[guardian-dev] Format of exported subkeys from gnupg

Abel Luck abel at guardianproject.info
Fri Aug 3 18:19:22 CEST 2012


Tom Ritter:

> I think what you're looking for is the OpenPGP specification.  That
> should allow you to create an ASCII-armored or binary representation
> of the data to import into GPG, and tells you the format that GPG
> outputs. http://tools.ietf.org/html/rfc4880#section-5.5.3  Fortunately,
> it's much easier than working with S-Expressions (IMO at least.)

So, I've dived into parsing OpenPGP packets as per the spec, and all is
well, until I get to parsing the actual secret key data (the MPI values).

In 99% of cases these secret values are encrypted. As I see it, these are
my options for getting at the unencrypted values.

1. Implement all possible ciphers in my library, ask the user for their
key and decrypt
2. Only support plaintext exported keys, decryption is handled by GnuPG
during export.

The first will require implementation of the entire pgp cipher suite,
which is beyond our calling. The second will leak unprotected secret key
data to disk.

Remember, the use case for this is exporting secret-subkeys used as OTR
keys for interoperability with OTR clients. Most (all?) OTR apps store
the private OTR key material unencrypted anyway, so leaking this data
to disk is not an issue. (Though, yes, later on, I'll be pushing the line
over on otr-dev that we need to start encrypting the private keys)

Thus the question is: how can I --export-secret-subkeys with
unprotected/plaintext secret key values?

~abel
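Added example, not code from Abel's library or from GnuPG: a small parser for the packet stream that `gpg --export-secret-subkeys` writes, following RFC 4880 sections 4.2 (packet headers), 3.2 (MPIs) and 5.5.3 (secret key packets). The point it shows is where the "plaintext or encrypted" decision sits: the string-to-key usage octet that follows the public MPIs. With usage 0 the secret MPIs and their 2-octet checksum can be read directly; with 254/255 (or the deprecated raw cipher id) only the cipher, S2K parameters and IV are readable, and the rest is ciphertext that would need the cipher suite Abel wants to avoid implementing. The two sample packets at the bottom are constructed with toy DSA numbers and dummy ciphertext, not real keys; partial body lengths and v3 keys are left out.

```python
"""Parse OpenPGP v4 Secret-Key / Secret-Subkey packets (RFC 4880 5.5.3) and
report whether the secret MPIs are stored in the clear (S2K usage 0)."""
import struct

SECRET_KEY_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}          # RFC 4880 4.3
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA n,e / Elgamal p,g,y / DSA p,q,g,y
SECRET_MPIS = {1: 4, 2: 4, 3: 4, 16: 1, 17: 1}  # RSA d,p,q,u / Elgamal x / DSA x
CIPHER_BLOCK = {1: 8, 2: 8, 3: 8, 4: 8, 7: 16, 8: 16, 9: 16, 10: 16}  # IV length, 9.2


def read_packet(data, pos):
    """Return (tag, body, next_pos) for the packet starting at data[pos] (RFC 4880 4.2)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths not handled here")
    else:                                            # old-format header (GnuPG uses these for keys)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled here")
        size = (1, 2, 4)[ltype]
        length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
    start = pos + hdr
    return tag, data[start:start + length], start + length


def read_mpi(body, pos):
    """One MPI: 2-octet bit count, then the big-endian magnitude (RFC 4880 3.2)."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    n = (bits + 7) // 8
    return int.from_bytes(body[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def parse_secret_key(body):
    """Parse a v4 secret key body; secret MPIs are decoded only when unprotected."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    algo, pos = body[5], 6
    public = []
    for _ in range(PUBLIC_MPIS[algo]):
        v, pos = read_mpi(body, pos)
        public.append(v)
    usage, pos = body[pos], pos + 1
    info = {"algo": algo, "created": struct.unpack(">I", body[1:5])[0],
            "s2k_usage": usage, "public_mpis": public}
    if usage == 0:                                   # plaintext secret MPIs + 2-octet checksum
        mpi_start, secret = pos, []
        for _ in range(SECRET_MPIS[algo]):
            v, pos = read_mpi(body, pos)
            secret.append(v)
        expect = sum(body[mpi_start:pos]) & 0xFFFF   # sum of the MPI octets mod 65536
        info["checksum_ok"] = struct.unpack(">H", body[pos:pos + 2])[0] == expect
        info["secret_mpis"] = secret
        return info
    if usage in (254, 255):                          # cipher id + S2K specifier follow
        cipher, s2k_type, pos = body[pos], body[pos + 1], pos + 2
        info["s2k_type"], info["hash_algo"], pos = s2k_type, body[pos], pos + 1
        if s2k_type in (1, 3):
            info["salt"], pos = body[pos:pos + 8], pos + 8
        if s2k_type == 3:
            info["s2k_count"], pos = body[pos], pos + 1
    else:
        cipher = usage                               # deprecated form: usage octet is the cipher id
    info["cipher"], info["iv"] = cipher, body[pos:pos + CIPHER_BLOCK[cipher]]
    # Everything after the IV is ciphertext (MPIs plus SHA-1 or checksum); no cipher is run here.
    info["encrypted_len"] = len(body) - pos - len(info["iv"])
    return info


def scan_secret_keys(data):
    """Walk a packet stream (e.g. --export-secret-subkeys output) and summarise each secret key."""
    out, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        if tag in SECRET_KEY_TAGS:
            rec = parse_secret_key(body)
            rec["packet"] = SECRET_KEY_TAGS[tag]
            out.append(rec)
    return out


# --- constructed sample data (toy DSA numbers, dummy ciphertext; NOT real keys) ---
def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def _packet(tag, body):                              # new-format header, 1- or 2-octet length
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body

_DSA_PUBLIC = bytes([4]) + struct.pack(">I", 1343999962) + bytes([17]) + b"".join(map(_mpi, (23, 11, 4, 8)))
_PLAIN_X = _mpi(7)
SAMPLE_PLAIN = _packet(7, _DSA_PUBLIC + bytes([0]) + _PLAIN_X + struct.pack(">H", sum(_PLAIN_X) & 0xFFFF))
SAMPLE_ENCRYPTED = _packet(7, _DSA_PUBLIC + bytes([254, 7, 3, 2]) + b"\x01" * 8 + bytes([0x60])
                           + b"\x00" * 16 + b"\xAA" * 24)

if __name__ == "__main__":
    for rec in scan_secret_keys(SAMPLE_PLAIN + SAMPLE_ENCRYPTED):
        print(rec)
```

Feeding real output from `gpg --export-secret-subkeys` into `scan_secret_keys` (binary, not ASCII-armored) answers the "is this one encrypted?" question per subkey without touching any cipher; a `secret_mpis` entry is present only for packets whose usage octet is 0.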

