Problems with OpenPGP CryptoStick smartcard and OpenSC PKCS#11 module #125
Comments
To sum up the problems with the PKCS#11 driver on Windows 7:
I'm just an end-user, not a programmer. How can I draw the OpenSC developers into digging into these issues? Thanks in advance.
Default behavior of OpenSC is to expose one slot per PIN and per on-card application.
In both cases I used the default opensc.conf, so there were 2 PINs in a row to enter. It seems "User PIN" and "User PIN (sig)" are different. The smart-card itself has two PINs - User and Admin. But I entered the same User PIN in both PIN prompts and can still successfully access my X.509 certificate in Firefox. Firefox shows a dialog which states that the certificate was retrieved by using "User PIN" (not "User PIN (sig)"): http://imageshost.ru/photo/11766/id2826329.html I also tried to cut off "User PIN (sig)" by using the option "create_slots_for_pins" in the opensc.conf file and leave only "User PIN" to enter. No success. "User PIN (sig)" is always there, with or without "User PIN" depending on the options I use:
Viktor, it seems you're Russian (or from one of the ex-USSR regions). If so, we can use the Russian language to communicate more productively.
Hi Viktor and neuro18,
@viktorTarasov Do you have any idea where the error may come from? Update:
I found the cause: My PKCS15 binding for the OpenPGP card does not support the "DATA" object yet. This object type is used by TrueCrypt to store its own data.
Thank you, Hongquan. And what about disabling the "User PIN (sig)" entry in the .conf file or some other way?
@neuro18 There is no way to disable the "User PIN (sig)" slot.
@neuro18 By default a PKCS#11 slot is created for any preset PKCS#15 PIN object. Look at the comments in
@viktorTarasov
What is the output of
Ok, thanks. Try to remove the 'local' flag from the UserPIN and AdminPIN -- all your PINs are defined at the MF level, so, for me they are all 'global'. Nevertheless, leave the 'local' flag for the SignPIN -- it will allow the PKCS#11 framework to distinguish UserPIN and SignPIN. (Probably we should introduce an explicit internal flag for that at the PKCS#15 level.)
@viktorTarasov
@neuro18 Finally, I think that we could introduce a new option into the OpenSC configuration to override the internal mechanism used to distinguish User and Sign PINs.
@neuro18 Sorry for this limitation.
@viktorTarasov @hongquan
OK.
Hello. I have several problems under Windows 7 x64 using a GPF CryptoStick v1.2 smart-card and the OpenSC 0.13.0 (and below) opensc-pkcs11.dll module:
TRUECRYPT 7.1a
I have a keyfile stored in the CryptoStick DO3 by TrueCrypt itself via the proprietary PKCS#11 module recommended by the manufacturer
http://imageshost.ru/photo/177858/id2747477.html
setting up TrueCrypt to use OpenSC PKCS#11 module
http://imageshost.ru/photo/177965/id2747476.html
when trying to mount a TrueCrypt volume with a keyfile I get a User PIN request twice in a row:
FIRST - http://imageshost.ru/photo/50551/id2747470.html
SECOND - http://imageshost.ru/photo/50539/id2747471.html
after entering the User PIN twice I get either a 'Security Token Error'
http://imageshost.ru/photo/41896/id2747473.html
or 'Keyfile not found' error
http://imageshost.ru/photo/50329/id2747472.html
The available keyfiles list is empty; the TrueCrypt volume obviously is not mounted
http://imageshost.ru/photo/178020/id2747469.html
FIREFOX (and any app utilizing X.509 certificate stored into CryptoStick)
load OpenSC PKCS#11 module
http://imageshost.ru/photo/322098/id2747480.html
the same behavior of asking for a User PIN twice in a row:
http://imageshost.ru/photo/66486/id2747479.html
AND
http://imageshost.ru/photo/70470/id2747478.html
the certificate is SUCCESSFULLY retrieved from the smart-card
However, there are no problems at all when using the proprietary DLL mentioned above
http://smartcard-auth.de/download-en.html
PS. Here is the "pkcs11-tool --list-slots --module opensc-pkcs11.dll" execution result if needed:
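As an added example (not part of this issue and not OpenSC's own code): a small Python script that parses `pkcs11-tool --list-slots` output in the shape OpenSC prints it and shows the slot-per-PIN behaviour described in the thread, where one OpenPGP card is exposed as two tokens, "User PIN" and "User PIN (sig)", each with its own login. The sample output below is constructed for the example rather than taken from the reporter (whose output is not on the page); the reader name, serial number and slot numbers are assumptions. The last function only builds a `pkcs11-tool --slot ...` command line for one chosen slot so you can inspect which objects sit behind which PIN.

```python
import re

# Constructed sample in the shape of `pkcs11-tool --list-slots --module opensc-pkcs11.dll`.
# Reader name, serial number and slot numbers are assumptions for the example.
SAMPLE_LIST_SLOTS = """\
Available slots:
Slot 0 (0x0): OmniKey CardMan 3x21 0
  token label        : OpenPGP card (User PIN)
  token manufacturer : ZeitControl
  token model        : PKCS#15 emulated
  token flags        : login required, PIN initialized, token initialized
  hardware version   : 2.0
  firmware version   : 2.0
  serial num         : 000500001234
  pin min/max        : 6/32
Slot 1 (0x1): OmniKey CardMan 3x21 0
  token label        : OpenPGP card (User PIN (sig))
  token manufacturer : ZeitControl
  token model        : PKCS#15 emulated
  token flags        : login required, PIN initialized, token initialized
  hardware version   : 2.0
  firmware version   : 2.0
  serial num         : 000500001234
  pin min/max        : 6/32
Slot 2 (0x2): OmniKey CardMan 3x21 0
  (empty)
"""

SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
FIELD_RE = re.compile(r"^\s+([^:]+?)\s*:\s*(.*)$")


def parse_list_slots(text):
    """Turn `pkcs11-tool --list-slots` text into a list of slot dicts.

    Each dict has 'id', 'reader', 'empty' plus the indented 'key : value'
    fields (e.g. 'token label', 'serial num') that followed the Slot line.
    """
    slots = []
    current = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "reader": m.group(3).strip(), "empty": False}
            slots.append(current)
            continue
        if current is None:
            continue  # header text before the first slot
        if line.strip() == "(empty)":
            current["empty"] = True
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return slots


def pin_role(token_label):
    """Map an OpenSC token label to the PIN it stands for: 'sig', 'user' or None.

    The '(sig)' test runs first because the signature label also contains 'User PIN'.
    """
    label = token_label.lower()
    if "(sig)" in label:
        return "sig"
    if "user pin" in label:
        return "user"
    return None


def slots_by_role(slots):
    """Return {'user': slot_id, 'sig': slot_id} for the non-empty slots found."""
    roles = {}
    for s in slots:
        if s["empty"]:
            continue
        role = pin_role(s.get("token label", ""))
        if role:
            roles[role] = s["id"]
    return roles


def same_card(slots):
    """True when every non-empty slot reports the same serial number, i.e. one
    physical card is behind all of them (hence one User PIN asked for twice)."""
    serials = {s.get("serial num") for s in slots if not s["empty"]}
    return len(serials) == 1


def pkcs11_cmd_for_slot(slot_id, module="opensc-pkcs11.dll"):
    """Command line that logs in to a single slot and lists its objects."""
    return ["pkcs11-tool", "--module", module, "--slot", str(slot_id),
            "--login", "--list-objects"]


if __name__ == "__main__":
    parsed = parse_list_slots(SAMPLE_LIST_SLOTS)
    for s in parsed:
        print(s["id"], s["reader"], "(empty)" if s["empty"] else s.get("token label"))
    roles = slots_by_role(parsed)
    print("roles:", roles, "same card:", same_card(parsed))
    print(" ".join(pkcs11_cmd_for_slot(roles["user"])))
```

Running it against real output (`pkcs11-tool --list-slots --module opensc-pkcs11.dll > slots.txt`, then feeding the file to `parse_list_slots`) tells you which slot number carries the plain "User PIN" token; an application that can be pointed at a single slot then only triggers one login.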