使用 Python 从 PE 文件中提取软件签名证书
Extract Software Signing Cert using Python from a PE File
当尝试使用 cryptography 从 PE 文件中提取证书时,失败 ValueError: Unable to load certificate。我能够使用 subprocess 和 openssl 命令行从同一个 PE 文件中正确提取证书。我想了解使用 cryptography.
的代码版本出了什么问题
我正在使用 Python 3.7.1、密码学 2.4.2 和 pefile 2018.8.8
import pefile
from cryptography import x509
from cryptography.hazmat.backends import default_backend
pe = pefile.PE(fname)
pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
sigoff = 0
siglen = 0
for s in pe.__structures__:
if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
sigoff = s.VirtualAddress
siglen = s.Size
pe.close()
with open(fname, 'rb') as fh:
fh.seek(sigoff)
thesig = fh.read(siglen)
cert = x509.load_der_x509_certificate(thesig[8:], default_backend())
失败 ValueError: Unable to load certificate
问题是签名是 PKCS7 对象。 MS 已将其记录在 Word 中。我还没有找到 PDF 版本...
所以需要先解析PKCS7对象。我为此使用 asn1crypto。
这对我有用:
import pefile
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from asn1crypto import cms
pe = pefile.PE(fname)
sigoff = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]].VirtualAddress
siglen = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]].Size
pe.close()
with open(fname, 'rb') as fh:
fh.seek(sigoff)
thesig = fh.read(siglen)
signature = cms.ContentInfo.load(thesig[8:])
for cert in signature["content"]["certificates"]:
parsed_cert = x509.load_der_x509_certificate(cert.dump(), default_backend())
print(parsed_cert)
当尝试使用 cryptography 从 PE 文件中提取证书时,失败 ValueError: Unable to load certificate。我能够使用 subprocess 和 openssl 命令行从同一个 PE 文件中正确提取证书。我想了解使用 cryptography.
我正在使用 Python 3.7.1、密码学 2.4.2 和 pefile 2018.8.8
import pefile
from cryptography import x509
from cryptography.hazmat.backends import default_backend
pe = pefile.PE(fname)
pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
sigoff = 0
siglen = 0
for s in pe.__structures__:
if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
sigoff = s.VirtualAddress
siglen = s.Size
pe.close()
with open(fname, 'rb') as fh:
fh.seek(sigoff)
thesig = fh.read(siglen)
cert = x509.load_der_x509_certificate(thesig[8:], default_backend())
失败 ValueError: Unable to load certificate
问题是签名是 PKCS7 对象。 MS 已将其记录在 Word 中。我还没有找到 PDF 版本...
所以需要先解析PKCS7对象。我为此使用 asn1crypto。
这对我有用:
import pefile
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from asn1crypto import cms
pe = pefile.PE(fname)
sigoff = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]].VirtualAddress
siglen = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]].Size
pe.close()
with open(fname, 'rb') as fh:
fh.seek(sigoff)
thesig = fh.read(siglen)
signature = cms.ContentInfo.load(thesig[8:])
for cert in signature["content"]["certificates"]:
parsed_cert = x509.load_der_x509_certificate(cert.dump(), default_backend())
print(parsed_cert)