pgp-binary-keys 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388
  1. #------------------------------------------------------------------------------
  2. # $File: pgp-binary-keys,v 1.2 2021/04/26 15:56:00 christos Exp $
  3. # pgp-binary-keys: This file handles pgp binary keys.
  4. #
  5. # An PGP certificate or message doesn't have a fixed header. Instead,
  6. # they are sequences of packets:
  7. #
  8. # https://tools.ietf.org/html/rfc4880#section-4.3
  9. #
  10. # whose order conforms to a grammar:
  11. #
  12. # https://tools.ietf.org/html/rfc4880#section-11
  13. #
  14. # Happily most packets have a few fields that are constrained, which
  15. # allow us to fingerprint them with relatively high certainty.
  16. #
  17. # A PGP packet is described by a single byte: the so-called CTB. The
  18. # high-bit is always set. If bit 6 is set, then it is a so-called
  19. # new-style CTB; if bit 6 is clear, then it is a so-called old-style
  20. # CTB. Old-style CTBs have only four bits of type information; bits
  21. # 1-0 are used to describe the length. New-style CTBs have 6 bits of
  22. # type information.
  23. #
  24. # Following the CTB is the packet's length in bytes. If we blindly
  25. # advance the file cursor by this amount past the end of the length
  26. # information we come to the next packet.
  27. #
  28. # Data Structures
  29. # ===============
  30. #
  31. # New Style CTB
  32. # -------------
  33. #
  34. # https://tools.ietf.org/html/rfc4880#section-4.2.2
  35. #
  36. # 76543210
  37. # ||\----/
  38. # || tag
  39. # |always 1
  40. # always 1
  41. #
  42. # Tag bits 7 and 6 set
  43. # 0 0xC0 -- Reserved - a packet tag MUST NOT have this value
  44. # 1 0xC1 -- Public-Key Encrypted Session Key Packet
  45. # 2 0xC2 -- Signature Packet
  46. # 3 0xC3 -- Symmetric-Key Encrypted Session Key Packet
  47. # 4 0xC4 -- One-Pass Signature Packet
  48. # 5 0xC5 -- Secret-Key Packet
  49. # 6 0xC6 -- Public-Key Packet
  50. # 7 0xC7 -- Secret-Subkey Packet
  51. # 8 0xC8 -- Compressed Data Packet
  52. # 9 0xC9 -- Symmetrically Encrypted Data Packet
  53. # 10 0xCA -- Marker Packet
  54. # 11 0xCB -- Literal Data Packet
  55. # 12 0xCC -- Trust Packet
  56. # 13 0xCD -- User ID Packet
  57. # 14 0xCE -- Public-Subkey Packet
  58. # 17 0xD1 -- User Attribute Packet
  59. # 18 0xD2 -- Sym. Encrypted and Integrity Protected Data Packet
  60. # 19 0xD3 -- Modification Detection Code Packet
  61. # 60 to 63 -- Private or Experimental Values
  62. #
  63. # The CTB is followed by the length header, which is densely encoded:
  64. #
  65. # if length[0] is:
  66. # 0..191: one byte length (length[0])
  67. # 192..223: two byte length ((length[0] - 192) * 256 + length[2] + 192
  68. # 224..254: four byte length (big endian interpretation of length[1..5])
  69. # 255: partial body encoding
  70. #
  71. # The partial body encoding is similar to HTTP's chunk encoding. It
  72. # is only allowed for container packets (SEIP, Compressed Data and
  73. # Literal).
  74. #
  75. # Old Style CTB
  76. # -------------
  77. #
  78. # https://tools.ietf.org/html/rfc4880#section-4.2.1
  79. #
  80. # CTB:
  81. #
  82. # 76543210
  83. # ||\--/\/
  84. # || | length encoding
  85. # || tag
  86. # |always 0
  87. # always 1
  88. #
  89. # Tag:
  90. #
  91. # Tag bit 7 set, bits 6, 1, 0 clear
  92. # 0 0x80 -- Reserved - a packet tag MUST NOT have this value
  93. # 1 0x84 -- Public-Key Encrypted Session Key Packet
  94. # 2 0x88 -- Signature Packet
  95. # 3 0x8C -- Symmetric-Key Encrypted Session Key Packet
  96. # 4 0x90 -- One-Pass Signature Packet
  97. # 5 0x94 -- Secret-Key Packet
  98. # 6 0x98 -- Public-Key Packet
  99. # 7 0x9C -- Secret-Subkey Packet
  100. # 8 0xA0 -- Compressed Data Packet
  101. # 9 0xA4 -- Symmetrically Encrypted Data Packet
  102. # 10 0xA8 -- Marker Packet
  103. # 11 0xAC -- Literal Data Packet
  104. # 12 0xB0 -- Trust Packet
  105. # 13 0xB4 -- User ID Packet
  106. # 14 0xB8 -- Public-Subkey Packet
  107. #
  108. # Length encoding:
  109. #
  110. # Value
  111. # 0 1 byte length (following byte is the length)
  112. # 1 2 byte length (following two bytes are the length)
  113. # 2 4 byte length (following four bytes are the length)
  114. # 3 indeterminate length: natural end of packet, e.g., EOF
  115. #
  116. # An indeterminate length is only allowed for container packets
  117. # (SEIP, Compressed Data and Literal).
  118. #
  119. # Certificates
  120. # ------------
  121. #
  122. # We check the first three packets to determine if a sequence of
  123. # OpenPGP packets is likely to be a certificate. The grammar allows
  124. # the following prefixes:
  125. #
  126. # [Primary Key] [SIG] (EOF or another certificate)
  127. # [Primary Key] [SIG] [User ID] [SIG]...
  128. # [Primary Key] [SIG] [User Attribute] [SIG]...
  129. # [Primary Key] [SIG] [Subkey] [SIG]...
  130. # [Primary Key] [User ID] [SIG]...
  131. # [Primary Key] [User Attribute] [SIG]...
  132. # [Primary Key] [Subkey] [SIG]...
  133. #
  134. # Any number of marker packets are also allowed between each packet,
  135. # but they are not normally used and we don't currently check for
  136. # them.
  137. #
  138. # The keys and subkeys may be public or private.
  139. #
  140. # Key packets and signature packets are versioned. There are two
  141. # packet versions that we need to worry about in practice: v3 and v4.
  142. # v4 packets were introduced in RFC 2440, which was published in 1998.
  143. # It also deprecated v3 packets. There are no actively used v3
  144. # certificates (GnuPG removed the code to support them in November
  145. # 2014). But there are v3 keys lying around and it is useful to
  146. # identify them. The next version of OpenPGP will introduce v5 keys.
  147. # The document has not yet been standardized so changes are still
  148. # possible. But, for our purposes, it appears that v5 data structures
  149. # will be identical to v4 data structures modulo the version number.
  150. #
  151. # https://tools.ietf.org/html/rfc2440
  152. # https://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000358.html
  153. # https://www.ietf.org/id/draft-ietf-openpgp-rfc4880bis-09.html#name-key-material-packet
  154. # The first packet has to be a public key or a secret key.
  155. #
  156. # New-Style Public Key
  157. 0 ubyte =0xC6 OpenPGP Public Key
  158. >&0 use primary_key_length_new
  159. # New-Style Secret Key
  160. 0 ubyte =0xC5 OpenPGP Secret Key
  161. >&0 use primary_key_length_new
  162. # Old-Style Public Key
  163. 0 ubyte&0xFC =0x98 OpenPGP Public Key
  164. >&-1 use primary_key_length_old
  165. # Old-Style Secret Key
  166. 0 ubyte&0xFC =0x94 OpenPGP Secret Key
  167. >&-1 use primary_key_length_old
  168. # Parse the length, check the packet's body and finally advance to the
  169. # next packet.
  170. # There are 4 different new-style length encodings, but the partial
  171. # body encoding is only acceptable for the SEIP, Compressed Data, and
  172. # Literal packets, which isn't valid for any packets in a certificate
  173. # so we ignore it.
  174. 0 name primary_key_length_new
  175. >&0 ubyte <192
  176. #>>&0 ubyte x (1 byte length encoding, %d bytes)
  177. >>&0 use pgp_binary_key_pk_check
  178. >>>&(&-1.B) use sig_or_component_1
  179. >&0 ubyte >191
  180. >>&-1 ubyte <225
  181. # offset = ((offset[0] - 192) << 8) + offset[1] + 192 (for the length header)
  182. # raw - (192 * 256 - 192)
  183. # = 48960
  184. #>>>&0 ubeshort x (2 byte length encoding, %d bytes)
  185. >>>&1 use pgp_binary_key_pk_check
  186. >>>>&(&-2.S-48960) use sig_or_component_1
  187. >&0 ubyte =255
  188. #>>&0 belong x (5 byte length encoding, %d bytes)
  189. >>&4 use pgp_binary_key_pk_check
  190. >>>&(&-4.L) use sig_or_component_1
  191. # Partial body encoding (only valid for container packets).
  192. # >&0 ubyte >224
  193. # >>&0 ubyte <255 partial body encoding
  194. # There are 4 different old-style length encodings, but the
  195. # indeterminate length encoding is only acceptable for the SEIP,
  196. # Compressed Data, and Literal packets, which isn't valid for any
  197. # packets in a certificate.
  198. 0 name primary_key_length_old
  199. #>&0 ubyte x (ctb: %x)
  200. >&0 ubyte&0x3 =0
  201. #>>&0 ubyte x (1 byte length encoding, %d bytes)
  202. >>&1 use pgp_binary_key_pk_check
  203. >>>&(&-1.B) use sig_or_component_1
  204. >&0 ubyte&0x3 =1
  205. #>>&0 ubeshort x (2 byte length encoding, %d bytes)
  206. >>&2 use pgp_binary_key_pk_check
  207. >>>&(&-2.S) use sig_or_component_1
  208. >&0 ubyte&0x3 =2
  209. #>>&0 ubelong x (4 byte length encoding, %d bytes)
  210. >>&4 use pgp_binary_key_pk_check
  211. >>>&(&-4.L) use sig_or_component_1
  212. # Check the Key.
  213. #
  214. # https://tools.ietf.org/html/rfc4880#section-5.5.2
  215. 0 name pgp_binary_key_pk_check
  216. # Valid versions are: 2, 3, 4. 5 is proposed in RFC 4880bis.
  217. # Anticipate a v6 / v7 format that like v5 is compatible with v4.
  218. # key format in a decade or so :D.
  219. >&0 ubyte >1
  220. >>&-1 ubyte <8
  221. >>>&-1 byte x Version %d
  222. # Check that keys were created after 1990.
  223. # (1990 - 1970) * 365.2524 * 24 * 60 * 60 = 631156147
  224. >>>&0 bedate >631156147 \b, Created %s
  225. >>>>&-5 ubyte >3
  226. >>>>>&4 use pgp_binary_key_algo
  227. >>>>&-5 ubyte <4
  228. >>>>>&6 use pgp_binary_key_algo
  229. # Print out the key's algorithm and the number of bits, if this is
  230. # relevant (ECC keys are a fixed size).
  231. 0 name pgp_binary_key_algo
  232. >0 clear x
  233. >&0 ubyte =1 \b, RSA (Encrypt or Sign,
  234. >>&0 ubeshort x \b %d bits)
  235. >&0 ubyte =2 \b, RSA (Encrypt,
  236. >>&0 ubeshort x \b %d bits)
  237. >&0 ubyte =3 \b, RSA (Sign,
  238. >>&0 ubeshort x \b %d bits)
  239. >&0 ubyte =16 \b, El Gamal (Encrypt,
  240. >>&0 ubeshort x \b %d bits)
  241. >&0 ubyte =17 \b, DSA
  242. >>&0 ubeshort x \b (%d bits)
  243. >&0 ubyte =18 \b, ECDH
  244. >&0 ubyte =19 \b, ECDSA
  245. >&0 ubyte =20 \b, El Gamal (Encrypt or Sign,
  246. >>&0 ubeshort x \b %d bits)
  247. >&0 ubyte =22 \b, EdDSA
  248. >&0 default x
  249. >>&0 ubyte x \b, Unknown Algorithm (%#x)
  250. # Match all possible second packets.
  251. 0 name sig_or_component_1
  252. #>0 ubyte x (ctb: %x)
  253. >&0 ubyte =0xC2
  254. >>0 ubyte x \b; Signature
  255. >>&0 use sig_or_component_1_length_new
  256. >&0 ubyte =0xCD
  257. >>0 ubyte x \b; User ID
  258. >>&0 use sig_or_component_1_length_new
  259. >&0 ubyte =0xCE
  260. >>0 ubyte x \b; Public Subkey
  261. >>&0 use sig_or_component_1_length_new
  262. >&0 ubyte =0xC7
  263. >>0 ubyte x \b; Secret Subkey
  264. >>&0 use sig_or_component_1_length_new
  265. >&0 ubyte =0xD1
  266. >>0 ubyte x \b; User Attribute
  267. >>&0 use sig_or_component_1_length_new
  268. >&0 ubyte&0xFC =0x88
  269. >>0 ubyte x \b; Signature
  270. >>&-1 use sig_or_component_1_length_old
  271. >&0 ubyte&0xFC =0xB4
  272. >>0 ubyte x \b; User ID
  273. >>&-1 use sig_or_component_1_length_old
  274. >&0 ubyte&0xFC =0xB8
  275. >>0 ubyte x \b; Public Subkey
  276. >>&-1 use sig_or_component_1_length_old
  277. >&0 ubyte&0xFC =0x9C
  278. >>0 ubyte x \b; Secret Subkey
  279. >>&-1 use sig_or_component_1_length_old
  280. # Copy of 'primary_key_length_new', but calls cert_packet_3.
  281. 0 name sig_or_component_1_length_new
  282. >&0 ubyte <192
  283. #>>&0 ubyte x (1 byte new length encoding, %d bytes)
  284. >>&(&-1.B) use cert_packet_3
  285. >&0 ubyte >191
  286. >>&-1 ubyte <225
  287. # offset = ((offset[0] - 192) << 8) + offset[1] + 192 + 1 (for the length header)
  288. # raw - (192 * 256 - 192 - 1)
  289. # = 48959
  290. #>>>&-1 ubeshort x (2 byte new length encoding, %d bytes)
  291. >>>&(&-1.S-48959) use cert_packet_3
  292. >&0 ubyte =255
  293. #>>&0 belong x (5 byte new length encoding, %d bytes)
  294. >>&(&-4.L) use cert_packet_3
  295. # Partial body encoding (only valid for container packets).
  296. # >&0 ubyte >224
  297. # >>&0 ubyte <255 partial body encoding
  298. 0 name sig_or_component_1_length_old
  299. #>&0 ubyte x (ctb: %x)
  300. >&0 ubyte&0x3 =0
  301. #>>&0 ubyte x (1 byte old length encoding, %d bytes)
  302. >>&(&0.B+1) use cert_packet_3
  303. >&0 ubyte&0x3 =1
  304. #>>&0 ubeshort x (2 byte old length encoding, %d bytes)
  305. >>&(&0.S+2) use cert_packet_3
  306. >&0 ubyte&0x3 =2
  307. #>>&0 ubelong x (4 byte old length encoding, %d bytes)
  308. >>&(&0.L+4) use cert_packet_3
  309. # Copy of above.
  310. 0 name cert_packet_3
  311. #>0 ubyte x (ctb: %x)
  312. >&0 ubyte =0xC2
  313. >>0 ubyte x \b; Signature
  314. >>&0 use cert_packet_3_length_new
  315. >&0 ubyte =0xCD
  316. >>0 ubyte x \b; User ID
  317. >>&0 use cert_packet_3_length_new
  318. >&0 ubyte =0xCE
  319. >>0 ubyte x \b; Public Subkey
  320. >>&0 use cert_packet_3_length_new
  321. >&0 ubyte =0xC7
  322. >>0 ubyte x \b; Secret Subkey
  323. >>&0 use cert_packet_3_length_new
  324. >&0 ubyte =0xD1
  325. >>0 ubyte x \b; User Attribute
  326. >>&0 use cert_packet_3_length_new
  327. >&0 ubyte&0xFC =0x88
  328. >>0 ubyte x \b; Signature
  329. >>&-1 use cert_packet_3_length_old
  330. >&0 ubyte&0xFC =0xB4
  331. >>0 ubyte x \b; User ID
  332. >>&-1 use cert_packet_3_length_old
  333. >&0 ubyte&0xFC =0xB8
  334. >>0 ubyte x \b; Public Subkey
  335. >>&-1 use cert_packet_3_length_old
  336. >&0 ubyte&0xFC =0x9C
  337. >>0 ubyte x \b; Secret Subkey
  338. >>&-1 use cert_packet_3_length_old
  339. # Copy of above.
  340. 0 name cert_packet_3_length_new
  341. >&0 ubyte <192
  342. #>>&0 ubyte x (1 byte new length encoding, %d bytes)
  343. >>&(&-1.B) use pgp_binary_keys_end
  344. >&0 ubyte >191
  345. >>&-1 ubyte <225
  346. # offset = ((offset[0] - 192) << 8) + offset[1] + 192 + 1 (for the length header)
  347. # raw - (192 * 256 - 192 - 1)
  348. # = 48959
  349. #>>>&-1 ubeshort x (2 byte new length encoding, %d bytes)
  350. >>>&(&-1.S-48959) use pgp_binary_keys_end
  351. >&0 ubyte =255
  352. #>>&0 belong x (5 byte new length encoding, %d bytes)
  353. >>&(&-4.L) use pgp_binary_keys_end
  354. 0 name cert_packet_3_length_old
  355. #>&0 ubyte x (ctb: %x)
  356. >&0 ubyte&0x3 =0
  357. #>>&0 ubyte x (1 byte old length encoding, %d bytes)
  358. >>&(&0.B+1) use pgp_binary_keys_end
  359. >&0 ubyte&0x3 =1
  360. #>>&0 ubeshort x (2 byte old length encoding, %d bytes)
  361. >>&(&0.S+2) use pgp_binary_keys_end
  362. >&0 ubyte&0x3 =2
  363. #>>&0 ubelong x (4 byte old length encoding, %d bytes)
  364. >>&(&0.L+4) use pgp_binary_keys_end
  365. # We managed to parse the first three packets of the certificate. Declare
  366. # victory.
  367. 0 name pgp_binary_keys_end
  368. >0 byte x \b; OpenPGP Certificate
  369. !:mime application/pgp-keys
  370. !:ext pgp/gpg/pkr/asd