I am currently using OpenSSL commands to parse a signed file, extract the .crls and finally convert them to .pem.

To parse the signed file into asn1parse_content.txt:

```sh
openssl asn1parse -inform DER -in signed.p7s >> asn1parse_content.txt
```

To extract the CRL content from signed.p7s using the offsets and lengths obtained from asn1parse_content.txt:

```sh
dd if=signed.p7s of=crl1.crl bs=1 count=5000 skip=4000
```

To convert the CRL to PEM:

```sh
openssl crl -inform DER -in crl1.crl -outform PEM -out crl1_pem.pem
```

I need to do the same things using the Python pyOpenSSL module on Windows. I have checked SO for related posts, but none matches my requirement; most of the posts are related to RSA keys, private/public keys, direct extraction of .pem from .p7s, etc.

I am very new to Python and OpenSSL and have come up with a small program going through this.

Below is the program to get asn1parse data from the p7s file.

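```python
import sys
from OpenSSL import crypto
from OpenSSL._util import (
    ffi as _ffi,
    lib as _lib,
)

p7s_file = sys.argv[1]
with open(p7s_file, 'rb') as f:
    p7data = f.read()

# The file is DER-encoded, so it is loaded as FILETYPE_ASN1.
p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data)
print(p7)  # prints only the object's repr, not an asn1parse-style dump
```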

Actual Output

```
C:\Python27\lib\site-packages\OpenSSL\crypto.py:14: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography and will be removed in a future release.
  from cryptography import utils, x509
<OpenSSL.crypto.PKCS7 object at 0x000000000359DE48>
```

But I was expecting a series of lines like the ones below:

```
0:d=0 hl=2 l=inf cons: SEQUENCE
2:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
13:d=1 hl=2 l=inf cons: cont [ 0 ]
15:d=2 hl=2 l=inf cons: SEQUENCE
17:d=3 hl=2 l= 1 prim: INTEGER :01
20:d=3 hl=2 l= 15 cons: SET
22:d=4 hl=2 l= 13 cons: SEQUENCE
24:d=5 hl=2 l= 9 prim: OBJECT :sha256
35:d=5 hl=2 l= 0 prim: NULL
37:d=3 hl=2 l=inf cons: SEQUENCE
39:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
50:d=4 hl=2 l= 0 prim: EOC
```

and many other lines.

I am extracting the CRL content with the dd command, using the offset (i.e. the first value), hl and l.

I would appreciate any help with references and examples in this regard.

The following are the posts I have already checked:
1
2
3

and many others

Update 1:

To the above code, I have added the lines below:

```python
pkcs7_PEM = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, p7data)
pkcs7_crl = pkcs7_PEM.get_crls()
print(pkcs7_crl)
```

Then I got this error:

```
C:\Python27\lib\site-packages\OpenSSL\crypto.py:14: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography and will be removed in a future release.
  from cryptography import utils, x509
<OpenSSL.crypto.PKCS7 object at 0x000000000360EE80>
Traceback (most recent call last):
  File "asn1_check.py", line 51, in <module>
    pkcs7_PEM = crypto.load_pkcs7_data(crypto.FILETYPE_PEM, p7data)
  File "C:\Python27\lib\site-packages\OpenSSL\crypto.py", line 3131, in load_pkcs7_data
    _raise_current_error()
  File "C:\Python27\lib\site-packages\OpenSSL\_util.py", line 57, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'get_name', 'no start line')]
```

  • Although [this Q](https://stackoverflow.com/questions/45104923/pyopenssls-pkcs7-object-provide-very-little-information-how-can-i-get-the-sha1) asks about something rather different, the A links to [a pull request](https://github.com/pyca/pyopenssl/pull/367) that (in the Files changed tab) includes code for `get_crls` – dave_thompson_085 Dec 08 '20 at 20:02
  • @dave_thompson_085, I think I have already used the right function `load_pkcs7_data`, but the output it produces is not what I am expecting. I have updated my question with more details, can you please check once? And when I added code for `get_crls()`, I got a different set of errors. – IrAM Dec 09 '20 at 03:32
  • Your file is apparently 'ASN1' format (what OpenSSL usually calls DER) and not PEM. You previously loaded it successfully as ASN1; continue to do that. – dave_thompson_085 Dec 10 '20 at 06:18
  • @dave_thompson_085 thanks, after `p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data)`, now p7 is an object of `OpenSSL.crypto.PKCS7`. How will we get the `crl` data out of that, which functions to use? – IrAM Dec 10 '20 at 10:26
  • I tried using `pkcs7_crl = p7.get_crls() print pkcs7_crl`, but getting error `AttributeError: 'PKCS7' object has no attribute 'get_crls'` – IrAM Dec 10 '20 at 11:01
  • Are you sure you are getting `<(type) object at (address)>` AND the traceback with `no start line`? That's inconsistent and illogical. If you're getting _only_ the traceback, check your file; it has apparently been damaged (perhaps truncated). – dave_thompson_085 Dec 12 '20 at 05:05
  • @dave_thompson_085, that _<(type) object at (address)>_ is coming from `p7 = crypto.load_pkcs7_data(crypto.FILETYPE_ASN1, p7data)` `print p7`; after that I used `get_crl()` on `pkcs7_PEM` as mentioned in **Update 1**, which is causing the traceback and seems not to be the correct way of using it – IrAM Dec 12 '20 at 05:15
  • And why am I not getting replies? I am not sure whether I am asking it correctly or there is very little crowd out there on the subject (I doubt the second), but I would still like to receive inputs even if they are -ve, so that I can improve myself. – IrAM Dec 12 '20 at 05:27
  • Your file is apparently DER not PEM, so `load_pkcs7_data` with `FILETYPE_ASN1` does work and doing it with `FILETYPE_PEM` does NOT work. Don't do the approach which does not work. Do the approach which does work. Once you have the `pkcs7` object how you process it does not depend on how it was read. The pull request I linked to was apparently not accepted into the project, so you can't just use `p7.get_crls`, you need to either 'monkeypatch' your object to add it, or write it as separate code (what C++ would call a 'friend' routine, but python doesn't have a term for this that I know of). – dave_thompson_085 Dec 14 '20 at 04:48
  • Thanks @dave_thompson_085, but I feel it is really strange that we have no way to read a p7s file using pyopenssl – IrAM Dec 14 '20 at 04:54
  • @dave_thompson_085, can you please help in migrating this post to _crypto.stackexchange.com_? I hope I may get some more responses there. I couldn't find a way to migrate this by myself. – IrAM Dec 15 '20 at 14:09
  • I am voting to close this question here and request to migrate this to other site such as serverfault, crypto, security or other sites where more **active OpenSSL** discussions happen. – IrAM Dec 17 '20 at 19:18

0 Answers
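
Added example (not part of the original question or comments, and not pyOpenSSL code): the `asn1parse` + `dd` + `openssl crl -outform PEM` steps from the question, done with only the Python 3 standard library. It walks the BER/DER structure, including the indefinite lengths (`l=inf`) seen in the question's output, and takes the `crls [1]` field of SignedData. The function names and the `SAMPLE`/`FAKE_CRL` bytes are constructed for illustration, and single-byte tags are assumed.

```python
import base64

def read_header(buf, off):
    """Return (tag, header_len, content_len); content_len is None for indefinite form."""
    if off + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % off)
    tag, first = buf[off], buf[off + 1]
    if first <= 0x80:                       # short form; 0x80 alone means indefinite (l=inf)
        return tag, 2, None if first == 0x80 else first
    n = first & 0x7F                        # long form: n length bytes follow
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def parse(buf, off, depth, nodes):
    """Record [offset, depth, hl, tag, end] per element; return the element's end."""
    tag, hl, length = read_header(buf, off)
    node = [off, depth, hl, tag, None]      # end offset is filled in once known
    nodes.append(node)
    pos = off + hl
    if length is None:                      # children run until the EOC marker 00 00
        while buf[pos:pos + 2] != b"\x00\x00":
            pos = parse(buf, pos, depth + 1, nodes)
        pos += 2
    else:
        end = pos + length
        while tag & 0x20 and pos < end:     # constructed: descend into children
            pos = parse(buf, pos, depth + 1, nodes)
        if pos > end or end > len(buf):     # reject lengths that do not add up
            raise ValueError("bad length in element at offset %d" % off)
        pos = end
    node[4] = pos
    return pos

def extract_crls(p7):
    """Return the raw bytes of each CertificateList under SignedData.crls ([1], d=3)."""
    nodes = []
    parse(p7, 0, 0, nodes)
    return [p7[o:e] for off, depth, _, tag, end in nodes if depth == 3 and tag == 0xA1
            for o, d, _, t, e in nodes if d == 4 and t == 0x30 and off < o < end]

def der_to_pem(der, label="X509 CRL"):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample: indefinite-length SignedData shell; FAKE_CRL is a placeholder, not a CRL.
FAKE_CRL = bytes.fromhex("3006020101020102")
SAMPLE = bytes.fromhex("308006092a864886f70d010702a080308002010131003080"
                       "06092a864886f70d0107010000a180" + FAKE_CRL.hex() + "00003100" + "0000" * 3)
```

With a real file, `extract_crls(open("signed.p7s", "rb").read())` returns the byte ranges that the `dd` step cuts out by hand, and `der_to_pem` wraps each one in the same PEM armor that `openssl crl -outform PEM` writes.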