1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
|
#!/bin/bash
# Smart Card Management Tool (c) 2009 Timothy Pearson
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# The [secure] temporary directory for authentication
SECURE_DIRECTORY=/tmp/smartauth
# Create the secure directory and lock it down
mkdir -p $SECURE_DIRECTORY
chown root $SECURE_DIRECTORY
chgrp root $SECURE_DIRECTORY
chmod 600 $SECURE_DIRECTORY
SECURE_DIRECTORY=$(mktemp /tmp/smartauth/setupcard.XXXXXXXXXX)
rm -rf $SECURE_DIRECTORY
mkdir -p $SECURE_DIRECTORY
chown root $SECURE_DIRECTORY
chgrp root $SECURE_DIRECTORY
chmod 600 $SECURE_DIRECTORY
# See if required programs are installed
scriptor=$(whereis scriptor)
if [[ $scriptor == "scriptor:" ]]; then
echo "ERROR: scriptor is not installed! This program cannot continue!"
zenity --error --text "ERROR: scriptor is not installed!\nThis program cannot continue!\n\nUsually, scriptor is part of the pcsc-tools package."
exit
fi
opensc=$(whereis opensc-explorer)
if [[ $opensc == "opensc-explorer:" ]]; then
echo "ERROR: opensc-explorer is not installed! This program cannot continue!"
zenity --error --text "ERROR: opensc-explorer is not installed!\nThis program cannot continue!\n\nUsually, opensc-explorer is part of the opensc package."
exit
fi
# Get card ATR
FOUND_SUPPORTED_CARD=0
echo "RESET" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
authokresponse="OK: "
response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse")
if [[ $response1 != "" ]]; then
cat $SECURE_DIRECTORY/response2 | tr -d '\n' > $SECURE_DIRECTORY/response4
stringtoreplace="Using T=0 protocolRESET> RESET< OK: "
newstring=""
sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4
smartatr=$(cat $SECURE_DIRECTORY/response4)
echo "Got ATR: $smartatr"
if [[ $smartatr == "3B BE 18 00 00 41 05 10 00 00 00 00 00 00 00 00 00 90 00 " ]]; then
echo "Detected ACOS5 card"
COMMAND_MODE="acos"
CARD_NICE_NAME="ACOS5"
FOUND_SUPPORTED_CARD=1
fi
if [[ $smartatr == "3B 02 14 50 " ]]; then
echo "Detected Schlumberger CryptoFlex card"
COMMAND_MODE="cryptoflex"
CARD_NICE_NAME="Schlumberger CryptoFlex"
FOUND_SUPPORTED_CARD=1
fi
else
echo "No card detected!"
zenity --error --text "ERROR: No SmartCard detected!"
exit 1
fi
if [[ $FOUND_SUPPORTED_CARD -eq 0 ]]; then
echo "Unsupported SmartCard detected! ATR: $smartatr"
zenity --error --text "ERROR: Unsupported SmartCard detected!\n\nATR: $smartatr"
exit 1
fi
if [[ $COMMAND_MODE == "cryptoflex" ]]; then
GET_CHALLENGE="C0 84 00 00 08"
EXTERNAL_AUTH="C0 82 00 00 07 01"
SELECT_FILE="C0 A4 00 00 02"
DELETE_FILE="F0 E4 00 00 02"
fi
if [[ $COMMAND_MODE == "acos" ]]; then
GET_CHALLENGE="00 84 00 00 08"
EXTERNAL_AUTH="00 82 00 81 08"
SELECT_FILE="00 A4 00 00 02"
DELETE_FILE="00 E4 00 00 00"
READ_BINARY="00 B0 00 00 FF"
UPDATE_BINARY="00 D6 00 00 FF"
ACTIVATE_FILE="00 44 00 00 02"
fi
CREATE_LIFE_CYCLE="01"
createfile ()
{
if [[ $COMMAND_MODE == "cryptoflex" ]]; then
# Create transparent file with permissions:
# delete, terminate, activate, deactivate, update, read for Key 1 and Key 2 only
echo "F0 E0 00 FF 10 FF FF 00 $1 $2 01 3F 44 FF 44 01 03 11 FF 11" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null
fi
if [[ $COMMAND_MODE == "acos" ]]; then
# Select MF
echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Select DF 1000 under MF
echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Create transparent file with permissions:
# delete, terminate, activate, deactivate, update, read for Key 1, Key 2, and Key 3 only (SE 04)
# created in DF 1000 under MF, SE file is 10FE
# SIZE TRANSPARENT
echo "00 E0 00 00 1A 62 18 80 02 00 $1 82 01 01 83 02 $2 8A 01 $CREATE_LIFE_CYCLE 8C 08 7F 04 04 04 04 04 04 04" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null
echo $(cat $SECURE_DIRECTORY/response2)
fi
}
updatekey ()
{
if [[ $COMMAND_MODE == "cryptoflex" ]]; then
echo "$SELECT_FILE 00 11" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null
echo "C0 D6 00 0D 0C 08 00 $1 05 05" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null
fi
}
hexcvt ()
{
echo ""$1" "16" o p" | dc
}
authenticatecard () {
if [[ $authenticated != "1" ]]; then
if [[ -e /etc/smartauth/slave.key ]]; then
autkey=$(cat /etc/smartauth/slave.key)
else
autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef")
fi
if [[ ${#autkey} -eq 16 ]]; then
if [[ $COMMAND_MODE == "acos" ]]; then
# Select MF
echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Make sure DF 1000 is selected
echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
fi
# Authenticate card
echo $GET_CHALLENGE > $SECURE_DIRECTORY/authscript
scriptor $SECURE_DIRECTORY/authscript | grep 'Normal processing' > $SECURE_DIRECTORY/challenge
perl -pi -e 's/ //g' $SECURE_DIRECTORY/challenge
perl -pi -e 's/:Normalprocessing.//g' $SECURE_DIRECTORY/challenge
perl -pi -e 's/<//g' $SECURE_DIRECTORY/challenge
xxd -r -p $SECURE_DIRECTORY/challenge $SECURE_DIRECTORY/challenge
# Now DES encrypt the challenge
# Later, change the initialization vector to random if possible
openssl des-ecb -in $SECURE_DIRECTORY/challenge -out $SECURE_DIRECTORY/response -K $autkey -iv 1
if [[ $COMMAND_MODE == "acos" ]]; then
# Truncate to 8 bytes
dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=8
# Expand to standard hex listing format
xxd -g 1 $SECURE_DIRECTORY/response2 $SECURE_DIRECTORY/response
dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=23 skip=9
fi
if [[ $COMMAND_MODE == "cryptoflex" ]]; then
# Truncate to 6 bytes
dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=6
# Expand to standard hex listing format
xxd -g 1 $SECURE_DIRECTORY/response2 $SECURE_DIRECTORY/response
dd if=$SECURE_DIRECTORY/response of=$SECURE_DIRECTORY/response2 bs=1 count=17 skip=9
fi
# Assemble the response file
response2=$(cat $SECURE_DIRECTORY/response2)
response1="$EXTERNAL_AUTH ${response2}"
echo $response1 > $SECURE_DIRECTORY/response
# Send the response!
scriptor $SECURE_DIRECTORY/response > $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Get the result
authokresponse="< 90 00 : Normal processing"
response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse")
echo $response1
if [[ $response1 != "" ]]; then
echo "Smart card validation successfull!"
echo "Smart card login successfull!"
echo $autkey > /etc/smartauth/slave.key
authenticated="1"
else
echo "Login failed"
if [[ -e /etc/smartauth/slave.key ]]; then
rm -f /etc/smartauth/slave.key
authenticatecard
else
zenity --error --text "That transport key is incorrect!\n\nPlease remember that there are a limited number\nof failed login attempts for this key,\nafter which your SmartCard will become useless."
fi
fi
else
echo "AUT1 key not 16 characters!"
zenity --error --text "That transport key is invalid!"
fi
fi
}
get_file () {
if [[ $COMMAND_MODE == "acos" ]]; then
# Select EF $1 under DF 1000
echo "$SELECT_FILE $1" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Read binary
echo "$READ_BINARY" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
authokresponse="90 00 : Normal processing"
response1=$(cat $SECURE_DIRECTORY/response2 | grep "$authokresponse")
if [[ $response1 != "" ]]; then
cat $SECURE_DIRECTORY/response2 | tr -d '\n' > $SECURE_DIRECTORY/response4
stringtoreplace="Using T=0 protocol00 B0 00 00 FF> 00 B0 00 00 FF< "
newstring=""
sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4
stringtoreplace=" 90 00 : Normal processing."
newstring=""
sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4
if [[ $2 == "text" ]]; then
stringtoreplace=" 00"
newstring=""
sed -i "s#${stringtoreplace}#${newstring}#g" $SECURE_DIRECTORY/response4
fi
echo $(cat $SECURE_DIRECTORY/response4)
rm -f $SECURE_DIRECTORY/lukskey
xxd -r -p $SECURE_DIRECTORY/response4 $SECURE_DIRECTORY/lukskey
RESPONSE=$SECURE_DIRECTORY/lukskey
fi
fi
if [[ $COMMAND_MODE == "cryptoflex" ]]; then
FILE=${1/ /}
echo "get $FILE" | opensc-explorer
RESPONSE="3F00_$FILE"
fi
}
update_file () {
if [[ $COMMAND_MODE == "acos" ]]; then
# Select EF $1 under DF 1000
echo "$SELECT_FILE $1" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Update existing file
# Zero pad input file
dd if=/dev/zero of=$SECURE_DIRECTORY/response2 bs=1 count=255
dd if=$2 of=$SECURE_DIRECTORY/response2 bs=1 count=255 conv=notrunc
# Truncate to 255 bytes and expand to standard hex listing format
xxd -l 255 -ps -c 1 $SECURE_DIRECTORY/response2 > $SECURE_DIRECTORY/response
cat $SECURE_DIRECTORY/response | tr '\n' ' ' > $SECURE_DIRECTORY/hexready
echo "$UPDATE_BINARY $(cat $SECURE_DIRECTORY/hexready)" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null
echo $(cat $SECURE_DIRECTORY/response2)
fi
if [[ $COMMAND_MODE == "cryptoflex" ]]; then
# Delete old file
echo "$DELETE_FILE $1" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2 2>/dev/null
echo $(cat $SECURE_DIRECTORY/response2)
# Create new file
createfile "FF" $1
FILE=${1/ /}
echo "put $FILE $2" | opensc-explorer
fi
}
insertnewtext () {
FOUNDTEXT=$(cat $2 | grep $1)
echo $FOUNDTEXT;
if [[ $FOUNDTEXT != "" ]]; then
echo "$1 already exists in $2"
else
echo $1 >> $2
fi
}
getcolumn () {
perl -ne '@cols = split; print "$cols['$1']\n"' ;
}
function loadusername {
echo "Loading username..."
authenticatecard
if [[ $authenticated = "1" ]]; then
zenity --entry --title="SmartCard Username" --text="Please enter the username of the account to be associated with this SmartCard" > $SECURE_DIRECTORY/username
update_file "10 02" "$SECURE_DIRECTORY/username"
rm -f $SECURE_DIRECTORY/username
fi
}
function loadpassword {
echo "Loading password..."
authenticatecard
if [[ $authenticated = "1" ]]; then
zenity --entry --hide-text --title="SmartCard Password" --text="Please enter the password of the account that is associated with this SmartCard" > $SECURE_DIRECTORY/password
update_file "10 03" "$SECURE_DIRECTORY/password"
rm -f $SECURE_DIRECTORY/password
fi
}
function loadminutes {
echo "Loading minutes..."
authenticatecard
if [[ $authenticated = "1" ]]; then
echo "$(zenity --entry --hide-text --title="SmartCard Computer Minutes" --text="Please enter the number of computer minutes for this SmartCard")" > $SECURE_DIRECTORY/password
update_file "10 05" "$SECURE_DIRECTORY/password"
rm -f $SECURE_DIRECTORY/password
fi
}
function enablerestrictedmode {
echo "Enabling restricted mode..."
authenticatecard
if [[ $authenticated = "1" ]]; then
echo "SLAVE" > $SECURE_DIRECTORY/password
update_file "10 04" "$SECURE_DIRECTORY/password"
rm -f $SECURE_DIRECTORY/password
fi
}
function disablerestrictedmode {
echo "Disabling restricted mode..."
authenticatecard
if [[ $authenticated = "1" ]]; then
echo "NORMAL" > $SECURE_DIRECTORY/password
update_file "10 04" "$SECURE_DIRECTORY/password"
rm -f $SECURE_DIRECTORY/password
fi
}
GREETER="Welcome to the SmartCard slave authentication setup utility!\n\nCard ATR: $smartatr\nDetected: $CARD_NICE_NAME\n\nPlease select an action from the list below:"
while [[ 1 -eq 1 ]]; do
if [[ $# -eq 0 ]]; then
selection=$(zenity --width=400 --height=400 --list --radiolist --title="SmartCard Authentication Setup" \
--text="$GREETER" \
--column="" --column="Action" \
TRUE "Load Computer Minutes into Smart Card [File 1005]" \
FALSE "Enable Restricted Mode [File 1004]" \
FALSE "Disable Restricted Mode [File 1004]" \
FALSE "Load username into Smart Card [File 1002]" \
FALSE "Load password into Smart Card [File 1003]" \
FALSE "Update Smart Card Transport Key [AUT1]");
fi
if [[ $selection = "Load username into Smart Card [File 1002]" ]]; then
loadusername
fi
if [[ $selection = "Load password into Smart Card [File 1003]" ]]; then
loadpassword
fi
if [[ $selection = "Load Computer Minutes into Smart Card [File 1005]" ]]; then
loadminutes
fi
if [[ $selection = "Enable Restricted Mode [File 1004]" ]]; then
enablerestrictedmode
fi
if [[ $selection = "Disable Restricted Mode [File 1004]" ]]; then
disablerestrictedmode
fi
if [[ $selection = "Update Smart Card Transport Key [AUT1]" ]]; then
echo "Updating AUT1..."
authenticatecard
if [[ $authenticated = "1" ]]; then
if [[ $COMMAND_MODE == "acos" ]]; then
# Select MF
echo "00 A4 00 00 00" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Select DF 1000 under MF
echo "$SELECT_FILE 10 00" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Select EF 10FD under DF 1000
echo "$SELECT_FILE 10 FD" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
# Initialize first key record in file 10FD
# Key 1, 8-byte 1DES authentication only
autkey=""
while [[ ${#autkey} != 16 ]]; do
autkey=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef")
done
autkey2=${autkey:0:2}
autkey2="${autkey2} ${autkey:2:2}"
autkey2="${autkey2} ${autkey:4:2}"
autkey2="${autkey2} ${autkey:6:2}"
autkey2="${autkey2} ${autkey:8:2}"
autkey2="${autkey2} ${autkey:10:2}"
autkey2="${autkey2} ${autkey:12:2}"
autkey2="${autkey2} ${autkey:14:2}"
echo "00 DC 00 00 0C 81 01 55 05 $autkey2" > $SECURE_DIRECTORY/query
scriptor $SECURE_DIRECTORY/query 1> $SECURE_DIRECTORY/response2
echo $(cat $SECURE_DIRECTORY/response2)
fi
if [[ $COMMAND_MODE == "cryptoflex" ]]; then
autkey4=$(zenity --entry --hide-text --title="SmartCard Transport Key" --text="Please enter the new 16-character Smart Card transport key [AUT1] in hexidecimal. Example: 0123456789abcdef")
if [[ ${#autkey4} -eq 16 ]]; then
autkey2=${autkey4:0:2}
autkey2="${autkey2} ${autkey4:2:2}"
autkey2="${autkey2} ${autkey4:4:2}"
autkey2="${autkey2} ${autkey4:6:2}"
autkey2="${autkey2} ${autkey4:8:2}"
autkey2="${autkey2} ${autkey4:10:2}"
autkey2="${autkey2} ${autkey4:12:2}"
autkey2="${autkey2} ${autkey4:14:2}"
echo "Attempting Smart Card key update..."
updatekey ${autkey2}
autkey=$autkey4
if [[ $authenticated = "1" ]]; then
cp -Rp /etc/smartauth/smartauth.sh.in /usr/bin/smartauth.sh
OLDKEY="<your key in hexidecimal>"
authenticatecard
if [[ $authenticated = "1" ]]; then
NEWKEY=$autkey
echo $NEWKEY > /etc/smartauth/smartauth.key
sed -i "s#${OLDKEY}#${NEWKEY}#g" /usr/bin/smartauth.sh
chmod 600 /usr/bin/smartauth.sh
chmod a+x /usr/bin/smartauth.sh
echo "Updating initramfs"
update-initramfs -u -k all
echo "Securing directories..."
chmod 600 "/boot/initrd.img-$(uname -r)"
chmod -R 600 /etc/smartauth
if [ -e "/etc/smartauth/smartauthmon.key" ]; then
selection="Enable automatic login for TDE"
else
echo "TDE login disabled; not altering"
fi
else
zenity --error --text "A SmartCard authentication error has occurred."
fi
else
zenity --error --text "A SmartCard authentication error has occurred."
fi
else
echo "AUT1 key not 16 characters!"
zenity --error --text "The new transport key is invalid!"
fi
fi
fi
fi
if [[ $selection = "" ]]; then
echo "Exiting!"
rm -rf $SECURE_DIRECTORY
chmod -R 600 /etc/smartauth
chown -R root /etc/smartauth
chmod a+x /usr/bin/smartauth.sh
chmod 600 "/boot/initrd.img-$(uname -r)"
chown root "/boot/initrd.img-$(uname -r)"
exit
fi
done
|
