[Cryptography-dev] Parsing DER from PE File

Paul Kehrer paul.l.kehrer at gmail.com
Fri Dec 21 09:02:13 EST 2018


Thanks, that's perfect. Looking at this data it's actually a PKCS7 envelope
holding multiple certificates and at the moment cryptography unfortunately
has no interface for parsing PKCS7. If you wouldn't mind sharing your use
case directly on https://github.com/pyca/cryptography/issues/3983 then it
will help me when I'm prioritizing features for upcoming releases.

-Paul


On December 20, 2018 at 2:23:11 PM, Robert Simmons (rsimmons0 at gmail.com)
wrote:

Definitely. I've attached the DER data as extracted from the PE file using
the following code:

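import sys
import pefile

fname = sys.argv[1]  # path to the PE file
pe = pefile.PE(fname)
pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
sigoff = 0
siglen = 0
# Locate the security directory entry (the attribute certificate table)
for s in pe.__structures__:
    if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
        # For this directory, VirtualAddress is a file offset, not an RVA
        sigoff = s.VirtualAddress
        siglen = s.Size
pe.close()
with open(fname, 'rb') as fh:
    fh.seek(sigoff)
    thesig = fh.read(siglen)
with open('extracted.der', 'wb') as fh:
    # Skip the 8-byte WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType)
    fh.write(thesig[8:])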

I've attached extracted.der as a zip file to maintain integrity as an
attachment.

Thanks!

On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.kehrer at gmail.com>
wrote:

> Could you give us an example (in hex or b64 or something) so we can easily
> reproduce? Make sure any certs you're giving us don't contain sensitive
> data of course.
>
> -Paul
>
>
> On December 19, 2018 at 11:55:04 PM, Robert Simmons (rsimmons0 at gmail.com)
> wrote:
>
> I've asked this question on Stack Overflow here:
> https://stackoverflow.com/q/53862702/1033217
>
> I have compared my code to Didier Stevens's disitool here (examine the
> function ExtractDigitalSignature):
> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py
>
> When I load that extracted file into a variable and try to parse it with
> cryptography, it fails. If I pipe the same file to openssl on the command
> line, it works.
>
> I am thinking this has to do with the number of certificates in the
> directory in the PE file. There can be three (cert, intermediate CA, and
> CA, etc).
>
> Any idea what's going on?
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
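
Added example (not part of the original thread, and not pefile or pyca/cryptography code): the extraction above skips a fixed 8 bytes with thesig[8:]; this sketch instead walks the WIN_CERTIFICATE entries of the security directory using the header fields from the PE/COFF specification, and trims each blob to its outer DER element so bytes after it (such as alignment padding) do not reach a strict parser. The function names and the sample table are hypothetical and constructed for illustration; a single-byte outer tag is assumed.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType for Authenticode


def der_total_length(buf):
    """Length in bytes of the outer DER element (tag + length + value)."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    first = buf[1]
    if first < 0x80:                      # short form
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def parse_win_certificates(table):
    """Split the attribute certificate table into (revision, type, der) tuples."""
    entries, pos = [], 0
    while pos + 8 <= len(table):
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        length, revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            raise ValueError(f"bad dwLength {length} at offset {pos}")
        body = table[pos + 8:pos + length]
        der_len = der_total_length(body)
        if der_len > len(body):
            raise ValueError("DER element longer than its WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, body[:der_len]))
        pos += (length + 7) & ~7          # entries start on 8-byte boundaries
    return entries


# Constructed sample table: two entries wrapping a toy DER SEQUENCE, not a real signature.
TOY_DER = bytes.fromhex("3003020105")
SAMPLE_TABLE = (
    struct.pack("<IHH", 16, 0x0200, 0x0002) + TOY_DER + b"\x00" * 3   # padding counted in dwLength
    + struct.pack("<IHH", 13, 0x0200, 0x0001) + TOY_DER + b"\x00" * 3  # padding outside dwLength
)

if __name__ == "__main__":
    for revision, cert_type, der in parse_win_certificates(SAMPLE_TABLE):
        print(hex(revision), hex(cert_type), der.hex())
```

To use it on a real file, pass the bytes read from the security directory (thesig in the code above) to parse_win_certificates and keep the entries whose type is WIN_CERT_TYPE_PKCS_SIGNED_DATA.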