[Cryptography-dev] Parsing DER from PE File

Robert Simmons rsimmons0 at gmail.com
Thu Dec 20 15:22:45 EST 2018


Definitely. I've attached the DER data as extracted from the PE file using
the following code:

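import pefile

# fname is the path to the PE file being examined.
pe = pefile.PE(fname)
pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
sigoff = 0
siglen = 0
# Locate the security directory entry; its VirtualAddress is a file offset.
for s in pe.__structures__:
    if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
        sigoff = s.VirtualAddress
        siglen = s.Size
pe.close()
# Read the raw attribute certificate table from the file.
with open(fname, 'rb') as fh:
    fh.seek(sigoff)
    thesig = fh.read(siglen)
# Drop the 8-byte WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType).
with open('extracted.der', 'wb') as fh:
    fh.write(thesig[8:])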

I've attached extracted.der as a zip file to maintain integrity as an
attachment.

Thanks!

On Thu, Dec 20, 2018 at 11:12 AM Paul Kehrer <paul.l.kehrer at gmail.com>
wrote:

> Could you give us an example (in hex or b64 or something) so we can easily
> reproduce? Make sure any certs you're giving us don't contain sensitive
> data of course.
>
> -Paul
>
>
> On December 19, 2018 at 11:55:04 PM, Robert Simmons (rsimmons0 at gmail.com)
> wrote:
>
> I've asked this question on Stack Overflow here:
> https://stackoverflow.com/q/53862702/1033217
>
> I have compared my code to Didier Stevens's disitool here (examine the
> function ExtractDigitalSignature):
> https://github.com/DidierStevens/DidierStevensSuite/blob/master/disitool.py
>
> When I load that extracted file into a variable and try to parse it with
> cryptography, it fails. If I pipe the same file to openssl on the command
> line, it works.
>
> I am thinking this has to do with the number of certificates in the
> directory in the PE file. There can be three (cert, intermediate CA, and
> CA, etc).
>
> Any idea what's going on?
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: extracted.zip
Type: application/zip
Size: 3916 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20181220/225cac42/attachment.zip>