2 files changed, 184 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/tools/security/eid-mw/default.nix b/nixpkgs/pkgs/tools/security/eid-mw/default.nix
new file mode 100644
index 000000000000..925931e6a3e3
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/eid-mw/default.nix
@@ -0,0 +1,101 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, autoconf-archive
+, pkg-config
+, makeWrapper
+, curl
+, gtk3
+, libassuan
+, libbsd
+, libproxy
+, libxml2
+, openssl
+, p11-kit
+, pcsclite
+, nssTools
+, substituteAll
+}:
+
+stdenv.mkDerivation rec {
+  pname = "eid-mw";
+  # NOTE: Don't just blindly update to the latest version/tag. Releases are always for a specific OS.
+  version = "5.0.28";
+
+  src = fetchFromGitHub {
+    owner = "Fedict";
+    repo = "eid-mw";
+    rev = "v${version}";
+    sha256 = "rrrzw8i271ZZkwY3L6aRw2Nlz+GmDr/1ahYYlUBvtzo=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook autoconf-archive pkg-config makeWrapper ];
+  buildInputs = [ curl gtk3 libassuan libbsd libproxy libxml2 openssl p11-kit pcsclite ];
+  preConfigure = ''
+    mkdir openssl
+    ln -s ${openssl.out}/lib openssl
+    ln -s ${openssl.bin}/bin openssl
+    ln -s ${openssl.dev}/include openssl
+    export SSL_PREFIX=$(realpath openssl)
+    substituteInPlace plugins_tools/eid-viewer/Makefile.in \
+      --replace "c_rehash" "openssl rehash"
+  '';
+  # pinentry uses hardcoded `/usr/bin/pinentry`, so use the built-in (uglier) dialogs for pinentry.
+  configureFlags = [ "--disable-pinentry" ];
+
+  postPatch = ''
+    sed 's@m4_esyscmd_s(.*,@[${version}],@' -i configure.ac
+  '';
+
+  postInstall =
+    let
+      eid-nssdb-in = substituteAll {
+        inherit (stdenv) shell;
+        isExecutable = true;
+        src = ./eid-nssdb.in;
+      };
+    in
+    ''
+      install -D ${eid-nssdb-in} $out/bin/eid-nssdb
+      substituteInPlace $out/bin/eid-nssdb \
+        --replace "modutil" "${nssTools}/bin/modutil"
+
+      rm $out/bin/about-eid-mw
+      wrapProgram $out/bin/eid-viewer --prefix XDG_DATA_DIRS : "$out/share/gsettings-schemas/$name"
+    '';
+
+  enableParallelBuilding = true;
+
+  doCheck = true;
+
+  meta = with lib; {
+    description = "Belgian electronic identity card (eID) middleware";
+    homepage = "https://eid.belgium.be/en";
+    license = licenses.lgpl3Only;
+    longDescription = ''
+      Allows user authentication and digital signatures with Belgian ID cards.
+      Also requires a running pcscd service and compatible card reader.
+
+      eid-viewer is also installed.
+
+      This package only installs the libraries. To use eIDs in Firefox or
+      Chromium, the eID Belgium add-on must be installed.
+      This package only installs the libraries. To use eIDs in NSS-compatible
+      browsers like Chrom{e,ium} or Firefox, each user must first execute:
+        ~$ eid-nssdb add
+      (Running the script once as root with the --system option enables eID
+      support for all users, but will *not* work when using Chrom{e,ium}!)
+      Before uninstalling this package, it is a very good idea to run
+        ~$ eid-nssdb [--system] remove
+      and remove all ~/.pki and/or /etc/pki directories no longer needed.
+
+      The above procedure doesn't seem to work in Firefox. You can override the
+      firefox wrapper to add this derivation to the PKCS#11 modules, like so:
+
+          firefox.override { pkcs11Modules = [ pkgs.eid-mw ]; }
+    '';
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ bfortz chvp ];
+  };
+}
diff --git a/nixpkgs/pkgs/tools/security/eid-mw/eid-nssdb.in b/nixpkgs/pkgs/tools/security/eid-mw/eid-nssdb.in
new file mode 100644
index 000000000000..636b4c1ee118
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/eid-mw/eid-nssdb.in
@@ -0,0 +1,83 @@
+#!@shell@
+
+rootdb="/etc/pki/nssdb"
+userdb="$HOME/.pki/nssdb"
+dbentry="Belgium eID"
+libfile="/run/current-system/sw/lib/libbeidpkcs11.so"
+
+dbdir="$userdb"
+
+while true; do
+	case "$1" in
+	--help|"")	cat << EOF
+(Un)register $dbentry with NSS-compatible browsers.
+
+Usage: `basename "$0"` [OPTION] ACTION [LIBRARY]
+
+Options:
+  --db PATH	use custom NSS database directory PATH
+  --user	use user NSS database $userdb (default)
+  --system	use global NSS database $rootdb
+  --help	show this message
+
+Actions:
+  add		add $dbentry to NSS database
+  remove	remove $dbentry from NSS database
+  show		show $dbentry NSS database entry
+
+Default arguments if unspecified:
+  LIBRARY	$libfile
+EOF
+		exit ;;
+	--db)	dbdir="$2"
+		shift 2 ;;
+	--user)	dbdir="$userdb"
+		shift ;;
+	--system)
+		dbdir="$rootdb"
+		shift ;;
+	-*)	echo "$0: unknown option: '$1'" >&2
+		echo "Try --help for usage information."
+		exit 1 ;;
+	*)	break ;;
+	esac
+done
+
+if [ "$2" ]; then
+	libfile="$2"
+	if ! [ -f "$libfile" ]; then
+		echo "$0: error: '$libfile' not found" >&2
+		exit 1
+	fi
+fi
+
+mkdir -p "$dbdir"
+if ! [ -d "$dbdir" ]; then
+	echo "$0: error: '$dbdir' must be a writable directory" >&2
+	exit 1
+fi
+
+dbdir="sql:$dbdir"
+
+echo "NSS database: $dbdir"
+echo "BEID library: $libfile"
+
+case "$1" in
+add)	echo "Adding $dbentry to database:"
+	modutil -dbdir "$dbdir" -add "$dbentry" -libfile "$libfile" ||
+		echo "Tip: try removing the module before adding it again." ;;
+remove) echo "Removing $dbentry from database:"
+	modutil -dbdir "$dbdir" -delete "$dbentry" ;;
+show)	echo "Displaying $dbentry database entry, if any:"
+	echo "Note: this may fail if you don't have the correct permissions." ;;
+'')	exec "$0" --help ;;
+*)	echo "$0: unknown action: '$1'" >&2
+	echo "Try --help for usage information."
+	exit 1 ;;
+esac
+
+ret=$?
+
+modutil -dbdir "$dbdir" -list "$dbentry" 2>/dev/null
+
+exit $ret