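{
  # Host nixpkgs, pinned by URL + sha256 so the default toolchain is reproducible.
  pkgs ? import (builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/24.05.tar.gz";
    sha256 = "1lr1h35prqkd1mkmzriwlpvxcb34kmhc9dnr48gkm8hh089hifmx";
  }) { },
}:
let
  inherit (pkgs.stdenv) isLinux;
  # Import project-level outputs to access tools like cargo-packager
  project = import ./default.nix { inherit pkgs; };
  # glibc version of the host toolchain; "n/a" on non-Linux where it is not used.
  hostGlibc =
    if isLinux then
      (pkgs.stdenv.cc.libc.version or (pkgs.lib.getVersion pkgs.stdenv.cc.libc))
    else
      "n/a";
  # Optional override of the glibc-2.28 nixpkgs tarball (kept via nix-shell --keep).
  # Whatever this points at becomes the source of the whole Linux build toolchain,
  # so it must only be set to a trusted, immutable URL. The fallback branch URL
  # below is NOT pinned; set NIXPKGS_GLIBC_228_SHA256 (new, optional) so that
  # fetchTarball verifies the download instead of trusting the network.
  nixpkgs1903 = builtins.getEnv "NIXPKGS_GLIBC_228_URL";
  nixpkgs1903Sha256 = builtins.getEnv "NIXPKGS_GLIBC_228_SHA256";
  nixpkgs1903Src =
    {
      url =
        if nixpkgs1903 != "" then
          nixpkgs1903
        else
          "https://github.com/NixOS/nixpkgs/archive/refs/heads/nixos-19.03.tar.gz";
    }
    # Only attach sha256 when provided: fetchTarball rejects an empty hash.
    // (if nixpkgs1903Sha256 != "" then { sha256 = nixpkgs1903Sha256; } else { });
  # On Linux hosts with glibc >= 2.29, build against an older nixpkgs (glibc 2.28)
  # so produced binaries stay compatible with older distributions; otherwise reuse pkgs.
  pkgs228 =
    if isLinux && !(pkgs.lib.versionOlder hostGlibc "2.29") then
      import (builtins.fetchTarball nixpkgs1903Src) { }
    else
      pkgs;
  # Use custom OpenSSL 3.1.2 (FIPS-capable) for both FIPS and non-FIPS modes
  # The same OpenSSL library is used; FIPS vs non-FIPS is controlled at runtime
  # via OPENSSL_CONF and OPENSSL_MODULES environment variables
  openssl312 = pkgs228.callPackage ./nix/openssl.nix { };
  # SoftHSM override with OpenSSL-only backend (Botan disabled)
  # Note: softhsm 2.5.x in nixos-19.03 uses autotools (configure), not CMake
  # Prefer nixpkgs' OpenSSL for building SoftHSM (ensures compatibility); server uses openssl312
  opensslForSofthsm = pkgs228.openssl;
  softhsm_pkg = pkgs228.softhsm.overrideAttrs (
    old:
    let
      lib = pkgs.lib or pkgs228.lib;
      # Drop crypto-backend and backend-specific flags to avoid duplicates
      filteredFlags = lib.filter (
        f:
        !(lib.hasPrefix "--with-crypto-backend=" f)
        && !(lib.hasPrefix "--with-botan" f)
        && !(lib.hasPrefix "--with-openssl" f)
      ) (old.configureFlags or [ ]);
      # Force OpenSSL backend only (no Botan)
      extraFlags = [
        "--with-crypto-backend=openssl"
        "--with-openssl=${opensslForSofthsm}"
      ];
      extraInputs = [ opensslForSofthsm ];
    in
    {
      configureFlags = filteredFlags ++ extraFlags;
      buildInputs = (old.buildInputs or [ ]) ++ extraInputs;
    }
  );
  # Allow selectively adding extra tools from the environment (kept via nix-shell --keep)
  withWget = (builtins.getEnv "WITH_WGET") == "1";
  withHsm = (builtins.getEnv "WITH_HSM") == "1";
  withPython = (builtins.getEnv "WITH_PYTHON") == "1";
  extraTools = if withWget then [ pkgs228.wget ] else [ ];
  # Python 3.11 fallback logic: older pinned nixpkgs (e.g. 19.03) does not provide python311.
  # Use host 'pkgs' Python when python311 is absent from pkgs228.
  pythonTools =
    if withPython then
      let
        pyBase = pkgs228.python311 or pkgs.python311;
        pyVenv =
          if (pkgs228 ? python311Packages) && (pkgs228.python311Packages ? virtualenv) then
            pkgs228.python311Packages.virtualenv
          else
            pkgs.python311Packages.virtualenv;
      in
      [
        pyBase
        pyVenv
      ]
    else
      [ ];
  hsmTools =
    if withHsm then
      [
        pkgs228.psmisc
        # Use a SoftHSM build with OpenSSL backend (Botan disabled)
        softhsm_pkg
      ]
    else
      [ ];
  linuxTools =
    if isLinux then
      [
        pkgs228.gcc
        pkgs228.binutils
      ]
    else
      [ ];
  darwinTools =
    if pkgs228.stdenv.isDarwin then
      [ pkgs228.libiconv ]
      ++ (with pkgs228.darwin.apple_sdk.frameworks; [
        SystemConfiguration
        Security
        CoreFoundation
      ])
    else
      [ ];
in
pkgs228.mkShell {
  name = "cosmian-kms-dev-shell";
  buildInputs = [
    pkgs228.pkg-config
    pkgs228.cmake
    pkgs228.git
    pkgs228.rustup
    # Provide cargo-packager in the shell so packaging scripts can call `cargo packager`
    project.cargoPackagerTool
  ]
  ++ linuxTools
  ++ darwinTools
  ++ [ openssl312 ]
  ++ extraTools
  ++ hsmTools
  ++ pythonTools;
  # The hook is sourced into the user's interactive shell, so it must not use
  # `set -euo pipefail`: -e/-u would persist after the hook and abort the session
  # on the first failing command or unset variable. Every step is guarded instead,
  # and every expansion is quoted so an empty value cannot turn `[ -n $x ]` into
  # a test that is always true.
  shellHook = ''
    export NIX_OPENSSL_OUT="${openssl312}"
    ${
      if isLinux then
        ''
          export NIX_CC_BIN="${pkgs228.stdenv.cc}/bin"
          export NIX_BINUTILS_BIN="${pkgs228.binutils}/bin"
          export NIX_BINUTILS_UNWRAPPED_BIN="${(pkgs228.binutils-unwrapped or pkgs228.binutils)}/bin"
          export NIX_GLIBC_LIB="${pkgs228.glibc}/lib"
          export NIX_DYN_LINKER="${pkgs228.glibc}/lib/ld-linux-x86-64.so.2"
        ''
      else
        ""
    }
    # --- Begin inlined nix/shell-hook.sh ---
    export OPENSSL_NO_VENDOR=1
    export OPENSSL_STATIC=1
    export PKG_CONFIG_ALL_STATIC=1
    if [ -n "''${NIX_OPENSSL_OUT:-}" ]; then
      if [ -d "''${NIX_OPENSSL_OUT}/bin" ]; then
        export PATH="''${NIX_OPENSSL_OUT}/bin:$PATH"
      fi
      export OPENSSL_DIR="''${NIX_OPENSSL_OUT}"
      export OPENSSL_LIB_DIR="''${NIX_OPENSSL_OUT}/lib"
      export OPENSSL_INCLUDE_DIR="''${NIX_OPENSSL_OUT}/include"
      # Add OpenSSL lib directory to LD_LIBRARY_PATH so dynamically linked binaries can find it.
      # The ':+' form avoids a trailing ':' when LD_LIBRARY_PATH was unset: an empty
      # entry makes the dynamic loader also search the current working directory.
      export LD_LIBRARY_PATH="''${NIX_OPENSSL_OUT}/lib''${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
      # Configure FIPS provider for runtime (needed for tests)
      # Point to the FIPS configuration and provider modules
      if [ -f "''${NIX_OPENSSL_OUT}/ssl/openssl.cnf" ]; then
        export OPENSSL_CONF="''${NIX_OPENSSL_OUT}/ssl/openssl.cnf"
      fi
      if [ -d "''${NIX_OPENSSL_OUT}/lib/ossl-modules" ]; then
        export OPENSSL_MODULES="''${NIX_OPENSSL_OUT}/lib/ossl-modules"
      fi
      # Force openssl-sys to use our specific OpenSSL and detect version correctly
      # Disable pkg-config to prevent it from finding wrong OpenSSL versions
      export OPENSSL_NO_PKG_CONFIG=1
      # Same ':+' treatment: no empty (current-directory) entry in PKG_CONFIG_PATH.
      if [ -d "''${NIX_OPENSSL_OUT}/lib/pkgconfig" ]; then
        export PKG_CONFIG_PATH="''${NIX_OPENSSL_OUT}/lib/pkgconfig''${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}"
      fi
      if [ -d "''${NIX_OPENSSL_OUT}/lib64/pkgconfig" ]; then
        export PKG_CONFIG_PATH="''${NIX_OPENSSL_OUT}/lib64/pkgconfig''${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}"
      fi
    fi
    if [ "$(uname -s)" = "Linux" ]; then
      if [ -n "''${NIX_CC_BIN:-}" ]; then
        PATH="''${NIX_CC_BIN}:$PATH"
        export CC="''${NIX_CC_BIN}/cc"
      else
        # Not expected here (NIX_CC_BIN is exported above on Linux); fall back to
        # the `cc` on PATH rather than exporting the bogus path "/cc".
        export CC=cc
      fi
      if [ -n "''${NIX_BINUTILS_BIN:-}" ]; then
        PATH="''${NIX_BINUTILS_BIN}:$PATH"
      fi
      AR_BIN="''${NIX_BINUTILS_UNWRAPPED_BIN:-''${NIX_BINUTILS_BIN:-}}"
      export AR="$AR_BIN/ar"
      if [ ! -x "$AR" ] && command -v ar >/dev/null 2>&1; then AR="$(command -v ar)"; fi
      export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER="$CC"
      export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_AR="$AR"
      export CC_x86_64_unknown_linux_gnu="$CC"
      export AR_x86_64_unknown_linux_gnu="$AR"
    fi
    # --- End inlined nix/shell-hook.sh ---
  '';
}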