Great! I have an idea of how to implement an API for this limited subset of pkcs7 as a utility function like the pkcs12 support we recently merged. Hopefully I or someone else can get to it soon.
-Paul > On Dec 23, 2018, at 6:32 PM, Robert Simmons <rsimmo...@gmail.com> wrote: > > This works great! Thanks! > >> On Sun, Dec 23, 2018 at 7:05 PM Paul Kehrer <paul.l.keh...@gmail.com> wrote: >> One day I will learn to run the code I write before I ask people to use it. >> The missing signers variable should go after the pkcs7 assignment. It looks >> like this: >> >> signers = backend._lib.PKCS7_get0_signers(pkcs7, backend._ffi.NULL, 0) >> >> With that in place and using the extracted.der you previously provided I can >> parse a cert, which has the following subject/issuer data: >> >> Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, >> CN=COMODO RSA Code Signing CA >> Validity >> Not Before: Oct 19 00:00:00 2018 GMT >> Not After : Sep 25 23:59:59 2019 GMT >> Subject: C=GB/postalCode=WA1 1RG, ST=UK, L=WARRINGTON/street=Brunel >> House, 340 Firecrest Court, O=TATIANA PUK, LIMITED, CN=TATIANA PUK, LIMITED >> >> I've also attached the cert. If this is what you're looking for then your >> use case is covered by the existing issue, although I still need to decide >> on an API for this. >> >> -Paul >> >> >> >>> On December 23, 2018 at 2:17:54 AM, Robert Simmons (rsimmo...@gmail.com) >>> wrote: >>> >>> import os >>> import pathlib >>> import pefile >>> >>> target = >>> pathlib.Path().home().joinpath('Desktop').joinpath('HWID_4_0_6YMBWX.exe') >>> fname = str(target) >>> totsize = os.path.getsize(target) >>> pe = pefile.PE(fname) >>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']]) >>> sigoff = 0 >>> siglen = 0 >>> for s in pe.__structures__: >>> if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY': >>> sigoff = s.VirtualAddress >>> siglen = s.Size >>> pe.close() >>> with open(fname, 'rb') as fh: >>> fh.seek(sigoff) >>> thesig = fh.read(siglen) >>> >>> from cryptography.hazmat.backends.openssl.backend import backend >>> from cryptography.hazmat.backends.openssl import x509 >>> >>> bio = backend._bytes_to_bio(thesig[8:]) >>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL) >>> certs = [] >>> for i in range(backend._lib.sk_X509_num(signers)): >>> x509_ptr = backend._lib.sk_X509_value(signers, i) >>> certs.append(x509._Certificate(backend, x509_ptr)) >>> >>> That's the exact code I'm trying to run with the provided code snippet at >>> the end. If you want to follow along with the exact file I'm working with: >>> hxxps://dangerous[.]link/d9b72c43-1bdd-415b-b15f-3a436b26bca8 >>> >>> The password to that file is "infected" and btw: it is live malware, so >>> please treat it accordingly. Run code on it in a safe environment for >>> handling malware. >>> >>>> On Sun, Dec 23, 2018 at 4:10 AM Robert Simmons <rsimmo...@gmail.com> wrote: >>>> I've added the use case to the issue as requested. I tried the code >>>> snippet, but the contents of signers is missing. What should that be? >>>> >>>> NameError: name 'signers' is not defined >>>> >>>>> On Fri, Dec 21, 2018 at 11:21 AM Paul Kehrer <paul.l.keh...@gmail.com> >>>>> wrote: >>>>> Out of curiosity, does the following code load the cert you expect? der >>>>> should be the bytes of extracted.der: >>>>> >>>>> from cryptography.hazmat.backends.openssl.backend import backend >>>>> from cryptography.hazmat.backends.openssl import x509 >>>>> >>>>> bio = backend._bytes_to_bio(der) >>>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL) >>>>> certs = [] >>>>> for i in range(backend._lib.sk_X509_num(signers)): >>>>> x509_ptr = backend._lib.sk_X509_value(signers, i) >>>>> certs.append(x509._Certificate(backend, x509_ptr)) >>>>> >>>>> Certs will be a list of signer certificates -- in this case, just one >>>>> cert in the list. Please note that this code does not manage memory >>>>> correctly so it should strictly be used to test if the cert you need is >>>>> being properly extracted :) >>>>> >>>>> -Paul (reaperhulk) >>>>> >>>>> >>>>>> On December 21, 2018 at 8:02:13 AM, Paul Kehrer >>>>>> (paul.l.keh...@gmail.com) wrote: >>>>>> >>>>>> Thanks, that's perfect. Looking at this data it's actually a PKCS7 >>>>>> envelope holding multiple certificates and at the moment cryptography >>>>>> unfortunately has no interface for parsing PKCS7. If you wouldn't mind >>>>>> sharing your use case directly on >>>>>> https://github.com/pyca/cryptography/issues/3983 then it will help me >>>>>> when I'm prioritizing features for upcoming releases. >>>>>> >>>>>> -Paul >>>>>> >>>>>> >>>>>>> On December 20, 2018 at 2:23:11 PM, Robert Simmons >>>>>>> (rsimmo...@gmail.com) wrote: >>>>>>> >>>>>>> Definitely. I've attached the DER data as extracted from the PE file >>>>>>> using the following code: >>>>>>> >>>>>>> pe = pefile.PE(fname) >>>>>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']]) >>>>>>> sigoff = 0 >>>>>>> siglen = 0 >>>>>>> for s in pe.__structures__: >>>>>>> if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY': >>>>>>> sigoff = s.VirtualAddress >>>>>>> siglen = s.Size >>>>>>> pe.close() >>>>>>> with open(fname, 'rb') as fh: >>>>>>> fh.seek(sigoff) >>>>>>> thesig = fh.read(siglen) >>>>>>> with open('extracted.der', 'wb') as fh: >>>>>>> fh.write(thesig[8:]) >>>>>>> >>>>>>> I've attached extracted.der as a zip file to maintain integrity as an >>>>>>> attachment. >>>>>>> >>>>>>> Thanks! >>>>>>> >>>>>>>> On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.keh...@gmail.com> >>>>>>>> wrote: >>>>>>>> Could you give us an example (in hex or b64 or something) so we can >>>>>>>> easily reproduce? Make sure any certs you're giving us don't contain >>>>>>>> sensitive data of course. >>>>>>>> >>>>>>>> -Paul >>>>>>>> >>>>>>>> >>>>>>>>> On December 19, 2018 at 11:55:04 PM, Robert Simmons >>>>>>>>> (rsimmo...@gmail.com) wrote: >>>>>>>>> >>>>>>>>> I've asked this question on Stack Overflow here: >>>>>>>>> https://stackoverflow.com/q/53862702/1033217 >>>>>>>>> >>>>>>>>> I have compared my code to Dider Stevens's disitool here (examine the >>>>>>>>> function ExtractDigitalSignature): >>>>>>>>> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py >>>>>>>>> >>>>>>>>> When I load that extracted file into a variable and try to parse it >>>>>>>>> with cryptography, it fails. If I pipe the same file to openssl on >>>>>>>>> the command line, it works. >>>>>>>>> >>>>>>>>> I am thinking this has to do with the number of certificates in the >>>>>>>>> directory in the PE file. There can be three (cert, intermediate CA, >>>>>>>>> and CA, etc). >>>>>>>>> >>>>>>>>> Any idea what's going on? >>>>>>>>> _______________________________________________ >>>>>>>>> Cryptography-dev mailing list >>>>>>>>> Cryptography-dev@python.org >>>>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>>>>>> _______________________________________________ >>>>>>>> Cryptography-dev mailing list >>>>>>>> Cryptography-dev@python.org >>>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>>>>> _______________________________________________ >>>>>>> Cryptography-dev mailing list >>>>>>> Cryptography-dev@python.org >>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>>> _______________________________________________ >>>>> Cryptography-dev mailing list >>>>> Cryptography-dev@python.org >>>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>> _______________________________________________ >>> Cryptography-dev mailing list >>> Cryptography-dev@python.org >>> https://mail.python.org/mailman/listinfo/cryptography-dev >> _______________________________________________ >> Cryptography-dev mailing list >> Cryptography-dev@python.org >> https://mail.python.org/mailman/listinfo/cryptography-dev > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev@python.org > https://mail.python.org/mailman/listinfo/cryptography-dev
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev