
Returning multiple certificate chains in a PE file

Open acharyab15 opened this issue 2 years ago • 3 comments

Is there a way using this package to extract multiple certificate chains that are present in a PE file? I am currently looking at a PE file that has multiple certificate chains. However, the Parse function seems to only return 1 of those chains with 2 certs, and seems to skip over the remaining cert chains. Is there a slight modification that can be made to get those? Or do you know of any other Go packages that currently do that?

Finally, great job with this package! It was really easy to use compared to some other libraries that I found :)

acharyab15 avatar Nov 21 '23 01:11 acharyab15

Hey @acharyab15

Would it be possible to attach the sample here?

Thanks.

ayoubfaouzi avatar Nov 21 '23 01:11 ayoubfaouzi

I have uploaded a sample file in https://github.com/acharyab15/pefile as it's an exe file and I couldn't do it directly here. (This is a sample file that has 2 cert chains)

When running the parse, I see these certs as output:

```
Cert0:
    Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
    Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
    ValidFrom: 2005-06-07 08:09:10 +0000 UTC
    ValidTo: 2020-05-30 10:48:38 +0000 UTC

Cert1:
    Subject: CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
    ValidFrom: 2015-12-31 00:00:00 +0000 UTC
    ValidTo: 2019-07-09 18:40:36 +0000 UTC

Cert2:
    Subject: CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
    ValidFrom: 2011-08-24 00:00:00 +0000 UTC
    ValidTo: 2020-05-30 10:48:38 +0000 UTC

Cert3:
    Subject: CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL
    Subject: CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    ValidFrom: 2014-09-12 00:00:00 +0000 UTC
    ValidTo: 2019-09-12 23:59:59 +0000 UTC
```

When I run the osslsigncode tool, I get:

```
Signature Index: 0 (Primary Signature)
Signer's certificate:
    Signer #0:
        Subject: /C=IL/postalCode=52583/ST=Gush Dan/L=Ramat Gan/street=5 Hashoshanim st./O=Nir Sofer/CN=Nir Sofer
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
        Serial : 1AF0660E837A35A2CD92EC613FC15DB8
        Certificate expiration date:
            notBefore : Sep 12 00:00:00 2014 GMT
            notAfter : Sep 12 23:59:59 2019 GMT

Number of certificates: 4
    Signer #0:
        Subject: /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
        Issuer : /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
        Serial : 421AF2940984191F520A4BC62426A74B
        Certificate expiration date:
            notBefore : Jun 7 08:09:10 2005 GMT
            notAfter : May 30 10:48:38 2020 GMT
    ------------------
    Signer #1:
        Subject: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SHA-1 Time Stamping Signer
        Issuer : /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
        Serial : 1688F039255E638E69143907E6330B
        Certificate expiration date:
            notBefore : Dec 31 00:00:00 2015 GMT
            notAfter : Jul 9 18:40:36 2019 GMT
    ------------------
    Signer #2:
        Subject: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
        Issuer : /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object
        Serial : 10709D4FF55408D7306001D8EA9175BB
        Certificate expiration date:
            notBefore : Aug 24 00:00:00 2011 GMT
            notAfter : May 30 10:48:38 2020 GMT
    ------------------
    Signer #3:
        Subject: /C=IL/postalCode=52583/ST=Gush Dan/L=Ramat Gan/street=5 Hashoshanim st./O=Nir Sofer/CN=Nir Sofer
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2
        Serial : 1AF0660E837A35A2CD92EC613FC15DB8
        Certificate expiration date:
            notBefore : Sep 12 00:00:00 2014 GMT
            notAfter : Sep 12 23:59:59 2019 GMT

Signature Index: 1
Signer's certificate:
    Signer #0:
        Subject: /C=IL/postalCode=52583/ST=Gush Dan/L=Ramat Gan/street=5 Hashoshanim st./O=Nir Sofer/CN=Nir Sofer
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
        Serial : BD1B1E450BBDD5DF88678E7DDA223D17
        Certificate expiration date:
            notBefore : Mar 30 00:00:00 2016 GMT
            notAfter : Jun 30 23:59:59 2019 GMT

Number of certificates: 2
    Signer #0:
        Subject: /C=IL/postalCode=52583/ST=Gush Dan/L=Ramat Gan/street=5 Hashoshanim st./O=Nir Sofer/CN=Nir Sofer
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
        Serial : BD1B1E450BBDD5DF88678E7DDA223D17
        Certificate expiration date:
            notBefore : Mar 30 00:00:00 2016 GMT
            notAfter : Jun 30 23:59:59 2019 GMT
    ------------------
    Signer #1:
        Subject: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Code Signing CA
        Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
        Serial : 2E7C87CC0E934A52FE94FD1CB7CD34AF
        Certificate expiration date:
            notBefore : May 9 00:00:00 2013 GMT
            notAfter : May 8 23:59:59 2028 GMT
```

So seems like only the primary signature is read and returned?

acharyab15 avatar Nov 21 '23 14:11 acharyab15

Thanks for uploading the sample, I'll have a look.

ayoubfaouzi avatar Nov 22 '23 20:11 ayoubfaouzi
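
Added example, not part of the thread or of the package discussed: additional Authenticode signatures in a PE file can sit either in further WIN_CERTIFICATE records of the attribute certificate table or in a nested-signature attribute (OID 1.3.6.1.4.1.311.2.4.1) inside the primary PKCS#7 blob, so a parser that reads one record and one SignedData reports only the primary chain. The Go code below walks every record of a raw table and flags blobs that contain the nested-signature OID. Assumptions: `WalkCertTable`, `CertEntry` and `entry` are hypothetical names, the input is the raw bytes of the PE security directory, the OID match is a byte-search heuristic rather than an ASN.1 parse, and the sample records are constructed placeholders.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// DER bytes of OID 1.3.6.1.4.1.311.2.4.1 (nested Authenticode signature attribute).
var nestedSigOID = []byte{0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x04, 0x01}

var le = binary.LittleEndian

// CertEntry is one WIN_CERTIFICATE record of the attribute certificate table.
type CertEntry struct {
	Revision, CertType uint16
	Blob               []byte // bCertificate, a PKCS#7 SignedData for type 0x0002
	HasNested          bool   // heuristic: blob contains the nested-signature OID
}

// WalkCertTable returns every record in the table instead of stopping at the first.
func WalkCertTable(table []byte) ([]CertEntry, error) {
	var out []CertEntry
	for off := 0; off+8 <= len(table); { // fewer than 8 bytes left cannot hold a header
		length := int(le.Uint32(table[off:])) // dwLength covers header plus blob
		if length < 8 || length > len(table)-off {
			return out, fmt.Errorf("bad dwLength %d at offset %d", length, off)
		}
		blob := table[off+8 : off+length]
		out = append(out, CertEntry{le.Uint16(table[off+4:]), le.Uint16(table[off+6:]),
			blob, bytes.Contains(blob, nestedSigOID)})
		off += (length + 7) &^ 7 // records start on 8-byte boundaries
	}
	return out, nil
}

// entry builds a constructed record around a placeholder blob (not a real signature).
func entry(blob []byte) []byte {
	b := make([]byte, (8+len(blob)+7)&^7) // zero-padded to an 8-byte boundary
	le.PutUint32(b, uint32(8+len(blob)))  // dwLength excludes the padding
	le.PutUint16(b[4:], 0x0200)           // wRevision: WIN_CERT_REVISION_2_0
	le.PutUint16(b[6:], 0x0002)           // wCertificateType: PKCS signed data
	copy(b[8:], blob)
	return b
}

func main() {
	table := append(entry([]byte("placeholder")), entry(nestedSigOID)...) // constructed
	fmt.Println(WalkCertTable(table))
}
```

A record flagged `HasNested` still needs its unsigned attributes parsed as ASN.1 to extract the inner SignedData and its certificate chain.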