Hello TrID users,
some days ago I had to handle an old CD-ROM. It contains some older
Microsoft Publisher files with file name suffix pub. These are not
recognized correctly, so I sent a definition some days ago. Now I found
"oldest" Microsoft Publisher samples. Unfortunately the PUB file name
suffix is also used for public keys by different software, so I also
looked for such samples.
When I run the file format identification utility TrID, it identifies
some SSH public keys with text/plain mime type and PUB file name
suffix. Some samples (like id_dsa.pub) are described as "SSH-DSS
Public key" by pub-ssh-dss.trid.xml and others (like id_rsa.pub) are
described as "SSH-RSA Public key" by pub-ssh-rsa.trid.xml. Some SSH
keys (like ssh_host_ed25519_key.pub, id_ecdsa384.pub) are not
recognized here. The sample localhost.priv is described as "ASCII armored
RSA Private Key" with mime type text/plain and KEY name suffix, whereas
the counterpart (localhost.pub) with the public key is not recognized (see
appended trid-v-pub.txt).
For comparison I also ran the file command (version 5.45) on such
samples. Here more SSH keys are recognized. A few samples (like id_ecdsa384.pub,
id_ecdsa521.pub, ssh_host_ecdsa_key.pub) which are not recognized by TrID are
described here as "OpenSSH ECDSA public key". The ssh_host_ed25519_key.pub
sample is described as "OpenSSH ED25519 public key" (see appended
file-5.45.txt in output). As mime type only generic text/plain is shown (see
appended file-i-5.45.txt in output). No file name suffix is shown here (see
appended file-ext-5.45.txt in output). With the newest database more examples are
recognized (see appended file-new.txt in output). For most samples the
correct file name suffix is now shown (see appended file-ext-new.txt).
On Linux, according to the shared MIME-info database, none of these examples
are described.
For comparison I also ran the file format identification
utility DROID (see
https://sourceforge.net/projects/droid/). This
identifies MSPublisherv1.PUB correctly as "Microsoft Publisher" with
version 1 and mime type application/x-mspublisher by PUID fmt/1511.
Other PUB samples are also wrongly described as "Microsoft Publisher"
because recognition is based on file name suffix pub (see appended
droid-pub-key.csv).
Luckily, with the information given by the other tools, I also found a
section about the ECC Public Key Algorithm in Request for Comments 5656.
That information is expressed inside pub-ssh-ecdsa.trid.xml by the
reference URL line. That looks like:
<RefURL>https://www.rfc-editor.org/rfc/rfc5656#section-6.2</RefURL>
As mime type I chose a user-defined one instead of the generic mime type
text/plain. That is expressed by a line like:
<Mime>text/x-ssh-public-key</Mime>
According to the reference such keys start with the phrase ecdsa-sha2- followed by
the elliptic curve domain parameter identifier (with sizes 256, 384, 521). Based on
my examples this is expressed inside the front block by an XML construct like:
<Bytes>65636473612D736861322D6E69737470</Bytes>
<ASCII> e c d s a - s h a 2 - n i s t p</ASCII>
<Pos>0</Pos>
In principle the file command also uses this phrase to identify such keys.
Luckily, with the information given by the other tools, I also found a page about
Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol in
Request for Comments 8709. That information is expressed inside
pub-ssh-ed25519.trid.xml by the reference URL line. That looks like:
<RefURL>https://www.rfc-editor.org/rfc/rfc8709</RefURL>
As mime type I chose a user-defined one instead of the generic mime type
text/plain. That is expressed by a line like:
<Mime>text/x-ssh-public-key</Mime>
According to the reference and the file command such keys start with the phrase
ssh-ed25519. Based on my example this is expressed inside the front block by an XML
construct like:
<Bytes>7373682D6564323535313920</Bytes>
<ASCII> s s h - e d 2 5 5 1 9</ASCII>
<Pos>0</Pos>
Samples (like rfc7468.pub, format_gen.pub, format_gen.key; later found in qemu
version 9.0.0 source) are described by the file command as public or private key
(without password) of OpenSSH. But I believe this description is wrong because
I can verify such samples with commands like:
openssl asn1parse -i -in format_gen.pub
0:d=0 hl=3 l= 159 cons: SEQUENCE
3:d=1 hl=2 l= 13 cons: SEQUENCE
5:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
16:d=2 hl=2 l= 0 prim: NULL
18:d=1 hl=3 l= 141 prim: BIT STRING
openssl asn1parse -i -in format_gen.key
0:d=0 hl=4 l= 629 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=2 l= 13 cons: SEQUENCE
9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
20:d=2 hl=2 l= 0 prim: NULL
22:d=1 hl=4 l= 607 prim: OCTET STRING [HEX DUMP]:foo
openssl asn1parse -i -in rfc7468.pub
0:d=0 hl=2 l= 118 cons: SEQUENCE
2:d=1 hl=2 l= 16 cons: SEQUENCE
4:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
13:d=2 hl=2 l= 5 prim: OBJECT :secp384r1
20:d=1 hl=2 l= 98 prim: BIT STRING
Furthermore I can generate such samples by commands like:
openssl genrsa -out ./privkey.pem 1024
openssl rsa -pubout -in ./privkey.pem -outform PEM
Luckily, with the information given by the other tools, I also found a page about
Asymmetric Key Packages in Request for Comments 5958. That information is
expressed inside key-ssl-nopassword.trid.xml by the reference URL line. That looks
like:
<RefURL>https://www.rfc-editor.org/rfc/rfc5958</RefURL>
As mime type I chose a user-defined one instead of the generic mime type
text/plain. That is expressed by a line like:
<Mime>text/x-ssl-private-key</Mime>
According to the reference and the file command such keys start with the phrase
"-----BEGIN PRIVATE KEY-----". Based on my example format_gen.key this is
expressed inside the front block of key-ssl-nopassword.trid.xml by an XML construct
like:
<Bytes>2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A</Bytes>
<ASCII> - - - - - B E G I N P R I V A T E K E Y - - - - -</ASCII>
<Pos>0</Pos>
In the counterpart (public key) the phrase PUBLIC instead of PRIVATE is used
in the starting pattern.
Based on my examples like format_gen.pub this is expressed inside the front block
of pub-ssl.trid.xml by an XML construct like:
<Bytes>2D2D2D2D2D424547494E205055424C4943204B45592D2D2D2D2D0A4D</Bytes>
<ASCII> - - - - - B E G I N P U B L I C K E Y - - - - - . M</ASCII>
<Pos>0</Pos>
Luckily, with the information given by the other tools, I also found the header pem.h
on the SSL page on the GitHub web site. That information is expressed inside
pub-ssl-rsa.trid.xml by the reference URL. That looks like:
<RefURL>https://github.com/openssl/openssl/blob/master/include/openssl/pem.h</RefURL>
As mime type I chose a user-defined one instead of the generic mime type
text/plain. That is expressed by a line like:
<Mime>text/x-ssl-public-key</Mime>
When looking at the output of other tools and comparing with the counterpart (that is
the private key), the main characteristic is the constant starting phrase
"-----BEGIN RSA PUBLIC KEY-----" like in localhost.pub. So this is expressed
by an XML construct like:
<Bytes>2D2D2D2D2D424547494E20525341205055424C4943204B45592D2D2D2D2D0A</Bytes>
<ASCII> - - - - - B E G I N R S A P U B L I C K E Y - - - - -</ASCII>
<Pos>0</Pos>
With the new definitions most of my inspected examples with PUB name
suffix are now described (see appended trid-v-new.txt, trid-new.txt in
output). Unfortunately the pub suffix is also used for a few PGP/GPG
keys. Here I also found some exceptions which are not recognized. So I need
some time to inspect what exactly is going wrong there. I will try to handle
this in a future session.
Unfortunately I am not sure if "PEM" is the only and correct format
description in the definitions.
TrID definitions, a few samples and output are stored in pub_key.zip. I hope
that my definitions can be used in a future version of triddefs.
With best wishes
Jörg Jenderek
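
Added example, not part of the original post and not TrID code: a Python sketch that applies the front-block byte patterns quoted above at offset 0 and, for one-line SSH keys, also checks that the algorithm name inside the base64 blob (length-prefixed string, RFC 4253 encoding) agrees with the text prefix. Function names, labels and the sample key are constructed for illustration.

```python
import base64
import struct

# Hex patterns copied from the <Bytes> lines in the post, all at <Pos>0.
# The labels are this example's own wording, not TrID type names.
PATTERNS = [
    ("65636473612D736861322D6E69737470", "SSH ECDSA public key"),
    ("7373682D6564323535313920", "SSH Ed25519 public key"),
    ("2D2D2D2D2D424547494E2050524956415445204B45592D2D2D2D2D0A",
     "PEM private key without password"),
    ("2D2D2D2D2D424547494E205055424C4943204B45592D2D2D2D2D0A4D",
     "PEM public key"),
    ("2D2D2D2D2D424547494E20525341205055424C4943204B45592D2D2D2D2D0A",
     "PEM RSA public key"),
]

def identify(data: bytes):
    """Return the label of the first pattern found at offset 0, else None."""
    for hex_pattern, label in PATTERNS:
        if data.startswith(bytes.fromhex(hex_pattern)):
            return label
    return None

def ssh_blob_algorithm(line: bytes):
    """Algorithm name stored inside the base64 blob, or None if malformed."""
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len > len(blob) - 4:
        return None
    return blob[4:4 + name_len]

def prefix_matches_blob(line: bytes) -> bool:
    """True when the text prefix equals the algorithm name in the blob."""
    fields = line.split()
    return bool(fields) and ssh_blob_algorithm(line) == fields[0]

def _ssh_string(value: bytes) -> bytes:
    return struct.pack(">I", len(value)) + value

# Constructed sample: correct structure, all-zero 32-byte key (not a real key).
SAMPLE_ED25519 = (b"ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))) + b" constructed@example\n")
```

Because the PEM patterns include the trailing 0A byte, a PEM file saved with CRLF line endings does not match them; the trailing 4D ("M") in the public key pattern is the first base64 character of a DER SEQUENCE.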