
#------------------------------------------------------------------------------
# $File: pgp,v 1.25 2021/04/26 15:56:00 christos Exp $
# pgp:  file(1) magic for Pretty Good Privacy

# Handling of binary PGP keys is in pgp-binary-keys.
# see https://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html
#
0	beshort	0xa600	PGP encrypted data
#!:mime	application/pgp-encrypted
#0	string	-----BEGIN\040PGP	text/PGP armored data
!:mime	text/PGP # encoding: armored data
#>15	string	PUBLIC\040KEY\040BLOCK-	public key block
#>15	string	MESSAGE-	message
#>15	string	SIGNED\040MESSAGE-	signed message
#>15	string	PGP\040SIGNATURE-	signature

# Update: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/Pretty_Good_Privacy
# Reference: https://reposcope.com/mimetype/application/pgp-keys
2	string	---BEGIN\040PGP\040PRIVATE\040KEY\040BLOCK-	PGP private key block
#!:mime	text/PGP
!:mime	application/pgp-keys
!:ext	asc
2	string	---BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK-	PGP public key block
!:mime	application/pgp-keys
!:ext	asc
>10	search/100	\n\n
>>&0	use	pgp
0	string	-----BEGIN\040PGP\040MESSAGE-	PGP message
# https://reposcope.com/mimetype/application/pgp-encrypted
#!:mime	application/pgp
!:mime	application/pgp-encrypted
!:ext	asc
#!:ext	asc/pgp/gpg
>10	search/100	\n\n
>>&0	use	pgp
# Reference: https://www.gnupg.org/gph/en/manual/x135.html
0	string	-----BEGIN\040PGP\040SIGNED\040MESSAGE-	PGP signed message
#!:mime	text/plain
!:mime	text/PGP
#!:mime	application/pgp
!:ext	asc
0	string	-----BEGIN\040PGP\040SIGNATURE-	PGP signature
# https://reposcope.com/mimetype/application/pgp-signature
!:mime	application/pgp-signature
!:ext	asc
>10	search/100	\n\n
>>&0	use	pgp

# Decode the type of the packet based on its base64 encoding.
# Idea from Mark Martinec
# The specification is in RFC 4880, section 4.2 and 4.3:
# https://tools.ietf.org/html/rfc4880#section-4.2

0	name	pgp
# Old-format headers: the first base64 character alone identifies the packet tag.
>0	byte	0x67	Reserved (old)
>0	byte	0x68	Public-Key Encrypted Session Key (old)
>0	byte	0x69	Signature (old)
>0	byte	0x6a	Symmetric-Key Encrypted Session Key (old)
>0	byte	0x6b	One-Pass Signature (old)
>0	byte	0x6c	Secret-Key (old)
>0	byte	0x6d	Public-Key (old)
>0	byte	0x6e	Secret-Subkey (old)
>0	byte	0x6f	Compressed Data (old)
>0	byte	0x70	Symmetrically Encrypted Data (old)
>0	byte	0x71	Marker (old)
>0	byte	0x72	Literal Data (old)
>0	byte	0x73	Trust (old)
>0	byte	0x74	User ID (old)
>0	byte	0x75	Public-Subkey (old)
>0	byte	0x76	Unused (old)
# New-format headers: the first character carries tag bits 5..2, the second
# character the low two bits.
# Note: offset 1 holds an ASCII base64 character (always below 0x80), so
# byte&0xc0 evaluates to 0x00 or 0x40 only; the 0x80 and 0xc0 tests below
# cannot match.
>0	byte	0x77
>>1	byte&0xc0	0x00	Reserved
>>1	byte&0xc0	0x40	Public-Key Encrypted Session Key
>>1	byte&0xc0	0x80	Signature
>>1	byte&0xc0	0xc0	Symmetric-Key Encrypted Session Key
>0	byte	0x78
>>1	byte&0xc0	0x00	One-Pass Signature
>>1	byte&0xc0	0x40	Secret-Key
>>1	byte&0xc0	0x80	Public-Key
>>1	byte&0xc0	0xc0	Secret-Subkey
>0	byte	0x79
>>1	byte&0xc0	0x00	Compressed Data
>>1	byte&0xc0	0x40	Symmetrically Encrypted Data
>>1	byte&0xc0	0x80	Marker
>>1	byte&0xc0	0xc0	Literal Data
>0	byte	0x7a
>>1	byte&0xc0	0x00	Trust
>>1	byte&0xc0	0x40	User ID
>>1	byte&0xc0	0x80	Public-Subkey
>>1	byte&0xc0	0xc0	Unused [z%x]
>0	byte	0x30
>>1	byte&0xc0	0x00	Unused [0%x]
>>1	byte&0xc0	0x40	User Attribute
>>1	byte&0xc0	0x80	Sym. Encrypted and Integrity Protected Data
>>1	byte&0xc0	0xc0	Modification Detection Code

# magic signatures to detect PGP crypto material (from stef)
# detects and extracts metadata from:
#  - symmetric encrypted packet header
#  - RSA (e=65537) secret (sub-)keys

# 1024b RSA encrypted data

0	string	\x84\x8c\x03	PGP RSA encrypted session key -
>3	belong	x	keyid: %08X
>7	belong	x	%08X
>11	byte	0x01	RSA (Encrypt or Sign) 1024b
>11	byte	0x02	RSA Encrypt-Only 1024b
>12	string	\x04\x00
>12	string	\x03\xff
>12	string	\x03\xfe
>12	string	\x03\xfd
>12	string	\x03\xfc
>12	string	\x03\xfb
>12	string	\x03\xfa
>12	string	\x03\xf9
>142	byte	0xd2	.

# 2048b RSA encrypted data

0	string	\x85\x01\x0c\x03	PGP RSA encrypted session key -
>4	belong	x	keyid: %08X
>8	belong	x	%08X
>12	byte	0x01	RSA (Encrypt or Sign) 2048b
>12	byte	0x02	RSA Encrypt-Only 2048b
>13	string	\x08\x00
>13	string	\x07\xff
>13	string	\x07\xfe
>13	string	\x07\xfd
>13	string	\x07\xfc
>13	string	\x07\xfb
>13	string	\x07\xfa
>13	string	\x07\xf9
>271	byte	0xd2	.

# 3072b RSA encrypted data

0	string	\x85\x01\x8c\x03	PGP RSA encrypted session key -
>4	belong	x	keyid: %08X
>8	belong	x	%08X
>12	byte	0x01	RSA (Encrypt or Sign) 3072b
>12	byte	0x02	RSA Encrypt-Only 3072b
>13	string	\x0c\x00
>13	string	\x0b\xff
>13	string	\x0b\xfe
>13	string	\x0b\xfd
>13	string	\x0b\xfc
>13	string	\x0b\xfb
>13	string	\x0b\xfa
>13	string	\x0b\xf9
>399	byte	0xd2	.

# 4096b RSA encrypted data

0	string	\x85\x02\x0c\x03	PGP RSA encrypted session key -
>4	belong	x	keyid: %08X
>8	belong	x	%08X
>12	byte	0x01	RSA (Encrypt or Sign) 4096b
>12	byte	0x02	RSA Encrypt-Only 4096b
>13	string	\x10\x00
>13	string	\x0f\xff
>13	string	\x0f\xfe
>13	string	\x0f\xfd
>13	string	\x0f\xfc
>13	string	\x0f\xfb
>13	string	\x0f\xfa
>13	string	\x0f\xf9
>527	byte	0xd2	.

# 8192b RSA encrypted data

0	string	\x85\x04\x0c\x03	PGP RSA encrypted session key -
>4	belong	x	keyid: %08X
>8	belong	x	%08X
>12	byte	0x01	RSA (Encrypt or Sign) 8192b
>12	byte	0x02	RSA Encrypt-Only 8192b
>13	string	\x20\x00
>13	string	\x1f\xff
>13	string	\x1f\xfe
>13	string	\x1f\xfd
>13	string	\x1f\xfc
>13	string	\x1f\xfb
>13	string	\x1f\xfa
>13	string	\x1f\xf9
>1039	byte	0xd2	.

# 1024b Elgamal encrypted data

0	string	\x85\x01\x0e\x03	PGP Elgamal encrypted session key -
>4	belong	x	keyid: %08X
>8	belong	x	%08X
>12	byte	0x10	Elgamal Encrypt-Only 1024b.
>13	string	\x04\x00
>13	string	\x03\xff
>13	string	\x03\xfe
>13	string	\x03\xfd
>13	string	\x03\xfc
>13	string	\x03\xfb
>13	string	\x03\xfa
>13	string	\x03\xf9

# 2048b Elgamal encrypted data

0	string	\x85\x02\x0e\x03	PGP Elgamal encrypted session key -
>4	belong	x	keyid: %08X
>8	belong	x	%08X
>12	byte	0x10	Elgamal Encrypt-Only 2048b.
>13	string	\x08\x00
>13	string	\x07\xff
>13	string	\x07\xfe
>13	string	\x07\xfd
>13	string	\x07\xfc
>13	string	\x07\xfb
>13	string	\x07\xfa
>13	string	\x07\xf9

# 3072b Elgamal encrypted data

0	string	\x85\x03\x0e\x03	PGP Elgamal encrypted session key -
>4	belong	x	keyid: %08X
>8	belong	x	%08X
>12	byte	0x10	Elgamal Encrypt-Only 3072b.
>13	string	\x0c\x00
>13	string	\x0b\xff
>13	string	\x0b\xfe
>13	string	\x0b\xfd
>13	string	\x0b\xfc
>13	string	\x0b\xfb
>13	string	\x0b\xfa
>13	string	\x0b\xf9

# crypto algo mapper

0	name	crypto
>0	byte	0x00	Plaintext or unencrypted data
>0	byte	0x01	IDEA
>0	byte	0x02	TripleDES
>0	byte	0x03	CAST5 (128 bit key)
>0	byte	0x04	Blowfish (128 bit key, 16 rounds)
>0	byte	0x07	AES with 128-bit key
>0	byte	0x08	AES with 192-bit key
>0	byte	0x09	AES with 256-bit key
>0	byte	0x0a	Twofish with 256-bit key

# hash algo mapper

0	name	hash
>0	byte	0x01	MD5
>0	byte	0x02	SHA-1
>0	byte	0x03	RIPE-MD/160
>0	byte	0x08	SHA256
>0	byte	0x09	SHA384
>0	byte	0x0a	SHA512
>0	byte	0x0b	SHA224

# display public key algorithms as human readable text
0	name	key_algo
>0	byte	0x01	RSA (Encrypt or Sign)
# keep old look of version 5.28 without parentheses
>0	byte	0x02	RSA Encrypt-Only
>0	byte	0x03	RSA (Sign-Only)
>0	byte	16	ElGamal (Encrypt-Only)
>0	byte	17	DSA
>0	byte	18	Elliptic Curve
>0	byte	19	ECDSA
>0	byte	20	ElGamal (Encrypt or Sign)
>0	byte	21	Diffie-Hellman
>0	default	x
>>0	ubyte	<22	unknown (pub %d)
# this should never happen
>>0	ubyte	>21	invalid (%d)

# pgp symmetric encrypted data

0	byte	0x8c	PGP symmetric key encrypted data -
>1	byte	0x0d
>1	byte	0x0c
>2	byte	0x04
>3	use	crypto
>4	byte	0x01	salted -
>>5	use	hash
>>14	byte	0xd2	.
>>14	byte	0xc9	.
>4	byte	0x03	salted & iterated -
>>5	use	hash
>>15	byte	0xd2	.
>>15	byte	0xc9	.

# encrypted keymaterial needs s2k & can be checksummed/hashed

0	name	chkcrypto
>0	use	crypto
>1	byte	0x00	Simple S2K
>1	byte	0x01	Salted S2K
>1	byte	0x03	Salted&Iterated S2K
>2	use	hash

# all PGP keys start with this prolog
# containing version, creation date, and purpose

0	name	keyprolog
>0	byte	0x04
>1	beldate	x	created on %s -
>5	byte	0x01	RSA (Encrypt or Sign)
>5	byte	0x02	RSA Encrypt-Only

# end of secret keys known signature
# contains e=65537 and the prolog to
# the encrypted parameters

0	name	keyend
>0	string	\x00\x11\x01\x00\x01	e=65537
>5	use	crypto
>5	byte	0xff	checksummed
>>6	use	chkcrypto
>5	byte	0xfe	hashed
>>6	use	chkcrypto

# PGP secret keys contain also the public parts
# these vary by bitsize of the key

0	name	x1024
>0	use	keyprolog
>6	string	\x03\xfe
>6	string	\x03\xff
>6	string	\x04\x00
>136	use	keyend

0	name	x2048
>0	use	keyprolog
# MPI bit count of the modulus: 2048 is 0x0800 (as in the 2048b RSA entry)
>6	string	\x08\x00
>6	string	\x07\xfe
>6	string	\x07\xff
>264	use	keyend

0	name	x3072
>0	use	keyprolog
>6	string	\x0b\xfe
>6	string	\x0b\xff
>6	string	\x0c\x00
>392	use	keyend

0	name	x4096
>0	use	keyprolog
>6	string	\x10\x00
>6	string	\x0f\xfe
>6	string	\x0f\xff
>520	use	keyend

# \x00|\x1f[\xfe\xff]).{1024})'
0	name	x8192
>0	use	keyprolog
>6	string	\x20\x00
>6	string	\x1f\xfe
>6	string	\x1f\xff
>1032	use	keyend

# depending on the size of the pkt
# we branch into the proper key size
# signatures defined as x{keysize}

0	name	pgpkey
>0	string	\x01\xd8	1024b
>>2	use	x1024
>0	string	\x01\xeb	1024b
>>2	use	x1024
>0	string	\x01\xfb	1024b
>>2	use	x1024
>0	string	\x01\xfd	1024b
>>2	use	x1024
>0	string	\x01\xf3	1024b
>>2	use	x1024
>0	string	\x01\xee	1024b
>>2	use	x1024
>0	string	\x01\xfe	1024b
>>2	use	x1024
>0	string	\x01\xf4	1024b
>>2	use	x1024
>0	string	\x02\x0d	1024b
>>2	use	x1024
>0	string	\x02\x03	1024b
>>2	use	x1024
>0	string	\x02\x05	1024b
>>2	use	x1024
>0	string	\x02\x15	1024b
>>2	use	x1024
>0	string	\x02\x00	1024b
>>2	use	x1024
>0	string	\x02\x10	1024b
>>2	use	x1024
>0	string	\x02\x04	1024b
>>2	use	x1024
>0	string	\x02\x06	1024b
>>2	use	x1024
>0	string	\x02\x16	1024b
>>2	use	x1024
>0	string	\x03\x98	2048b
>>2	use	x2048
>0	string	\x03\xab	2048b
>>2	use	x2048
>0	string	\x03\xbb	2048b
>>2	use	x2048
>0	string	\x03\xbd	2048b
>>2	use	x2048
>0	string	\x03\xcd	2048b
>>2	use	x2048
>0	string	\x03\xb3	2048b
>>2	use	x2048
>0	string	\x03\xc3	2048b
>>2	use	x2048
>0	string	\x03\xc5	2048b
>>2	use	x2048
>0	string	\x03\xd5	2048b
>>2	use	x2048
>0	string	\x03\xae	2048b
>>2	use	x2048
>0	string	\x03\xbe	2048b
>>2	use	x2048
>0	string	\x03\xc0	2048b
>>2	use	x2048
>0	string	\x03\xd0	2048b
>>2	use	x2048
>0	string	\x03\xb4	2048b
>>2	use	x2048
>0	string	\x03\xc4	2048b
>>2	use	x2048
>0	string	\x03\xc6	2048b
>>2	use	x2048
>0	string	\x03\xd6	2048b
>>2	use	x2048
>0	string	\x05X	3072b
>>2	use	x3072
>0	string	\x05k	3072b
>>2	use	x3072
>0	string	\x05{	3072b
>>2	use	x3072
>0	string	\x05}	3072b
>>2	use	x3072
>0	string	\x05\x8d	3072b
>>2	use	x3072
>0	string	\x05s	3072b
>>2	use	x3072
>0	string	\x05\x83	3072b
>>2	use	x3072
>0	string	\x05\x85	3072b
>>2	use	x3072
>0	string	\x05\x95	3072b
>>2	use	x3072
>0	string	\x05n	3072b
>>2	use	x3072
>0	string	\x05\x7e	3072b
>>2	use	x3072
>0	string	\x05\x80	3072b
>>2	use	x3072
>0	string	\x05\x90	3072b
>>2	use	x3072
>0	string	\x05t	3072b
>>2	use	x3072
>0	string	\x05\x84	3072b
>>2	use	x3072
>0	string	\x05\x86	3072b
>>2	use	x3072
>0	string	\x05\x96	3072b
>>2	use	x3072
>0	string	\x07[	4096b
>>2	use	x4096
>0	string	\x07\x18	4096b
>>2	use	x4096
>0	string	\x07+	4096b
>>2	use	x4096
>0	string	\x07;	4096b
>>2	use	x4096
>0	string	\x07=	4096b
>>2	use	x4096
>0	string	\x07M	4096b
>>2	use	x4096
>0	string	\x073	4096b
>>2	use	x4096
>0	string	\x07C	4096b
>>2	use	x4096
>0	string	\x07E	4096b
>>2	use	x4096
>0	string	\x07U	4096b
>>2	use	x4096
>0	string	\x07.	4096b
>>2	use	x4096
>0	string	\x07>	4096b
>>2	use	x4096
>0	string	\x07@	4096b
>>2	use	x4096
>0	string	\x07P	4096b
>>2	use	x4096
>0	string	\x074	4096b
>>2	use	x4096
>0	string	\x07D	4096b
>>2	use	x4096
>0	string	\x07F	4096b
>>2	use	x4096
>0	string	\x07V	4096b
>>2	use	x4096
>0	string	\x0e[	8192b
>>2	use	x8192
>0	string	\x0e\x18	8192b
>>2	use	x8192
>0	string	\x0e+	8192b
>>2	use	x8192
>0	string	\x0e;	8192b
>>2	use	x8192
>0	string	\x0e=	8192b
>>2	use	x8192
>0	string	\x0eM	8192b
>>2	use	x8192
>0	string	\x0e3	8192b
>>2	use	x8192
>0	string	\x0eC	8192b
>>2	use	x8192
>0	string	\x0eE	8192b
>>2	use	x8192
>0	string	\x0eU	8192b
>>2	use	x8192
>0	string	\x0e.	8192b
>>2	use	x8192
>0	string	\x0e>	8192b
>>2	use	x8192
>0	string	\x0e@	8192b
>>2	use	x8192
>0	string	\x0eP	8192b
>>2	use	x8192
>0	string	\x0e4	8192b
>>2	use	x8192
>0	string	\x0eD	8192b
>>2	use	x8192
>0	string	\x0eF	8192b
>>2	use	x8192
>0	string	\x0eV	8192b
>>2	use	x8192

# PGP RSA (e=65537) secret (sub-)key header

0	byte	0x97	PGP Secret Sub-key -
>1	use	pgpkey
0	byte	0x9d
# Update: Joerg Jenderek
# secret subkey packet (tag 7) with same structure as secret key packet (tag 5)
# skip Fetus.Sys16 CALIBUS.MAIN OrbFix.Sys16.Ex by looking for positive len
>1	ubeshort	>0
#>1	ubeshort	x	\b, body length %#x
# next packet type often 88h,89h~(tag 2)~Signature Packet
#>>(1.S+3)	ubyte	x	\b, next packet type %#x
# skip Dragon.SHR DEMO.INIT by looking for positive version
>>3	ubyte	>0
# skip BUISSON.13 GUITAR1 by looking for low version number
>>>3	ubyte	<5	PGP Secret Sub-key
# sub-keys are normally part of a secret key, so they do not occur as standalone files
#!:ext	bin
# version 2,3~old 4~new . Comment following line for version 5.28 look
>>>>3	ubyte	x	(v%d)
>>>>3	ubyte	x	-
# old versions 2 or 3 but no real example found
>>>>3	ubyte	<4
# 2 bytes for key bits in version 5.28 look
>>>>>11	ubeshort	x	%db
>>>>>4	beldate	x	created on %s -
# old versions use 2 additional bytes after time stamp
#>>>>>8	ubeshort	x	%#x
# display key algorithm 1~RSA Encrypt|Sign - 21~Diffie-Hellman
>>>>>10	use	key_algo
>>>>>(11.S/8)	ubequad	x
# look after first key
>>>>>>&5	use	keyend
# new version
>>>>3	ubyte	>3
>>>>>9	ubeshort	x	%db
>>>>>4	beldate	x	created on %s -
# display key algorithm
>>>>>8	use	key_algo
>>>>>(9.S/8)	ubequad	x
# look after first key for something like s2k
>>>>>>&3	use	keyend
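
# Added example (Python, not part of the upstream magic file): the idea behind the `pgp` named entry, reading the first packet's type from the first two base64 characters of an armored block per RFC 4880 sections 4.2 and 4.3.
# It works on the 6-bit base64 values rather than the ASCII bytes; the function name, table names and both sample blocks are constructed for illustration.

```python
import string

# Base64 alphabet: the position of a character is its 6-bit value.
B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# RFC 4880 section 4.3 packet tags, named as in the magic entries.
TAGS = {
    0: "Reserved", 1: "Public-Key Encrypted Session Key", 2: "Signature",
    3: "Symmetric-Key Encrypted Session Key", 4: "One-Pass Signature",
    5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey",
    8: "Compressed Data", 9: "Symmetrically Encrypted Data", 10: "Marker",
    11: "Literal Data", 12: "Trust", 13: "User ID", 14: "Public-Subkey",
    17: "User Attribute", 18: "Sym. Encrypted and Integrity Protected Data",
    19: "Modification Detection Code",
}

def first_packet(armored):
    """Return (format, tag, name) of the first packet in an armored block."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("not an ASCII-armored PGP block")
    # Armor headers end at the first blank line (the magic searches for \n\n).
    blank = next((i for i, l in enumerate(lines) if not l.strip()), None)
    if blank is None or blank + 1 >= len(lines):
        raise ValueError("no blank line before the base64 body")
    body = lines[blank + 1].strip()
    if len(body) < 2 or body[0] not in B64 or body[1] not in B64:
        raise ValueError("body does not start with base64 data")
    v0, v1 = B64.index(body[0]), B64.index(body[1])
    octet = (v0 << 2) | (v1 >> 4)          # first byte of the packet header
    if not octet & 0x80:
        raise ValueError("bit 7 of a packet header must be set")
    if octet & 0x40:                        # new format: tag in bits 5..0
        fmt, tag = "new", octet & 0x3F
    else:                                   # old format: tag in bits 5..2
        fmt, tag = "old", (octet >> 2) & 0x0F
    return fmt, tag, TAGS.get(tag, "Unused")

# Constructed samples: only the first two body characters matter here.
OLD_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
           "mQENAA==\n-----END PGP PUBLIC KEY BLOCK-----\n")
NEW_MSG = ("-----BEGIN PGP MESSAGE-----\n\n"
           "0gAA\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    for sample in (OLD_KEY, NEW_MSG):
        print(first_packet(sample))
```

# Old-format tag t always starts with the base64 character of value 32+t ('g' to 'v'); new-format tags start with the character of value 48+(t>>2) ('w', 'x', 'y', 'z', '0').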