security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-30 16:17:02 +01:00
Code Activity

doc: Update description of the key format.

Browse Source 
--
This commit is contained in:
Werner Koch 2022-08-16 12:33:26 +02:00
parent 1908fa8b83
commit 7046001b07
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
agent/findkey.c
View File

@ -49,7 +49,7 @@ struct try_unprotect_arg_s
}; };
/* Repalce all linefeeds in STRING by "%0A" and return a new malloced /* Replace all linefeeds in STRING by "%0A" and return a new malloced
* string. May return NULL on memory error. */ * string. May return NULL on memory error. */
static char * static char *
linefeed_to_percent0A (const char *string) linefeed_to_percent0A (const char *string)

30
agent/keyformat.txt
View File

@ -29,8 +29,8 @@ convention. Example (here indented with two spaces):
Use-for-ssh: yes Use-for-ssh: yes
OpenSSH-cert: long base64 encoded string wrapped so that this OpenSSH-cert: long base64 encoded string wrapped so that this
key file can be easily edited with a standard editor. key file can be easily edited with a standard editor.
Token: D2760001240102000005000011730000 OPENPGP.1 Token: D2760001240102000005000011730000 OPENPGP.1 -
Token: FF020001008A77C1 PIV.9C Token: FF020001008A77C1 PIV.9C -
Key: (shadowed-private-key Key: (shadowed-private-key
(rsa (rsa
(n #00AA1AD2A55FD8C8FDE9E1941772D9CC903FA43B268CB1B5A1BAFDC900 (n #00AA1AD2A55FD8C8FDE9E1941772D9CC903FA43B268CB1B5A1BAFDC900
@ -48,7 +48,7 @@ convention. Example (here indented with two spaces):
))) )))
GnuPG 2.2 is also able to read and write keys using the new format GnuPG 2.2 is also able to read and write keys using the new format
However, it only makes use of the value stored under the name 'Key:'. However, it only makes use of some of the values.
Keys in the extended format can be recognized by looking at the first Keys in the extended format can be recognized by looking at the first
byte of the file. If it starts with a '(' it is a naked S-expression, byte of the file. If it starts with a '(' it is a naked S-expression,
@ -72,8 +72,7 @@ of a continuation line encodes a newline.
Lines containing only whitespace, and lines starting with whitespace Lines containing only whitespace, and lines starting with whitespace
followed by '#' are considered to be comments and are ignored. followed by '#' are considered to be comments and are ignored.
** Well defined names ** Well known names
*** Description *** Description
This is a human readable string describing the key. This is a human readable string describing the key.
@ -106,12 +105,18 @@ items can be used.
If such an item exists it overrides the info given by the "shadow" If such an item exists it overrides the info given by the "shadow"
parameter in the S-expression. Using this item makes it possible to parameter in the S-expression. Using this item makes it possible to
describe a key which is stored on several tokens and also makes it describe a key which is stored on several tokens and also makes it
easy to update this info using a standard editor. The syntax is the easy to update this info using a standard editor. The syntax is
same as with the "shadow" parameter: similar to the "shadow" parameter:
- Serialnumber of the token.
- Key reference from the token in full format (e.g. "OpenPGP.2").
- An optional fixed length of the PIN or "-".
- The human readable serial number of a card. This is usually what is
printed on the actual card. This value is taken directly from the
card but when asking to insert a card it is useful to have this
value available. GnuPG takes care of creating and possibly updating
this entry. This is percent-plus-escaped.
- Serialnumber of the token
- Key reference from the token in full format (e.g. "OpenPGP.2")
- An optional fixed length of the PIN.
*** Use-for-ssh *** Use-for-ssh
If given and the value is "yes" or "1" the key is allowed for use by If given and the value is "yes" or "1" the key is allowed for use by
@ -119,6 +124,11 @@ gpg-agent's ssh-agent implementation. This is thus the same as
putting the keygrip into the 'sshcontrol' file. Only one such item putting the keygrip into the 'sshcontrol' file. Only one such item
should exist. should exist.
*** Use-for-p11
If given and the value is "yes" or "1" the key is allowed for use by
GnuPG's PKCS#11 interface (Scute). Note that Scute needs to be
configured to use this optimization.
*** Confirm *** Confirm
If given and the value is "yes", a user will be asked confirmation by If given and the value is "yes", a user will be asked confirmation by
a dialog window when the key is about to be used for a dialog window when the key is about to be used for