#!/bin/bash # Smart Card Management Tool (c) 2009 Timothy Pearson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # The [secure] temporary directory for authentication SECURE_DIRECTORY=/tmp/smartauth # Create the secure directory and lock it down mkdir -p $SECURE_DIRECTORY chown root $SECURE_DIRECTORY chgrp root $SECURE_DIRECTORY chmod 600 $SECURE_DIRECTORY SECURE_DIRECTORY=$(mktemp /tmp/smartauth/setupcard.XXXXXXXXXX) rm -rf $SECURE_DIRECTORY mkdir -p $SECURE_DIRECTORY chown root $SECURE_DIRECTORY chgrp root $SECURE_DIRECTORY chmod 600 $SECURE_DIRECTORY # See if required programs are installed scriptor=$(whereis scriptor) if [[ $scriptor == "scriptor:" ]]; then echo "ERROR: scriptor is not installed! This program cannot continue!" zenity --error --text "ERROR: scriptor is not installed!\nThis program cannot continue!\n\nUsually, scriptor is part of the pcsc-tools package." exit fi opensc=$(whereis opensc-explorer) if [[ $opensc == "opensc-explorer:" ]]; then echo "ERROR: opensc-explorer is not installed! This program cannot continue!" zenity --error --text "ERROR: opensc-explorer is not installed!\nThis program cannot continue!\n\nUsually, opensc-explorer is part of the opensc package." exit fi # Get card ATR FOUND_SUPPORTED_CARD=0 echo "RESET" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 authokresponse="OK: " response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") if [[ $response1 != "" ]]; then cat $SECURE_DIRECTORY/response2 | tr -d '\n' > $SECURE_DIRECTORY/response4 stringtoreplace="Using T=0 protocolRESET> RESET< OK: " newstring="" sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 smartatr=$(cat $SECURE_DIRECTORY/response4) echo "Got ATR: $smartatr" if [[ $smartatr == "3B BE 18 00 00 41 05 10 00 00 00 00 00 00 00 00 00 90 00 " ]]; then echo "Detected ACOS5 card" COMMAND_MODE="acos" CARD_NICE_NAME="ACOS5" FOUND_SUPPORTED_CARD=1 fi if [[ $smartatr == "3B 02 14 50 " ]]; then echo "Detected Schlumberger CryptoFlex card" COMMAND_MODE="cryptoflex" CARD_NICE_NAME="Schlumberger CryptoFlex" FOUND_SUPPORTED_CARD=1 fi else echo "No card detected!" zenity --error --text "ERROR: No SmartCard detected!" exit 1 fi if [[ $FOUND_SUPPORTED_CARD -eq 0 ]]; then echo "Unsupported SmartCard detected! ATR: $smartatr" zenity --error --text "ERROR: Unsupported SmartCard detected!\n\nATR: $smartatr" exit 1 fi if [[ $COMMAND_MODE == "cryptoflex" ]]; then GET_CHALLENGE="C0 84 00 00 08" EXTERNAL_AUTH="C0 82 00 00 07 01" SELECT_FILE="C0 A4 00 00 02" DELETE_FILE="F0 E4 00 00 02" fi if [[ $COMMAND_MODE == "acos" ]]; then GET_CHALLENGE="00 84 00 00 08" EXTERNAL_AUTH="00 82 00 81 08" SELECT_FILE="00 A4 00 00 02" DELETE_FILE="00 E4 00 00 00" READ_BINARY="00 B0 00 00 FF" UPDATE_BINARY="00 D6 00 00 FF" ACTIVATE_FILE="00 44 00 00 02" fi CREATE_LIFE_CYCLE="01" createfile () { if [[ $COMMAND_MODE == "cryptoflex" ]]; then # Create transparent file with permissions: # delete, terminate, activate, deactivate, update, read for Key 1 and Key 2 only echo "F0 E0 00 FF 10 FF FF 00 $1 $2 01 3F 44 FF 44 01 03 11 FF 11" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null fi if [[ $COMMAND_MODE == "acos" ]]; then # Select MF echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Select DF 1000 under MF echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Create transparent file with permissions: # delete, terminate, activate, deactivate, update, read for Key 1, Key 2, and Key 3 only (SE 04) # created in DF 1000 under MF, SE file is 10FE # SIZE TRANSPARENT echo "00 E0 00 00 1A 62 18 80 02 00 $1 82 01 01 83 02 $2 8A 01 $CREATE_LIFE_CYCLE 8C 08 7F 04 04 04 04 04 04 04" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null echo $(cat $SECURE_DIRECTORY/response2) fi } updatekey () { if [[ $COMMAND_MODE == "cryptoflex" ]]; then echo "$SELECT_FILE 00 11" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null echo "C0 D6 00 0D 0C 08 00 $1 05 05" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null fi } hexcvt () { echo ""$1" "16" o p" | dc } authenticatecard () { if [[ $authenticated != "1" ]]; then if [[ -e /etc/smartauth/slave.key ]]; then autkey=$(cat /etc/smartauth/slave.key) else autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef") fi if [[ ${#autkey} -eq 16 ]]; then if [[ $COMMAND_MODE == "acos" ]]; then # Select MF echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Make sure DF 1000 is selected echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) fi # Authenticate card echo $GET_CHALLENGE > $SECURE_DIRECTORY/authscript scriptor $SECURE_DIRECTORY/authscript | grep 'Normal processing' > $SECURE_DIRECTORY/challenge perl -pi -e 's/ //g' $SECURE_DIRECTORY/challenge perl -pi -e 's/:Normalprocessing.//g' $SECURE_DIRECTORY/challenge perl -pi -e 's/ $SECURE_DIRECTORY/response # Send the response! scriptor $SECURE_DIRECTORY/response > $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Get the result authokresponse="< 90 00 : Normal processing" response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") echo $response1 if [[ $response1 != "" ]]; then echo "Smart card validation successfull!" echo "Smart card login successfull!" echo $autkey > /etc/smartauth/slave.key authenticated="1" else echo "Login failed" if [[ -e /etc/smartauth/slave.key ]]; then rm -f /etc/smartauth/slave.key authenticatecard else zenity --error --text "That transport key is incorrect!\n\nPlease remember that there are a limited number\nof failed login attempts for this key,\nafter which your SmartCard will become useless." fi fi else echo "AUT1 key not 16 characters!" zenity --error --text "That transport key is invalid!" fi fi } get_file () { if [[ $COMMAND_MODE == "acos" ]]; then # Select EF $1 under DF 1000 echo "$SELECT_FILE $1" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Read binary echo "$READ_BINARY" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 authokresponse="90 00 : Normal processing" response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse") if [[ $response1 != "" ]]; then cat $SECURE_DIRECTORY/response2 | tr -d '\n' > $SECURE_DIRECTORY/response4 stringtoreplace="Using T=0 protocol00 B0 00 00 FF> 00 B0 00 00 FF< " newstring="" sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 stringtoreplace=" 90 00 : Normal processing." newstring="" sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 if [[ $2 == "text" ]]; then stringtoreplace=" 00" newstring="" sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4 fi echo $(cat $SECURE_DIRECTORY/response4) rm -f $SECURE_DIRECTORY/lukskey xxd -r -p $SECURE_DIRECTORY/response4 $SECURE_DIRECTORY/lukskey RESPONSE=$SECURE_DIRECTORY/lukskey fi fi if [[ $COMMAND_MODE == "cryptoflex" ]]; then FILE=${1/ /} echo "get $FILE" | opensc-explorer RESPONSE="3F00_$FILE" fi } update_file () { if [[ $COMMAND_MODE == "acos" ]]; then # Select EF $1 under DF 1000 echo "$SELECT_FILE $1" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Update existing file # Zero pad input file dd if=/dev/zero of=$SECURE_DIRECTORY/response2 bs=1 count=255 dd if=$2 of=$SECURE_DIRECTORY/response2 bs=1 count=255 conv=notrunc # Truncate to 255 bytes and expand to standard hex listing format xxd -l 255 -ps -c 1 $SECURE_DIRECTORY/response2 > $SECURE_DIRECTORY/response cat $SECURE_DIRECTORY/response | tr '\n' ' ' > $SECURE_DIRECTORY/hexready echo "$UPDATE_BINARY $(cat $SECURE_DIRECTORY/hexready)" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null echo $(cat $SECURE_DIRECTORY/response2) fi if [[ $COMMAND_MODE == "cryptoflex" ]]; then # Delete old file echo "$DELETE_FILE $1" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null echo $(cat $SECURE_DIRECTORY/response2) # Create new file createfile "FF" $1 FILE=${1/ /} echo "put $FILE $2" | opensc-explorer fi } insertnewtext () { FOUNDTEXT=$(cat $2 | grep $1) echo $FOUNDTEXT; if [[ $FOUNDTEXT != "" ]]; then echo "$1 already exists in $2" else echo $1 >> $2 fi } getcolumn () { perl -ne '@cols = split; print "$cols['$1']\n"' ; } function loadusername { echo "Loading username..." authenticatecard if [[ $authenticated = "1" ]]; then zenity --entry --title="SmartCard Username" --text="Please enter the username of the account to be associated with this SmartCard" > $SECURE_DIRECTORY/username update_file "10 02" "$SECURE_DIRECTORY/username" rm -f $SECURE_DIRECTORY/username fi } function loadpassword { echo "Loading password..." authenticatecard if [[ $authenticated = "1" ]]; then zenity --entry --hide-text --title="SmartCard Password" --text="Please enter the password of the account that is associated with this SmartCard" > $SECURE_DIRECTORY/password update_file "10 03" "$SECURE_DIRECTORY/password" rm -f $SECURE_DIRECTORY/password fi } function loadminutes { echo "Loading minutes..." authenticatecard if [[ $authenticated = "1" ]]; then echo "$(zenity --entry --hide-text --title="SmartCard Computer Minutes" --text="Please enter the number of computer minutes for this SmartCard")" > $SECURE_DIRECTORY/password update_file "10 05" "$SECURE_DIRECTORY/password" rm -f $SECURE_DIRECTORY/password fi } function enablerestrictedmode { echo "Enabling restricted mode..." authenticatecard if [[ $authenticated = "1" ]]; then echo "SLAVE" > $SECURE_DIRECTORY/password update_file "10 04" "$SECURE_DIRECTORY/password" rm -f $SECURE_DIRECTORY/password fi } function disablerestrictedmode { echo "Disabling restricted mode..." authenticatecard if [[ $authenticated = "1" ]]; then echo "NORMAL" > $SECURE_DIRECTORY/password update_file "10 04" "$SECURE_DIRECTORY/password" rm -f $SECURE_DIRECTORY/password fi } GREETER="Welcome to the SmartCard slave authentication setup utility!\n\nCard ATR: $smartatr\nDetected: $CARD_NICE_NAME\n\nPlease select an action from the list below:" while [[ 1 -eq 1 ]]; do if [[ $# -eq 0 ]]; then selection=$(zenity --width=400 --height=400 --list --radiolist --title="SmartCard Authentication Setup" \ --text="$GREETER" \ --column="" --column="Action" \ TRUE "Load Computer Minutes into Smart Card [File 1005]" \ FALSE "Enable Restricted Mode [File 1004]" \ FALSE "Disable Restricted Mode [File 1004]" \ FALSE "Load username into Smart Card [File 1002]" \ FALSE "Load password into Smart Card [File 1003]" \ FALSE "Update Smart Card Transport Key [AUT1]"); fi if [[ $selection = "Load username into Smart Card [File 1002]" ]]; then loadusername fi if [[ $selection = "Load password into Smart Card [File 1003]" ]]; then loadpassword fi if [[ $selection = "Load Computer Minutes into Smart Card [File 1005]" ]]; then loadminutes fi if [[ $selection = "Enable Restricted Mode [File 1004]" ]]; then enablerestrictedmode fi if [[ $selection = "Disable Restricted Mode [File 1004]" ]]; then disablerestrictedmode fi if [[ $selection = "Update Smart Card Transport Key [AUT1]" ]]; then echo "Updating AUT1..." authenticatecard if [[ $authenticated = "1" ]]; then if [[ $COMMAND_MODE == "acos" ]]; then # Select MF echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Select DF 1000 under MF echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Select EF 10FD under DF 1000 echo "$SELECT_FILE 10 FD" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) # Initialize first key record in file 10FD # Key 1, 8-byte 1DES authentication only autkey="" while [[ ${#autkey} != 16 ]]; do autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef") done autkey2=${autkey:0:2} autkey2="${autkey2} ${autkey:2:2}" autkey2="${autkey2} ${autkey:4:2}" autkey2="${autkey2} ${autkey:6:2}" autkey2="${autkey2} ${autkey:8:2}" autkey2="${autkey2} ${autkey:10:2}" autkey2="${autkey2} ${autkey:12:2}" autkey2="${autkey2} ${autkey:14:2}" echo "00 DC 00 00 0C 81 01 55 05 $autkey2" > $SECURE_DIRECTORY/query scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 echo $(cat $SECURE_DIRECTORY/response2) fi if [[ $COMMAND_MODE == "cryptoflex" ]]; then autkey4=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef") if [[ ${#autkey4} -eq 16 ]]; then autkey2=${autkey4:0:2} autkey2="${autkey2} ${autkey4:2:2}" autkey2="${autkey2} ${autkey4:4:2}" autkey2="${autkey2} ${autkey4:6:2}" autkey2="${autkey2} ${autkey4:8:2}" autkey2="${autkey2} ${autkey4:10:2}" autkey2="${autkey2} ${autkey4:12:2}" autkey2="${autkey2} ${autkey4:14:2}" echo "Attempting Smart Card key update..." updatekey ${autkey2} autkey=$autkey4 if [[ $authenticated = "1" ]]; then cp -Rp /etc/smartauth/smartauth.sh.in /usr/bin/smartauth.sh OLDKEY="" authenticatecard if [[ $authenticated = "1" ]]; then NEWKEY=$autkey echo $NEWKEY > /etc/smartauth/smartauth.key sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauth.sh chmod 600 /usr/bin/smartauth.sh chmod a+x /usr/bin/smartauth.sh echo "Updating initramfs" update-initramfs -u all echo "Securing directories..." chmod 600 "/boot/initrd.img-$(uname -r)" chmod -R 600 /etc/smartauth if [ -e "/usr/bin/smartauthmon.sh" ]; then selection="Enable automatic login for KDE3.5" else echo "KDE3.5 login disabled; not altering" fi else zenity --error --text "A SmartCard authentication error has occurred." fi else zenity --error --text "A SmartCard authentication error has occurred." fi else echo "AUT1 key not 16 characters!" zenity --error --text "The new transport key is invalid!" fi fi fi fi if [[ $selection = "" ]]; then echo "Exiting!" rm -rf $SECURE_DIRECTORY chmod -R 600 /etc/smartauth chown -R root /etc/smartauth chmod a+x /usr/bin/smartauth.sh chmod a+x /usr/bin/smartauthmon.sh chmod 600 "/boot/initrd.img-$(uname -r)" chown root "/boot/initrd.img-$(uname -r)" exit fi done