mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
133 lines
4.6 KiB
Plaintext
133 lines
4.6 KiB
Plaintext
|
|
|
|
* For packet version 3 we calculate the keyids this way:
|
|
RSA := low 64 bits of n
|
|
ELGAMAL := build a v3 pubkey packet (with CTB 0x99) and calculate
|
|
a rmd160 hash value from it. This is used as the
|
|
fingerprint and the low 64 bits are the keyid.
|
|
|
|
|
|
|
|
|
|
Layout of the TrustDB
|
|
=====================
|
|
The TrustDB is build from fixed length records, where the first bytes
|
|
describes the record type. All numeric values are stored in network
|
|
byte order. The length of each record is 40 bytes. The first record of
|
|
the DB is always of type 1 and this is the only record of this type.
|
|
|
|
Record type 0:
|
|
--------------
|
|
Unused record, can be reused for any purpose.
|
|
|
|
Record type 1:
|
|
--------------
|
|
Version information for this TrustDB. This is always the first
|
|
record of the DB and the onyl one with type 1.
|
|
1 byte value 1
|
|
3 bytes 'g10' magic value
|
|
1 byte Version of the TrustDB
|
|
3 byte reserved
|
|
1 u32 locked by (pid) 0 = not locked.
|
|
1 u32 timestamp of trustdb creation
|
|
1 u32 timestamp of last modification
|
|
1 u32 timestamp of last validation
|
|
(Used to keep track of the time, when this TrustDB was checked
|
|
against the pubring)
|
|
1 u32 Local-Id-Counter. Used to keep track of Local-IDs.
|
|
32 bits are enough numbers for all practial purposes; if this
|
|
counter rolls over (due to deleted keyblock and new ones),
|
|
the software should reassign new Local-Ids to the whole
|
|
database (not expected to ever occur).
|
|
1 byte marginals needed
|
|
1 byte completes needed
|
|
1 byte max. cert depth
|
|
If any of this 3 values are changed, all cache records
|
|
muts be invalidated.
|
|
9 bytes reserved
|
|
|
|
Record type 2:
|
|
--------------
|
|
Informations about a public key certificate.
|
|
These are static values which are never changed without user interaction.
|
|
|
|
1 byte value 2
|
|
1 byte reserved
|
|
1 u32 Local-Id. This is used to bind all records for
|
|
a given certificate together. It is valid only in this TrustDB
|
|
and usefull if we have duplicate keyids
|
|
It is not defined, how an implementaion selects such
|
|
a Local-Id, but it may use the local-ID counter from
|
|
record type 1, or simply use the offset of Record type 2
|
|
8 bytes keyid (of the primary key)
|
|
1 byte pubkey algorithm
|
|
1 byte reserved
|
|
20 bytes fingerprint of the public key
|
|
1 byte ownertrust:
|
|
Bits 2-0:
|
|
0 = undefined (not yet initialized)
|
|
1 = unknown owner (could not initialize it)
|
|
2 = do not trust this owner
|
|
4 = usually trust this owner
|
|
5 = always trust this owner
|
|
7 = ultimately trust this owner. This can only be set if
|
|
we have control over the secret key too.
|
|
Bit 3: set if key is revoked; do not use it.
|
|
Bit 7-4: reserved
|
|
3 byte reserved
|
|
|
|
|
|
Record type 3: (cache record)
|
|
--------------
|
|
Used to bind the trustDB to the concrete instance of keyblock in
|
|
a pubring. This is used to cache informations.
|
|
|
|
1 byte value 3
|
|
1 byte reserved
|
|
1 u32 Local-Id.
|
|
8 bytes keyid of the primary key (needed?)
|
|
1 byte cache-is-valid the following stuff is only
|
|
valid if this is set.
|
|
1 byte reserved
|
|
20 bytes rmd160 hash value over the complete keyblock
|
|
This is used to detect any changes of the keyblock with all
|
|
CTBs and lengths headers. Calculation is easy if the keyblock
|
|
is optained from a keyserved: simply create the hash from all
|
|
received data bytes.
|
|
|
|
1 byte number of untrusted signatures.
|
|
1 byte number of marginal trusted signatures.
|
|
1 byte number of fully trusted signatures.
|
|
(255 is stored for all values greater than 254)
|
|
1 byte Trustlevel
|
|
0 = undefined (not calculated)
|
|
1 = unknown
|
|
2 = not trusted
|
|
3 = marginally trusted
|
|
4 = fully trusted
|
|
5 = ultimately trusted (have secret key too).
|
|
|
|
Record type 4 (sigrec)
|
|
-------------
|
|
Used to keep track of valid key signatures. Self-signatures are not
|
|
stored.
|
|
|
|
1 byte value 4
|
|
1 byte reserved
|
|
1 u32 Local-Id of owners (pubkey record)
|
|
1 u32 chain: next sigrec of this owner or 0 to indicate the
|
|
last sigrec.
|
|
6 times
|
|
1 u32 Local_id of signators pubkey record
|
|
1 byte reserved
|
|
|
|
Record type 5 (next-sigrec)
|
|
-------------
|
|
This is the same as record type 4 but the record type is 5 and the
|
|
local-id is only used to verify the internal db structure. You can
|
|
not search for such a record; access is done based on the chain field
|
|
in segrec or netx-sigrec. This is, so that we can handle sigrecords
|
|
more easier - there is no need to handle multiple sigrecs when searching
|
|
for such a record.
|
|
|