From 16e4a92e0de44af134e76ffbd80029eed201f2a7 Mon Sep 17 00:00:00 2001
From: Charles Duffy
Date: Fri, 3 Mar 2023 11:14:43 -0600
Subject: [PATCH 1/3] pcsc-safenet: 10.0.37 -> 10.8.28

Update pcsc-safenet to a version with better hardware support, clearer licensing, less-unofficial download location

- Version 10.8 explicitly supports the 5110+ CC line of SafeNet tokens.
- Version 10.8 release notes explicitly document that "from SAC 10.8 release onwards, no license is required for SAC on Linux". It's not clear to me whether this is sufficient to allow clearing the nonfree flag, but it's certainly an improvement.

Also, we're now getting our downloads from a company that distributes SafeNet hardware rather than a website under the control of an Arch contributor, and thus have a clearer chain-of-custody for these security-critical binaries.
---
 pkgs/tools/security/pcsc-safenet/default.nix | 78 +++++++++++---------
 1 file changed, 43 insertions(+), 35 deletions(-)

diff --git a/pkgs/tools/security/pcsc-safenet/default.nix b/pkgs/tools/security/pcsc-safenet/default.nix
index 68006a40da8d..be86f9cd643d 100644
--- a/pkgs/tools/security/pcsc-safenet/default.nix
+++ b/pkgs/tools/security/pcsc-safenet/default.nix
@@ -1,22 +1,31 @@
 { stdenv
 , lib
+, runCommand
 , fetchurl
 , autoPatchelfHook
 , dpkg
-, gtk2
-, openssl
+, gtk3
+, openssl_1_1
 , pcsclite
+, unzip
 }:
 
 stdenv.mkDerivation rec {
   pname = "pcsc-safenet";
-  version = "10.0.37-0";
+  version = "10.8.28";
 
-  # https://aur.archlinux.org/packages/sac-core/
-  src = fetchurl {
-    url = "https://storage.spidlas.cz/public/soft/safenet/SafenetAuthenticationClient-core-${version}_amd64.deb";
-    sha256 = "1r9739bhal7ramj1rpawaqvik45xbs1c756l1da96din638gzy5l";
-  };
+  # extract debian package from larger zip file
+  src = runCommand "sac.deb" {
+    zipSrc = let
+      versionWithUnderscores = builtins.replaceStrings ["."] ["_"] version;
+    in fetchurl {
+      url = "https://www.digicert.com/StaticFiles/SAC_${versionWithUnderscores}_GA_Build.zip";
+      hash = "sha256-bh+TB7ZGDMh9G4lcPtv7mc0XeGhmCfMMqrlqtyGIIaA=";
+    };
+    debName = "SAC ${version} GA Build/Installation/Standard/Ubuntu-2004/safenetauthenticationclient_${version}_amd64.deb";
+  } ''
+    ${unzip}/bin/unzip -p "$zipSrc" "$debName" >"$out"
+  '';
 
   dontBuild = true;
   dontConfigure = true;
@@ -26,13 +35,13 @@ stdenv.mkDerivation rec {
   '';
 
   buildInputs = [
-    gtk2
-    openssl
+    gtk3
+    openssl_1_1
     pcsclite
   ];
 
   runtimeDependencies = [
-    openssl
+    openssl_1_1
   ];
 
   nativeBuildInputs = [
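Review bot: The new `, openssl_1_1` argument in this hunk (and its use in the buildInputs/runtimeDependencies hunk below) pins this binary-only PKCS#11 client to the OpenSSL 1.1 line without recording why, and upstream support for that line ends in September 2023, so the reason needs to be visible when the pin is next questioned. A comment next to the argument such as `# vendor binaries are built against OpenSSL 1.1 (check with patchelf --print-needed); revisit when the 1.1 line stops receiving fixes` would make that explicit. The fetch itself looks sound as written: the zip is pinned by `hash` and the `unzip -p` extraction quotes `$debName`, whose path contains spaces.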
@@ -41,35 +50,34 @@ stdenv.mkDerivation rec {
   ];
 
   installPhase = ''
-    # Set up for pcsc drivers
+    mv usr/* .
+
     mkdir -p pcsc/drivers
-    mv usr/share/eToken/drivers/* pcsc/drivers/
-    rm -r usr/share/eToken/drivers
+    mv -- lib/pkcs11/* pcsc/drivers/
+    rmdir lib/pkcs11
 
-    # Move binaries out
-    mv usr/bin bin
+    mkdir "$out"
+    cp -r ./* "$out/"
 
-    # Move UI to bin
-    mv usr/share/SAC/SACUIProcess bin/
-    rm -r usr/share/SAC
+    (
+      cd "$out/lib/" || exit
+      for f in *.so.*.*.*; do
+        ln -sf "$f" "''${f%.*}" || exit
+        ln -sf "$f" "''${f%.*.*}" || exit
+        ln -sf "$f" "''${f%.*.*.*}" || exit
+      done
+    ) || exit
 
-    mkdir $out
-    cp -r {bin,etc,lib,pcsc,usr,var} $out/
+    (
+      cd "$out/pcsc/drivers" || exit
+      for f in *; do
+        if [[ ! -e $f && -e ../../lib/$f ]]; then
+          ln -sf ../../lib/"$f" "$f" || exit
+        fi
+      done
+    ) || exit
 
-    cd "$out/lib/"
-    ln -sf libeToken.so.10.0.37 libeTPkcs11.so
-    ln -sf libeToken.so.10.0.37 libeToken.so.10.0
-    ln -sf libeToken.so.10.0.37 libeToken.so.10
-    ln -sf libeToken.so.10.0.37 libeToken.so
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so.10.0
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so.10
-    ln -sf libcardosTokenEngine.so.10.0.37 libcardosTokenEngine.so
-
-    cd $out/pcsc/drivers/aks-ifdh.bundle/Contents/Linux/
-    ln -sf libAksIfdh.so.10.0 libAksIfdh.so
-    ln -sf libAksIfdh.so.10.0 libAksIfdh.so.10
-
-    ln -sf ${lib.getLib openssl}/lib/libcrypto.so $out/lib/libcrypto.so.1.0.0
+    ln -sf ${lib.getLib openssl_1_1}/lib/libcrypto.so $out/lib/libcrypto.so.1.1.0
   '';
 
   dontAutoPatchelf = true;

From aed907112c7108a25ff9a7bb9a29e9205217ae64 Mon Sep 17 00:00:00 2001
From: Charles Duffy
Date: Mon, 27 Mar 2023 12:55:52 -0500
Subject: [PATCH 2/3] pcsc-safenet: switch from fetchurl to fetchzip

---
 pkgs/tools/security/pcsc-safenet/default.nix | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
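Review bot: The last added line of the hunk exposes nixpkgs' `libcrypto.so` under the name `libcrypto.so.1.1.0`, which only helps if the vendor binaries actually request that exact name; OpenSSL 1.1's own soname is `libcrypto.so.1.1`, and with `dontAutoPatchelf = true` (context at the end of the hunk) nothing at build time verifies that the binaries' NEEDED entries resolve, so a mismatch would surface only as a load failure for users. Worth confirming with `patchelf --print-needed` on the installed libraries and recording the result in a comment, e.g. `# vendor binaries request libcrypto.so.1.1.0 rather than the 1.1 soname`. That line also leaves `$out` unquoted, unlike the rest of the rewritten phase: `ln -sf ${lib.getLib openssl_1_1}/lib/libcrypto.so "$out/lib/libcrypto.so.1.1.0"`.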
diff --git a/pkgs/tools/security/pcsc-safenet/default.nix b/pkgs/tools/security/pcsc-safenet/default.nix
index be86f9cd643d..c424dfb32667 100644
--- a/pkgs/tools/security/pcsc-safenet/default.nix
+++ b/pkgs/tools/security/pcsc-safenet/default.nix
@@ -1,7 +1,7 @@
 { stdenv
 , lib
 , runCommand
-, fetchurl
+, fetchzip
 , autoPatchelfHook
 , dpkg
 , gtk3
@@ -14,24 +14,22 @@ stdenv.mkDerivation rec {
   pname = "pcsc-safenet";
   version = "10.8.28";
 
+  debName = "Installation/Standard/Ubuntu-2004/safenetauthenticationclient_${version}_amd64.deb";
+
   # extract debian package from larger zip file
-  src = runCommand "sac.deb" {
-    zipSrc = let
+  src =
+    let
       versionWithUnderscores = builtins.replaceStrings ["."] ["_"] version;
-    in fetchurl {
+    in fetchzip {
       url = "https://www.digicert.com/StaticFiles/SAC_${versionWithUnderscores}_GA_Build.zip";
-      hash = "sha256-bh+TB7ZGDMh9G4lcPtv7mc0XeGhmCfMMqrlqtyGIIaA=";
+      hash = "sha256-7XWj3T9/KnmgQ05urOJV6dqgkAS/A2G7efnqjQO2ing=";
     };
-    debName = "SAC ${version} GA Build/Installation/Standard/Ubuntu-2004/safenetauthenticationclient_${version}_amd64.deb";
-  } ''
-    ${unzip}/bin/unzip -p "$zipSrc" "$debName" >"$out"
-  '';
 
   dontBuild = true;
   dontConfigure = true;
 
   unpackPhase = ''
-    dpkg-deb -x $src .
+    dpkg-deb -x "$src/$debName" .
   '';
 
   buildInputs = [

From 8b5a5c29f7ed0ab739b8581518ba9aabd2b74ffd Mon Sep 17 00:00:00 2001
From: Charles Duffy
Date: Mon, 27 Mar 2023 12:56:51 -0500
Subject: [PATCH 3/3] pcsc-safenet: add comments documenting library symlink munging

---
 pkgs/tools/security/pcsc-safenet/default.nix | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/pkgs/tools/security/pcsc-safenet/default.nix b/pkgs/tools/security/pcsc-safenet/default.nix
index c424dfb32667..2fcbd302e8cc 100644
--- a/pkgs/tools/security/pcsc-safenet/default.nix
+++ b/pkgs/tools/security/pcsc-safenet/default.nix
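Review bot: `runCommand` is kept as a context line in the first hunk although the second hunk removes its only use, and `unzip`, which the previous patch added for the same extraction, lies outside this hunk but appears to be left over as well; dropping both (`-, runCommand` and `-, unzip`) keeps the derivation's inputs limited to what it actually uses. The new `debName` also silently relies on fetchzip's default of stripping the archive's single top-level directory, which the removed `SAC ${version} GA Build/` prefix used to make visible; a comment on that line such as `# path inside the zip after fetchzip strips the single top-level "SAC <version> GA Build" directory` would preserve that knowledge. The rest of the hunk, including the quoted `"$src/$debName"` in unpackPhase, reads correctly.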
@@ -57,15 +57,17 @@ stdenv.mkDerivation rec {
     mkdir "$out"
     cp -r ./* "$out/"
 
+    # for each library like libfoo.so.1.2.3, create symlinks to it from libfoo.so, libfoo.so.1, libfoo.so.1.2
     (
       cd "$out/lib/" || exit
-      for f in *.so.*.*.*; do
-        ln -sf "$f" "''${f%.*}" || exit
-        ln -sf "$f" "''${f%.*.*}" || exit
-        ln -sf "$f" "''${f%.*.*.*}" || exit
+      for f in *.so.*.*.*; do # find library names with three-layer suffixes
+        ln -sf "$f" "''${f%.*}" || exit # strip only one suffix layer
+        ln -sf "$f" "''${f%.*.*}" || exit # strip two suffix layers
+        ln -sf "$f" "''${f%.*.*.*}" || exit # strip all three suffix layers
       done
     ) || exit
 
+    # when library links are missing in pcsc/drivers, create them
     (
       cd "$out/pcsc/drivers" || exit
       for f in *; do
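Review bot: The re-added `for f in *.so.*.*.*; do` line still runs the three `ln -sf` calls on the literal pattern when the glob matches nothing, because nullglob is not set in the subshell; that creates dangling links named after the pattern in `$out/lib` instead of failing the build. A first loop line of `[[ -e $f ]] || exit` makes a missing versioned library fail loudly, in keeping with the `|| exit` style already used. The new comment could note the precondition: `# expects at least one versioned library; an unmatched glob would otherwise link the pattern itself`. The installPhase string that contains this loop starts and ends outside the hunk.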