From eff8cc1f6fee587c14344a4b813b54637f18be1a Mon Sep 17 00:00:00 2001
From: aszlig
Date: Mon, 6 Jun 2016 04:58:37 +0200
Subject: pkgs: Add a wrapped browser for Santander HBCI I didn't get the starcoscard to run with aqbanking so far and the bank itself is very uncooperative if it comes to giving specific details about their implementation of FinTS 3.00, so in the end I'm going to move away from the bank. But during transition this will work much better than running a Windows VM (which I didn't have access to in the meantime, so I *had* to get this running somehow), especially because we can wrap this plugin in *any* browser that supports NPAPI. Also, there seems to be some work implementing PPAPI support for pipelight, but the branch is stale since quite a while: https://bitbucket.org/mmueller2012/pipelight/branch/ppapi Going back to the pesky Santander plugin: In order to support PC/SC-Lite, we need to patch Wine to get support for the winscard API. We also patch out unixfs, so while there definitely are better sandboxing options this should suffice so that the plugin doesn't write garbage on any location of the system (basically it works entirely read-only). So in the end we get a nice and small dwb browser, which directly opens up the login page along with the plugin. The browser is wrapped so that it only writes to a temporary location, so as soon as it is closed all the cruft is cleaned up afterwards.
Signed-off-by: aszlig
---
pkgs/santander/default.nix | 144 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 144 insertions(+)
create mode 100644 pkgs/santander/default.nix (limited to 'pkgs/santander/default.nix')
diff --git a/pkgs/santander/default.nix b/pkgs/santander/default.nix
new file mode 100644
index 00000000..27fd6f6a
--- /dev/null
+++ b/pkgs/santander/default.nix
@@ -0,0 +1,144 @@
+{ stdenv, pkgsi686Linux, fetchurl, fetchgit, fetchFromBitbucket
+, runCommand, writeScript, writeScriptBin, writeText
+, xvfb_run, xdotool, coreutils, wineStaging, pipelight, dwb
+}:
+
+let
+ name = "SecurityPluginHBCIChipcard";
+ version = "2.9.8.0";
+ dllName = "NP_${name}.dll";
+
+ pluginInstaller = fetchurl {
+ url = "https://service.santanderbank.de/special/banking/files/"
+ + "SecurityPluginHBCIChipcard-${version}-Installer.exe";
+ sha256 = "0xnfb730mwxdx83dnqyplp4bxwx6g01wc87xa4dl1spxia9kjmmh";
+ };
+
+ patchedWine = let
+ libpcsclite = "${pkgsi686Linux.pcsclite}/lib/libpcsclite.so";
+ in (wineStaging.override {
+ wineBuild = "wine32";
+ }).overrideDerivation (drv: {
+ scard4wine = fetchgit {
+ url = "git://git.code.sf.net/p/scard4wine/code";
+ rev = "c14c02c80bf1f2bb4cedd1f53a3a2ab9c48bed76";
+ sha256 = "0ffmbl9mdnaih4h3ggpnzqbih3kgbwl3wv6j1ag5s4czn8gcpdq3";
+ };
+
+ prePatch = (drv.prePatch or "") + ''
+ cp -t dlls/winscard "$scard4wine/src/"*
+ sed -i -re 's,"libpcsclite\.so(\.[0-9]+)*","${libpcsclite}",' \
+ dlls/winscard/winscard.c
+ '';
+
+ patches = (drv.patches or []) ++ [ ./winscard.patch ];
+
+ postPatch = (drv.postPatch or "") + ''
+ sed -i -e '/not owned by you/d' libs/wine/config.c
+ # Modified patch from https://bugs.winehq.org/show_bug.cgi?id=22450
+ patch -p1 < "${./wine-no-unixfs.patch}"
+ '';
+ });
+
+ installPath = [ "Program Files" "ppi" "SecurityPluginHBCIChipcard" ];
+
+ scard4wine = stdenv.mkDerivation rec {
+ name = "scard4wine-${version}";
+ version = "1.2.0-2016-06-05";
+
+ src = fetchgit {
+ url = "git://git.code.sf.net/p/scard4wine/code";
+ rev = "c14c02c80bf1f2bb4cedd1f53a3a2ab9c48bed76";
+ sha256 = "0ffmbl9mdnaih4h3ggpnzqbih3kgbwl3wv6j1ag5s4czn8gcpdq3";
+ };
+ };
+
+ winePrefix = runCommand "santander-wineprefix" {
+ installPath = stdenv.lib.concatStringsSep "/" (installPath ++ [ dllName ]);
+ } ''
+ export WINEPREFIX="$out"
+ mkdir -p "$out"
+ ${patchedWine}/bin/wine wineboot.exe
+ ${xvfb_run}/bin/xvfb-run "${writeScript "install-santander-wine" ''
+ ${patchedWine}/bin/wine "${pluginInstaller}" &
+ while [ "$(jobs -r | wc -l)" -gt 0 ]; do
+ ${xdotool}/bin/xdotool \
+ search --sync --onlyvisible \
+ --name 'Security-Plugin-HBCI-Chipcard ${version}' \
+ key Return &> /dev/null || :
+ sleep 1
+ done
+ wait
+ ''}"
+ if [ ! -e "$out/drive_c/$installPath" ]; then
+ echo "Unable to find plugin in $installPath." >&2
+ exit 1
+ fi
+ ln -sf -T "${builtins.storeDir}" "$WINEPREFIX/dosdevices/z:"
+ echo disable > "$WINEPREFIX/.update-timestamp"
+ '';
+
+ pluginConfig = {
+ winePath = "$share/wine";
+ inherit winePrefix dllName;
+ wineArch = "win32";
+ pluginLoaderPath = "$share/pluginloader.exe";
+ dllPath = "c:\\${stdenv.lib.concatStringsSep "\\" installPath}";
+ };
+
+ pipelightConfigFile = let
+ mkVal = val: if val == true then "true"
+ else if val == false then "false"
+ else toString val;
+ mkCfgLine = key: val: "# ${key} = ${mkVal val}";
+ in with stdenv.lib; writeText "pipelight-santander.config" ''
+ # ---BEGIN CONFIG---
+ ${concatStringsSep "\n" (mapAttrsToList mkCfgLine pluginConfig)}
+ # ---END CONFIG---
+ '';
+
+ finalPlugin = runCommand "santander-plugin" {
+ pipelight = (pipelight.override {
+ wineStaging = patchedWine;
+ }).overrideDerivation (drv: {
+ src = fetchFromBitbucket {
+ repo = "pipelight";
+ owner = "mmueller2012";
+ rev = "181bab804f80b99cb46f63f9ed36e4fdf12ca319";
+ sha256 = "0ydivpxayzs5aklf0x5vl5bl4issz10k7zl3cv76649kxxhxkh1z";
+ };
+
+ patches = [ ./pipelight.patch ];
+
+ postPatch = (drv.postPatch or "") + ''
+ sed -i -e '/static \+bool \+openConfig.*{$/,/}/ {
+ /getConfigNameFromLibrary/a \
+ configFile.open("${pipelightConfigFile}"); \
+ if (configFile.is_open()) return true;
+ }' src/linux/libpipelight/configloader.c
+ '';
+ });
+ } ''
+ install -vD "$pipelight/lib/pipelight/libpipelight.so" \
+ "$out/lib/pipelight/libpipelight-santander.so"
+ '';
+
+ dwbWithPlugin = stdenv.lib.overrideDerivation dwb (wrapperDrv: {
+ plugins = [ "${finalPlugin}/lib/pipelight" ];
+ });
+
+in writeScriptBin "santander" ''
+ #!${stdenv.shell}
+ if tmpdir="$("${coreutils}/bin/mktemp" -d)"; then
+ trap "rm -rf '$tmpdir'" EXIT
+ export XDG_RUNTIME_DIR="$tmpdir"
+ export XDG_CONFIG_HOME="$tmpdir"
+ export XDG_DATA_HOME="$tmpdir"
+ export XDG_CACHE_HOME="$tmpdir"
+ "${dwbWithPlugin}/bin/dwb" -t https://karte.santanderbank.de/
+ exit $?
+ else
+ echo "Unable to create temporary profile directory." >&2
+ exit 1
+ fi
+''
--
cgit 1.4.1
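Review bot: In the `santander` wrapper at the end of this file, `trap "rm -rf '$tmpdir'" EXIT` expands `$tmpdir` when the trap is set and wraps it in literal single quotes, so a `TMPDIR` that contains a quote breaks the cleanup and has part of the path parsed as shell; `trap 'rm -rf -- "$tmpdir"' EXIT` defers the expansion and quotes it correctly. The wrapper also redirects only the four `XDG_*` variables, so the stated goal of writing only to a temporary location depends on dwb, pipelight and Wine all honouring them, which this file does not show; adding `export HOME="$tmpdir"` would cover code that writes under the home directory directly. In `postPatch` of `patchedWine`, `sed -i -e '/not owned by you/d' libs/wine/config.c` drops Wine's prefix-ownership check with no explanation and becomes a silent no-op if the upstream message changes; I would add a comment like `# the prefix is a store path (presumably not owned by the calling user), so Wine's ownership check must go` and fail the build when the pattern no longer matches.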