diff options
Diffstat (limited to 'usr/bin/cryptosmartcard.sh')
| -rwxr-xr-x | usr/bin/cryptosmartcard.sh | 73 |
1 files changed, 55 insertions, 18 deletions
diff --git a/usr/bin/cryptosmartcard.sh b/usr/bin/cryptosmartcard.sh index 9d03f2c..f7ca6d9 100755 --- a/usr/bin/cryptosmartcard.sh +++ b/usr/bin/cryptosmartcard.sh @@ -10,7 +10,7 @@ # # Updated by TJ <linux@tjworld.net> 7 July 2008 # For use with Ubuntu Hardy, usplash, automatic detection of USB devices, -# detection and examination of *all* partitions on the device (not just partition #1), +# detection and examination of *all* partitions on the device (not just partition #1), # automatic detection of partition type, refactored, commented, debugging code. # # Update by Timothy Pearson <kb9vqf@pearsoncomputing.net> 8/28/2008 @@ -18,6 +18,9 @@ # # Updated by Timothy Pearson <kb9vqf@pearsoncomputing.net> 4/19/2010 # Added Plymouth detection and support +# +# Updated by Timothy Pearson <kb9vqf@pearsoncomputing.net> 9/15/2015 +# Rewrite to use on-card RSA encryption # define counter-intuitive shell logic values (based on /bin/true & /bin/false) TRUE=0 @@ -85,24 +88,62 @@ if [ $USBLOAD -gt 0 ]; then modprobe usb_storage >/dev/null 2>&1 fi -killall pcscd & +# Terminate the PC/SC subsystem +killall pcscd > /dev/null 2>&1 || true -# give the system time to settle and open the USB devices +# Give the system time to settle and open the USB devices sleep 5 -cd /bin/ -/bin/smartauth.sh > /dev/null 2>&1 -SMARTCARDFILE=/bin/smart.key -if [ -e $SMARTCARDFILE ] -then - OPENED=$TRUE - cat $SMARTCARDFILE -else - OPENED=$FALSE +# Relaunch the PC/SC subsystem +pcscd > /dev/null 2>&1 + +CARD_INSERTED=$FALSE +OPENED=$FALSE +LUKS_KEY_DIR=/tde_luks_keys +LUKS_KEY_COUNT=$(ls -1 $LUKS_KEY_DIR/ 2> /dev/null | wc -l) + +DISK_UUID=$(blkid -s UUID -o value $CRYPTTAB_SOURCE) + +if [ $LUKS_KEY_COUNT -gt 0 ]; then + if [ "$DISK_UUID" != "" ]; then + # Disk UUID found and LUKS keys are present + # Check for card presence... + pkcs15-tool --list-certificates > /dev/null 2>&1 + RET=$? + if [ $RET -eq 0 ]; then + # Card present + CARD_INSERTED=$TRUE + msg "SmartCard inserted, attempting to authenticate" + PIN=$(cardpincheck /usr/lib/opensc-pkcs11.so) + RET=$? + if [ $RET -eq 0 ]; then + # PIN valid + msg "SmartCard unlocked" + for KEYFILE in ${LUKS_KEY_DIR}/${DISK_UUID}_slot*; do + # Try decrypting + echo "$PIN" | cardpincheck /usr/lib/opensc-pkcs11.so $KEYFILE 2> /dev/null + RET=$? + if [ $RET -eq 0 ]; then + OPENED=$TRUE + break + fi + done + else + msg "SmartCard authentication failed" + fi + fi + fi fi +killall pcscd > /dev/null 2>&1 || true + if [ $OPENED -eq $FALSE ]; then - msg "SmartCard LUKS keyfile invalid or incorrect SmartCard inserted" + if [ $CARD_INSERTED -eq $TRUE ]; then + msg "SmartCard LUKS keyfile invalid or incorrect SmartCard inserted" + exit 0 + else + msg "No SmartCard inserted or no LUKS keyfiles available on this system" + fi if [ $HAS_PLYMOUTH -eq 1 ]; then plymouth ask-for-password --prompt="Please enter the LUKS password" else @@ -111,10 +152,6 @@ if [ $OPENED -eq $FALSE ]; then echo -n "$A" msg "Attempting to authenticate..." fi -else - msg "SmartCard authenticated and LUKS keyfile loaded" fi -killall pcscd & - - +exit 0 |