gnupg/agent/keyformat.txt

keyformat.txt (wk 2001-12-18)
-----------------------------


Some notes on the format of the secret keys used with gpg-agent.

Location of keys
================
The secret keys[1] are stored on a per file basis in a directory below
the ~/.gnupg home directory.  This directory is named

   private-keys-v1.d

and should have permissions 700.

The secret keys are stored in files with a name matching the
hexadecimal representation of the keygrip[2].

Unprotected Private Key Format
==============================
The content of the file is an S-Expression like the ones used with
Libgcrypt.  Here is an example of an unprotected file:

(private-key
 (rsa
  (n #00e0ce9..[some bytes not shown]..51#)
  (e #010001#)
  (d #046129F..[some bytes not shown]..81#)
  (p #00e861b..[some bytes not shown]..f1#)
  (q #00f7a7c..[some bytes not shown]..61#)
  (u #304559a..[some bytes not shown]..9b#)
 )
 (uri http://foo.bar x-foo:whatever_you_want)
)

Actually this form should not be used for regular purposes and only
accepted by gpg-agent with the configuration option:
--allow-non-canonical-key-format.  The regular way to represent the
keys is in canonical representation[3]:

(private-key
   (rsa
    (n #00e0ce9..[some bytes not shown]..51#)
    (e #010001#)
    (d #046129F..[some bytes not shown]..81#)
    (p #00e861b..[some bytes not shown]..f1#)
    (q #00f7a7c..[some bytes not shown]..61#)
    (u #304559a..[some bytes not shown]..9b#)
   )
   (uri http://foo.bar x-foo:whatever_you_want)
)  


Protected Private Key Format
==============================
A protected key is like this:

(protected-private-key
   (rsa
    (n #00e0ce9..[some bytes not shown]..51#)
    (e #010001#)
    (protected mode (parms) encrypted_octet_string)
   )
   (uri http://foo.bar x-foo:whatever_you_want)
)  


In this scheme the encrypted_octet_string is encrypted according to
the algorithm described after the keyword protected; most protection
algorithms need some parameters, which are given in a list before the
encrypted_octet_string.  The result of the decryption process is a
list of the secret key parameters.

The only available protection mode for now is

  openpgp-s2k3-sha1-aes-cbc

which describes an algorithm using using AES in CBC mode for
encryption, SHA-1 for integrity protection and the String to Key
algorithm 3 from OpenPGP (rfc2440).

Example:

(protected openpgp-s2k3-sha1-aes-cbc
  ((sha1 16byte_salt no_of_iterations) 16byte_iv)
  encrypted_octet_string
)

The encrypted_octet string should yield this S-Exp (in canonical
representation) after decryption:

(
 (
  (d #046129F..[some bytes not shown]..81#)
  (p #00e861b..[some bytes not shown]..f1#)
  (q #00f7a7c..[some bytes not shown]..61#)
  (u #304559a..[some bytes not shown]..9b#) 
 ) 
 (hash sha1 #...[hashvalue]...#)
)

For padding reasons, random bytes are appended to this list - they can
easily be stripped by looking for the end of the list.

The hash is calculated on the concatenation of the public key and
secret key parameter lists: i.e it is required to hash the
concatenation of these 6 canonical encoded lists for RSA, including
the parenthesis and the algorithm keyword.

(rsa
 (n #00e0ce9..[some bytes not shown]..51#)
 (e #010001#)
 (d #046129F..[some bytes not shown]..81#)
 (p #00e861b..[some bytes not shown]..f1#)
 (q #00f7a7c..[some bytes not shown]..61#)
 (u #304559a..[some bytes not shown]..9b#)
)

After decryption the hash must be recalculated and compared against
the stored one - If they don't match the integrity of the key is not
given.


Shadowed Private Key Format
============================
To keep track of keys stored on IC cards we use a third format for
private kyes which are called shadow keys as they are only a reference
to keys stored on a token:

(shadowed-private-key
   (rsa
    (n #00e0ce9..[some bytes not shown]..51#)
    (e #010001#)
    (shadowed protocol (info))
   )
   (uri http://foo.bar x-foo:whatever_you_want)
)  

The currently used protocol is "ti-v1" (token info version 1).  The
second list with the information has this layout:

(card_serial_number id_string_of_key)

More items may be added to the list.


Notes:
======
[1] I usually use the terms private and secret key exchangeable but prefer the
term secret key because it can be visually be better distinguished
from the term public key.

[2] The keygrip is a unique identifier for a key pair, it is
independent of any protocol, so that the same key can be ised with
different protocols.  PKCS-15 calls this a subjectKeyHash; it can be
calculate using Libgcrypt's gcry_pk_get_keygrip().

[3] Even when canonical representation are required we will show the
S-expression here in a more readable representation.
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`keyformat.txt (wk 2001-12-18)`
			`-----------------------------`


			`Some notes on the format of the secret keys used with gpg-agent.`

Changes needed to support smartcards. Well, only _support_. There is no real code yet. 2002-02-28 12:07:59 +01:00			`Location of keys`
			`================`
* genkey.c: Store the secret part and return the public part. 2002-01-10 20:45:32 +01:00			`The secret keys[1] are stored on a per file basis in a directory below`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`the ~/.gnupg home directory. This directory is named`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
			`private-keys-v1.d`

			`and should have permissions 700.`

			`The secret keys are stored in files with a name matching the`
Changes needed to support smartcards. Well, only _support_. There is no real code yet. 2002-02-28 12:07:59 +01:00			`hexadecimal representation of the keygrip[2].`

			`Unprotected Private Key Format`
			`==============================`
			`The content of the file is an S-Expression like the ones used with`
			`Libgcrypt. Here is an example of an unprotected file:`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
			`(private-key`
			`(rsa`
			`(n #00e0ce9..[some bytes not shown]..51#)`
			`(e #010001#)`
			`(d #046129F..[some bytes not shown]..81#)`
			`(p #00e861b..[some bytes not shown]..f1#)`
			`(q #00f7a7c..[some bytes not shown]..61#)`
			`(u #304559a..[some bytes not shown]..9b#)`
			`)`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(uri http://foo.bar x-foo:whatever_you_want)`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`)`

			`Actually this form should not be used for regular purposes and only`
			`accepted by gpg-agent with the configuration option:`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`--allow-non-canonical-key-format. The regular way to represent the`
			`keys is in canonical representation[3]:`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(private-key`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`(rsa`
			`(n #00e0ce9..[some bytes not shown]..51#)`
			`(e #010001#)`
			`(d #046129F..[some bytes not shown]..81#)`
			`(p #00e861b..[some bytes not shown]..f1#)`
			`(q #00f7a7c..[some bytes not shown]..61#)`
			`(u #304559a..[some bytes not shown]..9b#)`
			`)`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(uri http://foo.bar x-foo:whatever_you_want)`
			`)`

* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
Changes needed to support smartcards. Well, only _support_. There is no real code yet. 2002-02-28 12:07:59 +01:00			`Protected Private Key Format`
			`==============================`
			`A protected key is like this:`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(protected-private-key`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`(rsa`
			`(n #00e0ce9..[some bytes not shown]..51#)`
			`(e #010001#)`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(protected mode (parms) encrypted_octet_string)`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`)`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(uri http://foo.bar x-foo:whatever_you_want)`
			`)`

* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
			`In this scheme the encrypted_octet_string is encrypted according to`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`the algorithm described after the keyword protected; most protection`
			`algorithms need some parameters, which are given in a list before the`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`encrypted_octet_string. The result of the decryption process is a`
			`list of the secret key parameters.`

* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`The only available protection mode for now is`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`openpgp-s2k3-sha1-aes-cbc`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
* protect-tool.c (rsa_key_check): New. (import_p12_file): New. (main): New command --p12-import. * minip12.c, minip12.h: New. 2002-06-25 19:50:59 +02:00			`which describes an algorithm using using AES in CBC mode for`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`encryption, SHA-1 for integrity protection and the String to Key`
			`algorithm 3 from OpenPGP (rfc2440).`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
			`Example:`

* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(protected openpgp-s2k3-sha1-aes-cbc`
			`((sha1 16byte_salt no_of_iterations) 16byte_iv)`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`encrypted_octet_string`
			`)`

			`The encrypted_octet string should yield this S-Exp (in canonical`
			`representation) after decryption:`

* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(`
			`(`
			`(d #046129F..[some bytes not shown]..81#)`
			`(p #00e861b..[some bytes not shown]..f1#)`
			`(q #00f7a7c..[some bytes not shown]..61#)`
			`(u #304559a..[some bytes not shown]..9b#)`
			`)`
			`(hash sha1 #...[hashvalue]...#)`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`)`

* genkey.c: Store the secret part and return the public part. 2002-01-10 20:45:32 +01:00			`For padding reasons, random bytes are appended to this list - they can`
			`easily be stripped by looking for the end of the list.`

* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`The hash is calculated on the concatenation of the public key and`
			`secret key parameter lists: i.e it is required to hash the`
			`concatenation of these 6 canonical encoded lists for RSA, including`
			`the parenthesis and the algorithm keyword.`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`(rsa`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`(n #00e0ce9..[some bytes not shown]..51#)`
			`(e #010001#)`
			`(d #046129F..[some bytes not shown]..81#)`
			`(p #00e861b..[some bytes not shown]..f1#)`
			`(q #00f7a7c..[some bytes not shown]..61#)`
			`(u #304559a..[some bytes not shown]..9b#)`
* genkey.c (store_key): Protect the key. (agent_genkey): Ask for the passphrase. * findkey.c (unprotect): Actually unprotect the key. * query.c (agent_askpin): Add an optional start_err_text. 2002-01-31 17:38:45 +01:00			`)`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00
			`After decryption the hash must be recalculated and compared against`
			`the stored one - If they don't match the integrity of the key is not`
			`given.`


Changes needed to support smartcards. Well, only _support_. There is no real code yet. 2002-02-28 12:07:59 +01:00			`Shadowed Private Key Format`
			`============================`
			`To keep track of keys stored on IC cards we use a third format for`
			`private kyes which are called shadow keys as they are only a reference`
			`to keys stored on a token:`

			`(shadowed-private-key`
			`(rsa`
			`(n #00e0ce9..[some bytes not shown]..51#)`
			`(e #010001#)`
			`(shadowed protocol (info))`
			`)`
			`(uri http://foo.bar x-foo:whatever_you_want)`
			`)`

			`The currently used protocol is "ti-v1" (token info version 1). The`
			`second list with the information has this layout:`

			`(card_serial_number id_string_of_key)`

			`More items may be added to the list.`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00




Changes needed to support smartcards. Well, only _support_. There is no real code yet. 2002-02-28 12:07:59 +01:00
			`Notes:`
			`======`
* keyformat.txt: New. 2001-12-19 16:03:35 +01:00			`[1] I usually use the terms private and secret key exchangeable but prefer the`
			`term secret key because it can be visually be better distinguished`
			`from the term public key.`

			`[2] The keygrip is a unique identifier for a key pair, it is`
			`independent of any protocol, so that the same key can be ised with`
			`different protocols. PKCS-15 calls this a subjectKeyHash; it can be`
			`calculate using Libgcrypt's gcry_pk_get_keygrip().`

* protect-tool.c (rsa_key_check): New. (import_p12_file): New. (main): New command --p12-import. * minip12.c, minip12.h: New. 2002-06-25 19:50:59 +02:00			`[3] Even when canonical representation are required we will show the`
* genkey.c: Store the secret part and return the public part. 2002-01-10 20:45:32 +01:00			`S-expression here in a more readable representation.`