Great! I have an idea of how to implement an API for this limited subset of
pkcs7 as a utility function like the pkcs12 support we recently merged.
Hopefully I or someone else can get to it soon.
-Paul
> On Dec 23, 2018, at 6:32 PM, Robert Simmons <rsimmo...@gmail.com> wrote:
>
> This works great! Thanks!
>
>> On Sun, Dec 23, 2018 at 7:05 PM Paul Kehrer <paul.l.keh...@gmail.com> wrote:
>> One day I will learn to run the code I write before I ask people to use it.
>> The missing signers variable should go after the pkcs7 assignment. It looks
>> like this:
>>
>> signers = backend._lib.PKCS7_get0_signers(pkcs7, backend._ffi.NULL, 0)
>>
>> With that in place and using the extracted.der you previously provided I can
>> parse a cert, which has the following subject/issuer data:
>>
>> Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited,
>> CN=COMODO RSA Code Signing CA
>> Validity
>> Not Before: Oct 19 00:00:00 2018 GMT
>> Not After : Sep 25 23:59:59 2019 GMT
>> Subject: C=GB/postalCode=WA1 1RG, ST=UK, L=WARRINGTON/street=Brunel
>> House, 340 Firecrest Court, O=TATIANA PUK, LIMITED, CN=TATIANA PUK, LIMITED
>>
>> I've also attached the cert. If this is what you're looking for then your
>> use case is covered by the existing issue, although I still need to decide
>> on an API for this.
>>
>> -Paul
>>
>>
>>
>>> On December 23, 2018 at 2:17:54 AM, Robert Simmons (rsimmo...@gmail.com)
>>> wrote:
>>>
>>> import os
>>> import pathlib
>>> import pefile
>>>
>>> target =
>>> pathlib.Path().home().joinpath('Desktop').joinpath('HWID_4_0_6YMBWX.exe')
>>> fname = str(target)
>>> totsize = os.path.getsize(target)
>>> pe = pefile.PE(fname)
>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
>>> sigoff = 0
>>> siglen = 0
>>> for s in pe.__structures__:
>>> if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
>>> sigoff = s.VirtualAddress
>>> siglen = s.Size
>>> pe.close()
>>> with open(fname, 'rb') as fh:
>>> fh.seek(sigoff)
>>> thesig = fh.read(siglen)
>>>
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> from cryptography.hazmat.backends.openssl import x509
>>>
>>> bio = backend._bytes_to_bio(thesig[8:])
>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
>>> certs = []
>>> for i in range(backend._lib.sk_X509_num(signers)):
>>> x509_ptr = backend._lib.sk_X509_value(signers, i)
>>> certs.append(x509._Certificate(backend, x509_ptr))
>>>
>>> That's the exact code I'm trying to run with the provided code snippet at
>>> the end. If you want to follow along with the exact file I'm working with:
>>> hxxps://dangerous[.]link/d9b72c43-1bdd-415b-b15f-3a436b26bca8
>>>
>>> The password to that file is "infected" and btw: it is live malware, so
>>> please treat it accordingly. Run code on it in a safe environment for
>>> handling malware.
>>>
>>>> On Sun, Dec 23, 2018 at 4:10 AM Robert Simmons <rsimmo...@gmail.com> wrote:
>>>> I've added the use case to the issue as requested. I tried the code
>>>> snippet, but the contents of signers is missing. What should that be?
>>>>
>>>> NameError: name 'signers' is not defined
>>>>
>>>>> On Fri, Dec 21, 2018 at 11:21 AM Paul Kehrer <paul.l.keh...@gmail.com>
>>>>> wrote:
>>>>> Out of curiosity, does the following code load the cert you expect? der
>>>>> should be the bytes of extracted.der:
>>>>>
>>>>> from cryptography.hazmat.backends.openssl.backend import backend
>>>>> from cryptography.hazmat.backends.openssl import x509
>>>>>
>>>>> bio = backend._bytes_to_bio(der)
>>>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
>>>>> certs = []
>>>>> for i in range(backend._lib.sk_X509_num(signers)):
>>>>> x509_ptr = backend._lib.sk_X509_value(signers, i)
>>>>> certs.append(x509._Certificate(backend, x509_ptr))
>>>>>
>>>>> Certs will be a list of signer certificates -- in this case, just one
>>>>> cert in the list. Please note that this code does not manage memory
>>>>> correctly so it should strictly be used to test if the cert you need is
>>>>> being properly extracted :)
>>>>>
>>>>> -Paul (reaperhulk)
>>>>>
>>>>>
>>>>>> On December 21, 2018 at 8:02:13 AM, Paul Kehrer
>>>>>> (paul.l.keh...@gmail.com) wrote:
>>>>>>
>>>>>> Thanks, that's perfect. Looking at this data it's actually a PKCS7
>>>>>> envelope holding multiple certificates and at the moment cryptography
>>>>>> unfortunately has no interface for parsing PKCS7. If you wouldn't mind
>>>>>> sharing your use case directly on
>>>>>> https://github.com/pyca/cryptography/issues/3983 then it will help me
>>>>>> when I'm prioritizing features for upcoming releases.
>>>>>>
>>>>>> -Paul
>>>>>>
>>>>>>
>>>>>>> On December 20, 2018 at 2:23:11 PM, Robert Simmons
>>>>>>> (rsimmo...@gmail.com) wrote:
>>>>>>>
>>>>>>> Definitely. I've attached the DER data as extracted from the PE file
>>>>>>> using the following code:
>>>>>>>
>>>>>>> pe = pefile.PE(fname)
>>>>>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
>>>>>>> sigoff = 0
>>>>>>> siglen = 0
>>>>>>> for s in pe.__structures__:
>>>>>>> if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
>>>>>>> sigoff = s.VirtualAddress
>>>>>>> siglen = s.Size
>>>>>>> pe.close()
>>>>>>> with open(fname, 'rb') as fh:
>>>>>>> fh.seek(sigoff)
>>>>>>> thesig = fh.read(siglen)
>>>>>>> with open('extracted.der', 'wb') as fh:
>>>>>>> fh.write(thesig[8:])
>>>>>>>
>>>>>>> I've attached extracted.der as a zip file to maintain integrity as an
>>>>>>> attachment.
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>>> On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.keh...@gmail.com>
>>>>>>>> wrote:
>>>>>>>> Could you give us an example (in hex or b64 or something) so we can
>>>>>>>> easily reproduce? Make sure any certs you're giving us don't contain
>>>>>>>> sensitive data of course.
>>>>>>>>
>>>>>>>> -Paul
>>>>>>>>
>>>>>>>>
>>>>>>>>> On December 19, 2018 at 11:55:04 PM, Robert Simmons
>>>>>>>>> (rsimmo...@gmail.com) wrote:
>>>>>>>>>
>>>>>>>>> I've asked this question on Stack Overflow here:
>>>>>>>>> https://stackoverflow.com/q/53862702/1033217
>>>>>>>>>
>>>>>>>>> I have compared my code to Dider Stevens's disitool here (examine the
>>>>>>>>> function ExtractDigitalSignature):
>>>>>>>>> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py
>>>>>>>>>
>>>>>>>>> When I load that extracted file into a variable and try to parse it
>>>>>>>>> with cryptography, it fails. If I pipe the same file to openssl on
>>>>>>>>> the command line, it works.
>>>>>>>>>
>>>>>>>>> I am thinking this has to do with the number of certificates in the
>>>>>>>>> directory in the PE file. There can be three (cert, intermediate CA,
>>>>>>>>> and CA, etc).
>>>>>>>>>
>>>>>>>>> Any idea what's going on?
>>>>>>>>> _______________________________________________
>>>>>>>>> Cryptography-dev mailing list
>>>>>>>>> Cryptography-dev@python.org
>>>>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>>>>>> _______________________________________________
>>>>>>>> Cryptography-dev mailing list
>>>>>>>> Cryptography-dev@python.org
>>>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>>>>> _______________________________________________
>>>>>>> Cryptography-dev mailing list
>>>>>>> Cryptography-dev@python.org
>>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>>> _______________________________________________
>>>>> Cryptography-dev mailing list
>>>>> Cryptography-dev@python.org
>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>> _______________________________________________
>>> Cryptography-dev mailing list
>>> Cryptography-dev@python.org
>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev@python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
