vpnkit w/ yubikey tools and opensc

make-vpnkit.sh

#!/bin/bash
#########################################################
# Configuration
#########################################################

# PKG_NAME is the actual name of the package "NAME-x.y.z.pkg"
PKG_NAME=vpnkit

# PKG_VERSION is the x.y.z above.
PKG_VERSION=1.2.3

# This is an identifier "tld.orgname.vpnkit" would work.
PKG_BUNDLE_ID=net.pcable.vpnkit

# Where should this be installed on the system?
INSTALLED_PREFIX="/usr/local/vpnkit"

# Deps
OPENSSL_VERSION=1.1.1l        # https://www.openssl.org/source/
LIBYUBIKEY_VERSION=1.13       # https://github.com/Yubico/yubico-c/releases
JSONC_VERSION=0.13.1-20180305 # https://github.com/json-c/json-c/releases - later versions of jsonc incompatable w/ ykpers
YKPERS_VERSION=1.20.0         # https://github.com/Yubico/yubikey-personalization/releases
YKPIV_VERSION=2.2.1           # https://github.com/Yubico/yubico-piv-tool/releases

# Arch specific env vars
case $(uname -m) in
"x86_64")
  BREW_PATH="/usr/local/bin/brew"
  ;;
"arm64")
  BREW_PATH="/opt/homebrew/bin/brew"
  ;;
*)
  BREW_PATH=""
  ;;
esac

#########################################################
# End Configuration
#########################################################

function error() {
  echo "*** failure: $1"
  if [[ $2 != "pre" ]]; then
    echo "Scratch exists at $SCRATCH_DIR. You can rerun."
    echo "To try again from nothing, `rm .scratch_dir`"
  fi
  exit 1
}

if [[ ! -d "/Library/OpenSC" ]]; then
  error "You should have OpenSC installed - grab that from https://github.com/OpenSC/OpenSC/wiki" "pre"
fi

if [[ ! -a $BREW_PATH ]]; then 
  error "You'll need homebrew - grab that from https://brew.sh" "pre"
fi

# Saves a bit of time if we have an error during the build.
if [[ -a .scratch_dir ]]; then
  SCRATCH_DIR=$(cat .scratch_dir)
else
  SCRATCH_DIR=$(mktemp -d)
  echo "$SCRATCH_DIR" > .scratch_dir
fi

brew install check cmake gengetopt help2man libtool pkg-config asciidoc libxml2 gsed automake docbook-xsl
export XML_CATALOG_FILES=/opt/homebrew/etc/xml/catalog
export MAINDIR=$(pwd)

#########################################################
# Build the things
#########################################################

#### OpenSSL
if [[ ! -d "$MAINDIR/openssl-${OPENSSL_VERSION}" ]]; then
  curl -L https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz -o openssl-${OPENSSL_VERSION}.tar.gz
  tar -zxvf openssl-${OPENSSL_VERSION}.tar.gz 
fi
cd openssl-${OPENSSL_VERSION}
./Configure --prefix=${INSTALLED_PREFIX} darwin64-$(uname -m)-cc
if [[ $? != 0 ]]; then
  error "openssl configure"
fi
make -j4
if [[ $? != 0 ]]; then
  error "openssl build"
fi
echo "*** make install for openssl takes a bit. its fine."
make install DESTDIR=$SCRATCH_DIR >/dev/null
if [[ $? != 0 ]]; then
  error "openssl install"
fi

export PKG_CONFIG_PATH=${SCRATCH_DIR}/usr/local/tsvpnkit/lib/pkgconfig
cd $MAINDIR

#### libyubikey
if [[ ! -d "$MAINDIR/yubico-c-libyubikey-${LIBYUBIKEY_VERSION}" ]]; then
  curl -L https://github.com/Yubico/yubico-c/archive/libyubikey-${LIBYUBIKEY_VERSION}.tar.gz -o libyubikey-${LIBYUBIKEY_VERSION}.tar.gz
  tar -zxvf libyubikey-${LIBYUBIKEY_VERSION}.tar.gz
fi
cd yubico-c-libyubikey-${LIBYUBIKEY_VERSION}
autoreconf --install
./configure --prefix=${INSTALLED_PREFIX}
if [[ $? != 0 ]]; then
  error "libyubikey configure"
fi
gsed -i '/^A2X/ s/$/ --no-xmllint/' Makefile
make install DESTDIR=$SCRATCH_DIR
if [[ $? != 0 ]]; then
  error "libyubikey build/install"
fi
cd $MAINDIR

#### json-c 0.13.1 (later doesnt work w/ ykpers)
if [[ ! -d "$MAINDIR/json-c-json-c-${JSONC_VERSION}" ]]; then
  curl -L https://github.com/json-c/json-c/archive/json-c-${JSONC_VERSION}.tar.gz -o json-c-${JSONC_VERSION}.tar.gz
  tar -zxvf json-c-${JSONC_VERSION}.tar.gz
fi
cd json-c-json-c-${JSONC_VERSION}
./configure --prefix=${INSTALLED_PREFIX}
if [[ $? != 0 ]]; then
  error "json-c configure"
fi
make install DESTDIR=$SCRATCH_DIR
if [[ $? != 0 ]]; then
  error "json-c build/install"
fi
cd $MAINDIR

#### yubikey-personalization (for managing OTP app on the card)
if [[ ! -d "$MAINDIR/yubikey-personalization-${YKPERS_VERSION}" ]]; then
  curl -L https://github.com/Yubico/yubikey-personalization/archive/v${YKPERS_VERSION}.tar.gz -o yubikey-personalization-${YKPERS_VERSION}.tar.gz
  tar -zxvf yubikey-personalization-${YKPERS_VERSION}.tar.gz
fi
cd yubikey-personalization-${YKPERS_VERSION}
autoreconf --install
LDFLAGS="-L${SCRATCH_DIR}/usr/local/tsvpnkit/lib" CFLAGS="-I${SCRATCH_DIR}/usr/local/tsvpnkit/include -I${SCRATCH_DIR}/usr/local/tsvpnkit/include/json-c" ./configure --prefix=${INSTALLED_PREFIX}
if [[ $? != 0 ]]; then
  error "yubikey-personalization configure"
fi
make install DESTDIR=$SCRATCH_DIR
if [[ $? != 0 ]]; then
  error "yubikey-personalization build/install"
fi
cd $MAINDIR

#### piv-tool (manages the certificates on the card)
if [[ ! -d "$MAINDIR/yubico-piv-tool-yubico-piv-tool-${YKPIV_VERSION}" ]]; then
  curl -L https://github.com/Yubico/yubico-piv-tool/archive/yubico-piv-tool-${YKPIV_VERSION}.tar.gz -o yubico-piv-tool-${YKPIV_VERSION}.tar.gz
  tar -zxvf yubico-piv-tool-${YKPIV_VERSION}.tar.gz
fi
cd yubico-piv-tool-yubico-piv-tool-${YKPIV_VERSION}
mkdir build
cd build
LDFLAGS="-L$SCRATCH_DIR/usr/local/tsvpnkit/lib" cmake -DCMAKE_INSTALL_PREFIX=${INSTALLED_PREFIX} -DCMAKE_C_FLAGS="-I$SCRATCH_DIR/usr/local/tsvpnkit/include" -DGENERATE_MAN_PAGES=off ..
if [[ $? != 0 ]]; then
  error "piv-tool cmake"
fi
make install DESTDIR=$SCRATCH_DIR
if [[ $? != 0 ]]; then
  error "piv-tool build/install"
fi
cd $MAINDIR

#########################################################
#### Build package
mkdir -p $SCRATCH_DIR/Library
cp -a /Library/OpenSC $SCRATCH_DIR/Library
cd $MAINDIR
pkgbuild --root $SCRATCH_DIR --identifier $PKG_BUNDLE_ID --version $PKG_VERSION --install-location / ${PKG_NAME}-${PKG_VERSION}.pkg
rm -Rf $SCRATCH_DIR
rm .scratch_dir