I do need all three certs. I do see what PKCS7_get0_signers does now. On Wed, Dec 26, 2018 at 11:27 AM Paul Kehrer <paul.l.keh...@gmail.com> wrote:
> We haven't had anyone request support for those legacy extension types, > but if you think you need it feel free to file an issue and we can discuss > adding it. The data can be parsed out of the UnknownExtension type right > now of course. > > So you need all 3 certs? Only one of them is used for signing which is why > the PKCS7_get0_signers call only returns that one. To obtain the rest we'll > need to de-opaque two PKCS7 structs in cryptography: PKCS7_ENVELOPE > and PKCS7_SIGN_ENVELOPE. Your use case should only require SIGN_ENVELOPE > de-opaqued but might as well get them both. > > -Paul > > > > On December 25, 2018 at 9:15:10 PM, Robert Simmons (rsimmo...@gmail.com) > wrote: > > On a side note: there is one oid in the extensions of this cert that is > listed as unknown, but openssl parses it as: > Netscape Cert Type: > Object Signing > > Is this something to submit a bug for? > > Also, happy holidays! > > On Tue, Dec 25, 2018 at 9:41 PM Robert Simmons <rsimmo...@gmail.com> > wrote: > >> Thanks for the help above. However, I think I'm still missing something. >> When piping the DER binary data to openssl on the command line, the output >> appears to have three certificates in the example DER early in this thread. >> The code above has a list for certs, but it appears to only contain one >> cert at the end of the for loop. Is there a way to view the data from the >> other two? I've attached the output from openssl command line. >> >> On Mon, Dec 24, 2018 at 11:51 AM Paul Kehrer <paul.l.keh...@gmail.com> >> wrote: >> >>> Great! I have an idea of how to implement an API for this limited subset >>> of pkcs7 as a utility function like the pkcs12 support we recently merged. >>> Hopefully I or someone else can get to it soon. >>> >>> -Paul >>> >>> On Dec 23, 2018, at 6:32 PM, Robert Simmons <rsimmo...@gmail.com> wrote: >>> >>> This works great! Thanks! >>> >>> On Sun, Dec 23, 2018 at 7:05 PM Paul Kehrer <paul.l.keh...@gmail.com> >>> wrote: >>> >>>> One day I will learn to run the code I write before I ask people to use >>>> it. The missing signers variable should go after the pkcs7 assignment. It >>>> looks like this: >>>> >>>> signers = backend._lib.PKCS7_get0_signers(pkcs7, backend._ffi.NULL, 0) >>>> >>>> With that in place and using the extracted.der you previously provided >>>> I can parse a cert, which has the following subject/issuer data: >>>> >>>> Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA >>>> Limited, CN=COMODO RSA Code Signing CA >>>> Validity >>>> Not Before: Oct 19 00:00:00 2018 GMT >>>> Not After : Sep 25 23:59:59 2019 GMT >>>> Subject: C=GB/postalCode=WA1 1RG, ST=UK, >>>> L=WARRINGTON/street=Brunel House, 340 Firecrest Court, O=TATIANA PUK, >>>> LIMITED, CN=TATIANA PUK, LIMITED >>>> >>>> I've also attached the cert. If this is what you're looking for then >>>> your use case is covered by the existing issue, although I still need to >>>> decide on an API for this. >>>> >>>> -Paul >>>> >>>> >>>> >>>> On December 23, 2018 at 2:17:54 AM, Robert Simmons (rsimmo...@gmail.com) >>>> wrote: >>>> >>>> import os >>>> import pathlib >>>> import pefile >>>> >>>> target = >>>> pathlib.Path().home().joinpath('Desktop').joinpath('HWID_4_0_6YMBWX.exe') >>>> fname = str(target) >>>> totsize = os.path.getsize(target) >>>> pe = pefile.PE(fname) >>>> >>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']]) >>>> sigoff = 0 >>>> siglen = 0 >>>> for s in pe.__structures__: >>>> if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY': >>>> sigoff = s.VirtualAddress >>>> siglen = s.Size >>>> pe.close() >>>> with open(fname, 'rb') as fh: >>>> fh.seek(sigoff) >>>> thesig = fh.read(siglen) >>>> >>>> from cryptography.hazmat.backends.openssl.backend import backend >>>> from cryptography.hazmat.backends.openssl import x509 >>>> >>>> bio = backend._bytes_to_bio(thesig[8:]) >>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL) >>>> certs = [] >>>> for i in range(backend._lib.sk_X509_num(signers)): >>>> x509_ptr = backend._lib.sk_X509_value(signers, i) >>>> certs.append(x509._Certificate(backend, x509_ptr)) >>>> >>>> That's the exact code I'm trying to run with the provided code snippet >>>> at the end. If you want to follow along with the exact file I'm working >>>> with: >>>> hxxps://dangerous[.]link/d9b72c43-1bdd-415b-b15f-3a436b26bca8 >>>> >>>> The password to that file is "infected" and btw: it is live malware, so >>>> please treat it accordingly. Run code on it in a safe environment for >>>> handling malware. >>>> >>>> On Sun, Dec 23, 2018 at 4:10 AM Robert Simmons <rsimmo...@gmail.com> >>>> wrote: >>>> >>>>> I've added the use case to the issue as requested. I tried the code >>>>> snippet, but the contents of signers is missing. What should that be? >>>>> >>>>> NameError: name 'signers' is not defined >>>>> >>>>> On Fri, Dec 21, 2018 at 11:21 AM Paul Kehrer <paul.l.keh...@gmail.com> >>>>> wrote: >>>>> >>>>>> Out of curiosity, does the following code load the cert you expect? >>>>>> der should be the bytes of extracted.der: >>>>>> >>>>>> from cryptography.hazmat.backends.openssl.backend import backend >>>>>> from cryptography.hazmat.backends.openssl import x509 >>>>>> >>>>>> bio = backend._bytes_to_bio(der) >>>>>> pkcs7 = backend._lib.d2i_PKCS7_bio(bio.bio, backend._ffi.NULL) >>>>>> certs = [] >>>>>> for i in range(backend._lib.sk_X509_num(signers)): >>>>>> x509_ptr = backend._lib.sk_X509_value(signers, i) >>>>>> certs.append(x509._Certificate(backend, x509_ptr)) >>>>>> >>>>>> Certs will be a list of signer certificates -- in this case, just one >>>>>> cert in the list. Please note that this code does not manage memory >>>>>> correctly so it should strictly be used to test if the cert you need is >>>>>> being properly extracted :) >>>>>> >>>>>> -Paul (reaperhulk) >>>>>> >>>>>> >>>>>> On December 21, 2018 at 8:02:13 AM, Paul Kehrer ( >>>>>> paul.l.keh...@gmail.com) wrote: >>>>>> >>>>>> Thanks, that's perfect. Looking at this data it's actually a PKCS7 >>>>>> envelope holding multiple certificates and at the moment cryptography >>>>>> unfortunately has no interface for parsing PKCS7. If you wouldn't mind >>>>>> sharing your use case directly on >>>>>> https://github.com/pyca/cryptography/issues/3983 then it will help >>>>>> me when I'm prioritizing features for upcoming releases. >>>>>> >>>>>> -Paul >>>>>> >>>>>> >>>>>> On December 20, 2018 at 2:23:11 PM, Robert Simmons ( >>>>>> rsimmo...@gmail.com) wrote: >>>>>> >>>>>> Definitely. I've attached the DER data as extracted from the PE file >>>>>> using the following code: >>>>>> >>>>>> pe = pefile.PE(fname) >>>>>> >>>>>> pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']]) >>>>>> sigoff = 0 >>>>>> siglen = 0 >>>>>> for s in pe.__structures__: >>>>>> if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY': >>>>>> sigoff = s.VirtualAddress >>>>>> siglen = s.Size >>>>>> pe.close() >>>>>> with open(fname, 'rb') as fh: >>>>>> fh.seek(sigoff) >>>>>> thesig = fh.read(siglen) >>>>>> with open('extracted.der', 'wb') as fh: >>>>>> fh.write(thesig[8:]) >>>>>> >>>>>> I've attached extracted.der as a zip file to maintain integrity as an >>>>>> attachment. >>>>>> >>>>>> Thanks! >>>>>> >>>>>> On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.keh...@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> Could you give us an example (in hex or b64 or something) so we can >>>>>>> easily reproduce? Make sure any certs you're giving us don't contain >>>>>>> sensitive data of course. >>>>>>> >>>>>>> -Paul >>>>>>> >>>>>>> >>>>>>> On December 19, 2018 at 11:55:04 PM, Robert Simmons ( >>>>>>> rsimmo...@gmail.com) wrote: >>>>>>> >>>>>>> I've asked this question on Stack Overflow here: >>>>>>> https://stackoverflow.com/q/53862702/1033217 >>>>>>> >>>>>>> I have compared my code to Dider Stevens's disitool here (examine >>>>>>> the function ExtractDigitalSignature): >>>>>>> >>>>>>> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py >>>>>>> >>>>>>> When I load that extracted file into a variable and try to parse it >>>>>>> with cryptography, it fails. If I pipe the same file to openssl on the >>>>>>> command line, it works. >>>>>>> >>>>>>> I am thinking this has to do with the number of certificates in the >>>>>>> directory in the PE file. There can be three (cert, intermediate CA, and >>>>>>> CA, etc). >>>>>>> >>>>>>> Any idea what's going on? >>>>>>> _______________________________________________ >>>>>>> Cryptography-dev mailing list >>>>>>> Cryptography-dev@python.org >>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Cryptography-dev mailing list >>>>>>> Cryptography-dev@python.org >>>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>>>>> >>>>>> _______________________________________________ >>>>>> Cryptography-dev mailing list >>>>>> Cryptography-dev@python.org >>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>>>> >>>>>> _______________________________________________ >>>>>> Cryptography-dev mailing list >>>>>> Cryptography-dev@python.org >>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>>>> >>>>> _______________________________________________ >>>> Cryptography-dev mailing list >>>> Cryptography-dev@python.org >>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>> >>>> _______________________________________________ >>>> Cryptography-dev mailing list >>>> Cryptography-dev@python.org >>>> https://mail.python.org/mailman/listinfo/cryptography-dev >>>> >>> _______________________________________________ >>> Cryptography-dev mailing list >>> Cryptography-dev@python.org >>> https://mail.python.org/mailman/listinfo/cryptography-dev >>> >>> _______________________________________________ >>> Cryptography-dev mailing list >>> Cryptography-dev@python.org >>> https://mail.python.org/mailman/listinfo/cryptography-dev >>> >> _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev@python.org > https://mail.python.org/mailman/listinfo/cryptography-dev > > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev@python.org > https://mail.python.org/mailman/listinfo/cryptography-dev >
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev