Great! I have an idea of how to implement an API for this limited subset of 
pkcs7 as a utility function like the pkcs12 support we recently merged. 
Hopefully I or someone else can get to it soon.

-Paul

> On Dec 23, 2018, at 6:32 PM, Robert Simmons <rsimmo...@gmail.com> wrote:
> 
> This works great! Thanks!
> 
>> On Sun, Dec 23, 2018 at 7:05 PM Paul Kehrer <paul.l.keh...@gmail.com> wrote:
>> One day I will learn to run the code I write before I ask people to use it. 
>> The missing signers variable should go after the pkcs7 assignment. It looks 
>> like this:
>> 
>> signers = backend._lib.PKCS7_get0_signers(pkcs7, backend._ffi.NULL, 0)
>> 
>> With that in place and using the extracted.der you previously provided I can 
>> parse a cert, which has the following subject/issuer data:
>> 
>>         Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, 
>> CN=COMODO RSA Code Signing CA
>>         Validity
>>             Not Before: Oct 19 00:00:00 2018 GMT
>>             Not After : Sep 25 23:59:59 2019 GMT
>>         Subject: C=GB/postalCode=WA1 1RG, ST=UK, L=WARRINGTON/street=Brunel 
>> House, 340 Firecrest Court, O=TATIANA PUK, LIMITED, CN=TATIANA PUK, LIMITED
>> 
>> I've also attached the cert. If this is what you're looking for then your 
>> use case is covered by the existing issue, although I still need to decide 
>> on an API for this.
>> 
>> -Paul
>> 
>> 
>> 
>>> On December 23, 2018 at 2:17:54 AM, Robert Simmons (rsimmo...@gmail.com) 
>>> wrote:
>>> 
>>> import os
>>> import pathlib
>>> import pefile
>>> 
>>> target = pathlib.Path().home().joinpath('Desktop').joinpath('HWID_4_0_6YMBWX.exe')
>>> fname = str(target)
>>> totsize = os.path.getsize(target)
>>> pe = pefile.PE(fname)
>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
>>> sigoff = 0
>>> siglen = 0
>>> for s in pe.__structures__:
>>>     if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
>>>         sigoff = s.VirtualAddress
>>>         siglen = s.Size
>>> pe.close()
>>> with open(fname, 'rb') as fh:
>>>     fh.seek(sigoff)
>>>     thesig = fh.read(siglen)
>>> 
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> from cryptography.hazmat.backends.openssl import x509
>>> 
>>> bio = backend._bytes_to_bio(thesig[8:])
>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
>>> certs = []
>>> for i in range(backend._lib.sk_X509_num(signers)):
>>>     x509_ptr = backend._lib.sk_X509_value(signers, i)
>>>     certs.append(x509._Certificate(backend, x509_ptr))
>>> 
>>> That's the exact code I'm trying to run with the provided code snippet at 
>>> the end. If you want to follow along with the exact file I'm working with:
>>> hxxps://dangerous[.]link/d9b72c43-1bdd-415b-b15f-3a436b26bca8
>>> 
>>> The password to that file is "infected" and btw: it is live malware, so 
>>> please treat it accordingly. Run code on it in a safe environment for 
>>> handling malware.
>>> 
>>>> On Sun, Dec 23, 2018 at 4:10 AM Robert Simmons <rsimmo...@gmail.com> wrote:
>>>> I've added the use case to the issue as requested. I tried the code 
>>>> snippet, but the contents of signers is missing. What should that be?
>>>> 
>>>> NameError: name 'signers' is not defined
>>>> 
>>>>> On Fri, Dec 21, 2018 at 11:21 AM Paul Kehrer <paul.l.keh...@gmail.com> 
>>>>> wrote:
>>>>> Out of curiosity, does the following code load the cert you expect? der 
>>>>> should be the bytes of extracted.der:
>>>>> 
>>>>> from cryptography.hazmat.backends.openssl.backend import backend
>>>>> from cryptography.hazmat.backends.openssl import x509
>>>>> 
>>>>> bio = backend._bytes_to_bio(der)
>>>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
>>>>> certs = []
>>>>> for i in range(backend._lib.sk_X509_num(signers)):
>>>>>     x509_ptr = backend._lib.sk_X509_value(signers, i)
>>>>>     certs.append(x509._Certificate(backend, x509_ptr))
>>>>> 
>>>>> Certs will be a list of signer certificates -- in this case, just one 
>>>>> cert in the list. Please note that this code does not manage memory 
>>>>> correctly so it should strictly be used to test if the cert you need is 
>>>>> being properly extracted :)
>>>>> 
>>>>> -Paul (reaperhulk)
>>>>> 
>>>>> 
>>>>>> On December 21, 2018 at 8:02:13 AM, Paul Kehrer 
>>>>>> (paul.l.keh...@gmail.com) wrote:
>>>>>> 
>>>>>> Thanks, that's perfect. Looking at this data it's actually a PKCS7 
>>>>>> envelope holding multiple certificates and at the moment cryptography 
>>>>>> unfortunately has no interface for parsing PKCS7. If you wouldn't mind 
>>>>>> sharing your use case directly on 
>>>>>> https://github.com/pyca/cryptography/issues/3983 then it will help me 
>>>>>> when I'm prioritizing features for upcoming releases.
>>>>>> 
>>>>>> -Paul
>>>>>> 
>>>>>> 
>>>>>>> On December 20, 2018 at 2:23:11 PM, Robert Simmons 
>>>>>>> (rsimmo...@gmail.com) wrote:
>>>>>>> 
>>>>>>> Definitely. I've attached the DER data as extracted from the PE file 
>>>>>>> using the following code:
>>>>>>> 
>>>>>>> pe = pefile.PE(fname)
>>>>>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
>>>>>>> sigoff = 0
>>>>>>> siglen = 0
>>>>>>> for s in pe.__structures__:
>>>>>>>     if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
>>>>>>>         sigoff = s.VirtualAddress
>>>>>>>         siglen = s.Size
>>>>>>> pe.close()
>>>>>>> with open(fname, 'rb') as fh:
>>>>>>>     fh.seek(sigoff)
>>>>>>>     thesig = fh.read(siglen)
>>>>>>> with open('extracted.der', 'wb') as fh:
>>>>>>>     fh.write(thesig[8:])
>>>>>>> 
>>>>>>> I've attached extracted.der as a zip file to maintain integrity as an 
>>>>>>> attachment.
>>>>>>> 
>>>>>>> Thanks!
>>>>>>> 
>>>>>>>> On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.keh...@gmail.com> 
>>>>>>>> wrote:
>>>>>>>> Could you give us an example (in hex or b64 or something) so we can 
>>>>>>>> easily reproduce? Make sure any certs you're giving us don't contain 
>>>>>>>> sensitive data of course.
>>>>>>>> 
>>>>>>>> -Paul
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> On December 19, 2018 at 11:55:04 PM, Robert Simmons 
>>>>>>>>> (rsimmo...@gmail.com) wrote:
>>>>>>>>> 
>>>>>>>>> I've asked this question on Stack Overflow here:
>>>>>>>>> https://stackoverflow.com/q/53862702/1033217
>>>>>>>>> 
>>>>>>>>> I have compared my code to Didier Stevens's disitool here (examine the 
>>>>>>>>> function ExtractDigitalSignature):
>>>>>>>>> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py
>>>>>>>>> 
>>>>>>>>> When I load that extracted file into a variable and try to parse it 
>>>>>>>>> with cryptography, it fails. If I pipe the same file to openssl on 
>>>>>>>>> the command line, it works.
>>>>>>>>> 
>>>>>>>>> I am thinking this has to do with the number of certificates in the 
>>>>>>>>> directory in the PE file. There can be three (cert, intermediate CA, 
>>>>>>>>> and CA, etc).
>>>>>>>>> 
>>>>>>>>> Any idea what's going on?
>>>>>>>>> _______________________________________________
>>>>>>>>> Cryptography-dev mailing list
>>>>>>>>> Cryptography-dev@python.org
>>>>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
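The thread's snippets skip the first 8 bytes of the security directory (`thesig[8:]`) and hand the rest to OpenSSL's PKCS7 parser. The example below, added here and not code from the thread or from pyca/cryptography, shows what those 8 bytes are (the WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType), walks every entry in the directory rather than assuming there is exactly one, and pulls the certificates out of the SignedData structure with a small DER reader, so the whole thing runs with the standard library only. It goes slightly beyond the thread in that it handles multiple 8-byte-aligned entries and checks dwLength against the directory size. The header constants and the two OIDs are known values from the PE/Authenticode and PKCS#7 specifications; the sample security directory is constructed inline with placeholder "certificates" (plain SEQUENCEs instead of full X.509 ones) purely to exercise the parser. Nothing here verifies the signature: the certificates are whatever was placed in the blob and are untrusted until the SignedData has been verified.

```python
import struct

# WIN_CERTIFICATE header values from the PE/Authenticode spec (known values,
# not taken from the thread).
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"          # id-signedData
OID_SPC_INDIRECT_DATA = "1.3.6.1.4.1.311.2.1.4"   # Authenticode content type


def iter_win_certificates(security_blob):
    """Yield (revision, cert_type, payload) for each WIN_CERTIFICATE entry in the
    raw bytes of IMAGE_DIRECTORY_ENTRY_SECURITY. The 8-byte header the thread skips
    with thesig[8:] is dwLength, wRevision, wCertificateType; entries are padded
    to 8-byte boundaries, so one directory may hold several."""
    off, n = 0, len(security_blob)
    while off + 8 <= n:
        length, revision, cert_type = struct.unpack_from("<IHH", security_blob, off)
        if length < 8 or off + length > n:
            raise ValueError("WIN_CERTIFICATE dwLength points outside the directory")
        yield revision, cert_type, security_blob[off + 8:off + length]
        off += (length + 7) & ~7


def der_read_tlv(buf, off):
    """Minimal DER header reader: returns (tag, header_len, content_len)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if first < 0x80:
        hdr, length = 2, first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or off + 2 + nbytes > len(buf):
            raise ValueError("bad DER length")
        hdr = 2 + nbytes
        length = int.from_bytes(buf[off + 2:off + hdr], "big")
    if off + hdr + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, hdr, length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def extract_signed_data_certificates(der):
    """Return the DER certificates carried in a PKCS#7 SignedData ContentInfo.
    No signature is checked here; the result is untrusted input."""
    tag, hdr, length = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    off = hdr
    tag, hdr, length = der_read_tlv(der, off)
    if tag != 0x06 or decode_oid(der[off + hdr:off + hdr + length]) != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not id-signedData")
    off += hdr + length
    tag, hdr, length = der_read_tlv(der, off)          # content [0] EXPLICIT
    if tag != 0xA0:
        raise ValueError("missing [0] content")
    off += hdr
    tag, hdr, length = der_read_tlv(der, off)          # SignedData SEQUENCE
    if tag != 0x30:
        raise ValueError("SignedData must be a SEQUENCE")
    off += hdr
    for expected in (0x02, 0x31, 0x30):  # version, digestAlgorithms, encapContentInfo
        tag, hdr, length = der_read_tlv(der, off)
        if tag != expected:
            raise ValueError("unexpected SignedData layout")
        off += hdr + length
    certs = []
    tag, hdr, length = der_read_tlv(der, off)
    if tag == 0xA0:  # certificates [0] IMPLICIT SET OF CertificateChoices, OPTIONAL
        inner, end = off + hdr, off + hdr + length
        while inner < end:
            t, h, clen = der_read_tlv(der, inner)
            if t == 0x30:  # a plain Certificate; the other choices use context tags
                certs.append(der[inner:inner + h + clen])
            inner += h + clen
    return certs


def extract_certificates(security_blob):
    """Whole pipeline: every PKCS#7 entry in the security directory -> DER certs."""
    certs = []
    for _revision, cert_type, payload in iter_win_certificates(security_blob):
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            certs.extend(extract_signed_data_certificates(payload))
    return certs


# --- constructed sample data: a tiny DER encoder used only to build the test blob ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_encode(0x06, bytes(out))


# Placeholder "certificates" (constructed); real ones are full X.509 SEQUENCEs.
FAKE_CERTS = [der_encode(0x30, der_encode(0x13, b"leaf")),
              der_encode(0x30, der_encode(0x13, b"intermediate"))]


def build_sample_security_directory():
    """Constructed WIN_CERTIFICATE entry wrapping a SignedData with FAKE_CERTS."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                                  # version
        + der_encode(0x31, b"")                                    # digestAlgorithms
        + der_encode(0x30, encode_oid(OID_SPC_INDIRECT_DATA))      # encapContentInfo
        + der_encode(0xA0, b"".join(FAKE_CERTS))                   # certificates
        + der_encode(0x31, b""))                                   # signerInfos
    content_info = der_encode(0x30, encode_oid(OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    entry = struct.pack("<IHH", 8 + len(content_info), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + content_info
    return entry + b"\x00" * ((-len(entry)) % 8)


if __name__ == "__main__":
    for i, cert in enumerate(extract_certificates(build_sample_security_directory())):
        print(f"certificate {i}: {len(cert)} bytes DER")
```

On a real binary, `security_blob` is the `siglen` bytes read at `sigoff` by the pefile code earlier in the thread; each returned DER blob can then be loaded with `cryptography.x509.load_der_x509_certificate`, and recent versions of cryptography also accept the whole payload via `cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`, the API this thread was asking for. The dwLength check matters in practice: a directory whose header length disagrees with the `Size` from the data directory is either corrupted or tampered with, and is worth flagging before any parsing.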