[Cryptography-dev] Parsing DER from PE File
Paul Kehrer
paul.l.kehrer at gmail.com
Fri Dec 21 11:21:41 EST 2018
Out of curiosity, does the following code load the cert you expect? der
should be the bytes of extracted.der:
from cryptography.hazmat.backends.openssl.backend import backend
from cryptography.hazmat.backends.openssl import x509
bio = backend._bytes_to_bio(der)
pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
certs = []
for i in range(backend._lib.sk_X509_num(signers)):
x509_ptr = backend._lib.sk_X509_value(signers, i)
certs.append(x509._Certificate(backend, x509_ptr))
Certs will be a list of signer certificates -- in this case, just one cert
in the list. Please note that this code does not manage memory correctly so
it should strictly be used to test if the cert you need is being properly
extracted :)
-Paul (reaperhulk)
On December 21, 2018 at 8:02:13 AM, Paul Kehrer (paul.l.kehrer at gmail.com)
wrote:
Thanks, that's perfect. Looking at this data it's actually a PKCS7 envelope
holding multiple certificates and at the moment cryptography unfortunately
has no interface for parsing PKCS7. If you wouldn't mind sharing your use
case directly on https://github.com/pyca/cryptography/issues/3983 then it
will help me when I'm prioritizing features for upcoming releases.
-Paul
On December 20, 2018 at 2:23:11 PM, Robert Simmons (rsimmons0 at gmail.com)
wrote:
Definitely. I've attached the DER data as extracted from the PE file using
the following code:
pe = pefile.PE(fname)
pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
sigoff = 0
siglen = 0
for s in pe.__structures__:
if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
sigoff = s.VirtualAddress
siglen = s.Size
pe.close()
with open(fname, 'rb') as fh:
fh.seek(sigoff)
thesig = fh.read(siglen)
with open('extracted.der', 'wb') as fh:
fh.write(thesig[8:])
I've attached extracted.der as a zip file to maintain integrity as an
attachment.
Thanks!
On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.kehrer at gmail.com>
wrote:
> Could you give us an example (in hex or b64 or something) so we can easily
> reproduce? Make sure any certs you're giving us don't contain sensitive
> data of course.
>
> -Paul
>
>
> On December 19, 2018 at 11:55:04 PM, Robert Simmons (rsimmons0 at gmail.com)
> wrote:
>
> I've asked this question on Stack Overflow here:
> https://stackoverflow.com/q/53862702/1033217
>
> I have compared my code to Dider Stevens's disitool here (examine the
> function ExtractDigitalSignature):
> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py
>
> When I load that extracted file into a variable and try to parse it with
> cryptography, it fails. If I pipe the same file to openssl on the command
> line, it works.
>
> I am thinking this has to do with the number of certificates in the
> directory in the PE file. There can be three (cert, intermediate CA, and
> CA, etc).
>
> Any idea what's going on?
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev at python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20181221/6580de9e/attachment.html>
More information about the Cryptography-dev
mailing list