#!/bin/bash

# Smart Card Authentication Helper (c) 2009 Timothy Pearson
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.

get_file () {
	if [[ $COMMAND_MODE == "acos" ]]; then
		# Select EF $1 under DF 1000
		echo "$SELECT_FILE $1" > query
		scriptor_standalone query 1> response2
		echo $(cat response2)

		# Read binary
		echo "$READ_BINARY" > query
		scriptor_standalone query 1> response2
		authokresponse="90 00 : Normal processing"
		response1=$(cat response2 | grep "$authokresponse")
		if [[ $response1 != "" ]]; then
			cat response2 | tr -d '\n' > response4
			stringtoreplace="Using T=0 protocol00 B0 00 00 FF> 00 B0 00 00 FF< "
			newstring=""
			sed -i "s#${stringtoreplace}#${newstring}#g" response4
			stringtoreplace=" 90 00 : Normal processing."
			newstring=""
			sed -i "s#${stringtoreplace}#${newstring}#g" response4
			if [[ $2 == "text" ]]; then
				stringtoreplace=" 00"
				newstring=""
				sed -i "s#${stringtoreplace}#${newstring}#g" response4
			fi
			echo $(cat response4)
			rm -f lukskey
			xxd -r -p response4 lukskey
			RESPONSE=lukskey
		fi
	fi

	if [[ $COMMAND_MODE == "cryptoflex" ]]; then
		echo "get $1" | opensc-explorer
		RESPONSE="3F00_$1"
	fi
}

# Initialize pcscd
killall pcscd &
sleep 1
pcscd &
sleep 1

# Get card ATR
echo "RESET" > query
scriptor_standalone query 1> response2
authokresponse="OK: "
response1=$(cat response2 | grep "$authokresponse")
if [[ $response1 != "" ]]; then
	cat response2 | tr -d '\n' > response4
	stringtoreplace="Using T=0 protocolRESET> RESET< OK: "
	newstring=""
	sed -i "s#${stringtoreplace}#${newstring}#g" response4
	smartatr=$(cat response4)
	echo "Got ATR: $smartatr"
	if [[ $smartatr == "3B BE 18 00 00 41 05 10 00 00 00 00 00 00 00 00 00 90 00 " ]]; then
		echo "Detected ACOS5 card"
		COMMAND_MODE="acos"
	fi
	if [[ $smartatr == "3B 02 14 50 " ]]; then
		echo "Detected Schlumberger CryptoFlex card"
		COMMAND_MODE="cryptoflex"
	fi
else
	echo "No card detected!"
	exit 1
fi

if [[ $COMMAND_MODE == "cryptoflex" ]]; then
	GET_CHALLENGE="C0 84 00 00 08"
	EXTERNAL_AUTH="C0 82 00 00 07 01"
	SELECT_FILE="C0 A4 00 00 02"
	DELETE_FILE="F0 E4 00 00 02"
fi

if [[ $COMMAND_MODE == "acos" ]]; then
	GET_CHALLENGE="00 84 00 00 08"
	EXTERNAL_AUTH="00 82 00 83 08"		# Key 3
	SELECT_FILE="00 A4 00 00 02"
	DELETE_FILE="00 E4 00 00 00"
	READ_BINARY="00 B0 00 00 FF"
	UPDATE_BINARY="00 D6 00 00 FF"
	ACTIVATE_FILE="00 44 00 00 02"
fi

# Authenticate card
if [[ $COMMAND_MODE == "acos" ]]; then
	# Select MF
	echo "00 A4 00 00 00" > query
	scriptor_standalone query 1> response2
	echo $(cat response2)

	# Select DF 1000 under MF
	echo "$SELECT_FILE 10 00" > query
	scriptor_standalone query 1> response2
	echo $(cat response2)
fi

echo $GET_CHALLENGE > authscript

scriptor_standalone authscript | grep 'Normal processing' > challenge
perl -pi -e 's/ //g' challenge
perl -pi -e 's/:Normalprocessing.//g' challenge
perl -pi -e 's/<//g' challenge
xxd -r -p challenge challenge

# Now DES encrypt the challenge
# Later, change the initialization vector to random if possible
openssl des-ecb -in challenge -out response -K <your key in hexidecimal> -iv 1

if [[ $COMMAND_MODE == "acos" ]]; then
	# Truncate to 8 bytes
	dd if=response of=response2 bs=1 count=8

	# Expand to standard hex listing format
	xxd -g 1 response2 response
	dd if=response of=response2 bs=1 count=23 skip=9
fi

if [[ $COMMAND_MODE == "cryptoflex" ]]; then
	# Truncate to 6 bytes
	dd if=response of=response2 bs=1 count=6

	# Expand to standard hex listing format
	xxd -g 1 response2 response
	dd if=response of=response2 bs=1 count=17 skip=9
fi

# Assemble the response file
response2=$(cat response2)
response1="$EXTERNAL_AUTH ${response2}"
echo $response1 > response

# Send the response!
scriptor_standalone response > response2

# Get the result
authokresponse="< 90 00 : Normal processing"
response1=$(cat response2 | grep "$authokresponse")
echo $response1
if [[ $response1 != "" ]]; then
	echo "Smart card validation successfull!"
	# Get encryption key
	if [[ $COMMAND_MODE == "acos" ]]; then
		get_file "10 01"
	fi

	if [[ $COMMAND_MODE == "cryptoflex" ]]; then
		get_file "1001"
	fi
	mv $RESPONSE smart.key
else
	echo "Authentication failed!"
fi

rm authscript &
rm response &
rm response2 &
rm challenge &