From 1195a1a76207ce211ff0003a99c0bcd7bdb03d69 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 5 Apr 2021 09:51:47 +0200
Subject: [PATCH] [feat] Allow custom commands
* Decipher command
* Smartcard presence test
---
 README.md | 2 ++
 decrypt_pkcs | 24 ++++++++++++++++--------
 decrypt_pkcs_default | 27 +++++++++++++++++++++++++++
 decrypt_pkcs_hook | 13 +++++++++++--
 4 files changed, 56 insertions(+), 10 deletions(-)
 create mode 100644 decrypt_pkcs_default
diff --git a/README.md b/README.md
index 55616d5..1941ac5 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,8 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian
 ```sudo cp decrypt_pkcs_hook /etc/initramfs-tools/hooks && chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs_hook ```
+ ```sudo cp decrypt_pkcs_default /etc/default/decrypt_pkcs ```
+ ```sudo update-initramfs -u```
 10. Test smartcard (without USB Key)
diff --git a/decrypt_pkcs b/decrypt_pkcs
index ff0661d..ab46e7c 100755
--- a/decrypt_pkcs
+++ b/decrypt_pkcs
@@ -9,6 +9,14 @@
 # Although opensc-tool --help reports that there is a --wait option, it doesn't
 # seem to be implemented.
+# Load configuration and test set default value if missing
+. /etc/default/decrypt_pkcs
+SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}
+SMARTCARD_PRESENCE_ARGS=${SMARTCARD_PRESENCE_ARGS:-'-n'}
+DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
+DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'}
+DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'}
+
 check_plymouth() {
 plymouth=0
 if [ -x /bin/plymouth ] && plymouth --ping > /dev/null ; then
@@ -27,7 +35,7 @@ check_osk_sdl() {
 check_card() {
 cardfound=0
- if /usr/bin/opensc-tool -n >/dev/null 2>&1; then
+ if $SMARTCARD_PRESENCE_COMMAND $SMARTCARD_PRESENCE_ARGS >/dev/null 2>&1; then
 cardfound=1
 fi
 }
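Review bot: `. /etc/default/decrypt_pkcs` in this hunk sources the file unconditionally, whereas the hook guards the same load with `-f`; if the file is missing from the initramfs, a POSIX sh such as dash exits the non-interactive keyscript before it reaches the fallback assignments below it, so the optional config becomes a hard dependency at unlock time. Mirror the hook: `if [ -r /etc/default/decrypt_pkcs ]; then . /etc/default/decrypt_pkcs; fi`. DECIPHER_EXTRA_ARGS is the only variable the @@ -102 hunk expands that gets no fallback here; `DECIPHER_EXTRA_ARGS=${DECIPHER_EXTRA_ARGS:-}` keeps it defined should the script ever run with `set -u`. The comment above the block reads better as `# Load configuration and set default values if missing`.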
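Review bot: `$SMARTCARD_PRESENCE_COMMAND $SMARTCARD_PRESENCE_ARGS` on the added line in check_card depends on unquoted expansion to split the arguments, which also exposes the values to pathname expansion and trips ShellCheck SC2086; the same pattern recurs on every `${DECIPHER_COMMAND}` line of the @@ -102 hunk. Since the values come from a root-owned file under /etc this is a design decision rather than a defect, but it should be stated once so nobody later quotes the expansions and breaks multi-word arguments: `# Intentionally unquoted: *_ARGS hold whitespace-separated argument lists` followed by `# shellcheck disable=SC2086` directly above the `if`. Arguments that themselves contain spaces or glob characters cannot be expressed with this scheme, which is worth saying in the same comment.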
@@ -102,22 +110,22 @@
 if [ $plymouth = 1 ] ; then
 if [ $osk_sdl = 1 ] ; then
 # Get pin number from osk_sdl
 plymouth hide-splash 2>/dev/null
- /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \
- --pin "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
+ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
+ $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
 plymouth show-splash 2>/dev/null
 else
 # Get pin number from plymouth
- /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \
- --pin "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
+ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
+ $DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
 fi
 else
 if [ $osk_sdl = 1 ] ; then
 # Get pin number from osk_sdl
- /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \
- --pin "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
+ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
+ $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
 else
 # Get pin number from console
- /usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw /dev/console
+ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS /dev/console
 fi
 fi
diff --git a/decrypt_pkcs_default b/decrypt_pkcs_default
new file mode 100644
index 0000000..1ed6559
--- /dev/null
+++ b/decrypt_pkcs_default
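Review bot: The invocation `${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS …` is now spelled out four times in this hunk, and the argument order it imposes on a custom command (fixed args, then the key argument, then extra args, then the PIN option and its value or /dev/console) is documented only in decrypt_pkcs_default, not in the script that enforces it. A small helper defined next to the check_* functions (outside this hunk) would give that ordering one home and leave each branch with only the part that differs, the PIN source. The branches would then read `run_decipher "$1" $DECIPHER_ASK_PIN "$(…)"` and `run_decipher "$1" /dev/console`, and a future change to the ordering touches one line instead of four.
```shell
# Run the configured decipher command on the key argument $1.
# Any further arguments are appended after DECIPHER_EXTRA_ARGS: the PIN
# option and its value when a PIN was collected, or /dev/console.
# *_ARGS are intentionally unquoted so they split into several words.
run_decipher() {
	infile=$1
	shift
	${DECIPHER_COMMAND} $DECIPHER_ARGS "$infile" $DECIPHER_EXTRA_ARGS "$@"
}
# … unchanged: plymouth / osk_sdl branch selection …
		run_decipher "$1" $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
# … unchanged: remaining branches, each reduced to one run_decipher call …
		run_decipher "$1" /dev/console
```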
@@ -0,0 +1,27 @@
+# Decrypt_PKCS initramfs configuration
+
+# Smartcard presence test
+SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
+SMARTCARD_PRESENCE_ARGS='-n'
+
+# PKCS decipher command default to pkcs15-crypt
+#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
+DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
+
+# PKCS decipher extra library (usefull with pkcs11 or custom command)
+# The initramfs hook will search in the multiarch default library path
+# eg where the libc is stored and its subfolders.
+# Wildcard is allowed by using the find command
+DECIPHER_EXTRA_LIBS=
+
+# Define command parameters
+# DECIPHER_ARGS is followed by the data to decipher
+# DECIPHER_EXTRA_ARGS allow customization
+# DECIPHER_ASKPIN is followed by the PIN input from user
+# Default value for pkcs15-crypt
+#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
+#DECIPHER_EXTRA_ARGS=
+#DECIPHER_ASK_PIN='--pin'
+DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
+DECIPHER_EXTRA_ARGS=
+DECIPHER_ASK_PIN='--pin'
diff --git a/decrypt_pkcs_hook b/decrypt_pkcs_hook
index 2007467..3d61613 100755
--- a/decrypt_pkcs_hook
+++ b/decrypt_pkcs_hook
@@ -23,6 +23,13 @@ if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_pkcs" ] || [ ! -f "$TABFILE"
 exit 0
 fi
+# Fetching local parameters
+if [ -f /etc/default/decrypt_pkcs ] ; then
+ . /etc/default/decrypt_pkcs
+fi
+DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
+SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}
+
 # Hooks for loading smartcard reading software into the initramfs
 copy_keys() {
 crypttab_parse_options
@@ -45,7 +52,7 @@ crypttab_foreach_entry copy_keys
 # Install directories needed by smartcard reading daemon, command, and
 # key-script
-mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp"
+mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp" "$DESTDIR/etc/default"
 # Install pcscd daemon, drivers, conf file
 copy_exec /usr/sbin/pcscd
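Review bot: The DECIPHER_EXTRA_LIBS block promises that the initramfs hook searches the multiarch library path for the listed libraries, but none of the decrypt_pkcs_hook hunks in this commit read DECIPHER_EXTRA_LIBS, so as far as this patch shows the setting is inert; either drop the block or mark it `# Not yet implemented: ignored by the hook` until the hook consumes it. The comment `# DECIPHER_ASKPIN is followed by the PIN input from user` names a variable that does not exist; it should read `# DECIPHER_ASK_PIN is followed by the PIN input from user`, and `usefull` should be `useful`. Because both scripts source this file as shell code, a header such as `# Sourced by /bin/sh from decrypt_pkcs and decrypt_pkcs_hook: plain VAR=value assignments only, no commands` tells an administrator what is safe to put here and that anything else runs with root privileges at boot.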
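Review bot: The two fallback assignments below the `if` duplicate the defaults that decrypt_pkcs sets for itself; if one side is edited without the other, the hook copies a different binary into the initramfs from the one the keyscript runs at boot, and the mismatch only surfaces at unlock time. A one-line reminder above them, `# Must match the defaults in decrypt_pkcs: the keyscript can only run what is copied here`, makes the coupling visible. Sourcing the file into the hook's own namespace also means a stray `DESTDIR=` or `RV=` line in the config would silently redirect the install or the exit status; if that is a concern, reading only the expected variables (for example by sourcing in a subshell that prints them) bounds what the file can affect.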
@@ -60,7 +67,9 @@ cp -t "$DESTDIR/etc" /etc/libccid_Info.plist
 # Install opensc commands and conf file
 copy_exec /usr/bin/opensc-tool
-copy_exec /usr/bin/pkcs15-crypt
+copy_exec $SMARTCARD_PRESENCE_COMMAND
+copy_exec $DECIPHER_COMMAND
 cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
+cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs
 exit $RV
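Review bot: `copy_exec $SMARTCARD_PRESENCE_COMMAND` and `copy_exec $DECIPHER_COMMAND` expand unquoted, and unlike the *_ARGS values these are single paths, so they should be quoted: `copy_exec "$SMARTCARD_PRESENCE_COMMAND"` and `copy_exec "$DECIPHER_COMMAND"`. The added `cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs` runs even when the file is absent, although the load at @@ -23 treats it as optional; wrap it in the same `[ -f /etc/default/decrypt_pkcs ]` test so an absent config does not print a cp error on every update-initramfs run. When SMARTCARD_PRESENCE_COMMAND keeps its default, the unchanged `copy_exec /usr/bin/opensc-tool` line above now copies the same binary twice, which is harmless but makes the fixed line redundant. If a configured command is not executable on the host, copy_exec fails; whether that aborts the hook or only sets RV depends on options set outside this hunk, so it is worth checking that a typo in the config cannot produce an initramfs that lacks the decipher tool.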