使用 Python 从 PE 文件中提取软件签名证书

Question

当尝试使用从 PE 文件中提取证书时cryptography，失败并显示ValueError: Unable to load certificate. 我可以使用命令行从同一个 PE 文件中正确提取subprocess证书openssl。我想了解使用的代码版本出了什么问题cryptography。

我使用的是Python 3.7.1、加密2.4.2和pefile 2018.8.8

import pefile
from cryptography import x509
from cryptography.hazmat.backends import default_backend

pe = pefile.PE(fname)
pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']])
sigoff = 0
siglen = 0
for s in pe.__structures__:
    if s.name == 'IMAGE_DIRECTORY_ENTRY_SECURITY':
        sigoff = s.VirtualAddress
        siglen = s.Size
pe.close()
with open(fname, 'rb') as fh:
    fh.seek(sigoff)
    thesig = fh.read(siglen)
cert = x509.load_der_x509_certificate(thesig[8:], default_backend())

这失败了ValueError: Unable to load certificate

Answer 1

问题是签名是 PKCS7 对象。MS 已将其记录在Word中。我还没找到PDF版本...

所以你需要先解析PKCS7对象。我为此使用asn1crypto 。

这对我有用：

import pefile
from cryptography import x509
from cryptography.hazmat.backends import default_backend

from asn1crypto import cms

pe = pefile.PE(fname)
sigoff = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]].VirtualAddress
siglen = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]].Size
pe.close()

with open(fname, 'rb') as fh:
    fh.seek(sigoff)
    thesig = fh.read(siglen)

signature = cms.ContentInfo.load(thesig[8:])

for cert in signature["content"]["certificates"]:
    parsed_cert = x509.load_der_x509_certificate(cert.dump(), default_backend())
    print(parsed_cert)