* For packet version 3 we calculate the keyids this way: RSA := low 64 bits of n ELGAMAL := build a v3 pubkey packet (with CTB 0x99) and calculate a rmd160 hash value from it. This is used as the fingerprint and the low 64 bits are the keyid. * Revocation certificates consist only of the signature packet; "import" knows how to handle this. The rationale behind it is to keep them small. Key generation shows progress by printing different characters to stderr: "." Last 10 Miller-Rabin tests failed "+" Miller-Rabin test succeeded "!" Reloading the pool with fresh prime numbers "^" Checking a new value for the generator "<" Size of one factor decreased ">" Size of one factor increased The prime number for ElGamal is generated this way: 1) Make a prime number q of 160, 200, 240 bits (depending on the keysize) 2) Select the length of the other prime factors to be at least the size of q and calculate the number of prime factors needed 3) Make a pool of prime numbers, each of the length determined in step 2 4) Get a new permutation out of the pool or continue with step 3 if we have tested all permutations. 5) Calculate a candidate prime p = 2 * q * p[1] * ... * p[n] + 1 6) Check that this prime has the correct length (this may change q if it seems not to be possible to make a prime of the desired length) 7) Check whether this is a prime using trial divisions and the Miller-Rabin test. 8) Continue with step 4 if we did not find a prime in step 7. 9) Find a generator for that prime. Layout of the TrustDB ===================== FIXME: use a directory record as top node instead of the pubkey record The TrustDB is built from fixed length records, where the first byte describes the record type. All numeric values are stored in network byte order. The length of each record is 40 bytes. The first record of the DB is always of type 1 and this is the only record of this type. Record type 0: -------------- Unused record, can be reused for any purpose. Record type 1: -------------- Version information for this TrustDB. This is always the first record of the DB and the only one with type 1. 1 byte value 1 3 bytes 'gpg' magic value 1 byte Version of the TrustDB 3 byte reserved 1 u32 locked by (pid) 0 = not locked. 1 u32 timestamp of trustdb creation 1 u32 timestamp of last modification 1 u32 timestamp of last validation (Used to keep track of the time, when this TrustDB was checked against the pubring) 1 u32 reserved 1 byte marginals needed 1 byte completes needed 1 byte max. cert depth If any of this 3 values are changed, all cache records muts be invalidated. 9 bytes reserved Record type 2: (directory record) -------------- Informations about a public key certificate. These are static values which are never changed without user interaction. 1 byte value 2 1 byte reserved 8 bytes keyid (We keep it here to speed up searching by keyid) 1 u32 Local-Id. This is simply the record number of this record. 1 u32 pubkey (record number of it) 1 u32 cache record 1 u32 sigrecord 1 byte No signatures flag (used to avoid duplicate building). 13 byte reserved Record type 3: -------------- Informations about a public key certificate. These are static values which are never changed without user interaction. 1 byte value 3 1 byte reserved 1 u32 owner This is used to bind all records for a given certificate together. It is valid only in this TrustDB and useful if we have duplicate keyids It points back to the directory node. 1 byte pubkey algorithm 1 byte length of the fingerprint (in bytes) 20 bytes fingerprint of the public key 1 byte ownertrust: 3 byte reserved Record type 4: (cache record) -------------- Used to bind the trustDB to the concrete instance of keyblock in a pubring. This is used to cache information. 1 byte value 4 1 byte reserved 1 u32 Local-Id. 8 bytes keyid of the primary key (needed?) 1 byte cache-is-valid the following stuff is only valid if this is set. 1 byte reserved 20 bytes rmd160 hash value over the complete keyblock This is used to detect any changes of the keyblock with all CTBs and lengths headers. Calculation is easy if the keyblock is optained from a keyserved: simply create the hash from all received data bytes. 1 byte number of untrusted signatures. 1 byte number of marginal trusted signatures. 1 byte number of fully trusted signatures. (255 is stored for all values greater than 254) 1 byte Trustlevel 0 = undefined (not calculated) 1 = unknown 2 = not trusted 3 = marginally trusted 4 = fully trusted 5 = ultimately trusted (have secret key too). Record type 5 (sigrec) ------------- Used to keep track of valid key signatures. Self-signatures are not stored. 1 byte value 5 1 byte reserved 1 u32 For Local-Id (points back to the directory record) 1 u32 chain: next sigrec of this owner or 0 to indicate the last sigrec. 6 times 1 u32 Local_id of signators pubkey record 1 byte reserved Record Type 6 (hash table) ------------- Due to the fact that we use the keyid to lookup keys, we can implement quick access by some simple hash methods, and avoid the overhead of gdbm. A property of keyids is that they can be used directly as hash values. (They can be considered as strong random numbers.) What we use is a dynamic multilevel architecture, which combines Hashtables, record lists, and linked lists. This record is a hashtable of 256 entries; a special property is that all these records are stored consecutively to make one big table. The hash value is simple the 1st, 2nd, ... byte of the keyid (depending on the indirection level). 1 byte value 5 1 byte reserved n u32 recnum; n depends on th record length: n = (reclen-2)/4 which yields 9 for the current record length of 40 bytes. the total number of surch record which makes up the table is: m = (256+n-1) / n which is 29 for a record length of 40. To look up a key we use its lsb to get the recnum from this hashtable and look up the addressed record: - If this record is another hashtable, we use 2nd lsb to index this hast table and so on. - if this record is a hashlist, we walk thru the reclist records until we found one whose hash field matches the MSB of our keyid, and lookup this record - if this record is a dir record, we compare the keyid and if this is correct, we get the keyrecod and compare the fingerprint to decide whether it is the requested key; if this is not the correct dir record, we look at the next dir record which is linked by the link field. Record type 7 (hash list) ------------- see hash table for an explanation. 1 byte value 6 1 byte reserved 1 u32 chain next hash list record n times n = (reclen-6)/5 1 byte hash 1 u32 recnum For the current record length of 40, n is 6 Packet Headers =============== GNUPG uses PGP 2 packet headers and also understands OpenPGP packet header. There is one enhancement used with the old style packet headers: CTB bits 10, the "packet-length length bits", have values listed in the following table: 00 - 1-byte packet-length field 01 - 2-byte packet-length field 10 - 4-byte packet-length field 11 - no packet length supplied, unknown packet length As indicated in this table, depending on the packet-length length bits, the remaining 1, 2, 4, or 0 bytes of the packet structure field are a "packet-length field". The packet-length field is a whole number field. The value of the packet-length field is defined to be the value of the whole number field. A value of 11 is currently used in one place: on compressed data. That is, a compressed data block currently looks like , where , binary 10 1000 11, is an indefinite-length packet. The proper interpretation is "until the end of the enclosing structure", although it should never appear outermost (where the enclosing structure is a file). + This will be changed with another version, where the new meaning of + the value 11 (see below) will also take place. + + A value of 11 for other packets enables a special length encoding, + which is used in case, where the length of the following packet can + not be determined prior to writing the packet; especially this will + be used if large amounts of data are processed in filter mode. + + It works like this: After the CTB (with a length field of 11) a + marker field is used, which gives the length of the following datablock. + This is a simple 2 byte field (MSB first) containig the amount of data + following this field, not including this length field. After this datablock + another length field follows, which gives the size of the next datablock. + A value of 0 indicates the end of the packet. The maximum size of a + data block is limited to 65534, thereby reserving a value of 0xffff for + future extensions. These length markers must be insereted into the data + stream just before writing the data out. + + This 2 byte filed is large enough, because the application must buffer + this amount of data to prepend the length marker before writing it out. + Data block sizes larger than about 32k doesn't make any sense. Note + that this may also be used for compressed data streams, but we must use + another packet version to tell the application that it can not assume, + that this is the last packet. Keyserver Message Format ------------------------- The keyserver may be contacted by a Unix Domain socket or via TCP. The format of a request is: ---- command-tag "Content-length:" digits CRLF ------ Where command-tag is NOOP GET PUT DELETE The format of a response is: ------ "GNUPG/1.0" status-code status-text "Content-length:" digits CRLF ------------ followed by bytes of data Status codes are: o 1xx: Informational - Request received, continuing process o 2xx: Success - The action was successfully received, understood, and accepted o 4xx: Client Error - The request contains bad syntax or cannot be fulfilled o 5xx: Server Error - The server failed to fulfill an apparently valid request Ich werde jetzt doch das HKP Protokoll implementieren: Naja, die Doku ist so gut wie nichtexistent, da gebe ich Dir recht. In kurzen Worten: (Minimal-)HTTP-Server auf Port 11371, versteht ein GET auf /pks/lookup, wobei die Query-Parameter (Key-Value-Paare mit = zwischen Key und Value; die Paare sind hinter ? und durch & getrennt). Gültige Operationen sind: - - op (Operation) mit den Möglichkeiten index (gleich wie -kv bei PGP), vindex (-kvv) und get (-kxa) - - search: Liste der Worte, die im Key vorkommen müssen. Worte sind mit Worttrennzeichen wie Space, Punkt, @, ... getrennt, Worttrennzeichen werden nicht betrachtet, die Reihenfolge der Worte ist egal. - - exact: (on=aktiv, alles andere inaktiv) Nur die Schlüssel zurückgeben, die auch den "search"-String beinhalten (d.h. Wortreihenfolge und Sonderzeichen sind wichtig) - - fingerprint (Bei [v]index auch den Fingerprint ausgeben), "on" für aktiv, alles andere inaktiv Neu (wird von GNUPG benutzt): /pks/lookup/?op= Zusätzlich versteht der Keyserver auch ein POST auf /pks/add, womit man Keys hochladen kann.