* [bug#31298] [PATCH 0/2] Add some packages related to security tokens
@ 2018-04-28 10:57 Chris Marusich
2018-04-28 11:02 ` [bug#31298] [PATCH 1/2] gnu: Add opensc Chris Marusich
0 siblings, 1 reply; 6+ messages in thread
From: Chris Marusich @ 2018-04-28 10:57 UTC (permalink / raw)
To: 31298; +Cc: Chris Marusich
Hi Guix!
These two patches add opensc and yubico-piv-tool. The former is
useful because, among other reasons, its PKCS#11 shared library can be
used with an SSH agent to fetch credentials from a smart card (such as
a YubiKey). The latter is useful for interacting with the PIV
application on a YubiKey. I have verified that both of these work on
my system for those purposes, with a YubiKey.
To successfully use the OpenSC PKCS#11 shared library with an SSH
agent, you need to take care to start your ssh-agent with the -P
option to whitelist the path of the library's .so file. If you don't
do that, then any attempt to invoke ssh-add with the -s option will
fail with a generic message.
Chris Marusich (2):
gnu: Add opensc.
gnu: Add yubico-piv-tool.
gnu/packages/security-token.scm | 91 +++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
--
2.17.0
^ permalink raw reply [flat|nested] 6+ messages in thread
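The agent setup described in the cover letter above, as an added example that is not part of the original thread or of Guix. ssh-agent canonicalizes the provider path before matching it against the -P pattern list, so on Guix the pattern has to cover the resolved /gnu/store path rather than the profile symlink. The function names, the constructed FHS-style list, the module file name opensc-pkcs11.so and the ~/.guix-profile location are assumptions.

```shell
#!/bin/sh
# Added example; source this file so the agent variables land in your shell.
# Assumed usage: load_token_keys "$HOME/.guix-profile/lib/opensc-pkcs11.so"

# Constructed FHS-style pattern list, for comparison with a store path.
FHS_ALLOWLIST='/usr/lib/*,/usr/local/lib/*'

# Print the symlink-free path of a PKCS#11 module; fail unless it is a file.
canonical_module() {
    resolved=$(readlink -f "$1") || return 1
    [ -f "$resolved" ] || return 1
    printf '%s\n' "$resolved"
}

# Return 0 if path $1 matches a glob in the comma-separated list $2.
# Runs in a subshell so IFS and noglob stay local; "!" negation is not handled.
provider_allowed() (
    IFS=,
    set -f
    for pattern in $2; do
        case $1 in
            $pattern) exit 0 ;;
        esac
    done
    exit 1
)

# Start an agent that accepts exactly one module, then load the token's keys.
load_token_keys() {
    module=$(canonical_module "$1") || {
        echo "not a PKCS#11 module file: $1" >&2
        return 1
    }
    # Allow only this resolved path instead of a broad glob.
    agent_env=$(ssh-agent -s -P "$module") || return 1
    eval "$agent_env" >/dev/null
    ssh-add -s "$module"    # asks for the token PIN
}
```

Passing the single resolved path to -P keeps the agent from loading any other shared object a client might name with ssh-add -s.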
* [bug#31298] [PATCH 1/2] gnu: Add opensc.
2018-04-28 10:57 [bug#31298] [PATCH 0/2] Add some packages related to security tokens Chris Marusich
@ 2018-04-28 11:02 ` Chris Marusich
2018-04-28 11:02 ` [bug#31298] [PATCH 2/2] gnu: Add yubico-piv-tool Chris Marusich
2018-04-30 20:56 ` [bug#31298] [PATCH 1/2] gnu: Add opensc Ludovic Courtès
0 siblings, 2 replies; 6+ messages in thread
From: Chris Marusich @ 2018-04-28 11:02 UTC (permalink / raw)
To: 31298; +Cc: Chris Marusich
* gnu/packages/security-token.scm (opensc): New variable.
---
gnu/packages/security-token.scm | 51 +++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 6ff83ce5a..305e3d8a4 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -31,6 +32,7 @@
#:use-module (guix build-system glib-or-gtk)
#:use-module (gnu packages autotools)
#:use-module (gnu packages curl)
+ #:use-module (gnu packages docbook)
#:use-module (gnu packages gettext)
#:use-module (gnu packages gtk)
#:use-module (gnu packages libusb)
@@ -38,6 +40,7 @@
#:use-module (gnu packages man)
#:use-module (gnu packages networking)
#:use-module (gnu packages cyrus-sasl)
+ #:use-module (gnu packages readline)
#:use-module (gnu packages tls)
#:use-module (gnu packages perl)
#:use-module (gnu packages pkg-config)
@@ -202,3 +205,51 @@ one-time-password (OTP) YubiKey against Yubico’s servers. See the Yubico
website for more information about Yubico and the YubiKey.")
(home-page "https://developers.yubico.com/yubico-c-client/")
(license license:bsd-2)))
+
+(define-public opensc
+ (package
+ (name "opensc")
+ (version "0.17.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://github.com/OpenSC/OpenSC/releases/download/"
+ version "/opensc-" version ".tar.gz"))
+ (sha256
+ (base32
+ "0043jh5g7q2lyd5vnb0akwb5y349isx7vbm9wqhlgav7d20wcwxy"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:phases
+ (modify-phases %standard-phases
+ ;; By setting an absolute path here, we arrange for OpenSC to
+ ;; successfully dlopen libpcsclite.so.1 by default. The user can
+ ;; still override this if they want to, by specifying a custom OpenSC
+ ;; configuration file at runtime.
+ (add-after 'unpack 'set-default-libpcsclite.so.1-path
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((libpcsclite (string-append (assoc-ref inputs "pcsc-lite")
+ "/lib/libpcsclite.so.1")))
+ (substitute* "configure"
+ (("DEFAULT_PCSC_PROVIDER=\"libpcsclite\\.so\\.1\"")
+ (string-append
+ "DEFAULT_PCSC_PROVIDER=\"" libpcsclite "\"")))
+ #t))))))
+ (inputs
+ `(("readline" ,readline)
+ ("openssl" ,openssl)
+ ("pcsc-lite" ,pcsc-lite)
+ ("ccid" ,ccid)))
+ (native-inputs
+ `(("libxslt" ,libxslt)
+ ("docbook-xsl" ,docbook-xsl)
+ ("pkg-config" ,pkg-config)))
+ (home-page "https://github.com/OpenSC/OpenSC/wiki")
+ (synopsis "Tools and libraries related to smart cards")
+ (description
+ "OpenSC is a set of software tools and libraries to work with smart
+cards, with the focus on smart cards with cryptographic capabilities. OpenSC
+facilitate the use of smart cards in security applications such as
+authentication, encryption and digital signatures. OpenSC implements the PKCS
+#15 standard and the PKCS #11 API.")
+ (license license:lgpl2.1+)))
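Review bot: the substitute* in the set-default-libpcsclite.so.1-path phase matches one literal DEFAULT_PCSC_PROVIDER line in configure and changes nothing if that line is absent, so a later version bump could quietly produce an OpenSC that no longer finds libpcsclite.so.1 by default. Consider adding a note for updaters to re-check the pattern, or a post-build check that the pcsc-lite store path ended up in the result. Separately, in the description, "OpenSC facilitate the use" should read "OpenSC facilitates the use".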
--
2.17.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [bug#31298] [PATCH 2/2] gnu: Add yubico-piv-tool.
2018-04-28 11:02 ` [bug#31298] [PATCH 1/2] gnu: Add opensc Chris Marusich
@ 2018-04-28 11:02 ` Chris Marusich
2018-04-30 20:57 ` Ludovic Courtès
2018-04-30 20:56 ` [bug#31298] [PATCH 1/2] gnu: Add opensc Ludovic Courtès
1 sibling, 1 reply; 6+ messages in thread
From: Chris Marusich @ 2018-04-28 11:02 UTC (permalink / raw)
To: 31298; +Cc: Chris Marusich
* gnu/packages/security-token.scm (yubico-piv-tool): New variable.
---
gnu/packages/security-token.scm | 40 +++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 305e3d8a4..64fe7d833 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -32,8 +32,11 @@
#:use-module (guix build-system glib-or-gtk)
#:use-module (gnu packages autotools)
#:use-module (gnu packages curl)
+ #:use-module (gnu packages check)
#:use-module (gnu packages docbook)
+ #:use-module (gnu packages documentation)
#:use-module (gnu packages gettext)
+ #:use-module (gnu packages graphviz)
#:use-module (gnu packages gtk)
#:use-module (gnu packages libusb)
#:use-module (gnu packages linux)
@@ -42,6 +45,7 @@
#:use-module (gnu packages cyrus-sasl)
#:use-module (gnu packages readline)
#:use-module (gnu packages tls)
+ #:use-module (gnu packages tex)
#:use-module (gnu packages perl)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages xml))
@@ -253,3 +257,39 @@ facilitate the use of smart cards in security applications such as
authentication, encryption and digital signatures. OpenSC implements the PKCS
#15 standard and the PKCS #11 API.")
(license license:lgpl2.1+)))
+
+(define-public yubico-piv-tool
+ (package
+ (name "yubico-piv-tool")
+ (version "1.5.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append
+ "https://developers.yubico.com/yubico-piv-tool/Releases/"
+ name "-" version ".tar.gz"))
+ (sha256
+ (base32
+ "1axa0lnky5gsc8yack6mpfbjh49z0czr1cv52gbgjnx2kcbpb0y1"))))
+ (build-system gnu-build-system)
+ (inputs
+ `(("perl" ,perl)
+ ("pcsc-lite" ,pcsc-lite)
+ ("openssl" ,openssl)))
+ (native-inputs
+ `(("doxygen" ,doxygen)
+ ("graphviz" ,graphviz)
+ ("check" ,check)
+ ("texlive-bin" ,texlive-bin)
+ ("pkg-config" ,pkg-config)))
+ (home-page "https://developers.yubico.com/yubico-piv-tool/")
+ (synopsis "Interact with the PIV application on a YubiKey")
+ (description
+ "The Yubico PIV tool is used for interacting with the Privilege and
+Identification Card (PIV) application on a YubiKey. With it you may generate
+keys on the device, import keys and certificates, create certificate requests,
+and other operations. It includes a library and a command-line tool.")
+ ;; The file ykcs11/pkcs11.h also declares an additional, very short free
+ ;; license for that one file. Please see it for details. The files in
+ ;; the m4 directory are licensed under either a similarly terse free
+ ;; license or gpl2+. The vast majority of files are licensed under bsd-2.
+ (license license:bsd-2)))
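Review bot: the description expands PIV as "Privilege and Identification Card", but PIV stands for Personal Identity Verification, so the first sentence should read "the Personal Identity Verification (PIV) application on a YubiKey". Also, perl is listed under inputs; if it is only run while building, it belongs in native-inputs alongside doxygen and pkg-config.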
--
2.17.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [bug#31298] [PATCH 1/2] gnu: Add opensc.
2018-04-28 11:02 ` [bug#31298] [PATCH 1/2] gnu: Add opensc Chris Marusich
2018-04-28 11:02 ` [bug#31298] [PATCH 2/2] gnu: Add yubico-piv-tool Chris Marusich
@ 2018-04-30 20:56 ` Ludovic Courtès
1 sibling, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2018-04-30 20:56 UTC (permalink / raw)
To: Chris Marusich; +Cc: 31298
Chris Marusich <cmmarusich@gmail.com> skribis:
> * gnu/packages/security-token.scm (opensc): New variable.
LGTM, thanks!
^ permalink raw reply [flat|nested] 6+ messages in thread
* [bug#31298] [PATCH 2/2] gnu: Add yubico-piv-tool.
2018-04-28 11:02 ` [bug#31298] [PATCH 2/2] gnu: Add yubico-piv-tool Chris Marusich
@ 2018-04-30 20:57 ` Ludovic Courtès
2018-05-02 5:49 ` bug#31298: " Chris Marusich
0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2018-04-30 20:57 UTC (permalink / raw)
To: Chris Marusich; +Cc: 31298
Chris Marusich <cmmarusich@gmail.com> skribis:
> * gnu/packages/security-token.scm (yubico-piv-tool): New variable.
LGTM!
> + (home-page "https://developers.yubico.com/yubico-piv-tool/")
> + (synopsis "Interact with the PIV application on a YubiKey")
> + (description
> + "The Yubico PIV tool is used for interacting with the Privilege and
> +Identification Card (PIV) application on a YubiKey. With it you may generate
> +keys on the device, import keys and certificates, create certificate requests,
> +and other operations. It includes a library and a command-line tool.")
> + ;; The file ykcs11/pkcs11.h also declares an additional, very short free
> + ;; license for that one file. Please see it for details. The files in
> + ;; the m4 directory are licensed under either a similarly terse free
> + ;; license or gpl2+. The vast majority of files are licensed under bsd-2.
> + (license license:bsd-2)))
I think you can omit the bit about the m4/ directory since it’s pretty
much the same story in many packages.
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#31298: [PATCH 2/2] gnu: Add yubico-piv-tool.
2018-04-30 20:57 ` Ludovic Courtès
@ 2018-05-02 5:49 ` Chris Marusich
0 siblings, 0 replies; 6+ messages in thread
From: Chris Marusich @ 2018-05-02 5:49 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 31298-done
ludo@gnu.org (Ludovic Courtès) writes:
> I think you can omit the bit about the m4/ directory since it’s pretty
> much the same story in many packages.
That's true. I've tidied up the comment and committed this as
ba8d8820fc823eff8e71ab3157e3728f67094373.
Thank you for the review!
--
Chris
^ permalink raw reply [flat|nested] 6+ messages in thread