[feat] Allow custom commands

* Decipher command
  * Smartcard presence test
This commit is contained in:
Alex 2021-04-05 09:51:47 +02:00
parent 03e7e40d67
commit 1195a1a762
4 changed files with 56 additions and 10 deletions


@ -66,6 +66,8 @@ The OSK-SDL parts are inspired by Mobian package https://salsa.debian.org/Debian
```sudo cp decrypt_pkcs_hook /etc/initramfs-tools/hooks && chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs_hook ``` ```sudo cp decrypt_pkcs_hook /etc/initramfs-tools/hooks && chmod +x /etc/initramfs-tools/hooks/decrypt_pkcs_hook ```
```sudo cp decrypt_pkcs_default /etc/default/decrypt_pkcs ```
```sudo update-initramfs -u``` ```sudo update-initramfs -u```
10. Test smartcard (without USB Key) 10. Test smartcard (without USB Key)


@ -9,6 +9,14 @@
# Although opensc-tool --help reports that there is a --wait option, it doesn't # Although opensc-tool --help reports that there is a --wait option, it doesn't
# seem to be implemented. # seem to be implemented.
# Load configuration and test set default value if missing
. /etc/default/decrypt_pkcs
SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}
SMARTCARD_PRESENCE_ARGS=${SMARTCARD_PRESENCE_ARGS:-'-n'}
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
DECIPHER_ARGS=${DECIPHER_ARGS:-'--decipher --pkcs1 --raw --input'}
DECIPHER_ASK_PIN=${DECIPHER_ASK_PIN:-'--pin'}
check_plymouth() { check_plymouth() {
plymouth=0 plymouth=0
if [ -x /bin/plymouth ] && plymouth --ping > /dev/null ; then if [ -x /bin/plymouth ] && plymouth --ping > /dev/null ; then
@ -27,7 +35,7 @@ check_osk_sdl() {
check_card() { check_card() {
cardfound=0 cardfound=0
if /usr/bin/opensc-tool -n >/dev/null 2>&1; then if $SMARTCARD_PRESENCE_COMMAND $SMARTCARD_PRESENCE_ARGS >/dev/null 2>&1; then
cardfound=1 cardfound=1
fi fi
} }
@ -102,22 +110,22 @@ if [ $plymouth = 1 ] ; then
if [ $osk_sdl = 1 ] ; then if [ $osk_sdl = 1 ] ; then
# Get pin number from osk_sdl # Get pin number from osk_sdl
plymouth hide-splash 2>/dev/null plymouth hide-splash 2>/dev/null
/usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
--pin "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)" $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
plymouth show-splash 2>/dev/null plymouth show-splash 2>/dev/null
else else
# Get pin number from plymouth # Get pin number from plymouth
/usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
--pin "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")" $DECIPHER_ASK_PIN "$(plymouth ask-for-password --prompt "Enter pin for $CRYPTTAB_NAME: ")"
fi fi
else else
if [ $osk_sdl = 1 ] ; then if [ $osk_sdl = 1 ] ; then
# Get pin number from osk_sdl # Get pin number from osk_sdl
/usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw \ ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS \
--pin "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)" $DECIPHER_ASK_PIN "$(/usr/bin/osk-sdl -v -k -d "${CRYPTTAB_SOURCE}" -n "${CRYPTTAB_NAME}" -c /etc/osk.conf)"
else else
# Get pin number from console # Get pin number from console
/usr/bin/pkcs15-crypt --decipher --input "$1" --pkcs1 --raw </dev/console 2>/dev/console ${DECIPHER_COMMAND} $DECIPHER_ARGS "$1" $DECIPHER_EXTRA_ARGS </dev/console 2>/dev/console
fi fi
fi fi
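Review bot: The keyscript now sources `/etc/default/decrypt_pkcs` unconditionally at the top of the first hunk, while the hook sources the same file only when `[ -f ... ]` holds; if the file is absent from the initramfs the dot command fails and a non-interactive POSIX sh aborts the keyscript before the `${VAR:-default}` fallbacks on the following lines ever run, so those defaults are unreachable in exactly the case they exist for. Guard it the same way the hook does: `[ -f /etc/default/decrypt_pkcs ] && . /etc/default/decrypt_pkcs`. In check_card and in the three decipher calls the command variables are expanded unquoted; that is needed for `$DECIPHER_ARGS` to split into separate words, but `"$SMARTCARD_PRESENCE_COMMAND"` and `"${DECIPHER_COMMAND}"` can be quoted so a configured path with spaces still works, and a comment at the config-loading block should state that the `*_ARGS` values are intentionally word-split. `$DECIPHER_EXTRA_ARGS` is used in the third hunk but gets no default next to the other five variables; an explicit `DECIPHER_EXTRA_ARGS=${DECIPHER_EXTRA_ARGS:-}` would complete the set. The `if [ $plymouth = 1 ]` block the third hunk edits starts before the hunk.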

decrypt_pkcs_default Normal file

@ -0,0 +1,27 @@
# Decrypt_PKCS initramfs configuration
# Smartcard presence test
SMARTCARD_PRESENCE_COMMAND=/usr/bin/opensc-tool
SMARTCARD_PRESENCE_ARGS='-n'
# PKCS decipher command default to pkcs15-crypt
#DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
DECIPHER_COMMAND=/usr/bin/pkcs15-crypt
# PKCS decipher extra library (usefull with pkcs11 or custom command)
# The initramfs hook will search in the multiarch default library path
# eg where the libc is stored and its subfolders.
# Wildcard is allowed by using the find command
DECIPHER_EXTRA_LIBS=
# Define command parameters
# DECIPHER_ARGS is followed by the data to decipher
# DECIPHER_EXTRA_ARGS allow customization
# DECIPHER_ASKPIN is followed by the PIN input from user
# Default value for pkcs15-crypt
#DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
#DECIPHER_EXTRA_ARGS=
#DECIPHER_ASK_PIN='--pin'
DECIPHER_ARGS='--decipher --pkcs1 --raw --input'
DECIPHER_EXTRA_ARGS=
DECIPHER_ASK_PIN='--pin'
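Review bot: `DECIPHER_EXTRA_LIBS` is documented near the top of the new file as something the initramfs hook searches for in the multiarch library path, but none of the hook hunks in this commit read that variable (the hook only runs `copy_exec` on the two command paths), so the option is inert and the comment promises behaviour that does not exist yet; either drop the variable or change the comment to `# DECIPHER_EXTRA_LIBS: reserved, not yet read by the hook`. The comment on the PIN option says `DECIPHER_ASKPIN` while the variable below it is `DECIPHER_ASK_PIN`. Since this file is executed as shell code by both the hook and the keyscript, a header comment such as `# Values are sourced as shell and the *_ARGS values are split on whitespace; do not use quotes or shell metacharacters in them` would help anyone customising the commands.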


@ -23,6 +23,13 @@ if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_pkcs" ] || [ ! -f "$TABFILE"
exit 0 exit 0
fi fi
# Fetching local parameters
if [ -f /etc/default/decrypt_pkcs ] ; then
. /etc/default/decrypt_pkcs
fi
DECIPHER_COMMAND=${DECIPHER_COMMAND:-/usr/bin/pkcs15-crypt}
SMARTCARD_PRESENCE_COMMAND=${SMARTCARD_PRESENCE_COMMAND:-/usr/bin/opensc-tool}
# Hooks for loading smartcard reading software into the initramfs # Hooks for loading smartcard reading software into the initramfs
copy_keys() { copy_keys() {
crypttab_parse_options crypttab_parse_options
@ -45,7 +52,7 @@ crypttab_foreach_entry copy_keys
# Install directories needed by smartcard reading daemon, command, and # Install directories needed by smartcard reading daemon, command, and
# key-script # key-script
mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp" mkdir -p -- "$DESTDIR/etc/opensc" "$DESTDIR/usr/lib/pcsc" "$DESTDIR/var/run" "$DESTDIR/tmp" "$DESTDIR/etc/default"
# Install pcscd daemon, drivers, conf file # Install pcscd daemon, drivers, conf file
copy_exec /usr/sbin/pcscd copy_exec /usr/sbin/pcscd
@ -60,7 +67,9 @@ cp -t "$DESTDIR/etc" /etc/libccid_Info.plist
# Install opensc commands and conf file # Install opensc commands and conf file
copy_exec /usr/bin/opensc-tool copy_exec /usr/bin/opensc-tool
copy_exec /usr/bin/pkcs15-crypt copy_exec $SMARTCARD_PRESENCE_COMMAND
copy_exec $DECIPHER_COMMAND
cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf cp -t "$DESTDIR/etc/opensc" /etc/opensc/opensc.conf
cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs
exit $RV exit $RV
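Review bot: The copy at the end of the last hunk, `cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs`, runs unconditionally even though the first hunk sources the same file only when `[ -f /etc/default/decrypt_pkcs ]`; on a host without the file cp prints an error and, depending on how `$RV` is set earlier in the script (outside these hunks), may fail the whole hook. Wrap it in the same test: `if [ -f /etc/default/decrypt_pkcs ] ; then` / `cp -t "$DESTDIR/etc/default" /etc/default/decrypt_pkcs` / `fi`. Because the file is sourced as shell by this root-run hook and again inside the initramfs, it is worth refusing to source a file that is not root-owned or is group/world-writable (for example a `find /etc/default/decrypt_pkcs -maxdepth 0 -user root ! -perm /022` test) so a loosely-permissioned config cannot inject commands into the boot path. The `copy_exec` of `$SMARTCARD_PRESENCE_COMMAND` and `$DECIPHER_COMMAND` is unquoted and, if the configured value is empty or not an existing executable, presumably fails at build time rather than at boot; an explicit `[ -x "$DECIPHER_COMMAND" ] || { echo "decrypt_pkcs: $DECIPHER_COMMAND not executable" >&2; exit 1; }` would make that failure visible.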