41
Recent Posts
42
TrID File Identifier / Re: pub-ss[hl]-*.trid.xml,key-ssl*.trid.xml for missing public/private keys
« Last post by Mark0 on June 21, 2024, 12:27:53 AM »Thanks!
43
Definitions DB change log / Re: Current - Year 2024
« Last post by Mark0 on June 19, 2024, 02:14:18 PM »Added:
- DataCrypt II Super Encrypted data ()
- AngryDuck encrypted (ransomware) (ADK)
- CAMtastic Aperture Wizard template (AWR)
- Home Plan Pro 5 Clip (CLP)
- Install Project (v3.0) (IPJ)
- Irie Pascal Project (v2) (IPJ)
- Profi Install Project (v2.0a) (IPJ)
- Profi Install Project (v3.0c) (IPJ)
- JMeter XML test plan (v1.x) (JMX)
- Home Plan Pro 5 Plan (PLN)
- Waterworld Mission (MIS)
- Cryo S3D game data (S3D)
- Aegis Sonix music (SNX)
- DiskDigger custom filter (XML)
44
TrID File Identifier / pub-ss[hl]-*.trid.xml,key-ssl*.trid.xml for missing public/private keys
« Last post by jenderek on June 15, 2024, 05:28:01 PM »Hello trid users,
some days ago i must handle an old CD-ROM. This contains some older
Microsoft Publisher files with file name suffix pub. These are not
recognized correctly. So i send definition some days ago. Now i found
"oldest" Microsoft Publisher samples. Unfortunately the PUB file name
suffix is also used for public keys by different software. So i also
look for such samples.
When i run the file format identification utility TrID it identifies
some SSH public keys with text/plain mime type and PUB file name
suffix. Some samples (like id_dsa.pub) are described as "SSH-DSS
Public key" by pub-ssh-dss.trid.xml and others (like id_rsa.pub) are
described as "SSH-RSA Public key" by pub-ssh-rsa.trid.xml. Some ssh
keys (like ssh_host_ed25519_key.pub id_ecdsa384.pub) are here not
recognized. The sample localhost.priv is described as "ASCII armored
RSA Private Key" with mime type text/plain and KEY name suffix whereas
the counterpart (localhost.pub) with public key is not recognized (See
appended trid-v-pub.txt).
For comparison reason i also run file command (version 5.45) on such
samples. Here more SSH keys are recognized. A few samples (like id_ecdsa384.pub
id_ecdsa521.pub ssh_host_ecdsa_key.pub) which are not recognized by TrID are
here described as "OpenSSH ECDSA public key". The ssh_host_ed25519_key.pub
sample is described as "OpenSSH ED25519 public key" (see appended
file-5.45.txt in output). As mime type only generic text/plain is shown (see
appended file-i-5.45.txt in output). No file name suffix is here shown (see
appended file-ext-5.45.txt in output). With newest database more examples are
recognized (see appended file-new.txt in output). For most samples now the
correct file name suffix is here shown (see appended file-ext-new.txt
On Linux according to shared MIME-info database none of these examples
are described.
For comparison reason i also run the file format identification
utility DROID (See https://sourceforge.net/projects/droid/). This
identifies MSPublisherv1.PUB correctly as "Microsoft Publisher" with
version 1 and mime type application/x-mspublisher by PUID fmt/1511.
Other PUB samples are also described wrong as "Microsoft Publisher"
because recognition is based on file name suffix pub (See appended
droid-pub-key.csv).
Luckily with information given by the other tools i also found a
section about ECC Public Key Algorithm in Request for Comments 5656.
That information is expressed inside pub-ssh-ecdsa.trid.xml by
reference URL line. That looks like:
<RefURL>
https://www.rfc-editor.org/rfc/rfc5656#section-6.2
</RefURL>
As mime i choose instead of generic mime type text/plain an user
defined one. That is expressed by line like:
<Mime>text/x-ssh-public-key</Mime>
According to reference such key start with phrase ecdsa-sha2- followed by
elliptic curve domain parameter identifier (with sizes 256 384 521). Based on
my examples this is expressed inside front block by XML construct like:
<Bytes>65636473612D736861322D6E69737470</Bytes>
<ASCII> e c d s a - s h a 2 - n i s t p</ASCII>
<Pos>0</Pos>
In principal also file command use this phrase to identify such keys.
Luckily with information given by the other tools i also found a page about
Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol in
Request for Comments 8709. That information is expressed inside
pub-ssh-ed25519.trid.xml by reference URL line. That looks like:
<RefURL>https://www.rfc-editor.org/rfc/rfc8709</RefURL>
As mime i choose instead of generic mime type text/plain an user
defined one. That is expressed by line like:
<Mime>text/x-ssh-public-key</Mime>
According to reference and file command such key start with phrase
ssh-ed25519. Based on my example this is expressed inside front block by XML
construct like:
<Bytes>7373682D6564323535313920</Bytes>
<ASCII> s s h - e d 2 5 5 1 9</ASCII>
<Pos>0</Pos>
Samples (like rfc7468.pub format_gen.pub format_gen.key; later found in qemu
version 9.0.0 source) are described by file command as public or private key
(without password) of OpenSSH. But i believe this description is wrong because
i can verify such samples with command like:
openssl asn1parse -i -in format_gen.pub
0:d=0 hl=3 l= 159 cons: SEQUENCE
3:d=1 hl=2 l= 13 cons: SEQUENCE
5:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
16:d=2 hl=2 l= 0 prim: NULL
18:d=1 hl=3 l= 141 prim: BIT STRING
openssl asn1parse -i -in format_gen.key
0:d=0 hl=4 l= 629 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=2 l= 13 cons: SEQUENCE
9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
20:d=2 hl=2 l= 0 prim: NULL
22:d=1 hl=4 l= 607 prim: OCTET STRING [HEX DUMP]:foo
openssl asn1parse -i -in rfc7468.pub
0:d=0 hl=2 l= 118 cons: SEQUENCE
2:d=1 hl=2 l= 16 cons: SEQUENCE
4:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
13:d=2 hl=2 l= 5 prim: OBJECT :secp384r1
20:d=1 hl=2 l= 98 prim: BIT STRING
Furthermore i can generate such samples by commands like:
openssl genrsa -out ./privkey.pem 1024
openssl rsa -pubout -in ./privkey.pem -outform PEM
Luckily with information given by the other tools i also found a page about
Asymmetric Key Packages in Request for Comments 5958. That information is
expressed inside key-ssl-nopassword.trid.xml by reference URL line. That looks
like:
<RefURL> https://www.rfc-editor.org/rfc/rfc5958</RefURL>
As mime i choose instead of generic mime type text/plain an user defined
one. That is expressed by line like:
<Mime>text/x-ssl-private-key</Mime>
According to reference and file command such keys start with phrase
"-----BEGIN PRIVATE KEY-----". Based on my example format_gen.key this is
expressed inside front block of key-ssl-nopassword.trid.xml by XML construct
like:
<Bytes>2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A</Bytes>
<ASCII> - - - - - B E G I N P R I V A T E K E Y - - - - -</ASCII>
<Pos>0</Pos>
In the counter part (public key) the phrase PUBLIC instead of PRIVATE is used
in starting pattern.
Based on my examples like format_gen.pub this is expressed inside front block
of pub-ssl.trid.xml by XML construct like:
<Bytes>2D2D2D2D2D424547494E205055424C4943204B45592D2D2D2D2D0A4D</Bytes>
<ASCII> - - - - - B E G I N P U B L I C K E Y - - - - - . M</ASCII>
<Pos>0</Pos>
Luckily with information given by the other tools i also found a header pem.h
on SSL page on GitHub web site. That information is expressed inside
pub-ssl-rsa.trid.xml by reference URL. That looks like:
<RefURL>
https://github.com/openssl/openssl/blob/master/include/openssl/pem.h
</RefURL>
As mime i choose instead of generic mime type text/plain an user defined
one. That is expressed by line like:
<Mime>text/x-ssl-public-key</Mime>
When looking in output of other tools and comparing with counter part (that is
the private key) the main characteristic is done by starting constant phrase
"-----BEGIN RSA PUBLIC KEY-----" like in localhost.pub. So this is expressed
by XML construct like:
<Bytes>2D2D2D2D2D424547494E20525341205055424C4943204B45592D2D2D2D2D0A</Bytes>
<ASCII> - - - - - B E G I N R S A P U B L I C K E Y - - - - -</ASCII>
<Pos>0</Pos>
With the new definitions then most of my inspected examples with PUB name
suffix are now described (see appended trid-v-new.txt trid-new.txt in
output). Unfortunately the pub suffix is also used for a few PGP/GPG
keys. Here i also found some exceptions which are not recognized. So i need
some time to inspect what is exactly going wrong there. I will try to handle
this in a future session.
Unfortunately i am not sure if "PEM" is is the only and correct format
description in definitions.
TrID definitions, few samples and output are stored in pub_key.zip. I hope
that my definitions can be used in future version of triddefs.
With best wishes
J?rg Jenderek
some days ago i must handle an old CD-ROM. This contains some older
Microsoft Publisher files with file name suffix pub. These are not
recognized correctly. So i send definition some days ago. Now i found
"oldest" Microsoft Publisher samples. Unfortunately the PUB file name
suffix is also used for public keys by different software. So i also
look for such samples.
When i run the file format identification utility TrID it identifies
some SSH public keys with text/plain mime type and PUB file name
suffix. Some samples (like id_dsa.pub) are described as "SSH-DSS
Public key" by pub-ssh-dss.trid.xml and others (like id_rsa.pub) are
described as "SSH-RSA Public key" by pub-ssh-rsa.trid.xml. Some ssh
keys (like ssh_host_ed25519_key.pub id_ecdsa384.pub) are here not
recognized. The sample localhost.priv is described as "ASCII armored
RSA Private Key" with mime type text/plain and KEY name suffix whereas
the counterpart (localhost.pub) with public key is not recognized (See
appended trid-v-pub.txt).
For comparison reason i also run file command (version 5.45) on such
samples. Here more SSH keys are recognized. A few samples (like id_ecdsa384.pub
id_ecdsa521.pub ssh_host_ecdsa_key.pub) which are not recognized by TrID are
here described as "OpenSSH ECDSA public key". The ssh_host_ed25519_key.pub
sample is described as "OpenSSH ED25519 public key" (see appended
file-5.45.txt in output). As mime type only generic text/plain is shown (see
appended file-i-5.45.txt in output). No file name suffix is here shown (see
appended file-ext-5.45.txt in output). With newest database more examples are
recognized (see appended file-new.txt in output). For most samples now the
correct file name suffix is here shown (see appended file-ext-new.txt
On Linux according to shared MIME-info database none of these examples
are described.
For comparison reason i also run the file format identification
utility DROID (See https://sourceforge.net/projects/droid/). This
identifies MSPublisherv1.PUB correctly as "Microsoft Publisher" with
version 1 and mime type application/x-mspublisher by PUID fmt/1511.
Other PUB samples are also described wrong as "Microsoft Publisher"
because recognition is based on file name suffix pub (See appended
droid-pub-key.csv).
Luckily with information given by the other tools i also found a
section about ECC Public Key Algorithm in Request for Comments 5656.
That information is expressed inside pub-ssh-ecdsa.trid.xml by
reference URL line. That looks like:
<RefURL>
https://www.rfc-editor.org/rfc/rfc5656#section-6.2
</RefURL>
As mime i choose instead of generic mime type text/plain an user
defined one. That is expressed by line like:
<Mime>text/x-ssh-public-key</Mime>
According to reference such key start with phrase ecdsa-sha2- followed by
elliptic curve domain parameter identifier (with sizes 256 384 521). Based on
my examples this is expressed inside front block by XML construct like:
<Bytes>65636473612D736861322D6E69737470</Bytes>
<ASCII> e c d s a - s h a 2 - n i s t p</ASCII>
<Pos>0</Pos>
In principal also file command use this phrase to identify such keys.
Luckily with information given by the other tools i also found a page about
Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol in
Request for Comments 8709. That information is expressed inside
pub-ssh-ed25519.trid.xml by reference URL line. That looks like:
<RefURL>https://www.rfc-editor.org/rfc/rfc8709</RefURL>
As mime i choose instead of generic mime type text/plain an user
defined one. That is expressed by line like:
<Mime>text/x-ssh-public-key</Mime>
According to reference and file command such key start with phrase
ssh-ed25519. Based on my example this is expressed inside front block by XML
construct like:
<Bytes>7373682D6564323535313920</Bytes>
<ASCII> s s h - e d 2 5 5 1 9</ASCII>
<Pos>0</Pos>
Samples (like rfc7468.pub format_gen.pub format_gen.key; later found in qemu
version 9.0.0 source) are described by file command as public or private key
(without password) of OpenSSH. But i believe this description is wrong because
i can verify such samples with command like:
openssl asn1parse -i -in format_gen.pub
0:d=0 hl=3 l= 159 cons: SEQUENCE
3:d=1 hl=2 l= 13 cons: SEQUENCE
5:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
16:d=2 hl=2 l= 0 prim: NULL
18:d=1 hl=3 l= 141 prim: BIT STRING
openssl asn1parse -i -in format_gen.key
0:d=0 hl=4 l= 629 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=2 l= 13 cons: SEQUENCE
9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
20:d=2 hl=2 l= 0 prim: NULL
22:d=1 hl=4 l= 607 prim: OCTET STRING [HEX DUMP]:foo
openssl asn1parse -i -in rfc7468.pub
0:d=0 hl=2 l= 118 cons: SEQUENCE
2:d=1 hl=2 l= 16 cons: SEQUENCE
4:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
13:d=2 hl=2 l= 5 prim: OBJECT :secp384r1
20:d=1 hl=2 l= 98 prim: BIT STRING
Furthermore i can generate such samples by commands like:
openssl genrsa -out ./privkey.pem 1024
openssl rsa -pubout -in ./privkey.pem -outform PEM
Luckily with information given by the other tools i also found a page about
Asymmetric Key Packages in Request for Comments 5958. That information is
expressed inside key-ssl-nopassword.trid.xml by reference URL line. That looks
like:
<RefURL> https://www.rfc-editor.org/rfc/rfc5958</RefURL>
As mime i choose instead of generic mime type text/plain an user defined
one. That is expressed by line like:
<Mime>text/x-ssl-private-key</Mime>
According to reference and file command such keys start with phrase
"-----BEGIN PRIVATE KEY-----". Based on my example format_gen.key this is
expressed inside front block of key-ssl-nopassword.trid.xml by XML construct
like:
<Bytes>2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A</Bytes>
<ASCII> - - - - - B E G I N P R I V A T E K E Y - - - - -</ASCII>
<Pos>0</Pos>
In the counter part (public key) the phrase PUBLIC instead of PRIVATE is used
in starting pattern.
Based on my examples like format_gen.pub this is expressed inside front block
of pub-ssl.trid.xml by XML construct like:
<Bytes>2D2D2D2D2D424547494E205055424C4943204B45592D2D2D2D2D0A4D</Bytes>
<ASCII> - - - - - B E G I N P U B L I C K E Y - - - - - . M</ASCII>
<Pos>0</Pos>
Luckily with information given by the other tools i also found a header pem.h
on SSL page on GitHub web site. That information is expressed inside
pub-ssl-rsa.trid.xml by reference URL. That looks like:
<RefURL>
https://github.com/openssl/openssl/blob/master/include/openssl/pem.h
</RefURL>
As mime i choose instead of generic mime type text/plain an user defined
one. That is expressed by line like:
<Mime>text/x-ssl-public-key</Mime>
When looking in output of other tools and comparing with counter part (that is
the private key) the main characteristic is done by starting constant phrase
"-----BEGIN RSA PUBLIC KEY-----" like in localhost.pub. So this is expressed
by XML construct like:
<Bytes>2D2D2D2D2D424547494E20525341205055424C4943204B45592D2D2D2D2D0A</Bytes>
<ASCII> - - - - - B E G I N R S A P U B L I C K E Y - - - - -</ASCII>
<Pos>0</Pos>
With the new definitions then most of my inspected examples with PUB name
suffix are now described (see appended trid-v-new.txt trid-new.txt in
output). Unfortunately the pub suffix is also used for a few PGP/GPG
keys. Here i also found some exceptions which are not recognized. So i need
some time to inspect what is exactly going wrong there. I will try to handle
this in a future session.
Unfortunately i am not sure if "PEM" is is the only and correct format
description in definitions.
TrID definitions, few samples and output are stored in pub_key.zip. I hope
that my definitions can be used in future version of triddefs.
With best wishes
J?rg Jenderek
45
Definitions DB change log / Re: Current - Year 2024
« Last post by Mark0 on June 15, 2024, 02:12:52 PM »Updated:
- Advanced Authoring Format (AAF)
- Microsoft Windows Installer (MSI)
- OLE Custom / ActiveX Control (32bit) (OCX)
- Visual Basic eXtension/Custom Control (VBX)
- MADE engine game data archive (BLK)
- Degenerate Geometry CSV (CSV)
- MADE engine DB (DAT)
- ASEAM 2 Loads Input Screen/Data (LIS)
- OpenTTD Language strings (LNG)
- LInk System Application Data Format (LSD)
- LiveStage Pro project (v1) (LSD)
- LiveStage Pro project (v2-4) (LSD)
- RPG Maker 2000/2003 Save Data (LSD)
- ASEAM 2 Main Menu Screen/Data (MIS)
- OLE Custom Control (16bit) (OCX)
- ASEAM 2 Plant Input Screen/Data (PIS)
- MADE Engine Video (PMV)
- MADE Project/game (PRJ)
- ASEAM 2 System Input Screen/Data (SIS)
- Tetra Color Palette format (v1.0) (TET)
- RealStorm Engine object (TXT)
- VisualTools VT Spell Dictionary (VTD)
- OpenTTD Graphics Resource (GRF)
46
Definitions DB change log / Re: Current - Year 2024
« Last post by Mark0 on June 12, 2024, 01:43:06 AM »Updated:
- LZDiet compressed data ()
- Apple Img3 encrypted signed container (IMG3/DFU)
- Microsoft Developer Studio Project (MDP)
- TrID defs package (TRD)
- TrIDNet serialized definitions package (TRS)
- PADS Parts Library ASCII format (generic) ()
- 3DFX texture format (v1.x) (3DF)
- Apple Archive (generic) (AAR)
- Apple Archive (LZ4) (AAR)
- Apple Archive (LZFSE) (AAR)
- Apple Archive (LZMA) (AAR)
- Apple Archive (raw) (AAR)
- Apple Archive (zlib) (AAR)
- Apple Encrypted Archive (AEA)
- PADS Parts Library Schematic Decals (v4) (C)
- PADS Parts Library Schematic Decals (v9) (C)
- Gerber CAM Processor job (CAM)
- PADS Parts Library PCB Decals (v4) (D)
- PADS Parts Library PCB Decals (v9) (D)
- HaxBall Replay (v2) (HBR2)
- Apple 8900 encrypted signed container (IMG2/DFU)
- Apple iPod Software firmware update (IPSW)
- PADS Parts Library Part Types (v4) (P)
- PADS Parts Library Part Types (v9) (P)
- Visual Studio Project build log (PLG)
- PADS Layout ASCII Format (TXT/ASC)
47
Definitions DB change log / Re: Current - Year 2024
« Last post by Mark0 on June 09, 2024, 11:16:38 PM »48
Definitions DB change log / Re: Current - Year 2024
« Last post by Mark0 on June 05, 2024, 04:40:41 PM »Updated:
Added:
Added:
- Open Access II Chart (CHT)
- Open Access III Chart (CHT)
- Open Access II Data base (DF)
- Open Access II spreadsheet (FMD)
- Lytro image Stack info (LFP)
- Lytro Raw image (LFP/LFR)
- Materialise AM Exchange (MATAMX)
- Overhead Express Presentation (PRE)
- Microsoft Publisher document (v1) (PUB)
- Microsoft Publisher document (v2) (PUB)
- Microsoft Publisher document (v4) (PUB)
- Sonic Factory Song (SFS)
49
TrID File Identifier / Re: 3 variants pub-v?.trid.xml for Microsoft Publisher document
« Last post by Mark0 on June 03, 2024, 11:08:27 PM »Thanks for the new/updated defs and the info.
50
Definitions DB change log / Re: Current - Year 2024
« Last post by Mark0 on June 02, 2024, 02:40:58 PM »Updated:
Added:
Added:
- TwinCAT Compiled-Library (COMPILED-LIBRARY)
- TwinCAT PLC Project (PLCPROJ)
- TwinCAT PLC Project (UTF-8) (PLCPROJ)
- TwinCAT PLC Data Type (TCDUT)
- TwinCAT PLC Global Texts List (TCGTLO)
- TwinCAT PLC Global Variable List (TCGVL)
- TwinCAT License info (TCLRS)
- TwinCAT PLC Program Organization Unit (TCPOU)
- TwinCAT PLC Task Object (TCTTO)
- TwinCAT PLC Visualization (TCVIS)
- TwinCAT PLC Visualization Manager (TCVMO)
- TwinCAT Compile Info container (TIZIP)
- TwinCAT Module Class (TMC)
- TwinCAT Module Class (UTF-8) (TMC)
- TSAC compressed audio (TSAC)
- TwinCAT Project (TSPROJ)
- TwinCAT project archive (TSZIP)
- TwinCAT Current Configuration (XML)
- TwinCAT Target Description (XML)
- TwinCAT Multi Project/Export (XTI)