On a side note: there is one oid in the extensions of this cert that is listed as unknown, but openssl parses it as: Netscape Cert Type: Object Signing
Is this something to submit a bug for? Also, happy holidays!

On Tue, Dec 25, 2018 at 9:41 PM Robert Simmons <rsimmo...@gmail.com> wrote:

> Thanks for the help above. However, I think I'm still missing something.
> When piping the DER binary data to openssl on the command line, the output
> appears to have three certificates in the example DER early in this thread.
> The code above has a list for certs, but it appears to only contain one
> cert at the end of the for loop. Is there a way to view the data from the
> other two? I've attached the output from openssl command line.
>
> On Mon, Dec 24, 2018 at 11:51 AM Paul Kehrer <paul.l.keh...@gmail.com>
> wrote:
>
>> Great! I have an idea of how to implement an API for this limited subset
>> of pkcs7 as a utility function like the pkcs12 support we recently merged.
>> Hopefully I or someone else can get to it soon.
>>
>> -Paul
>>
>> On Dec 23, 2018, at 6:32 PM, Robert Simmons <rsimmo...@gmail.com> wrote:
>>
>> This works great! Thanks!
>>
>> On Sun, Dec 23, 2018 at 7:05 PM Paul Kehrer <paul.l.keh...@gmail.com>
>> wrote:
>>
>>> One day I will learn to run the code I write before I ask people to use
>>> it. The missing signers variable should go after the pkcs7 assignment. It
>>> looks like this:
>>>
>>> signers = backend._lib.PKCS7_get0_signers(pkcs7, backend._ffi.NULL, 0)
>>>
>>> With that in place and using the extracted.der you previously provided I
>>> can parse a cert, which has the following subject/issuer data:
>>>
>>>     Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA
>>>     Validity
>>>         Not Before: Oct 19 00:00:00 2018 GMT
>>>         Not After : Sep 25 23:59:59 2019 GMT
>>>     Subject: C=GB/postalCode=WA1 1RG, ST=UK, L=WARRINGTON/street=Brunel House, 340 Firecrest Court, O=TATIANA PUK, LIMITED, CN=TATIANA PUK, LIMITED
>>>
>>> I've also attached the cert. If this is what you're looking for then
>>> your use case is covered by the existing issue, although I still need to
>>> decide on an API for this.
>>>
>>> -Paul
>>>
>>> On December 23, 2018 at 2:17:54 AM, Robert Simmons (rsimmo...@gmail.com)
>>> wrote:
>>>
>>> import os
>>> import pathlib
>>> import pefile
>>>
>>> target = pathlib.Path().home().joinpath('Desktop').joinpath('HWID_4_0_6YMBWX.exe')
>>> fname = str(target)
>>> totsize = os.path.getsize(target)
>>> pe = pefile.PE(fname)
>>>
>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
>>> sigoff = 0
>>> siglen = 0
>>> for s in pe.__structures__:
>>>     if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
>>>         sigoff = s.VirtualAddress
>>>         siglen = s.Size
>>> pe.close()
>>> with open(fname, 'rb') as fh:
>>>     fh.seek(sigoff)
>>>     thesig = fh.read(siglen)
>>>
>>> from cryptography.hazmat.backends.openssl.backend import backend
>>> from cryptography.hazmat.backends.openssl import x509
>>>
>>> bio = backend._bytes_to_bio(thesig[8:])
>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
>>> certs = []
>>> for i in range(backend._lib.sk_X509_num(signers)):
>>>     x509_ptr = backend._lib.sk_X509_value(signers, i)
>>>     certs.append(x509._Certificate(backend, x509_ptr))
>>>
>>> That's the exact code I'm trying to run with the provided code snippet
>>> at the end. If you want to follow along with the exact file I'm working
>>> with:
>>> hxxps://dangerous[.]link/d9b72c43-1bdd-415b-b15f-3a436b26bca8
>>>
>>> The password to that file is "infected" and btw: it is live malware, so
>>> please treat it accordingly. Run code on it in a safe environment for
>>> handling malware.
>>>
>>> On Sun, Dec 23, 2018 at 4:10 AM Robert Simmons <rsimmo...@gmail.com>
>>> wrote:
>>>
>>>> I've added the use case to the issue as requested. I tried the code
>>>> snippet, but the contents of signers is missing. What should that be?
>>>>
>>>> NameError: name 'signers' is not defined
>>>>
>>>> On Fri, Dec 21, 2018 at 11:21 AM Paul Kehrer <paul.l.keh...@gmail.com>
>>>> wrote:
>>>>
>>>>> Out of curiosity, does the following code load the cert you expect?
>>>>> der should be the bytes of extracted.der:
>>>>>
>>>>> from cryptography.hazmat.backends.openssl.backend import backend
>>>>> from cryptography.hazmat.backends.openssl import x509
>>>>>
>>>>> bio = backend._bytes_to_bio(der)
>>>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL)
>>>>> certs = []
>>>>> for i in range(backend._lib.sk_X509_num(signers)):
>>>>>     x509_ptr = backend._lib.sk_X509_value(signers, i)
>>>>>     certs.append(x509._Certificate(backend, x509_ptr))
>>>>>
>>>>> Certs will be a list of signer certificates -- in this case, just one
>>>>> cert in the list. Please note that this code does not manage memory
>>>>> correctly so it should strictly be used to test if the cert you need is
>>>>> being properly extracted :)
>>>>>
>>>>> -Paul (reaperhulk)
>>>>>
>>>>> On December 21, 2018 at 8:02:13 AM, Paul Kehrer (paul.l.keh...@gmail.com)
>>>>> wrote:
>>>>>
>>>>> Thanks, that's perfect. Looking at this data it's actually a PKCS7
>>>>> envelope holding multiple certificates and at the moment cryptography
>>>>> unfortunately has no interface for parsing PKCS7. If you wouldn't mind
>>>>> sharing your use case directly on
>>>>> https://github.com/pyca/cryptography/issues/3983 then it will help me
>>>>> when I'm prioritizing features for upcoming releases.
>>>>>
>>>>> -Paul
>>>>>
>>>>> On December 20, 2018 at 2:23:11 PM, Robert Simmons (rsimmo...@gmail.com)
>>>>> wrote:
>>>>>
>>>>> Definitely. I've attached the DER data as extracted from the PE file
>>>>> using the following code:
>>>>>
>>>>> pe = pefile.PE(fname)
>>>>>
>>>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
>>>>> sigoff = 0
>>>>> siglen = 0
>>>>> for s in pe.__structures__:
>>>>>     if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
>>>>>         sigoff = s.VirtualAddress
>>>>>         siglen = s.Size
>>>>> pe.close()
>>>>> with open(fname, 'rb') as fh:
>>>>>     fh.seek(sigoff)
>>>>>     thesig = fh.read(siglen)
>>>>> with open('extracted.der', 'wb') as fh:
>>>>>     fh.write(thesig[8:])
>>>>>
>>>>> I've attached extracted.der as a zip file to maintain integrity as an
>>>>> attachment.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.keh...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Could you give us an example (in hex or b64 or something) so we can
>>>>>> easily reproduce? Make sure any certs you're giving us don't contain
>>>>>> sensitive data of course.
>>>>>>
>>>>>> -Paul
>>>>>>
>>>>>> On December 19, 2018 at 11:55:04 PM, Robert Simmons (rsimmo...@gmail.com)
>>>>>> wrote:
>>>>>>
>>>>>> I've asked this question on Stack Overflow here:
>>>>>> https://stackoverflow.com/q/53862702/1033217
>>>>>>
>>>>>> I have compared my code to Didier Stevens's disitool here (examine the
>>>>>> function ExtractDigitalSignature):
>>>>>>
>>>>>> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py
>>>>>>
>>>>>> When I load that extracted file into a variable and try to parse it
>>>>>> with cryptography, it fails. If I pipe the same file to openssl on the
>>>>>> command line, it works.
>>>>>>
>>>>>> I am thinking this has to do with the number of certificates in the
>>>>>> directory in the PE file. There can be three (cert, intermediate CA, and
>>>>>> CA, etc).
>>>>>>
>>>>>> Any idea what's going on?
>>>>>> _______________________________________________
>>>>>> Cryptography-dev mailing list
>>>>>> Cryptography-dev@python.org
>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
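On the three-versus-one certificate count asked about at the top of this thread, as an added example that is not code from the thread or from the cryptography project: the signer list holds only the signing certificate, while the rest of the chain sits in the SignedData certificates field, which this standard-library walk reads after splitting off the 8-byte WIN_CERTIFICATE header that `thesig[8:]` skips. All function names and the sample bytes are constructed for illustration, and the placeholder certificates are not real X.509.

```python
import struct
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2

def win_certificates(table):  # PE security directory -> [(wCertificateType, blob)]
    off, out = 0, []
    while off + 8 <= len(table):
        length, _rev, ctype = struct.unpack_from("<IHH", table, off)
        if length < 8 or off + length > len(table):
            raise ValueError(f"bad dwLength at offset {off}")
        out.append((ctype, table[off + 8:off + length]))  # same bytes as thesig[8:]
        off += (length + 7) & ~7  # entries start on 8-byte boundaries
    return out

def tlv(buf, off=0):  # read one DER TLV -> (tag, value, end_offset)
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes that follow
        n, off = int.from_bytes(buf[off:off + (n & 0x7F)], "big"), off + (n & 0x7F)
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + n], off + n

def children(value):  # constructed value -> [(tag, inner_value, raw_tlv), ...]
    out, off = [], 0
    while off < len(value):
        tag, val, end = tlv(value, off)
        out.append((tag, val, value[off:end]))
        off = end
    return out

def embedded_certs(pkcs7_der):  # raw DER of every cert in SignedData.certificates
    oid, wrapped = children(tlv(pkcs7_der)[1])[:2]  # trailing padding is ignored
    if oid[1] != OID_SIGNED_DATA:
        raise ValueError("not PKCS#7 SignedData")
    signed_data = children(wrapped[1])[0][1]  # [0] EXPLICIT wraps the SEQUENCE
    for tag, val, _raw in children(signed_data):
        if tag == 0xA0:  # certificates [0] IMPLICIT
            return [raw for _t, _v, raw in children(val)]
    return []

def der(tag, body):  # minimal encoder, used only to build the constructed sample
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def constructed_sample():  # one directory entry, three placeholder certificates
    certs = b"".join(der(0x30, bytes([i]) * 60) for i in range(3))
    sd = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"") + der(0xA0, certs) + der(0x31, b""))
    blob = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, sd))
    blob += b"\x00" * (-(len(blob) + 8) % 8)  # pad the entry to an 8-byte multiple
    return struct.pack("<IHH", len(blob) + 8, 0x0200, 0x0002) + blob
```

On real input, pass the bytes the thread calls `thesig` to `win_certificates`; each raw certificate returned by `embedded_certs` can then be loaded with `cryptography.x509.load_der_x509_certificate`.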