ch4: restructure packet splitting text sections

Heiko Schaefer 2023-10-11 20:37:31 +02:00
parent 1aa4696f3e
commit 3688054f4f
No known key found for this signature in database
GPG key ID: 4A849A1904CCBD7D


@ -321,13 +321,16 @@ Note that the secret key material we're using in this chapter is not password pr
In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data. In this section, we use the Sequoia-PGP tool `sq` to handle and transform our example OpenPGP key, and to inspect internal OpenPGP packet data.
One way to produce this minimal version of Alice's key is: (split_alice)=
#### Splitting an OpenPGP key into packets
One way to produce a very minimal version of Alice's key is to split her full key into its component packets, and join only the relevant ones back together into a variant of the key.
```text ```text
$ sq packet split alice.priv $ sq packet split alice.priv
``` ```
With this command, `sq` generates a set of files, one for each packet in `alice.priv`: With this command, `sq` generates a set of files, each containing an individual OpenPGP packet of the original full key in `alice.priv`:
```text ```text
alice.priv-0--SecretKey alice.priv-0--SecretKey
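Review bot: the new introduction to the `(split_alice)=` section does not say that the files produced by `sq packet split alice.priv` contain unprotected secret key material; the hunk context notes that the key in this chapter is not password protected, and `alice.priv-0--SecretKey` (and the `SecretSubkey` files) are written in the clear, so suggest adding one sentence telling readers to handle and afterwards remove these files with the same care as `alice.priv` itself. Also confirm that `(split_alice)=` stays on its own line immediately before `#### Splitting an OpenPGP key into packets`, because a MyST label target only attaches to the element that directly follows it, and hunk 3 relies on this label resolving to the packet list.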
@ -342,12 +345,32 @@ alice.priv-8--SecretSubkey
alice.priv-9--Signature alice.priv-9--Signature
``` ```
```{admonition} VISUAL
:class: warning
Show a very abstract diagram of the packets of Alice's OpenPGP key (above):
- Secret-Key packet
- Direct Key Signature
- User ID
- Certifying self-signature for User ID
- Secret-Subkey packet
- Subkey binding signature
- Secret-Subkey packet
- Subkey binding signature
- Secret-Subkey packet
- Subkey binding signature
```
#### Joining packets into an OpenPGP key
For our first step, we'll use just the first two of these packets, and join them together as a private key: For our first step, we'll use just the first two of these packets, and join them together as a private key:
```text ```text
$ sq packet join alice.priv-0--SecretKey alice.priv-1--Signature --output alice_minimal.priv $ sq packet join alice.priv-0--SecretKey alice.priv-1--Signature --output alice_minimal.priv
``` ```
#### Inspecting this key
This version of Alice's key contains just two packets: This version of Alice's key contains just two packets:
- The [*Secret-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) for the primary key, and - The [*Secret-Key packet*](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-packet-formats) for the primary key, and
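Review bot: the VISUAL placeholder lists ten packets but does not say which `alice.priv-N--...` file each one corresponds to, and this diagram is what the later `split_alice` cross-reference sends readers back to when they need `alice.priv-4--SecretSubkey` and `alice.priv-5--Signature`; suggest annotating each item with its file index, e.g. `- Secret-Key packet (alice.priv-0--SecretKey)`, so the diagram and the `sq packet split` output line up. Minor: `#### Inspecting this key` is vague once it appears in a table of contents (`#### Inspecting the minimal key` would be clearer), and the text under `#### Joining packets into an OpenPGP key` still says "join them together as a private key", so consider aligning the heading and the sentence.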
@ -649,31 +672,18 @@ Now we'll look at a subkey in Alice's key. An OpenPGP subkey, when it is linked
- a key packet that contains the component key itself, and - a key packet that contains the component key itself, and
- a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate). - a signature packet that links this component key to the primary key (and thus implicitly to the full OpenPGP certificate).
In this section, we'll use the files that contain individual packets of Alice's key, which we generated above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`. In this section, we'll use the files that contain individual packets of Alice's key, which we split apart above. In this split representation of Alice's key, the encryption subkey happens to be stored in `alice.priv-4--SecretSubkey`, and the associated binding self-signature for the subkey in `alice.priv-5--Signature`.
````{note} ````{note}
It's common to look at a packet dump for a full OpenPGP key (not split apart), like this: It's common to look at a packet dump for a full OpenPGP key, like this:
```text ```text
$ sq packet dump --hex alice.priv $ sq packet dump --hex alice.priv
``` ```
That output shows a much longer series of packets (as shown in the diagram below). This output will contain the two packets we now look at, with the exact same data, but they would be a bit harder to locate visually. That command shows the details for the full series of packets in an OpenPGP certificate (recall the list of [packets of Alice's key](split_alice)). Finding a particular packet in that list can take a moment.
```{admonition} VISUAL In the following sections we're making it a bit easier for ourselves, and directly look at individual packets, from the files we created with `sq packet split`, above.
:class: warning
Show a very abstract diagram of packets in a typical full OpenPGP key:
- Secret-Key packet
- Direct Key Signature
- User ID
- Certifying self-signature for User ID
- Secret-Subkey packet
- Subkey binding signature
- Secret-Subkey packet
- Subkey binding signature
```
```` ````
#### Secret-Subkey packet #### Secret-Subkey packet
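Review bot: the rewritten note drops the old statement that the full `sq packet dump --hex alice.priv` output contains "the exact same data" as the split files; that equivalence is what justifies inspecting individual files instead of the full dump, so suggest keeping one clause such as "the individual files contain the same packets, byte for byte". Grammar in the last added line: "we're making it a bit easier for ourselves, and directly look at individual packets" mixes forms; "we make it a bit easier for ourselves and look directly at individual packets" reads cleaner. Replacing the second VISUAL admonition (which listed only two subkeys, unlike the three in the diagram above) with the `split_alice` cross-reference is a good consolidation, since it removes a diagram that would have disagreed with the first.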