Trying to extract my keyfile (Private Object 3) from Cryptostick ver 1.2 using TrueCrypt 7.1a via OpenPGP11_32.dll module in Windows 8 x64. No success. After entering a PIN, I get an error “Security token error: FUNCTION FAILED”.
Sorry, I can’t. Have no access to a Windows 8 Pro x64 desktop at the moment. But I notified the developer about a possible driver incompatibility. He told me he’ll be able to verify the problem by himself no sooner than the end of the year.
still no luck.
I installed it and browsed to the dll, gives this error:
TrueCrypt
Failed to initialize PKCS #11 security token library.
Please make sure the specified path and filename refer to a valid PKCS #11 library. To specify a PKCS #11 library path and filename, select ‘Settings’ > ‘Security Tokens’.
OK
also if I try autodetect, it detects nothing.
TrueCrypt
No PKCS #11 library has been found in the Windows system directory.
Please make sure that a PKCS #11 library for your security token (or for your smart card) is installed (such a library may be supplied with the token/card or it may be available for download from the website of the vendor or other third parties). If it is installed in a directory other than the Windows system directory, click ‘Select Library’ to locate the library (e.g. in the folder where the software for the token/card is installed).
FYI, I installed OpenSC 0.13.0 x64 on Win7 x64 and got the same error in TrueCrypt. It simply can’t find x64 dll no matter what path you enter. But you can install OpenSC 0.13.0 x32 on your x64 system, and it would work. But then the other problem appears in TrueCrypt: OpenSC PKCS#11 module asks for a PIN twice in a row (User one and undetermined one) and always returns an error “Incorrect PIN”. Firefox demonstrates the very same behavior.
So, still no working solution for Win8 x64 (and OpenSC driver doesn’t work properly, at least straight out of the box).
Did you try to enter the User PIN twice? You can verify which PIN you entered wrongly by executing “gpg --card-status” afterwards and see if either the User or Admin PIN counter has been decreased from 3. The PKCS#11 dialog boxes may ask for different PIN identifiers than used by the Crypto Stick and this method may reveal which PIN is actually required. Be careful not to lock your Crypto Stick irrecoverably by entering a wrong Admin PIN three times.
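The counter check suggested in the post above, as an added example that is not part of the original thread: it compares the `PIN retry counter` line from two `gpg --card-status` snapshots and names the PIN whose counter dropped. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed `gpg --card-status` excerpts (not captured from a real device).
BEFORE = """\
Version ..........: 2.0
Signature PIN ....: forced
PIN retry counter : 3 0 3
Signature counter : 12
"""
AFTER = BEFORE.replace("3 0 3", "2 0 3")  # one failed User PIN attempt

# Order of the three counters on an OpenPGP card: User PIN, Reset Code, Admin PIN.
FIELDS = ("user", "reset_code", "admin")


def retry_counters(status_text):
    """Return the three PIN retry counters from `gpg --card-status` output."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s*$",
                  status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'PIN retry counter' line found")
    return dict(zip(FIELDS, map(int, m.groups())))


def consumed(before_text, after_text):
    """Name the counters that dropped between two snapshots."""
    before, after = retry_counters(before_text), retry_counters(after_text)
    return [name for name in FIELDS if after[name] < before[name]]


def admin_at_risk(status_text, floor=1):
    """True when one more wrong Admin PIN could lock the card for good."""
    return retry_counters(status_text)["admin"] <= floor


if __name__ == "__main__":
    print("counters now:", retry_counters(AFTER))
    print("PIN rejected by the card:", consumed(BEFORE, AFTER))
    print("admin PIN at risk:", admin_at_risk(AFTER))
```

Take the first snapshot before opening the PKCS#11 prompt and the second right after the failure; a dialog labelled one way that decrements the other counter shows which PIN the module really asked for.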
It seems that OSC x64 dll module can’t be loaded in any Windows x32 application, which makes sense.
As for PINs, I tried what you’d suggested. Both PINs are actually the same User PIN. I downloaded and installed the latest OSC x32 build again, and the ‘Incorrect PIN’ error disappeared (don’t know why, did nothing with my OS). BUT after entering the correct User PIN in both prompts, TrueCrypt shows that there is no existing keyfile (token object) on my CryptoStick. All works fine with dll module by Peter Koch, though.
If it matters, the first PIN prompt (spelling preserved) is Enter password/PIN for token 'OpenPGP card (User PIN
the second one is Enter password/PIN for token 'OpenPGP card (User PIN):
I’m not a very sophisticated IT guy, maybe it’d be better if one of the CryptoStick or OpenSC developers tried to reproduce and solve this issue.
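A quick way to confirm the architecture mismatch described above (an x64 PKCS#11 DLL offered to a 32-bit application), as an added example that is not part of the original thread. It reads the Machine field from a PE file's COFF header; the `fake_pe` stubs are constructed test input, and all function names are hypothetical.

```python
import struct
import sys

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}


def pe_machine(data):
    """Return the CPU architecture named in a PE file's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
    if pe_offset + 6 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINES.get(machine, "unknown (0x%04x)" % machine)


def can_load(host, module):
    """A Windows process can only load DLLs built for its own architecture."""
    return pe_machine(host) == pe_machine(module)


def fake_pe(machine):
    """Build a constructed, header-only PE stub for the demo (not a real DLL)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <application.exe> <pkcs11.dll>
        host, module = (open(p, "rb").read(4096) for p in sys.argv[1:3])
    else:  # fall back to the constructed stubs
        host, module = fake_pe(0x014C), fake_pe(0x8664)
    print("application:", pe_machine(host))
    print("PKCS#11 module:", pe_machine(module))
    print("loadable:", can_load(host, module))
```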
To me it seems to be a TrueCrypt “issue” - which may not be an issue. AFAIK TrueCrypt doesn’t use the proper encryption feature of smart cards (and the Crypto Stick). Instead it stores the password in plain on the password protected device. This may be the “keyfile” you are mentioning. I suggest you search how to use TrueCrypt with smart cards and it should teach you how to set up and use the device with TrueCrypt.
TrueCrypt stores a keyfile within CryptoStick DO3 (Data object 3), which can be extracted (and eavesdropped by malware) in “plain” format only after entering a User PIN. Till then it’s encrypted and not accessible. It suits my needs well enough.
As I mentioned before, Peter’s dll works fine. I generated a TrueCrypt keyfile filled with randoms and saved it to CryptoStick exactly by its (TrueCrypt) manual. It works just like it should. One of the OSC console utilities also says that DO3 (my keyfile) does exist on my stick. The only problem is with the OSC PKCS#11 dll. I don’t have any expertise in debugging stuff like that, it will be easier if you just try to reproduce and (not)confirm the issue by yourself.
And, yeah, Firefox 17/18 do the same thing: 2 PINs to enter, no X.509 certificate on the stick found (although I have AUTH one to authorize on some websites which, again, works with Peter’s dll like a charm).
Jans, maybe this forum isn’t the right place for troubleshooting third party software, like OpenSC? Wouldn’t it be more efficient to report a bug directly to OpenSC Project, what do you think? Or do the CryptoStick developers have a special relationship with OSC Project, through having a commercial agreement for adapting OSC with CryptoStick for instance? What’s the best, fastest way to draw the developers into digging into this issue?
Guys, you have pretty nice hardware here, but without end-user software essentials it’s just an iron rock. I mean, you still don’t even have fully functional PKCS#11 cross-platform software support - the vital stuff, but have already been trying to assemble the next version of SC - v2. What about users and money they paid for your previous work?
Jans, I’ve filed the issue here github.com/OpenSC/OpenSC/issues/125, but don’t see any progress there, not even a bit of attention at all. Is it possible I chose the wrong place again?
Indeed some development is needed to fix this issue. Our developer is working on it. Communication will be done in the issue github.com/OpenSC/OpenSC/issues/125