Diffstat (limited to 'usr/bin/cryptosmartcard.sh')
-rwxr-xr-xusr/bin/cryptosmartcard.sh73
1 files changed, 55 insertions, 18 deletions
diff --git a/usr/bin/cryptosmartcard.sh b/usr/bin/cryptosmartcard.sh
index 9d03f2c..f7ca6d9 100755
--- a/usr/bin/cryptosmartcard.sh
+++ b/usr/bin/cryptosmartcard.sh
@@ -10,7 +10,7 @@
#
# Updated by TJ <[email protected]> 7 July 2008
# For use with Ubuntu Hardy, usplash, automatic detection of USB devices,
-# detection and examination of *all* partitions on the device (not just partition #1),
+# detection and examination of *all* partitions on the device (not just partition #1),
# automatic detection of partition type, refactored, commented, debugging code.
#
# Update by Timothy Pearson <[email protected]> 8/28/2008
@@ -18,6 +18,9 @@
#
# Updated by Timothy Pearson <[email protected]> 4/19/2010
# Added Plymouth detection and support
+#
+# Updated by Timothy Pearson <[email protected]> 9/15/2015
+# Rewrite to use on-card RSA encryption
# define counter-intuitive shell logic values (based on /bin/true & /bin/false)
TRUE=0
@@ -85,24 +88,62 @@ if [ $USBLOAD -gt 0 ]; then
modprobe usb_storage >/dev/null 2>&1
fi
-killall pcscd &
+# Terminate the PC/SC subsystem
+killall pcscd > /dev/null 2>&1 || true
-# give the system time to settle and open the USB devices
+# Give the system time to settle and open the USB devices
sleep 5
-cd /bin/
-/bin/smartauth.sh > /dev/null 2>&1
-SMARTCARDFILE=/bin/smart.key
-if [ -e $SMARTCARDFILE ]
-then
- OPENED=$TRUE
- cat $SMARTCARDFILE
-else
- OPENED=$FALSE
+# Relaunch the PC/SC subsystem
+pcscd > /dev/null 2>&1
+
+CARD_INSERTED=$FALSE
+OPENED=$FALSE
+LUKS_KEY_DIR=/tde_luks_keys
+LUKS_KEY_COUNT=$(ls -1 $LUKS_KEY_DIR/ 2> /dev/null | wc -l)
+
+DISK_UUID=$(blkid -s UUID -o value $CRYPTTAB_SOURCE)
+
+if [ $LUKS_KEY_COUNT -gt 0 ]; then
+ if [ "$DISK_UUID" != "" ]; then
+ # Disk UUID found and LUKS keys are present
+ # Check for card presence...
+ pkcs15-tool --list-certificates > /dev/null 2>&1
+ RET=$?
+ if [ $RET -eq 0 ]; then
+ # Card present
+ CARD_INSERTED=$TRUE
+ msg "SmartCard inserted, attempting to authenticate"
+ PIN=$(cardpincheck /usr/lib/opensc-pkcs11.so)
+ RET=$?
+ if [ $RET -eq 0 ]; then
+ # PIN valid
+ msg "SmartCard unlocked"
+ for KEYFILE in ${LUKS_KEY_DIR}/${DISK_UUID}_slot*; do
+ # Try decrypting
+ echo "$PIN" | cardpincheck /usr/lib/opensc-pkcs11.so $KEYFILE 2> /dev/null
+ RET=$?
+ if [ $RET -eq 0 ]; then
+ OPENED=$TRUE
+ break
+ fi
+ done
+ else
+ msg "SmartCard authentication failed"
+ fi
+ fi
+ fi
fi
+killall pcscd > /dev/null 2>&1 || true
+
if [ $OPENED -eq $FALSE ]; then
- msg "SmartCard LUKS keyfile invalid or incorrect SmartCard inserted"
+ if [ $CARD_INSERTED -eq $TRUE ]; then
+ msg "SmartCard LUKS keyfile invalid or incorrect SmartCard inserted"
+ exit 0
+ else
+ msg "No SmartCard inserted or no LUKS keyfiles available on this system"
+ fi
if [ $HAS_PLYMOUTH -eq 1 ]; then
plymouth ask-for-password --prompt="Please enter the LUKS password"
else
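Review bot: The keyfile loop on the `for KEYFILE in ${LUKS_KEY_DIR}/${DISK_UUID}_slot*` line has no guard for the no-match case, so when no keyfile exists for the disk's UUID the unexpanded pattern is passed to cardpincheck as a filename and an unlock attempt is made against a nonexistent path; add `[ -e "$KEYFILE" ] || continue` as the first statement of the loop body (or `shopt -s nullglob` before it). The PIN is then fed through `echo "$PIN"`, which can mangle a PIN that starts with `-n`/`-e` or contains backslashes; `printf '%s\n' "$PIN" | cardpincheck /usr/lib/opensc-pkcs11.so "$KEYFILE" 2> /dev/null` avoids that and also quotes the path. The same quoting applies to `blkid -s UUID -o value "$CRYPTTAB_SOURCE"`, since an empty or space-containing crypttab source would otherwise alter blkid's argument list. Note too that cardpincheck's stdout is not redirected on failed slot attempts, so if it emits anything before returning non-zero that output would reach cryptsetup as part of the key; worth confirming against cardpincheck's behaviour.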
@@ -111,10 +152,6 @@ if [ $OPENED -eq $FALSE ]; then
echo -n "$A"
msg "Attempting to authenticate..."
fi
-else
- msg "SmartCard authenticated and LUKS keyfile loaded"
fi
-killall pcscd &
-
-
+exit 0