Diffstat (limited to 'usr')
-rwxr-xr-x | usr/bin/cryptosmartcard.sh | 73 | ||||
-rwxr-xr-x | usr/bin/setupcard.sh | 1016 | ||||
-rwxr-xr-x | usr/bin/setupslavecard.sh | 501 | ||||
-rw-r--r-- | usr/bin/smartauth.sh | 74 | ||||
-rw-r--r-- | usr/share/applications/smartcardauth.desktop | 10 | ||||
-rw-r--r-- | usr/share/applications/smartcardrestrict.desktop | 10 | ||||
-rw-r--r-- | usr/share/icons/hicolor/16x16/apps/smartcardauth.png | bin | 595 -> 0 bytes | |||
-rw-r--r-- | usr/share/icons/hicolor/32x32/apps/smartcardauth.png | bin | 1807 -> 0 bytes | |||
-rwxr-xr-x | usr/share/initramfs-tools/hooks/cryptlukssc | 95 |
9 files changed, 121 insertions, 1658 deletions
diff --git a/usr/bin/cryptosmartcard.sh b/usr/bin/cryptosmartcard.sh
index 9d03f2c..f7ca6d9 100755
--- a/usr/bin/cryptosmartcard.sh
+++ b/usr/bin/cryptosmartcard.sh
@@ -10,7 +10,7 @@
 #
 # Updated by TJ <[email protected]> 7 July 2008
 # For use with Ubuntu Hardy, usplash, automatic detection of USB devices,
-# detection and examination of *all* partitions on the device (not just partition #1),
+# detection and examination of *all* partitions on the device (not just partition #1),
 # automatic detection of partition type, refactored, commented, debugging code.
 #
 # Update by Timothy Pearson <[email protected]> 8/28/2008
@@ -18,6 +18,9 @@
 #
 # Updated by Timothy Pearson <[email protected]> 4/19/2010
 # Added Plymouth detection and support
+#
+# Updated by Timothy Pearson <[email protected]> 9/15/2015
+# Rewrite to use on-card RSA encryption
 
 # define counter-intuitive shell logic values (based on /bin/true & /bin/false)
 TRUE=0
@@ -85,24 +88,62 @@ if [ $USBLOAD -gt 0 ]; then
 	modprobe usb_storage >/dev/null 2>&1
 fi
 
-killall pcscd &
+# Terminate the PC/SC subsystem
+killall pcscd > /dev/null 2>&1 || true
 
-# give the system time to settle and open the USB devices
+# Give the system time to settle and open the USB devices
 sleep 5
 
-cd /bin/
-/bin/smartauth.sh > /dev/null 2>&1
-SMARTCARDFILE=/bin/smart.key
-if [ -e $SMARTCARDFILE ]
-then
-	OPENED=$TRUE
-	cat $SMARTCARDFILE
-else
-	OPENED=$FALSE
+# Relaunch the PC/SC subsystem
+pcscd > /dev/null 2>&1
+
+CARD_INSERTED=$FALSE
+OPENED=$FALSE
+LUKS_KEY_DIR=/tde_luks_keys
+LUKS_KEY_COUNT=$(ls -1 $LUKS_KEY_DIR/ 2> /dev/null | wc -l)
+
+DISK_UUID=$(blkid -s UUID -o value $CRYPTTAB_SOURCE)
+
+if [ $LUKS_KEY_COUNT -gt 0 ]; then
+	if [ "$DISK_UUID" != "" ]; then
+		# Disk UUID found and LUKS keys are present
+		# Check for card presence...
+		pkcs15-tool --list-certificates > /dev/null 2>&1
+		RET=$?
+		if [ $RET -eq 0 ]; then
+			# Card present
+			CARD_INSERTED=$TRUE
+			msg "SmartCard inserted, attempting to authenticate"
+			PIN=$(cardpincheck /usr/lib/opensc-pkcs11.so)
+			RET=$?
+			if [ $RET -eq 0 ]; then
+				# PIN valid
+				msg "SmartCard unlocked"
+				for KEYFILE in ${LUKS_KEY_DIR}/${DISK_UUID}_slot*; do
+					# Try decrypting
+					echo "$PIN" | cardpincheck /usr/lib/opensc-pkcs11.so $KEYFILE 2> /dev/null
+					RET=$?
+					if [ $RET -eq 0 ]; then
+						OPENED=$TRUE
+						break
+					fi
+				done
+			else
+				msg "SmartCard authentication failed"
+			fi
+		fi
+	fi
 fi
 
+killall pcscd > /dev/null 2>&1 || true
+
 if [ $OPENED -eq $FALSE ]; then
-	msg "SmartCard LUKS keyfile invalid or incorrect SmartCard inserted"
+	if [ $CARD_INSERTED -eq $TRUE ]; then
+		msg "SmartCard LUKS keyfile invalid or incorrect SmartCard inserted"
+		exit 0
+	else
+		msg "No SmartCard inserted or no LUKS keyfiles available on this system"
+	fi
 	if [ $HAS_PLYMOUTH -eq 1 ]; then
 		plymouth ask-for-password --prompt="Please enter the LUKS password"
 	else
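Review bot: `DISK_UUID=$(blkid -s UUID -o value $CRYPTTAB_SOURCE)` has no guard for an unset or empty CRYPTTAB_SOURCE; with no device argument blkid prints the UUID of every block device it knows, so the following `"$DISK_UUID" != ""` check passes with a multi-line value and the `${DISK_UUID}_slot*` glob is built from it. Guard the lookup, e.g. `[ -n "$CRYPTTAB_SOURCE" ] && DISK_UUID=$(blkid -s UUID -o value "$CRYPTTAB_SOURCE")`, so a missing source falls through to the passphrase prompt instead. In the `for KEYFILE` loop, a glob with no match leaves the literal pattern in `$KEYFILE`, and the PIN is then submitted against a path that does not exist; `[ -e "$KEYFILE" ] || continue` at the top of the loop body avoids that. The `pcscd` relaunch is not waited on before `pkcs15-tool --list-certificates`, so if the daemon is not yet accepting connections the card is presumably reported absent — a short retry there would be safer. The script continues past the end of the hunk.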
@@ -111,10 +152,6 @@ if [ $OPENED -eq $FALSE ]; then
 		echo -n "$A"
 		msg "Attempting to authenticate..."
 	fi
-else
-	msg "SmartCard authenticated and LUKS keyfile loaded"
 fi
 
-killall pcscd &
-
-
+exit 0
diff --git a/usr/bin/setupcard.sh b/usr/bin/setupcard.sh
deleted file mode 100755
index 34e9c4b..0000000
--- a/usr/bin/setupcard.sh
+++ /dev/null
@@ -1,1016 +0,0 @@ -#!/bin/bash - -# Smart Card Management Tool (c) 2009 Timothy Pearson -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -# The [secure] temporary directory for authentication -SECURE_DIRECTORY=/tmp/smartauth - -# Create the secure directory and lock it down -mkdir -p $SECURE_DIRECTORY -chown root $SECURE_DIRECTORY -chgrp root $SECURE_DIRECTORY -chmod 600 $SECURE_DIRECTORY -SECURE_DIRECTORY=$(mktemp /tmp/smartauth/setupcard.XXXXXXXXXX) -rm -rf $SECURE_DIRECTORY -mkdir -p $SECURE_DIRECTORY -chown root $SECURE_DIRECTORY -chgrp root $SECURE_DIRECTORY -chmod 600 $SECURE_DIRECTORY - -# See if required programs are installed -scriptor=$(whereis scriptor) -if [[ $scriptor == "scriptor:" ]]; then - echo "ERROR: scriptor is not installed! This program cannot continue!" - zenity --error --text "ERROR: scriptor is not installed!\nThis program cannot continue!\n\nUsually, scriptor is part of the pcsc-tools package." - exit -fi -opensc=$(whereis opensc-explorer) -if [[ $opensc == "opensc-explorer:" ]]; then - echo "ERROR: opensc-explorer is not installed! This program cannot continue!" - zenity --error --text "ERROR: opensc-explorer is not installed!\nThis program cannot continue!\n\nUsually, opensc-explorer is part of the opensc package." 
- exit -fi - -if [[ $# -eq 0 ]]; then - # Get card ATR - FOUND_SUPPORTED_CARD=0 - echo "RESET" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - authokresponse="OK: " - response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") - if [[ $response1 != "" ]]; then - cat $SECURE_DIRECTORY/response2 | tr -d '\n' > $SECURE_DIRECTORY/response4 - stringtoreplace="Using T=0 protocolRESET> RESET< OK: " - newstring="" - sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 - smartatr=$(cat $SECURE_DIRECTORY/response4) - echo "Got ATR: $smartatr" - if [[ $smartatr == "3B BE 18 00 00 41 05 10 00 00 00 00 00 00 00 00 00 90 00 " ]]; then - echo "Detected ACOS5 card" - COMMAND_MODE="acos" - CARD_NICE_NAME="ACOS5" - FOUND_SUPPORTED_CARD=1 - fi - if [[ $smartatr == "3B 02 14 50 " ]]; then - echo "Detected Schlumberger CryptoFlex card" - COMMAND_MODE="cryptoflex" - CARD_NICE_NAME="Schlumberger CryptoFlex" - FOUND_SUPPORTED_CARD=1 - fi - else - echo "No card detected!" - zenity --error --text "ERROR: No SmartCard detected!" - exit 1 - fi - - if [[ $FOUND_SUPPORTED_CARD -eq 0 ]]; then - echo "Unsupported SmartCard detected! 
ATR: $smartatr" - zenity --error --text "ERROR: Unsupported SmartCard detected!\n\nATR: $smartatr" - exit 1 - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - GET_CHALLENGE="C0 84 00 00 08" - EXTERNAL_AUTH="C0 82 00 00 07 01" - SELECT_FILE="C0 A4 00 00 02" - DELETE_FILE="F0 E4 00 00 02" - fi - - if [[ $COMMAND_MODE == "acos" ]]; then - GET_CHALLENGE="00 84 00 00 08" - EXTERNAL_AUTH1="00 82 00 81 08" - EXTERNAL_AUTH2="00 82 00 82 08" - EXTERNAL_AUTH3="00 82 00 83 08" - SELECT_FILE="00 A4 00 00 02" - DELETE_FILE="00 E4 00 00 00" - READ_BINARY="00 B0 00 00 FF" - UPDATE_BINARY="00 D6 00 00 FF" - ACTIVATE_FILE="00 44 00 00 02" - fi -fi - -CREATE_LIFE_CYCLE="01" - -createfile () -{ - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - # Create transparent file with permissions: - # delete, terminate, activate, deactivate, update, read for Key 1 and Key 2 only - echo "F0 E0 00 FF 10 FF FF 00 $1 $2 01 3F 44 FF 44 01 03 11 FF 11" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - fi - - if [[ $COMMAND_MODE == "acos" ]]; then - # Create transparent file with permissions: - # delete, terminate, activate, deactivate, update, read for Key 1, Key 2, and Key 3 only (SE 04) - # created in DF 1000 under MF, SE file is 10FE - # SIZE TRANSPARENT - - echo "00 E0 00 00 1A 62 18 80 02 00 $1 82 01 01 83 02 $2 8A 01 $CREATE_LIFE_CYCLE 8C 08 7F 04 04 04 04 04 04 04" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - echo $(cat $SECURE_DIRECTORY/response2) - fi -} - -updatekey () -{ - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - echo "$SELECT_FILE 00 11" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - echo "C0 D6 00 0D 0C 08 00 $1 05 05" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - fi -} - -hexcvt () -{ - echo ""$1" "16" o p" | dc -} - -initializeacos () { - if [[ 
$COMMAND_MODE == "acos" ]]; then - # Set MF Offset - echo "00 D6 30 86 02 80 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Set EEPROM Limit - echo "00 D6 30 8C 02 FF FF" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Enable Clear Card - echo "00 D6 30 88 01 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Create MF - echo "00 E0 00 00 0A 62 08 82 02 3F FF 83 02 3F 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select MF - echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Create DF 1000 under MF, SE file is 10FE - echo "00 E0 00 00 2C 62 2A 82 01 38 83 02 10 00 84 10 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8A 01 $CREATE_LIFE_CYCLE 8C 08 7F 04 04 04 04 04 04 04 8D 02 10 FE" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select DF 1000 under MF - echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Under DF 1000, create Key File EF2, file ID 10FD, read access never, SFI 02 - echo "00 E0 00 00 1D 62 1B 82 05 0C 01 00 15 04 83 02 10 FD 88 01 02 8A 01 $CREATE_LIFE_CYCLE 8C 08 7F 04 04 04 04 04 04 FF" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select EF 10FD under DF 1000 - echo "$SELECT_FILE 10 FD" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> 
$SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Initialize key records in file 10FD - # Key 1, 8-byte 1DES authentication only - autkey="" - while [[ ${#autkey} != 16 ]]; do - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef") - done - autkey2=${autkey:0:2} - autkey2="${autkey2} ${autkey:2:2}" - autkey2="${autkey2} ${autkey:4:2}" - autkey2="${autkey2} ${autkey:6:2}" - autkey2="${autkey2} ${autkey:8:2}" - autkey2="${autkey2} ${autkey:10:2}" - autkey2="${autkey2} ${autkey:12:2}" - autkey2="${autkey2} ${autkey:14:2}" - echo "00 DC 00 00 0C 81 01 55 05 $autkey2" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # Key 2, 8-byte 1DES authentication only - autkey="" - while [[ ${#autkey} != 16 ]]; do - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT2] in hexidecimal. Example: 0123456789abcdef") - done - autkey2=${autkey:0:2} - autkey2="${autkey2} ${autkey:2:2}" - autkey2="${autkey2} ${autkey:4:2}" - autkey2="${autkey2} ${autkey:6:2}" - autkey2="${autkey2} ${autkey:8:2}" - autkey2="${autkey2} ${autkey:10:2}" - autkey2="${autkey2} ${autkey:12:2}" - autkey2="${autkey2} ${autkey:14:2}" - echo "00 DC 00 02 0C 82 01 55 05 $autkey2" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # Key 3, 8-byte 1DES authentication only - autkey="" - while [[ ${#autkey} != 16 ]]; do - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT3] in hexidecimal. 
Example: 0123456789abcdef") - done - autkey2=${autkey:0:2} - autkey2="${autkey2} ${autkey:2:2}" - autkey2="${autkey2} ${autkey:4:2}" - autkey2="${autkey2} ${autkey:6:2}" - autkey2="${autkey2} ${autkey:8:2}" - autkey2="${autkey2} ${autkey:10:2}" - autkey2="${autkey2} ${autkey:12:2}" - autkey2="${autkey2} ${autkey:14:2}" - echo "00 DC 00 02 0C 83 01 55 05 $autkey2" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Create SE file 10FE, SFI 03 - echo "00 E0 00 00 1C 62 1A 82 05 0C 01 00 11 04 83 02 10 FE 88 01 03 8A 01 $CREATE_LIFE_CYCLE 8C 07 7E 04 04 04 04 04 04" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select MF - echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select DF 1000 under MF - echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select EF 10FE under DF 1000 - echo "$SELECT_FILE 10 FE" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Initialize SE file 10FE - # SE 01: External authentication of local key 1 - echo "00 DC 00 00 0B 80 01 01 A4 06 83 01 81 95 01 80" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # SE 02: External authentication of local key 2 - echo "00 DC 00 02 0B 80 01 02 A4 06 83 01 82 95 01 80" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # SE 03: External authentication of local key 3 - echo "00 DC 00 02 0B 80 01 03 A4 06 83 01 83 95 01 80" > $SECURE_DIRECTORY/query 
- scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # SE 04: External authentication of local key 1, 2, or 3 - echo "00 DC 00 02 11 80 01 04 A4 0C 83 01 81 83 01 82 83 01 83 95 01 80" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Create authentication files - createfile "FF" "10 01" - createfile "FF" "10 02" - createfile "FF" "10 03" - createfile "FF" "10 04" - createfile "FF" "10 05" - createfile "FF" "10 06" - createfile "FF" "10 07" - createfile "FF" "10 08" - createfile "FF" "10 09" - createfile "FF" "10 0A" - - # Activate security on files - echo "$ACTIVATE_FILE 10 01" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 02" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 03" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 04" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 05" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 06" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 07" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 08" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat 
$SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 09" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 0A" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 FD" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - echo "$ACTIVATE_FILE 10 FE" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - fi -} - -authenticatecard () { - if [[ $authenticated != "1" ]]; then - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the 16-character Smart Card transport key [$1] in hexidecimal. Example: 0123456789abcdef") - if [[ ${#autkey} -eq 16 ]]; then - if [[ $COMMAND_MODE == "acos" ]]; then - # Select MF - echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # Make sure DF 1000 is selected - echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - fi - - # Authenticate card - echo $GET_CHALLENGE > $SECURE_DIRECTORY/authscript - - scriptor $SECURE_DIRECTORY/authscript | grep 'Normal processing' > $SECURE_DIRECTORY/challenge - perl -pi -e 's/ //g' $SECURE_DIRECTORY/challenge - perl -pi -e 's/:Normalprocessing.//g' $SECURE_DIRECTORY/challenge - perl -pi -e 's/<//g' $SECURE_DIRECTORY/challenge - xxd -r -p $SECURE_DIRECTORY/challenge $SECURE_DIRECTORY/challenge - - # Now DES encrypt the challenge - # Later, change the initialization vector to random if possible - openssl des-ecb -in $SECURE_DIRECTORY/challenge -out $SECURE_DIRECTORY/response -K $autkey 
-iv 1 - - if [[ $COMMAND_MODE == "acos" ]]; then - # Truncate to 8 bytes - dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=8 - - # Expand to standard hex listing format - xxd -g 1 $SECURE_DIRECTORY/response2 $SECURE_DIRECTORY/response - dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=23 skip=9 - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - # Truncate to 6 bytes - dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=6 - - # Expand to standard hex listing format - xxd -g 1 $SECURE_DIRECTORY/response2 $SECURE_DIRECTORY/response - dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=17 skip=9 - fi - - # Assemble the response file - response2=$(cat $SECURE_DIRECTORY/response2) - if [[ $COMMAND_MODE == "acos" ]]; then - if [[ $1 == "AUT1" ]]; then - response1="$EXTERNAL_AUTH1 ${response2}" - fi - if [[ $1 == "AUT2" ]]; then - response1="$EXTERNAL_AUTH2 ${response2}" - fi - if [[ $1 == "AUT3" ]]; then - response1="$EXTERNAL_AUTH3 ${response2}" - fi - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - response1="$EXTERNAL_AUTH ${response2}" - fi - echo $response1 > $SECURE_DIRECTORY/response - - # Send the response! - scriptor $SECURE_DIRECTORY/response > $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Get the result - authokresponse="< 90 00 : Normal processing" - response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") - echo $response1 - if [[ $response1 != "" ]]; then - echo "Smart card validation successfull!" - echo "Smart card login successfull!" - authenticated="1" - else - echo "Login failed" - zenity --error --text "That transport key is incorrect!\n\nPlease remember that there are a limited number\nof failed login attempts for this key,\nafter which your SmartCard will become useless." - fi - else - echo "AUT1 key not 16 characters!" - zenity --error --text "That transport key is invalid!" 
- fi - fi -} - -get_file () { - if [[ $COMMAND_MODE == "acos" ]]; then - # Select EF $1 under DF 1000 - echo "$SELECT_FILE $1" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Read binary - echo "$READ_BINARY" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - authokresponse="90 00 : Normal processing" - response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") - if [[ $response1 != "" ]]; then - cat $SECURE_DIRECTORY/response2 | tr -d '\n' > $SECURE_DIRECTORY/response4 - stringtoreplace="Using T=0 protocol00 B0 00 00 FF> 00 B0 00 00 FF< " - newstring="" - sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 - stringtoreplace=" 90 00 : Normal processing." - newstring="" - sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 - if [[ $2 == "text" ]]; then - stringtoreplace=" 00" - newstring="" - sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 - fi - echo $(cat $SECURE_DIRECTORY/response4) - rm -f $SECURE_DIRECTORY/lukskey - xxd -r -p $SECURE_DIRECTORY/response4 $SECURE_DIRECTORY/lukskey - RESPONSE=$SECURE_DIRECTORY/lukskey - fi - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - FILE=${1/ /} - echo "get $FILE" | opensc-explorer - RESPONSE="3F00_$FILE" - fi -} - -update_file () { - if [[ $COMMAND_MODE == "acos" ]]; then - # Select EF $1 under DF 1000 - echo "$SELECT_FILE $1" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Update existing file - # Zero pad input file - dd if=/dev/zero of=$SECURE_DIRECTORY/response2 bs=1 count=255 - dd if=$2 of=$SECURE_DIRECTORY/response2 bs=1 count=255 conv=notrunc - - # Truncate to 255 bytes and expand to standard hex listing format - xxd -l 255 -ps -c 1 $SECURE_DIRECTORY/response2 > $SECURE_DIRECTORY/response - cat 
$SECURE_DIRECTORY/response | tr '\n' ' ' > $SECURE_DIRECTORY/hexready - echo "$UPDATE_BINARY $(cat $SECURE_DIRECTORY/hexready)" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - echo $(cat $SECURE_DIRECTORY/response2) - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - # Delete old file - echo "$DELETE_FILE $1" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - echo $(cat $SECURE_DIRECTORY/response2) - - # Create new file - createfile "FF" $1 - FILE=${1/ /} - echo "put $FILE $2" | opensc-explorer - fi -} - -insertnewtext () { - FOUNDTEXT=$(cat $2 | grep $1) - echo $FOUNDTEXT; - if [[ $FOUNDTEXT != "" ]]; then - echo "$1 already exists in $2" - else - echo $1 >> $2 - fi -} - -getcolumn () { - perl -ne '@cols = split; print "$cols['$1']\n"' ; -} - -function createlukskey { - ROOTPARTITION=$(mount | grep 'on / ' | getcolumn 0) - if [ -e $ROOTPARTITION ]; then - ROOTPARTITION=$(echo $ROOTPARTITION | sed 's/\/dev\/mapper\///') - CRYPTPARTITION=$(cat /etc/crypttab | grep $ROOTPARTITION | getcolumn 1) - if [ -e $CRYPTPARTITION ]; then - zenity --question --ok-label="Yes" --cancel-label="No" --text="I have detected that $ROOTPARTITION is your root partition, \nand therefore $CRYPTPARTITION is your encrypted root partition. \nIs this correct?" - correct=$? 
- if [[ correct -eq 0 ]] ; then - echo "Confirmed--proceeding" - insertnewtext dm_mod /etc/initramfs-tools/modules - insertnewtext dm_crypt /etc/initramfs-tools/modules - insertnewtext aes_x86_64 /etc/initramfs-tools/modules - insertnewtext sha256 /etc/initramfs-tools/modules - insertnewtext vfat /etc/initramfs-tools/modules - insertnewtext fat /etc/initramfs-tools/modules - insertnewtext nls_cp437 /etc/initramfs-tools/modules - insertnewtext nls_iso8859_1 /etc/initramfs-tools/modules - insertnewtext hci_usb /etc/initramfs-tools/modules - insertnewtext usb_storage /etc/initramfs-tools/modules - insertnewtext libusual /etc/initramfs-tools/modules - insertnewtext ehci_hcd /etc/initramfs-tools/modules - insertnewtext uhci_hcd /etc/initramfs-tools/modules - insertnewtext usbcore /etc/initramfs-tools/modules - insertnewtext ext2 /etc/initramfs-tools/modules - insertnewtext reiserfs /etc/initramfs-tools/modules - echo "/etc/initramfs-tools/modules updated" - mkdir -p /etc/crypto - head -c 255 /dev/urandom > /etc/crypto/smart.key - chown -R root /etc/crypto - chgrp -R root /etc/crypto - chmod -R 600 /etc/crypto - echo "$(zenity --entry --hide-text --title="LUKS Password" --text="Please enter the LUKS password for $CRYPTPARTITION")" > $SECURE_DIRECTORY/lukspass - cat $SECURE_DIRECTORY/lukspass | cryptsetup luksAddKey $CRYPTPARTITION /etc/crypto/smart.key - rm $SECURE_DIRECTORY/lukspass - correct=$? - if [[ correct -eq 0 ]] ; then - echo "OK!" 
- OLDCRYPTLINE=$(cat /etc/crypttab | grep $ROOTPARTITION) - NEWCRYPTLINE="$ROOTPARTITION $CRYPTPARTITION smart.key luks,keyscript=/usr/bin/cryptosmartcard.sh" - sed -i "s#${OLDCRYPTLINE}#${NEWCRYPTLINE}#g" /etc/crypttab - echo "Crypttab updated" - cp -Rp /etc/smartauth/smartauth.sh.in /usr/bin/smartauth.sh - OLDKEY="<your key in hexidecimal>" - authenticatecard "AUT3" - if [[ $authenticated = "1" ]]; then - NEWKEY=$autkey - echo $NEWKEY > /etc/smartauth/smartauth.key - sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauth.sh - chmod 600 /usr/bin/smartauth.sh - chmod a+x /usr/bin/smartauth.sh - echo "Updating initramfs" - update-initramfs -u -k all - echo "Securing directories..." - chmod 600 "/boot/initrd.img-$(uname -r)" - chmod -R 600 /etc/smartauth - else - rm -rf /etc/crypto/smart.key - rm -rf /usr/share/initramfs-tools/hooks/cryptlukssc - rm -f /usr/bin/smartauth.sh - fi - else - echo "LUKS add key failed!" - zenity --error --text "Failed to add LUKS key!\nReverting all changes..." - rm -rf /etc/crypto/smart.key - rm -rf /usr/share/initramfs-tools/hooks/cryptlukssc - fi - fi - else - zenity --error --text "Either I am unable to properly detect your encrypted partition,\nor your hard disk is not encrypted.\nNo changes to your system have been made." - fi - else - zenity --error --text "I am unable to properly detect your root partition.\nNo changes to your system have been made." - fi -} - -function importlukskey { - ROOTPARTITION=$(mount | grep 'on / ' | getcolumn 0) - if [ -e $ROOTPARTITION ]; then - ROOTPARTITION=$(echo $ROOTPARTITION | sed 's/\/dev\/mapper\///') - CRYPTPARTITION=$(cat /etc/crypttab | grep $ROOTPARTITION | getcolumn 1) - if [ -e $CRYPTPARTITION ]; then - zenity --question --ok-label="Yes" --cancel-label="No" --text="I have detected that $ROOTPARTITION is your root partition, \nand therefore $CRYPTPARTITION is your encrypted root partition. \nIs this correct?" - correct=$? 
- if [[ correct -eq 0 ]] ; then - echo "Confirmed--proceeding" - FILE=$(zenity --file-selection --title="Select the new LUKS encryption key file") - case $? in - 0) - continueluksupdate=1;; - 1) - continueluksupdate=0;; - -1) - continueluksupdate=0;; - esac - if [[ $continueluksupdate -eq 1 ]]; then - echo "File selected--proceeding" - insertnewtext dm_mod /etc/initramfs-tools/modules - insertnewtext dm_crypt /etc/initramfs-tools/modules - insertnewtext aes_x86_64 /etc/initramfs-tools/modules - insertnewtext sha256 /etc/initramfs-tools/modules - insertnewtext vfat /etc/initramfs-tools/modules - insertnewtext fat /etc/initramfs-tools/modules - insertnewtext nls_cp437 /etc/initramfs-tools/modules - insertnewtext nls_iso8859_1 /etc/initramfs-tools/modules - insertnewtext hci_usb /etc/initramfs-tools/modules - insertnewtext usb_storage /etc/initramfs-tools/modules - insertnewtext libusual /etc/initramfs-tools/modules - insertnewtext ehci_hcd /etc/initramfs-tools/modules - insertnewtext uhci_hcd /etc/initramfs-tools/modules - insertnewtext usbcore /etc/initramfs-tools/modules - insertnewtext ext2 /etc/initramfs-tools/modules - insertnewtext reiserfs /etc/initramfs-tools/modules - echo "/etc/initramfs-tools/modules updated" - mkdir -p /etc/crypto - cp -Rp $FILE /etc/crypto/smart.key - chown -R root /etc/crypto - chgrp -R root /etc/crypto - chmod -R 600 /etc/crypto - echo "$(zenity --entry --hide-text --title="LUKS Password" --text="Please enter the LUKS password for $CRYPTPARTITION")" > $SECURE_DIRECTORY/lukspass - cat $SECURE_DIRECTORY/lukspass | cryptsetup luksAddKey $CRYPTPARTITION /etc/crypto/smart.key - rm $SECURE_DIRECTORY/lukspass - correct=$? - if [[ correct -eq 0 ]] ; then - echo "OK!" 
- OLDCRYPTLINE=$(cat /etc/crypttab | grep $ROOTPARTITION) - NEWCRYPTLINE="$ROOTPARTITION $CRYPTPARTITION smart.key luks,keyscript=/usr/bin/cryptosmartcard.sh" - sed -i "s#${OLDCRYPTLINE}#${NEWCRYPTLINE}#g" /etc/crypttab - echo "Crypttab updated" - cp -Rp /etc/smartauth/smartauth.sh.in /usr/bin/smartauth.sh - OLDKEY="<your key in hexidecimal>" - authenticatecard "AUT3" - if [[ $authenticated = "1" ]]; then - NEWKEY=$autkey - echo $NEWKEY > /etc/smartauth/smartauth.key - sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauth.sh - chmod 600 /usr/bin/smartauth.sh - chmod a+x /usr/bin/smartauth.sh - echo "Updating initramfs" - update-initramfs -u -k all - echo "Securing directories..." - chmod 600 "/boot/initrd.img-$(uname -r)" - chmod -R 600 /etc/smartauth - else - rm -rf /etc/crypto/smart.key - rm -rf /usr/share/initramfs-tools/hooks/cryptlukssc - rm -f /usr/bin/smartauth.sh - fi - else - echo "LUKS add key failed!" - zenity --error --text "Failed to add LUKS key!\nReverting all changes..." - rm -rf /etc/crypto/smart.key - rm -rf /usr/share/initramfs-tools/hooks/cryptlukssc - fi - else - zenity --error --text "No changes to your system have been made." - fi - fi - else - zenity --error --text "Either I am unable to properly detect your encrypted partition,\nor your hard disk is not encrypted.\nNo changes to your system have been made." - fi - else - zenity --error --text "I am unable to properly detect your root partition.\nNo changes to your system have been made." - fi -} - -function loadlukskey { - echo "Loading LUKS key..." - authenticatecard "AUT1" - if [[ $authenticated = "1" ]]; then - update_file "10 01" "/etc/crypto/smart.key" - fi -} - -function clearlukskey { - echo "Clearing LUKS key..." 
- authenticatecard "AUT1" - if [[ $authenticated = "1" ]]; then - dd if=/dev/zero of=$SECURE_DIRECTORY/smart.key.blank bs=255 count=1 - update_file "10 01" "$SECURE_DIRECTORY/smart.key.blank" - rm -f $SECURE_DIRECTORY/smart.key.blank - fi -} - -function loadusername { - echo "Loading username..." - authenticatecard "AUT1" - if [[ $authenticated = "1" ]]; then - zenity --entry --title="SmartCard Username" --text="Please enter the username of the account to be associated with this SmartCard" > $SECURE_DIRECTORY/username - update_file "10 02" "$SECURE_DIRECTORY/username" - rm -f $SECURE_DIRECTORY/username - fi -} - -function loadpassword { - echo "Loading password..." - authenticatecard "AUT1" - if [[ $authenticated = "1" ]]; then - zenity --entry --hide-text --title="SmartCard Password" --text="Please enter the password of the account that is associated with this SmartCard" > $SECURE_DIRECTORY/password - update_file "10 03" "$SECURE_DIRECTORY/password" - rm -f $SECURE_DIRECTORY/password - fi -} - -GREETER="Welcome to the SmartCard authentication setup utility!\n\nAUT1 is the manual update key\nAUT2 is the login key\nAUT3 is the LUKS decrypt key\n\nCard ATR: $smartatr\nDetected: $CARD_NICE_NAME\n\nPlease select an action from the list below:" - -while [[ 1 -eq 1 ]]; do - if [ -e "/etc/smartauth/smartauthmon.key" ]; then - LOGINOPTION="Disable automatic login for TDE" - else - LOGINOPTION="Enable automatic login for TDE" - fi - - if [[ $COMMAND_MODE == "acos" ]]; then - ACOS_INIT_OPTION="FALSE Initialize-blank-ACOS" - - # See if the card has an MF yet - # Select MF - echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - authokresponse="< 61 " - response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") - echo $response1 - if [[ $response1 != "" ]]; then - echo "MF exists, checking for DF 1000" - # MF exists, check for DF 1000 - echo "00 A4 00 00 02 10 00" 
> $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - authokresponse="< 61 " - response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") - echo $response1 - if [[ $response1 != "" ]]; then - echo "DF 1000 exists, this card was already initialized!" - ACOS_INIT_OPTION="" - fi - fi - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - ACOS_INIT_OPTION="" - fi - - if [[ $# -eq 0 ]]; then - if [ -e "/etc/crypto/smart.key" ]; then - selection=$(zenity --width=400 --height=550 --list --radiolist --title="SmartCard Authentication Setup" \ - --text="$GREETER" \ - --column="" --column="Action" \ - TRUE "Update LUKS Initramfs Transport Key [AUT3]" \ - FALSE "Import LUKS encryption key from file to system" \ - FALSE "Get LUKS encryption key from Smart Card [File 1001]" \ - FALSE "Load LUKS encryption key into Smart Card [File 1001]" \ - FALSE "Clear LUKS encryption key from Smart Card [File 1001]" \ - FALSE "Load username into Smart Card [File 1002]" \ - FALSE "Load password into Smart Card [File 1003]" \ - FALSE "Update Smart Card Transport Keys [AUT1-AUT3]" \ - FALSE "$LOGINOPTION" \ - $ACOS_INIT_OPTION); - else - selection=$(zenity --width=400 --height=550 --list --radiolist --title="SmartCard Authentication Setup" \ - --text="$GREETER" \ - --column="" --column="Action" \ - TRUE "First-Time Setup Wizard" \ - FALSE "Create New LUKS Key" \ - FALSE "Update LUKS Initramfs Transport Key [AUT3]" \ - FALSE "Import LUKS encryption key from file to system" \ - FALSE "Get LUKS encryption key from Smart Card [File 1001]" \ - FALSE "Load LUKS encryption key into Smart Card [File 1001]" \ - FALSE "Clear LUKS encryption key from Smart Card [File 1001]" \ - FALSE "Load username into Smart Card [File 1002]" \ - FALSE "Load password into Smart Card [File 1003]" \ - FALSE "Update Smart Card Transport Keys [AUT1-AUT3]" \ - FALSE "$LOGINOPTION" \ - $ACOS_INIT_OPTION); - fi - else - if [[ $1 = 
"upgrade" ]]; then - echo "Upgrade mode" - if [ -e "/etc/smartauth/smartauth.key" ]; then - OLDKEY="<your key in hexidecimal>" - NEWKEY=$(cat /etc/smartauth/smartauth.key) - cp -Rp /etc/smartauth/smartauth.sh.in /usr/bin/smartauth.sh - sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauth.sh - chmod 600 /usr/bin/smartauth.sh - chmod a+x /usr/bin/smartauth.sh - echo "Updating initramfs" - update-initramfs -u -k all - echo "Securing directories..." - chmod 600 "/boot/initrd.img-$(uname -r)" - chmod -R 600 /etc/smartauth - fi - - if [ -e "/etc/smartauth/smartauthmon.key" ]; then - OLDKEY="<your key in hexadecimal>" - NEWKEY=$(cat /etc/smartauth/smartauthmon.key) - fi - fi - fi - - if [[ $selection = "Import LUKS encryption key from file to system" ]]; then - importlukskey - fi - - if [[ $selection = "First-Time Setup Wizard" ]]; then - echo "Running first-time setup wizard..." - zenity --info --text "This setup wizard will prepare your encrypted computer for automatic LUKS unlock and login via SmartCard" - createlukskey - if [[ $authenticated = "1" ]]; then - loadlukskey - loadusername - loadpassword - fi - fi - - if [[ $selection = "Create New LUKS Key" ]]; then - echo "Creating new LUKS key..." - createlukskey - fi - - if [[ $selection = "Get LUKS encryption key from Smart Card [File 1001]" ]]; then - echo "Getting LUKS key..." - authenticatecard "AUT1" - if [[ $authenticated = "1" ]]; then - get_file "10 01" - zenity --info --text "LUKS key is currently in file:\n$RESPONSE\n\nThis file will be deleted upon completion of this script." 
- fi - fi - - if [[ $selection = "Load LUKS encryption key into Smart Card [File 1001]" ]]; then - loadlukskey - fi - - if [[ $selection = "Clear LUKS encryption key from Smart Card [File 1001]" ]]; then - clearlukskey - fi - - if [[ $selection = "Load username into Smart Card [File 1002]" ]]; then - loadusername - fi - - if [[ $selection = "Load password into Smart Card [File 1003]" ]]; then - loadpassword - fi - - if [[ $selection = "Update LUKS Initramfs Transport Key [AUT3]" ]]; then - cp -Rp /etc/smartauth/smartauth.sh.in /usr/bin/smartauth.sh - OLDKEY="<your key in hexidecimal>" - authenticatecard "AUT3" - if [[ $authenticated = "1" ]]; then - NEWKEY=$autkey - echo $NEWKEY > /etc/smartauth/smartauth.key - sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauth.sh - chmod 600 /usr/bin/smartauth.sh - chmod a+x /usr/bin/smartauth.sh - echo "Updating initramfs" - update-initramfs -u -k all - echo "Securing directories..." - chmod 600 "/boot/initrd.img-$(uname -r)" - chmod -R 600 /etc/smartauth - if [ -e "/etc/smartauth/smartauthmon.key" ]; then - echo "TDE login disabled; not altering" - else - selection="Enable automatic login for TDE" - fi - else - zenity --error --text "A SmartCard authentication error has occurred.\nNo changes have been made to your system." - fi - fi - - if [[ $selection = "Update Smart Card Transport Keys [AUT1-AUT3]" ]]; then - echo "Updating AUT1..." - authenticatecard "AUT1" - if [[ $authenticated = "1" ]]; then - if [[ $COMMAND_MODE == "acos" ]]; then - # Select EF 10FD under DF 1000 - echo "$SELECT_FILE 10 FD" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Initialize key records in file 10FD - # Key 1, 8-byte 1DES authentication only - autkey="" - while [[ ${#autkey} != 16 ]]; do - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. 
Example: 0123456789abcdef") - done - autkey2=${autkey:0:2} - autkey2="${autkey2} ${autkey:2:2}" - autkey2="${autkey2} ${autkey:4:2}" - autkey2="${autkey2} ${autkey:6:2}" - autkey2="${autkey2} ${autkey:8:2}" - autkey2="${autkey2} ${autkey:10:2}" - autkey2="${autkey2} ${autkey:12:2}" - autkey2="${autkey2} ${autkey:14:2}" - echo "00 DC 00 00 0C 81 01 55 05 $autkey2" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # Key 2, 8-byte 1DES authentication only - autkey="" - while [[ ${#autkey} != 16 ]]; do - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT2] in hexidecimal. Example: 0123456789abcdef") - done - autkey2=${autkey:0:2} - autkey2="${autkey2} ${autkey:2:2}" - autkey2="${autkey2} ${autkey:4:2}" - autkey2="${autkey2} ${autkey:6:2}" - autkey2="${autkey2} ${autkey:8:2}" - autkey2="${autkey2} ${autkey:10:2}" - autkey2="${autkey2} ${autkey:12:2}" - autkey2="${autkey2} ${autkey:14:2}" - echo "00 DC 00 02 0C 82 01 55 05 $autkey2" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # Key 3, 8-byte 1DES authentication only - autkey="" - while [[ ${#autkey} != 16 ]]; do - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT3] in hexidecimal. 
Example: 0123456789abcdef") - done - autkey2=${autkey:0:2} - autkey2="${autkey2} ${autkey:2:2}" - autkey2="${autkey2} ${autkey:4:2}" - autkey2="${autkey2} ${autkey:6:2}" - autkey2="${autkey2} ${autkey:8:2}" - autkey2="${autkey2} ${autkey:10:2}" - autkey2="${autkey2} ${autkey:12:2}" - autkey2="${autkey2} ${autkey:14:2}" - echo "00 DC 00 02 0C 83 01 55 05 $autkey2" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - autkey4=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef") - if [[ ${#autkey4} -eq 16 ]]; then - autkey2=${autkey4:0:2} - autkey2="${autkey2} ${autkey4:2:2}" - autkey2="${autkey2} ${autkey4:4:2}" - autkey2="${autkey2} ${autkey4:6:2}" - autkey2="${autkey2} ${autkey4:8:2}" - autkey2="${autkey2} ${autkey4:10:2}" - autkey2="${autkey2} ${autkey4:12:2}" - autkey2="${autkey2} ${autkey4:14:2}" - echo "Attempting Smart Card key update..." - updatekey ${autkey2} - autkey=$autkey4 - if [[ $authenticated = "1" ]]; then - cp -Rp /etc/smartauth/smartauth.sh.in /usr/bin/smartauth.sh - OLDKEY="<your key in hexidecimal>" - authenticatecard "AUT3" - if [[ $authenticated = "1" ]]; then - NEWKEY=$autkey - echo $NEWKEY > /etc/smartauth/smartauth.key - sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauth.sh - chmod 600 /usr/bin/smartauth.sh - chmod a+x /usr/bin/smartauth.sh - echo "Updating initramfs" - update-initramfs -u -k all - echo "Securing directories..." - chmod 600 "/boot/initrd.img-$(uname -r)" - chmod -R 600 /etc/smartauth - if [ -e "/etc/smartauth/smartauthmon.key" ]; then - selection="Enable automatic login for TDE" - else - echo "TDE login disabled; not altering" - fi - else - zenity --error --text "A SmartCard authentication error has occurred." 
- fi - else - zenity --error --text "A SmartCard authentication error has occurred." - fi - else - echo "AUT1 key not 16 characters!" - zenity --error --text "The new transport key is invalid!" - fi - fi - fi - fi - - if [[ $selection = "Enable automatic login for TDE" ]]; then - OLDKEY="<your key in hexadecimal>" - authenticatecard "AUT2" - if [[ $authenticated = "1" ]]; then - NEWKEY=$autkey - echo $NEWKEY > /etc/smartauth/smartauthmon.key - update-rc.d smartauthlogin defaults - /etc/init.d/smartauthlogin stop - /etc/init.d/smartauthlogin start - fi - fi - - if [[ $selection = "Disable automatic login for TDE" ]]; then - /etc/init.d/smartauthlogin stop - rm -rf /etc/smartauth/smartauthmon.key - update-rc.d -f smartauthlogin remove - fi - - #if [[ $selection = "Initialize blank ACOS card" ]]; then - if [[ $selection = "Initialize-blank-ACOS" ]]; then - initializeacos - fi - - if [[ $selection = "" ]]; then - echo "Exiting!" - rm -rf $SECURE_DIRECTORY - chmod -R 600 /etc/smartauth - chown -R root /etc/smartauth - chmod a+x /usr/bin/smartauth.sh - chmod 600 "/boot/initrd.img-$(uname -r)" - chown root "/boot/initrd.img-$(uname -r)" - exit - fi -done diff --git a/usr/bin/setupslavecard.sh b/usr/bin/setupslavecard.sh deleted file mode 100755 index 4d43318..0000000 --- a/usr/bin/setupslavecard.sh +++ /dev/null 
@@ -1,501 +0,0 @@ -#!/bin/bash - -# Smart Card Management Tool (c) 2009 Timothy Pearson -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -# The [secure] temporary directory for authentication -SECURE_DIRECTORY=/tmp/smartauth - -# Create the secure directory and lock it down -mkdir -p $SECURE_DIRECTORY -chown root $SECURE_DIRECTORY -chgrp root $SECURE_DIRECTORY -chmod 600 $SECURE_DIRECTORY -SECURE_DIRECTORY=$(mktemp /tmp/smartauth/setupcard.XXXXXXXXXX) -rm -rf $SECURE_DIRECTORY -mkdir -p $SECURE_DIRECTORY -chown root $SECURE_DIRECTORY -chgrp root $SECURE_DIRECTORY -chmod 600 $SECURE_DIRECTORY - -# See if required programs are installed -scriptor=$(whereis scriptor) -if [[ $scriptor == "scriptor:" ]]; then - echo "ERROR: scriptor is not installed! This program cannot continue!" - zenity --error --text "ERROR: scriptor is not installed!\nThis program cannot continue!\n\nUsually, scriptor is part of the pcsc-tools package." - exit -fi -opensc=$(whereis opensc-explorer) -if [[ $opensc == "opensc-explorer:" ]]; then - echo "ERROR: opensc-explorer is not installed! This program cannot continue!" - zenity --error --text "ERROR: opensc-explorer is not installed!\nThis program cannot continue!\n\nUsually, opensc-explorer is part of the opensc package." 
- exit -fi - -# Get card ATR -FOUND_SUPPORTED_CARD=0 -echo "RESET" > $SECURE_DIRECTORY/query -scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 -authokresponse="OK: " -response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") -if [[ $response1 != "" ]]; then - cat $SECURE_DIRECTORY/response2 | tr -d '\n' > $SECURE_DIRECTORY/response4 - stringtoreplace="Using T=0 protocolRESET> RESET< OK: " - newstring="" - sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 - smartatr=$(cat $SECURE_DIRECTORY/response4) - echo "Got ATR: $smartatr" - if [[ $smartatr == "3B BE 18 00 00 41 05 10 00 00 00 00 00 00 00 00 00 90 00 " ]]; then - echo "Detected ACOS5 card" - COMMAND_MODE="acos" - CARD_NICE_NAME="ACOS5" - FOUND_SUPPORTED_CARD=1 - fi - if [[ $smartatr == "3B 02 14 50 " ]]; then - echo "Detected Schlumberger CryptoFlex card" - COMMAND_MODE="cryptoflex" - CARD_NICE_NAME="Schlumberger CryptoFlex" - FOUND_SUPPORTED_CARD=1 - fi -else - echo "No card detected!" - zenity --error --text "ERROR: No SmartCard detected!" - exit 1 -fi - -if [[ $FOUND_SUPPORTED_CARD -eq 0 ]]; then - echo "Unsupported SmartCard detected! 
ATR: $smartatr" - zenity --error --text "ERROR: Unsupported SmartCard detected!\n\nATR: $smartatr" - exit 1 -fi - - -if [[ $COMMAND_MODE == "cryptoflex" ]]; then - GET_CHALLENGE="C0 84 00 00 08" - EXTERNAL_AUTH="C0 82 00 00 07 01" - SELECT_FILE="C0 A4 00 00 02" - DELETE_FILE="F0 E4 00 00 02" -fi - -if [[ $COMMAND_MODE == "acos" ]]; then - GET_CHALLENGE="00 84 00 00 08" - EXTERNAL_AUTH="00 82 00 81 08" - SELECT_FILE="00 A4 00 00 02" - DELETE_FILE="00 E4 00 00 00" - READ_BINARY="00 B0 00 00 FF" - UPDATE_BINARY="00 D6 00 00 FF" - ACTIVATE_FILE="00 44 00 00 02" -fi - -CREATE_LIFE_CYCLE="01" - -createfile () -{ - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - # Create transparent file with permissions: - # delete, terminate, activate, deactivate, update, read for Key 1 and Key 2 only - echo "F0 E0 00 FF 10 FF FF 00 $1 $2 01 3F 44 FF 44 01 03 11 FF 11" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - fi - - if [[ $COMMAND_MODE == "acos" ]]; then - # Select MF - echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select DF 1000 under MF - echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # Create transparent file with permissions: - # delete, terminate, activate, deactivate, update, read for Key 1, Key 2, and Key 3 only (SE 04) - # created in DF 1000 under MF, SE file is 10FE - # SIZE TRANSPARENT - - echo "00 E0 00 00 1A 62 18 80 02 00 $1 82 01 01 83 02 $2 8A 01 $CREATE_LIFE_CYCLE 8C 08 7F 04 04 04 04 04 04 04" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - echo $(cat $SECURE_DIRECTORY/response2) - fi -} - -updatekey () -{ - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - echo "$SELECT_FILE 00 11" > $SECURE_DIRECTORY/query - scriptor 
$SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - echo "C0 D6 00 0D 0C 08 00 $1 05 05" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - fi -} - -hexcvt () -{ - echo ""$1" "16" o p" | dc -} - -authenticatecard () { - if [[ $authenticated != "1" ]]; then - if [[ -e /etc/smartauth/slave.key ]]; then - autkey=$(cat /etc/smartauth/slave.key) - else - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef") - fi - if [[ ${#autkey} -eq 16 ]]; then - if [[ $COMMAND_MODE == "acos" ]]; then - # Select MF - echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - # Make sure DF 1000 is selected - echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - fi - - # Authenticate card - echo $GET_CHALLENGE > $SECURE_DIRECTORY/authscript - - scriptor $SECURE_DIRECTORY/authscript | grep 'Normal processing' > $SECURE_DIRECTORY/challenge - perl -pi -e 's/ //g' $SECURE_DIRECTORY/challenge - perl -pi -e 's/:Normalprocessing.//g' $SECURE_DIRECTORY/challenge - perl -pi -e 's/<//g' $SECURE_DIRECTORY/challenge - xxd -r -p $SECURE_DIRECTORY/challenge $SECURE_DIRECTORY/challenge - - # Now DES encrypt the challenge - # Later, change the initialization vector to random if possible - openssl des-ecb -in $SECURE_DIRECTORY/challenge -out $SECURE_DIRECTORY/response -K $autkey -iv 1 - - if [[ $COMMAND_MODE == "acos" ]]; then - # Truncate to 8 bytes - dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=8 - - # Expand to standard hex listing format - xxd -g 1 $SECURE_DIRECTORY/response2 $SECURE_DIRECTORY/response - dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 
bs=1 count=23 skip=9 - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - # Truncate to 6 bytes - dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=6 - - # Expand to standard hex listing format - xxd -g 1 $SECURE_DIRECTORY/response2 $SECURE_DIRECTORY/response - dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=17 skip=9 - fi - - # Assemble the response file - response2=$(cat $SECURE_DIRECTORY/response2) - response1="$EXTERNAL_AUTH ${response2}" - echo $response1 > $SECURE_DIRECTORY/response - - # Send the response! - scriptor $SECURE_DIRECTORY/response > $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Get the result - authokresponse="< 90 00 : Normal processing" - response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") - echo $response1 - if [[ $response1 != "" ]]; then - echo "Smart card validation successfull!" - echo "Smart card login successfull!" - echo $autkey > /etc/smartauth/slave.key - authenticated="1" - else - echo "Login failed" - if [[ -e /etc/smartauth/slave.key ]]; then - rm -f /etc/smartauth/slave.key - authenticatecard - else - zenity --error --text "That transport key is incorrect!\n\nPlease remember that there are a limited number\nof failed login attempts for this key,\nafter which your SmartCard will become useless." - fi - fi - else - echo "AUT1 key not 16 characters!" - zenity --error --text "That transport key is invalid!" 
- fi - fi -} - -get_file () { - if [[ $COMMAND_MODE == "acos" ]]; then - # Select EF $1 under DF 1000 - echo "$SELECT_FILE $1" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Read binary - echo "$READ_BINARY" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - authokresponse="90 00 : Normal processing" - response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") - if [[ $response1 != "" ]]; then - cat $SECURE_DIRECTORY/response2 | tr -d '\n' > $SECURE_DIRECTORY/response4 - stringtoreplace="Using T=0 protocol00 B0 00 00 FF> 00 B0 00 00 FF< " - newstring="" - sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 - stringtoreplace=" 90 00 : Normal processing." - newstring="" - sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 - if [[ $2 == "text" ]]; then - stringtoreplace=" 00" - newstring="" - sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 - fi - echo $(cat $SECURE_DIRECTORY/response4) - rm -f $SECURE_DIRECTORY/lukskey - xxd -r -p $SECURE_DIRECTORY/response4 $SECURE_DIRECTORY/lukskey - RESPONSE=$SECURE_DIRECTORY/lukskey - fi - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - FILE=${1/ /} - echo "get $FILE" | opensc-explorer - RESPONSE="3F00_$FILE" - fi -} - -update_file () { - if [[ $COMMAND_MODE == "acos" ]]; then - # Select EF $1 under DF 1000 - echo "$SELECT_FILE $1" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Update existing file - # Zero pad input file - dd if=/dev/zero of=$SECURE_DIRECTORY/response2 bs=1 count=255 - dd if=$2 of=$SECURE_DIRECTORY/response2 bs=1 count=255 conv=notrunc - - # Truncate to 255 bytes and expand to standard hex listing format - xxd -l 255 -ps -c 1 $SECURE_DIRECTORY/response2 > $SECURE_DIRECTORY/response - cat 
$SECURE_DIRECTORY/response | tr '\n' ' ' > $SECURE_DIRECTORY/hexready - echo "$UPDATE_BINARY $(cat $SECURE_DIRECTORY/hexready)" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - echo $(cat $SECURE_DIRECTORY/response2) - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - # Delete old file - echo "$DELETE_FILE $1" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null - echo $(cat $SECURE_DIRECTORY/response2) - - # Create new file - createfile "FF" $1 - FILE=${1/ /} - echo "put $FILE $2" | opensc-explorer - fi -} - -insertnewtext () { - FOUNDTEXT=$(cat $2 | grep $1) - echo $FOUNDTEXT; - if [[ $FOUNDTEXT != "" ]]; then - echo "$1 already exists in $2" - else - echo $1 >> $2 - fi -} - -getcolumn () { - perl -ne '@cols = split; print "$cols['$1']\n"' ; -} - -function loadusername { - echo "Loading username..." - authenticatecard - if [[ $authenticated = "1" ]]; then - zenity --entry --title="SmartCard Username" --text="Please enter the username of the account to be associated with this SmartCard" > $SECURE_DIRECTORY/username - update_file "10 02" "$SECURE_DIRECTORY/username" - rm -f $SECURE_DIRECTORY/username - fi -} - -function loadpassword { - echo "Loading password..." - authenticatecard - if [[ $authenticated = "1" ]]; then - zenity --entry --hide-text --title="SmartCard Password" --text="Please enter the password of the account that is associated with this SmartCard" > $SECURE_DIRECTORY/password - update_file "10 03" "$SECURE_DIRECTORY/password" - rm -f $SECURE_DIRECTORY/password - fi -} - -function loadminutes { - echo "Loading minutes..." 
- authenticatecard - if [[ $authenticated = "1" ]]; then - echo "$(zenity --entry --hide-text --title="SmartCard Computer Minutes" --text="Please enter the number of computer minutes for this SmartCard")" > $SECURE_DIRECTORY/password - update_file "10 05" "$SECURE_DIRECTORY/password" - rm -f $SECURE_DIRECTORY/password - fi -} - -function enablerestrictedmode { - echo "Enabling restricted mode..." - authenticatecard - if [[ $authenticated = "1" ]]; then - echo "SLAVE" > $SECURE_DIRECTORY/password - update_file "10 04" "$SECURE_DIRECTORY/password" - rm -f $SECURE_DIRECTORY/password - fi -} - -function disablerestrictedmode { - echo "Disabling restricted mode..." - authenticatecard - if [[ $authenticated = "1" ]]; then - echo "NORMAL" > $SECURE_DIRECTORY/password - update_file "10 04" "$SECURE_DIRECTORY/password" - rm -f $SECURE_DIRECTORY/password - fi -} - -GREETER="Welcome to the SmartCard slave authentication setup utility!\n\nCard ATR: $smartatr\nDetected: $CARD_NICE_NAME\n\nPlease select an action from the list below:" - -while [[ 1 -eq 1 ]]; do - if [[ $# -eq 0 ]]; then - selection=$(zenity --width=400 --height=400 --list --radiolist --title="SmartCard Authentication Setup" \ - --text="$GREETER" \ - --column="" --column="Action" \ - TRUE "Load Computer Minutes into Smart Card [File 1005]" \ - FALSE "Enable Restricted Mode [File 1004]" \ - FALSE "Disable Restricted Mode [File 1004]" \ - FALSE "Load username into Smart Card [File 1002]" \ - FALSE "Load password into Smart Card [File 1003]" \ - FALSE "Update Smart Card Transport Key [AUT1]"); - fi - - if [[ $selection = "Load username into Smart Card [File 1002]" ]]; then - loadusername - fi - - if [[ $selection = "Load password into Smart Card [File 1003]" ]]; then - loadpassword - fi - - if [[ $selection = "Load Computer Minutes into Smart Card [File 1005]" ]]; then - loadminutes - fi - - if [[ $selection = "Enable Restricted Mode [File 1004]" ]]; then - enablerestrictedmode - fi - - if [[ $selection = "Disable 
Restricted Mode [File 1004]" ]]; then - disablerestrictedmode - fi - - if [[ $selection = "Update Smart Card Transport Key [AUT1]" ]]; then - echo "Updating AUT1..." - authenticatecard - if [[ $authenticated = "1" ]]; then - if [[ $COMMAND_MODE == "acos" ]]; then - # Select MF - echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select DF 1000 under MF - echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Select EF 10FD under DF 1000 - echo "$SELECT_FILE 10 FD" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - - # Initialize first key record in file 10FD - # Key 1, 8-byte 1DES authentication only - autkey="" - while [[ ${#autkey} != 16 ]]; do - autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef") - done - autkey2=${autkey:0:2} - autkey2="${autkey2} ${autkey:2:2}" - autkey2="${autkey2} ${autkey:4:2}" - autkey2="${autkey2} ${autkey:6:2}" - autkey2="${autkey2} ${autkey:8:2}" - autkey2="${autkey2} ${autkey:10:2}" - autkey2="${autkey2} ${autkey:12:2}" - autkey2="${autkey2} ${autkey:14:2}" - echo "00 DC 00 00 0C 81 01 55 05 $autkey2" > $SECURE_DIRECTORY/query - scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 - echo $(cat $SECURE_DIRECTORY/response2) - fi - - if [[ $COMMAND_MODE == "cryptoflex" ]]; then - autkey4=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. 
Example: 0123456789abcdef") - if [[ ${#autkey4} -eq 16 ]]; then - autkey2=${autkey4:0:2} - autkey2="${autkey2} ${autkey4:2:2}" - autkey2="${autkey2} ${autkey4:4:2}" - autkey2="${autkey2} ${autkey4:6:2}" - autkey2="${autkey2} ${autkey4:8:2}" - autkey2="${autkey2} ${autkey4:10:2}" - autkey2="${autkey2} ${autkey4:12:2}" - autkey2="${autkey2} ${autkey4:14:2}" - echo "Attempting Smart Card key update..." - updatekey ${autkey2} - autkey=$autkey4 - if [[ $authenticated = "1" ]]; then - cp -Rp /etc/smartauth/smartauth.sh.in /usr/bin/smartauth.sh - OLDKEY="<your key in hexidecimal>" - authenticatecard - if [[ $authenticated = "1" ]]; then - NEWKEY=$autkey - echo $NEWKEY > /etc/smartauth/smartauth.key - sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauth.sh - chmod 600 /usr/bin/smartauth.sh - chmod a+x /usr/bin/smartauth.sh - echo "Updating initramfs" - update-initramfs -u -k all - echo "Securing directories..." - chmod 600 "/boot/initrd.img-$(uname -r)" - chmod -R 600 /etc/smartauth - if [ -e "/etc/smartauth/smartauthmon.key" ]; then - selection="Enable automatic login for TDE" - else - echo "TDE login disabled; not altering" - fi - else - zenity --error --text "A SmartCard authentication error has occurred." - fi - else - zenity --error --text "A SmartCard authentication error has occurred." - fi - else - echo "AUT1 key not 16 characters!" - zenity --error --text "The new transport key is invalid!" - fi - fi - fi - fi - - if [[ $selection = "" ]]; then - echo "Exiting!" - rm -rf $SECURE_DIRECTORY - chmod -R 600 /etc/smartauth - chown -R root /etc/smartauth - chmod a+x /usr/bin/smartauth.sh - chmod 600 "/boot/initrd.img-$(uname -r)" - chown root "/boot/initrd.img-$(uname -r)" - exit - fi -done diff --git a/usr/bin/smartauth.sh b/usr/bin/smartauth.sh deleted file mode 100644 index d0ab03a..0000000 --- a/usr/bin/smartauth.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/bin/sh - -# Smart Card Authentication Helper (c) 2008 Timothy Pearson -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - - -authscript="C0 84 00 00 08" -echo $authscript > authscript - -scriptor_standalone authscript | grep 'Normal processing' > challenge -perl -pi -e 's/ //g' challenge -perl -pi -e 's/:Normalprocessing.//g' challenge -perl -pi -e 's/<//g' challenge -xxd -r -p challenge challenge - -# Now DES encrypt the challenge -openssl des-ecb -in challenge -out response -K 0000000000000000 -iv 1 - -# Truncate to 6 bytes -dd if=response of=response2 bs=1 count=6 - -# Expand to standard hex listing format -xxd -g 1 response2 response -dd if=response of=response2 bs=1 count=17 skip=9 - -# Assemble the response file -response2=$(cat response2) -response1="C0 82 00 00 07 01 ${response2}" -echo $response1 > response - -# Send the response! -scriptor_standalone response > response2 - -# Get the result -dd if=response2 of=response bs=1 count=5 skip=95 -perl -pi -e 's/ //g' response -response1=$(cat response) -authokresponse="9000" -if [ "$response1" = "$authokresponse" ]; then - echo "Smart card validation successfull!" 
- # Get encryption key - authscript="C0 A4 00 00 02 10 01" - echo $authscript > authscript - scriptor_standalone authscript - #authscript="C0 B0 00 00 00" - authscript="" - echo $authscript > authscript - scriptor_standalone authscript > smart - mkdir smartcard - cd smartcard - echo "get 1001" | opensc-explorer - cd .. - rm smart - mv smartcard/*_1001 smart.key -else - echo "Authentication failed!" -fi - -rm authscript & -rm response & -rm response2 & -rm challenge & diff --git a/usr/share/applications/smartcardauth.desktop b/usr/share/applications/smartcardauth.desktop deleted file mode 100644 index 8fd77c9..0000000 --- a/usr/share/applications/smartcardauth.desktop +++ /dev/null @@ -1,10 +0,0 @@ -[Desktop Entry] -Type=Application -Exec=gksudo /usr/bin/setupcard.sh -Icon=smartcardauth -Terminal=false -X-TDE-StartupNotify=true - -Name=SmartCard Authentication Setup -GenericName=SmartCard Authentication Setup -Categories=TDE;System; diff --git a/usr/share/applications/smartcardrestrict.desktop b/usr/share/applications/smartcardrestrict.desktop deleted file mode 100644 index d8419e8..0000000 --- a/usr/share/applications/smartcardrestrict.desktop +++ /dev/null @@ -1,10 +0,0 @@ -[Desktop Entry] -Type=Application -Exec=gksudo /usr/bin/setupslavecard.sh -Icon=smartcardauth -Terminal=false -X-TDE-StartupNotify=true - -Name=SmartCard Restriction Setup -GenericName=SmartCard Restriction Setup -Categories=TDE;System; diff --git a/usr/share/icons/hicolor/16x16/apps/smartcardauth.png b/usr/share/icons/hicolor/16x16/apps/smartcardauth.png Binary files differdeleted file mode 100644 index ffb6269..0000000 --- a/usr/share/icons/hicolor/16x16/apps/smartcardauth.png +++ /dev/null diff --git a/usr/share/icons/hicolor/32x32/apps/smartcardauth.png b/usr/share/icons/hicolor/32x32/apps/smartcardauth.png Binary files differdeleted file mode 100644 index 1b68a02..0000000 --- a/usr/share/icons/hicolor/32x32/apps/smartcardauth.png +++ /dev/null 
diff --git a/usr/share/initramfs-tools/hooks/cryptlukssc b/usr/share/initramfs-tools/hooks/cryptlukssc index 577fc96..ea1048d 100755 --- a/usr/share/initramfs-tools/hooks/cryptlukssc +++ b/usr/share/initramfs-tools/hooks/cryptlukssc @@ -6,14 +6,14 @@ PREREQ="cryptroot" prereqs() { - echo "$PREREQ" + echo "$PREREQ" } case $1 in - prereqs) - prereqs - exit 0 - ;; + prereqs) + prereqs + exit 0 + ;; esac . /usr/share/initramfs-tools/hook-functions 
@@ -22,45 +22,77 @@ esac
 # Install directories needed by smartcard reading daemon, command, and
 # key-script
-for dir in etc/opensc usr/lib/pcsc var/run tmp ; do
- if [ ! -d ${DESTDIR}/${dir} ] ; then mkdir -p ${DESTDIR}/${dir} ; fi
+for dir in etc/opensc usr/lib var/run tmp ; do
+ if [ ! -d ${DESTDIR}/${dir} ] ;
+ then
+ mkdir -p ${DESTDIR}/${dir}
+ fi
 done
 # Install pcscd daemon, drivers, conf file, and include libgcc as well since
 # pcscd utilizes pthread_cancel
 mkdir -p ${DESTDIR}/lib
 copy_exec /usr/sbin/pcscd /sbin
-if [ -e /lib/*`uname -i`*/libgcc_s.so.1 ]
+
+ARCHDIR=$(uname -i)
+if [ "$ARCHDIR" = "unknown" ]; then
+ ARCHDIR=$(uname -m)
+fi
+
+if [ -e /lib/*${ARCHDIR}*/libgcc_s.so.1 ]
 then
- copy_exec /lib/*`uname -i`*/libgcc_s.so.1 /lib
+ cp -L /lib/*${ARCHDIR}*/libgcc_s.so.1 ${DESTDIR}/lib
 else
- copy_exec /lib/libgcc_s.so.1 /lib
+ cp -L /lib/libgcc_s.so.1 ${DESTDIR}/lib
 fi
-if [ -e /lib/*`uname -i`*/libpcsclite.so.1 ]
+
+if [ -e /lib/*${ARCHDIR}*/libpcsclite.so.1 ]
 then
- copy_exec /lib/*`uname -i`*/libpcsclite.so.1 /lib
+ cp -L /lib/*${ARCHDIR}*/libpcsclite.so.1 ${DESTDIR}/lib
+elif [ -e /usr/lib/*${ARCHDIR}*/libpcsclite.so.1 ]
+then
+ cp -L /usr/lib/*${ARCHDIR}*/libpcsclite.so.1 ${DESTDIR}/lib
 else
- copy_exec /lib/libpcsclite.so.1 /lib
+ cp -L /lib/libpcsclite.so.1 ${DESTDIR}/lib
 fi
-if [ -e /usr/lib/*`uname -i`*/libusb-1.0.so.0 ]
+
+if [ -e /usr/lib/*${ARCHDIR}*/libusb-1.0.so.0 ]
 then
- copy_exec /usr/lib/*`uname -i`*/libusb-1.0.so.0 /usr/lib
-else if [ -e /usr/lib/libusb-1.0.so.0 ]
+ cp -L /usr/lib/*${ARCHDIR}*/libusb-1.0.so.0 ${DESTDIR}/usr/lib
+elif [ -e /lib/*${ARCHDIR}*/libusb-1.0.so.0 ]
 then
- copy_exec /usr/lib/libusb-1.0.so.0 /usr/lib
+ cp -L /lib/*${ARCHDIR}*/libusb-1.0.so.0 ${DESTDIR}/usr/lib
+elif [ -e /usr/lib/libusb-1.0.so.0 ]
+then
+ cp -L /usr/lib/libusb-1.0.so.0 ${DESTDIR}/usr/lib
+else
+ echo "Unable to locate libusb-1.0"
+ exit 1
 fi
-cp -r /usr/lib/pcsc ${DESTDIR}/usr/lib
+
+cp -LRp /usr/lib/pcsc ${DESTDIR}/usr/lib/
+
 if [ -e /etc/reader.conf.d ]
 then
- cp -Rp /etc/reader.conf.d ${DESTDIR}/etc/
+ cp -L -Rp /etc/reader.conf.d ${DESTDIR}/etc/
 else
- cp /etc/reader.conf ${DESTDIR}/etc
+ cp -L /etc/reader.conf ${DESTDIR}/etc/
 fi
 # Install opensc commands and conf file
-copy_exec /usr/bin/opensc-tool /bin
-copy_exec /usr/bin/pkcs15-crypt /bin
-cp /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc
+copy_exec /usr/bin/opensc-tool /bin/
+copy_exec /usr/bin/pkcs15-crypt /bin/
+copy_exec /usr/bin/pkcs15-tool /bin/
+cp -L /etc/opensc/opensc.conf ${DESTDIR}/etc/opensc/
+
+# Install opensc interface library
+if [ -e /usr/lib/*${ARCHDIR}*/opensc-pkcs11.so ]
+then
+ cp -L /usr/lib/*${ARCHDIR}*/opensc-pkcs11.so ${DESTDIR}/usr/lib
+elif [ -e /usr/lib/opensc-pkcs11.so ]
+then
+ cp -L /usr/lib/opensc-pkcs11.so ${DESTDIR}/usr/lib
+fi
 # Install other required utilities
 copy_exec /bin/grep /bin
@@ -78,15 +110,20 @@ copy_exec /usr/bin/tr /bin
 copy_exec /bin/bash /bin
 # Main scripts
-copy_exec /usr/bin/scriptor_standalone /bin
 copy_exec /usr/bin/smartauth.sh /bin
+copy_exec /usr/bin/cardpincheck /bin
 # Libraries
-# cp /usr/lib/libltdl.so* ${DESTDIR}/usr/lib
-# cp /lib/libncurses.so.5 ${DESTDIR}/lib
-if [ -e /lib/*`uname -i`*/libncursesw.so.5 ]
+# cp -L /usr/lib/libltdl.so* ${DESTDIR}/usr/lib
+# cp -L /lib/libncurses.so.5 ${DESTDIR}/lib
+if [ -e /lib/*${ARCHDIR}*/libncursesw.so.5 ]
 then
- cp /lib/*`uname -i`*/libncursesw.so.5 ${DESTDIR}/lib
+ cp -L /lib/*${ARCHDIR}*/libncursesw.so.5 ${DESTDIR}/lib
 else
- cp /lib/libncursesw.so.5 ${DESTDIR}/lib
+ cp -L /lib/libncursesw.so.5 ${DESTDIR}/lib
 fi
+
+# LUKS keys
+cp -LRp /etc/trinity/luks/card ${DESTDIR}/tde_luks_keys
+
+exit 0 |
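Review bot: The opensc-pkcs11.so block added at the end of this hunk does nothing when neither `/usr/lib/*${ARCHDIR}*/opensc-pkcs11.so` nor `/usr/lib/opensc-pkcs11.so` exists, whereas the libusb-1.0 block a few lines above it aborts the hook with `exit 1`; the keyscript touched by this same commit appears to hand a fixed /usr/lib/opensc-pkcs11.so path to cardpincheck, so the missing module would only surface at boot as a card that cannot be unlocked. Give the new block the same terminal branch: `else`, `echo "Unable to locate opensc-pkcs11.so"`, `exit 1`. Replacing `copy_exec` with `cp -L` for the libraries also gives up copy_exec's resolution of shared-library dependencies, so anything opensc-pkcs11.so or libpcsclite links against that is not already in the image now has to be listed by hand — worth confirming with ldd on a target system. The unquoted `*${ARCHDIR}*` globs inside the `[ -e ... ]` tests turn into a test error if more than one directory matches; that pattern predates this change but is now repeated in several new places.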
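Review bot: `cp -LRp /etc/trinity/luks/card ${DESTDIR}/tde_luks_keys` embeds the LUKS keyfiles in the initramfs image, which is commonly readable by every local user, so the scheme holds only if every file under /etc/trinity/luks/card is already encrypted to the card (the per-slot cardpincheck decryption in the keyscript suggests it is); record that invariant beside the copy, e.g. `# Keyfiles here must already be card-encrypted; the initramfs image is not confidential`. The copy is also unconditional, so on a host where the directory has not been created yet cp fails with a message, and the trailing `exit 0` then hides that and any earlier failure; either guard it — `[ -d /etc/trinity/luks/card ] && cp -LRp /etc/trinity/luks/card ${DESTDIR}/tde_luks_keys` — or drop the blanket `exit 0` so the hook's real status reaches update-initramfs. The `-p` flag is the right choice, since it keeps the restrictive modes on the copied files. The enclosing script continues from the previous hunk.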
