# Package expression for pkcs11-provider: an OpenSSL 3.x provider that talks to
# hardware or software tokens through PKCS#11. The function takes its
# dependencies as arguments and returns a single stdenv derivation.
{
  lib,
  stdenv,
  fetchFromGitHub,
  openssl,
  nss,
  p11-kit,
  opensc,
  gnutls,
  expect,
  which,
  meson,
  ninja,
  pkg-config,
  valgrind,
  python3,
  nix-update-script,
}:

let
  # Python interpreter with `six`; it is only referenced from nativeCheckInputs.
  checkPython = python3.withPackages (ps: [ ps.six ]);
in
stdenv.mkDerivation rec {
  pname = "pkcs11-provider";
  version = "1.0";

  # The release tag is a movable ref; `hash` is what pins the source. Because
  # fetchSubmodules is on, the submodule contents are part of the hashed tree.
  # When bumping `version`, replace `hash` in the same change: an unchanged
  # hash can be satisfied by an already-fetched older source tree.
  src = fetchFromGitHub {
    owner = "latchset";
    repo = "pkcs11-provider";
    rev = "v${version}";
    fetchSubmodules = true;
    hash = "sha256-Q9dmzYDBco+LLVWdORFTjRyk0RX8qhmZ1m+Kgfeyr04=";
  };

  # Build-time tools.
  nativeBuildInputs = [
    meson
    ninja
    pkg-config
    which
  ];

  # Libraries the provider is built against.
  buildInputs = [
    openssl
    nss
    p11-kit
  ];

  # Tools used only by the check phase.
  # don't add SoftHSM to here: https://github.com/openssl/openssl/issues/22508
  nativeCheckInputs = [
    p11-kit.bin
    opensc
    nss.tools
    gnutls
    openssl.bin
    expect
    valgrind
    checkPython
  ];

  # Rewrite script interpreters in the source tree for the build platform.
  postPatch = ''
    patchShebangs --build .
  '';

  # Stage the install under ./.install, where the path of $out and the path of
  # openssl's output are both symlinks back to the real $out, then point
  # DESTDIR at that staging directory.
  preInstall = ''
    # Meson tries to install to `$out/$out` and `$out/''${openssl.out}`; so join them.
    mkdir -p "$out"
    for dir in "$out" "${openssl.out}"; do
      mkdir -p .install/"$(dirname -- "$dir")"
      ln -s "$out" ".install/$dir"
    done
    export DESTDIR="$(realpath .install)"
  '';

  # Run the check phase as part of the build.
  doCheck = true;

  enableParallelBuilding = true;

  # Frequently fails due to a race condition.
  enableParallelInstalling = false;

  # NOTE(review): the pattern accepts exactly one digit on each side of the
  # dot; presumably meant to select plain release tags only. Confirm it still
  # behaves as intended once upstream tags a two-digit component.
  passthru.updateScript = nix-update-script {
    extraArgs = [
      "--version-regex"
      "v(\\d\\.\\d)"
    ];
  };

  meta = {
    description = "OpenSSL 3.x provider to access hardware or software tokens using the PKCS#11 Cryptographic Token Interface";
    homepage = "https://github.com/latchset/pkcs11-provider";
    license = lib.licenses.asl20;
    maintainers = [ lib.maintainers.numinit ];
    platforms = lib.platforms.unix;
  };
}