NixOS · numinit · Feb 2, 2025 · Feb 2, 2025 · Feb 17, 2025 · illdefined
diff --git a/pkgs/by-name/tp/tpm2-pkcs11/disable-java-integration.patch b/pkgs/by-name/tp/tpm2-pkcs11/disable-java-integration.patch
@@ -0,0 +1,58 @@
+diff --git a/Makefile-integration.am b/Makefile-integration.am
+index e2255de..3cea1d8 100644
+--- a/Makefile-integration.am
++++ b/Makefile-integration.am
+@@ -7,7 +7,6 @@ integration_scripts = \
+     test/integration/pkcs11-dbup.sh.nosetup \
+     test/integration/tls-tests.sh \
+     test/integration/openssl.sh \
+-    test/integration/pkcs11-javarunner.sh.java \
+     test/integration/nss-tests.sh \
+     test/integration/ptool-link.sh.nosetup \
+     test/integration/python-pkcs11.sh
+@@ -110,13 +109,5 @@ test_integration_pkcs_lockout_int_CFLAGS  = $(AM_CFLAGS) $(TESTS_CFLAGS)
+ test_integration_pkcs_lockout_int_LDADD   = $(TESTS_LDADD)  $(SQLITE3_LIBS)
+ test_integration_pkcs_lockout_int_SOURCES = test/integration/pkcs-lockout.int.c test/integration/test.c
+
+-#
+-# Java Tests
+-#
+-AM_JAVA_LOG_FLAGS = --tabrmd-tcti=$(TABRMD_TCTI) --tsetup-script=$(top_srcdir)/test/integration/scripts/create_pkcs_store.sh
+-JAVA_LOG_COMPILER=$(LOG_COMPILER)
+-dist_noinst_JAVA = test/integration/PKCS11JavaTests.java
+-CLEANFILES += test/integration/PKCS11JavaTests.class
+-
+ endif
+ # END INTEGRATION
+diff --git a/configure.ac b/configure.ac
+index 1ec6eb4..7a0a8ee 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -258,13 +258,6 @@ AC_ARG_ENABLE(
+     [build and execute integration tests])],,
+   [enable_integration=no])
+
+-# Test for Java compiler and interpreter without throwing fatal errors (since
+-# these macros are defined using AC_DEFUN they cannot be called conditionally)
+-m4_pushdef([AC_MSG_ERROR], [have_javac=no])
+-AX_PROG_JAVAC()
+-AX_PROG_JAVA()
+-m4_popdef([AC_MSG_ERROR])
+-
+ AC_DEFUN([integration_test_checks], [
+
+   AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no])
+@@ -382,13 +375,6 @@ AC_DEFUN([integration_test_checks], [
+         [AC_MSG_ERROR([Integration tests enabled but tss2_provision executable not found.])])
+   ])
+
+-  AS_IF([test "x$have_javac" = "xno"],
+-    [AC_MSG_ERROR([Integration tests enabled but no Java compiler was found])])
+-  AX_CHECK_CLASS([org.junit.Assert], ,
+-    [AC_MSG_ERROR([Integration tests enabled but JUnit not found, try setting CLASSPATH])])
+-  AX_CHECK_CLASS([org.hamcrest.SelfDescribing], ,
+-    [AC_MSG_ERROR([Integration tests enabled but Hamcrest not found, try setting CLASSPATH])])
+-
+   AC_SUBST([ENABLE_INTEGRATION], [$enable_integration])
+ ]) # end function integration_test_checks
+
diff --git a/pkgs/by-name/tp/tpm2-pkcs11/graceful-fapi-fail.patch b/pkgs/by-name/tp/tpm2-pkcs11/graceful-fapi-fail.patch
diff --git a/pkgs/by-name/tp/tpm2-pkcs11/package.nix b/pkgs/by-name/tp/tpm2-pkcs11/package.nix
@@ -1,101 +1,205 @@
 {
-  stdenv,
-  lib,
-  fetchFromGitHub,
-  pkg-config,
-  autoreconfHook,
   autoconf-archive,
+  autoreconfHook,
+  buildEnv,
+  clangStdenv,
+  cmocka,
+  dbus,
+  expect,
+  fetchFromGitHub,
+  glibc,
+  gnutls,
+  iproute2,
+  lib,
+  libyaml,
   makeWrapper,
-  patchelf,
-  tpm2-tss,
-  tpm2-tools,
   opensc,
+  openssh,
   openssl,
-  sqlite,
+  nss,
+  p11-kit,
+  patchelf,
+  pkg-config,
   python3,
-  glibc,
-  libyaml,
-  abrmdSupport ? true,
-  tpm2-abrmd ? null,
+  stdenv,
+  sqlite,
+  swtpm,
+  tpm2-abrmd,
+  tpm2-openssl,
+  tpm2-pkcs11, # for passthru abrmd tests
+  tpm2-tools,
+  tpm2-tss,
+  which,
+  xxd,
+  abrmdSupport ? false,
   fapiSupport ? true,
+  enableFuzzing ? false,
 }:
 
-stdenv.mkDerivation rec {
+let
+  chosenStdenv = if enableFuzzing then clangStdenv else stdenv;
+in
+chosenStdenv.mkDerivation (finalAttrs: {
   pname = "tpm2-pkcs11";
-  version = "1.9.0";
+  version = "1.9.1";
 
   src = fetchFromGitHub {
     owner = "tpm2-software";
-    repo = pname;
-    rev = version;
-    sha256 = "sha256-SoHtgZRIYNJg4/w1MIocZAM26mkrM+UOQ+RKCh6nwCk=";
+    repo = "tpm2-pkcs11";
+    tag = finalAttrs.version;
+    hash = "sha256-W74ckrpK7ypny1L3Gn7nNbOVh8zbHavIk/TX3b8XbI8=";
   };
 
-  patches = [
-    ./version.patch
-    ./graceful-fapi-fail.patch
-  ];
+  # Disable Java‐based tests because of missing dependencies
+  patches = [ ./disable-java-integration.patch ];
 
-  # The preConfigure phase doesn't seem to be working here
-  # ./bootstrap MUST be executed as the first step, before all
-  # of the autoreconfHook stuff
   postPatch = ''
-    echo ${version} > VERSION
+    echo ${lib.escapeShellArg finalAttrs.version} >VERSION
+
+    # Don't run git in the bootstrap
+    substituteInPlace bootstrap --replace-warn "git" "# git"
+
+    # Provide configuration file for D-Bus
+    substituteInPlace Makefile.am --replace-fail \
+      "dbus-run-session" \
+      "dbus-run-session --config-file=${dbus}/share/dbus-1/session.conf"
+
+    # Disable failing tests
+    sed -E -i '/\<test\/integration\/(pkcs-crypt\.int|pkcs11-tool\.sh)\>/d' \
+      Makefile-integration.am
+
+    patchShebangs test tools
+
+    # The preConfigure phase doesn't seem to be working here
+    # ./bootstrap MUST be executed as the first step, before all
+    # of the autoreconfHook stuff
     ./bootstrap
   '';
 
-  configureFlags = lib.optionals (!fapiSupport) [
-    # Note: this will be renamed to with-fapi in next release.
-    "--enable-fapi=no"
-  ];
+  configureFlags =
+    [
+      (lib.enableFeature finalAttrs.doCheck "unit")
+      (lib.enableFeature finalAttrs.doCheck "integration")
+    ]
+    ++ lib.optionals enableFuzzing [
+      "--enable-fuzzing"
+      "--disable-hardening"
+    ]
+    ++ lib.optional fapiSupport "--with-fapi";
+
+  strictDeps = true;
 
   nativeBuildInputs = [
-    pkg-config
-    autoreconfHook
     autoconf-archive
+    autoreconfHook
     makeWrapper
     patchelf
-  ];
-  buildInputs = [
-    tpm2-tss
-    tpm2-tools
-    opensc
-    openssl
-    sqlite
-    libyaml
+    pkg-config
     (python3.withPackages (
-      ps: with ps; [
+      ps:
+      with ps;
+      [
         packaging
         pyyaml
+        python-pkcs11
         cryptography
         pyasn1-modules
         tpm2-pytss
       ]
+      ++ cryptography.optional-dependencies.ssh
     ))
   ];
 
+  buildInputs = [
+    libyaml
+    opensc
+    openssl
+    sqlite
+    tpm2-tools
+    tpm2-tss
+  ];
+
+  nativeCheckInputs = [
+    dbus
+    expect
+    gnutls
+    iproute2
+    nss.tools
+    opensc
+    openssh
+    openssl
+    p11-kit
+    sqlite
+    swtpm
+    tpm2-abrmd
+    tpm2-tools
+    which
+    xxd
+  ];
+
+  checkInputs = [
+    cmocka
+    tpm2-abrmd
+  ];
+
+  enableParallelBuilding = true;
+  hardeningDisable = lib.optional enableFuzzing "all";
+
   outputs = [
     "out"
     "bin"
     "dev"
   ];
 
+  doCheck = true;
   dontStrip = true;
   dontPatchELF = true;
 
+  preCheck =
+    let
+      openssl-modules = buildEnv {
+        name = "openssl-modules";
+        pathsToLink = [ "/lib/ossl-modules" ];
+        paths = map lib.getLib [
+          openssl
+          tpm2-openssl
+        ];
+      };
+    in
+    ''
+      # Enable tests to load TCTI modules
+      export LD_LIBRARY_PATH+=":${
+        lib.makeLibraryPath [
+          swtpm
+          tpm2-tools
+          tpm2-abrmd
+        ]
+      }"
+
+      # Enable tests to load TPM2 OpenSSL module
+      export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"
+    '';
+
+  postInstall = ''
+    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
+    mv ./tools/* $bin/share/tpm2_pkcs11/
+    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
+      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
+  '';
+
   # To be able to use the userspace resource manager, the RUNPATH must
   # explicitly include the tpm2-abrmd shared libraries.
   preFixup =
     let
       rpath = lib.makeLibraryPath (
-        (lib.optional abrmdSupport tpm2-abrmd)
-        ++ [
-          tpm2-tss
-          sqlite
-          openssl
+        [
           glibc
           libyaml
+          openssl
+          sqlite
+          tpm2-tss
         ]
+        ++ (lib.optional abrmdSupport tpm2-abrmd)
       );
     in
     ''
@@ -106,19 +210,18 @@ stdenv.mkDerivation rec {
         $out/lib/libtpm2_pkcs11.so.0.0.0
     '';
 
-  postInstall = ''
-    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
-    mv ./tools/* $bin/share/tpm2_pkcs11/
-    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
-      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
-  '';
+  passthru = {
+    tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
+      abrmdSupport = true;
+    };
-    tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
-      abrmdSupport = true;
-    };
+    tests = {
+      tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
+        abrmdSupport = true;
+      };
+      
+      tpm2-pkcs11-fuzzing = tpm2-pkcs11.override {
+        enableFuzzing = true;
+      };
+    };
-    tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
-      abrmdSupport = true;
-    };
+    tests = {
+      tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
+        abrmdSupport = true;
+      };
+      
+      tpm2-pkcs11-fuzzing = tpm2-pkcs11.override {
+        enableFuzzing = true;
+      };
+    };
+  };
 
-  meta = with lib; {
+  meta = {
     description = "PKCS#11 interface for TPM2 hardware";
     homepage = "https://github.com/tpm2-software/tpm2-pkcs11";
-    license = licenses.bsd2;
-    platforms = platforms.linux;
-    maintainers = [ ];
+    license = lib.licenses.bsd2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [ numinit ];
     mainProgram = "tpm2_ptool";
   };
-}
+})