This works great! Thanks!

On Sun, Dec 23, 2018 at 7:05 PM Paul Kehrer <paul.l.keh...@gmail.com> wrote:

> One day I will learn to run the code I write before I ask people to use
> it. The missing signers variable should go after the pkcs7 assignment. It
> looks like this:
>
> signers = backend._lib.PKCS7_get0_signers(pkcs7, backend._ffi.NULL, 0)
>
> With that in place and using the extracted.der you previously provided I
> can parse a cert, which has the following subject/issuer data:
>
> Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA
> Validity
>     Not Before: Oct 19 00:00:00 2018 GMT
>     Not After : Sep 25 23:59:59 2019 GMT
> Subject: C=GB/postalCode=WA1 1RG, ST=UK, L=WARRINGTON/street=Brunel House, 340 Firecrest Court, O=TATIANA PUK, LIMITED, CN=TATIANA PUK, LIMITED
>
> I've also attached the cert. If this is what you're looking for then your
> use case is covered by the existing issue, although I still need to decide
> on an API for this.
>
> -Paul
>
> On December 23, 2018 at 2:17:54 AM, Robert Simmons (rsimmo...@gmail.com) wrote:
>
> import os
> import pathlib
> import pefile
>
> target = pathlib.Path().home().joinpath('Desktop').joinpath('HWID_4_0_6YMBWX.exe')
> fname = str(target)
> totsize = os.path.getsize(target)
> pe = pefile.PE(fname)
> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
> sigoff = 0
> siglen = 0
> for s in pe.__structures__:
>     if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
>         sigoff = s.VirtualAddress
>         siglen = s.Size
> pe.close()
> with open(fname, 'rb') as fh:
>     fh.seek(sigoff)
>     thesig = fh.read(siglen)
>
> from cryptography.hazmat.backends.openssl.backend import backend
> from cryptography.hazmat.backends.openssl import x509
>
> bio = backend._bytes_to_bio(thesig[8:])
> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
> certs = []
> for i in range(backend._lib.sk_X509_num(signers)):
>     x509_ptr = backend._lib.sk_X509_value(signers, i)
>     certs.append(x509._Certificate(backend, x509_ptr))
>
> That's the exact code I'm trying to run with the provided code snippet at
> the end. If you want to follow along with the exact file I'm working with:
> hxxps://dangerous[.]link/d9b72c43-1bdd-415b-b15f-3a436b26bca8
>
> The password to that file is "infected" and btw: it is live malware, so
> please treat it accordingly. Run code on it in a safe environment for
> handling malware.
>
> On Sun, Dec 23, 2018 at 4:10 AM Robert Simmons <rsimmo...@gmail.com> wrote:
>
>> I've added the use case to the issue as requested. I tried the code
>> snippet, but the contents of signers is missing. What should that be?
>>
>> NameError: name 'signers' is not defined
>>
>> On Fri, Dec 21, 2018 at 11:21 AM Paul Kehrer <paul.l.keh...@gmail.com> wrote:
>>
>>> Out of curiosity, does the following code load the cert you expect? der
>>> should be the bytes of extracted.der:
>>>
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> from cryptography.hazmat.backends.openssl import x509
>>>
>>> bio = backend._bytes_to_bio(der)
>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
>>> certs = []
>>> for i in range(backend._lib.sk_X509_num(signers)):
>>>     x509_ptr = backend._lib.sk_X509_value(signers, i)
>>>     certs.append(x509._Certificate(backend, x509_ptr))
>>>
>>> Certs will be a list of signer certificates -- in this case, just one
>>> cert in the list. Please note that this code does not manage memory
>>> correctly so it should strictly be used to test if the cert you need is
>>> being properly extracted :)
>>>
>>> -Paul (reaperhulk)
>>>
>>> On December 21, 2018 at 8:02:13 AM, Paul Kehrer (paul.l.keh...@gmail.com) wrote:
>>>
>>> Thanks, that's perfect. Looking at this data it's actually a PKCS7
>>> envelope holding multiple certificates and at the moment cryptography
>>> unfortunately has no interface for parsing PKCS7. If you wouldn't mind
>>> sharing your use case directly on
>>> https://github.com/pyca/cryptography/issues/3983 then it will help me
>>> when I'm prioritizing features for upcoming releases.
>>>
>>> -Paul
>>>
>>> On December 20, 2018 at 2:23:11 PM, Robert Simmons (rsimmo...@gmail.com) wrote:
>>>
>>> Definitely. I've attached the DER data as extracted from the PE file
>>> using the following code:
>>>
>>> pe = pefile.PE(fname)
>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
>>> sigoff = 0
>>> siglen = 0
>>> for s in pe.__structures__:
>>>     if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
>>>         sigoff = s.VirtualAddress
>>>         siglen = s.Size
>>> pe.close()
>>> with open(fname, 'rb') as fh:
>>>     fh.seek(sigoff)
>>>     thesig = fh.read(siglen)
>>> with open('extracted.der', 'wb') as fh:
>>>     fh.write(thesig[8:])
>>>
>>> I've attached extracted.der as a zip file to maintain integrity as an
>>> attachment.
>>>
>>> Thanks!
>>>
>>> On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.keh...@gmail.com> wrote:
>>>
>>>> Could you give us an example (in hex or b64 or something) so we can
>>>> easily reproduce? Make sure any certs you're giving us don't contain
>>>> sensitive data of course.
>>>>
>>>> -Paul
>>>>
>>>> On December 19, 2018 at 11:55:04 PM, Robert Simmons (rsimmo...@gmail.com) wrote:
>>>>
>>>> I've asked this question on Stack Overflow here:
>>>> https://stackoverflow.com/q/53862702/1033217
>>>>
>>>> I have compared my code to Didier Stevens's disitool here (examine the
>>>> function ExtractDigitalSignature):
>>>>
>>>> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py
>>>>
>>>> When I load that extracted file into a variable and try to parse it
>>>> with cryptography, it fails. If I pipe the same file to openssl on the
>>>> command line, it works.
>>>>
>>>> I am thinking this has to do with the number of certificates in the
>>>> directory in the PE file. There can be three (cert, intermediate CA, and
>>>> CA, etc).
>>>>
>>>> Any idea what's going on?
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
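An added example, not code from this thread or from pyca/cryptography: it shows the WIN_CERTIFICATE framing that the `thesig[8:]` slice in the thread skips over. It walks every entry in the raw security-directory bytes, bounds-checks each header, and trims the PKCS#7 SignedData to its outer DER SEQUENCE length so that the 8-byte alignment padding never reaches the PKCS#7 parser. The sample blob is constructed inline; the header layout and the revision/type constants are the standard PE/COFF values.

```python
import struct

# WIN_CERTIFICATE header from the PE/COFF spec: dwLength, wRevision, wCertificateType.
HEADER = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_tlv_length(buf):
    """Total size (tag + length bytes + content) of the DER element at buf[0]; None if malformed."""
    if len(buf) < 2:
        return None
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None                       # indefinite or absurd length is not valid DER
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def parse_security_directory(blob):
    """Parse the raw security-directory bytes into one dict per WIN_CERTIFICATE entry."""
    entries, off = [], 0
    while off + HEADER.size <= len(blob):
        length, rev, ctype = HEADER.unpack_from(blob, off)
        if length < HEADER.size or off + length > len(blob):
            raise ValueError(f"bad dwLength {length} at offset {off}")
        data = blob[off + HEADER.size:off + length]
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            # SignedData is a DER SEQUENCE (0x30); trim trailing alignment padding.
            total = der_tlv_length(data) if data[:1] == b"\x30" else None
            if total is None or total > len(data):
                raise ValueError(f"entry at {off} is not a well-formed DER SEQUENCE")
            data = data[:total]
        entries.append({"revision": rev, "type": ctype, "data": data})
        off += (length + 7) & ~7          # entries are rounded up to 8-byte boundaries
    return entries


def build_sample():
    """Constructed sample: a stand-in DER SEQUENCE inside one padded WIN_CERTIFICATE."""
    body = b"\x02\x01\x01" + b"\x04\x05hello"          # INTEGER 1, OCTET STRING "hello"
    der = b"\x30" + bytes([len(body)]) + body
    entry = HEADER.pack(HEADER.size + len(der), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + der
    return entry + b"\x00" * (-len(entry) % 8), der
```

On a real PE, pass the bytes read from the security directory (the `thesig` buffer in the thread) to `parse_security_directory` and hand each entry's `data` to the PKCS#7 parser.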