   installPhase = ''
-    # Set up for pcsc drivers
-    mkdir -p pcsc/drivers
-    mv usr/share/eToken/drivers/* pcsc/drivers/
-    rm -r usr/share/eToken/drivers
-
-    # Move binaries out
-    mv usr/bin bin
+    mv usr/* .
 
-    # Move UI to bin
-    mv usr/share/SAC/SACUIProcess bin/
-    rm -r usr/share/SAC
-
-    mkdir $out
-    cp -r {bin,etc,lib,pcsc,usr,var} $out/
-
-    cd "$out/lib/"
-    ln -sf libeToken.so.10.0.37 libeTPkcs11.so
-    ln -sf libeToken.so.10.0.37 libeToken.so.10.0
-    ln -sf libeToken.so.10.0.37 libeToken.so.10
-    ln -sf libeToken.so.10.0.37 libeToken.so
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so.10.0
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so.10
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so
-
-    cd $out/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/
-    ln -sf libAksIfdh.so.10.0 libAksIfdh.so
-    ln -sf libAksIfdh.so.10.0 libAksIfdh.so.10
-
-    ln -sf ${lib.getLib openssl}/lib/libcrypto.so $out/lib/libcrypto.so.1.0.0
+    mkdir -p pcsc/drivers
+    mv -- lib/pkcs11/* pcsc/drivers/
+    rmdir lib/pkcs11
+
+    mkdir "$out"
+    cp -r ./* "$out/"
+
+    (
+      cd "$out/lib/" || exit
+      for f in *.so.*.*.*; do
+        ln -sf "$f" "''${f%.*}" || exit
+        ln -sf "$f" "''${f%.*.*}" || exit
+        ln -sf "$f" "''${f%.*.*.*}" || exit
+      done
+    ) || exit
+
+    (
+      cd "$out/pcsc/drivers" || exit
+      for f in *; do
+        if [[ ! -e $f && -e ../../lib/$f ]]; then
+          ln -sf ../../lib/"$f" "$f" || exit
+        fi
+      done
+    ) || exit
+
+    ln -sf ${lib.getLib openssl_1_1}/lib/libcrypto.so $out/lib/libcrypto.so.1.1.0
   '';
 
   dontAutoPatchelf = true;