Programmatically getting an executable's Certificate Details
Super User Asked by Claudiu Dragan on November 27, 2020
It is possible to somehow programmatically export a file’s digital certificate’s subject if the certificate itself is not installed on the workstation but is only used to sign that specific file?
I need to somehow extract that information from a file and check if it’s correct. Preferably using Python/CMD/PowerShell
EDIT:
Sorry for the lack of details.
I’m currently using this python script (which I modified to run on Python 3.6): http://www.zedwood.com/article/python-openssl-x509-parse-certificate to parse a .cer file that I extracted from the original executable file with this little tool I’ve found (which I also modified to work with Python 3): https://blog.didierstevens.com/programs/disitool/ but only after I convert it from a DER-encoded binary to a base-64 with the Windows certutil.
The problem with the disitool script, though, is that it literally CUTS a ‘signature’ bytearray from the executable itself using the pefile python module, which makes the extracted .cer file invalid, as per the python error that I keep getting when trying to load the certificate with the OpenSSL.crypto module:
[('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error'), ('asn1 encoding routines', 'asn1_template_noexp_d2i', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]
But parsing a good extracted certificate (with the first script I posted above) works, as you can see here:
![Parsing works just fine]](https://i.stack.imgur.com/4HtQ6.png)
So, I just need a way to extract the certificate from an executable, I guess. Or, if you’ve found my solution too complicated, If you have any idea how I could get that “Redmond” text from the certificate’s Subject field, I’m very open to ideas 🙂
2 Answers
In Powershell:
Get-AuthenticodeSignature C:PathTOFile.exe
So, using your example of explorer.exe this would get Redmond:
(Get-AuthenticodeSignature C:Windowsexplorer.exe).SignerCertificate.subject.split(',')[2].split('=')[1]
Since you asked for elaboration, Get-AuthenticodeSignature returns a System.Management.Automation.Signature object. You can find this out a few ways. Personally I prefer to assign it to a variable so I can play around with the returned object further. Once you have it assigned to a variable you can learn things about it. Get-Member should be one of your go to cmdlets in Powershell. In this case:
$foo = Get-AuthenticodeSignature C:Windowsexplorer.exe
Get-Member -InputObject $foo
TypeName: System.Management.Automation.Signature
Name MemberType Definition
---- ---------- ----------
Equals Method bool Equals(System.Object obj)
GetHashCode Method int GetHashCode()
GetType Method type GetType()
ToString Method string ToString()
IsOSBinary Property bool IsOSBinary {get;}
Path Property string Path {get;}
SignatureType Property System.Management.Automation.SignatureType SignatureType {get;}
SignerCertificate Property System.Security.Cryptography.X509Certificates.X509Certificate2 SignerCertificate {...
Status Property System.Management.Automation.SignatureStatus Status {get;}
StatusMessage Property string StatusMessage {get;}
TimeStamperCertificate Property System.Security.Cryptography.X509Certificates.X509Certificate2 TimeStamperCertific...
So you can see that the object has some methods and some properties (I know, all objects do). In this case the methods are all the standard ones that are inherited from System.Object. The properties though are interesting. The SignerCertificate looks like what you wanted so let's see what that looks like:
$foo.SignerCertificate
Thumbprint Subject
---------- -------
419E77AED546A1A6CF4DC23C1F977542FE289CF7 CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
The thumbrint is obviously important because it is what identifies the cert but you had asked about the Redmond that is in the subject. So now we know how to get to that as a string:
$foo.SignerCertificate.Subject
So it is just straight string parsing from here.
One more tidbit that I will throw in since it seems you may be learning Powershell. Another cmdlet that you should try regularly is Get-Command. In this case I did not even know that the Get-AuthenticodeSignature cmdlet existed before you asked the question. So I did this:
Get-Command *signature*
CommandType Name Version Source
----------- ---- ------- ------
Function Update-MpSignature 1.0 Defender
Cmdlet Get-AuthenticodeSignature 3.0.0.0 Microsoft.PowerShell.Security
Cmdlet Save-VolumeSignatureCatalog 1.0.0.0 ShieldedVMDataFile
Cmdlet Set-AuthenticodeSignature 3.0.0.0 Microsoft.PowerShell.Security
Correct answer by EBGreen on November 27, 2020
in powershell: you can have comma in CN, then whis worked for me:
(Get-AuthenticodeSignature C:Windowsexplorer.exe).SignerCertificate.subject.split('=')[1].split('"=')[1]
Answered by Jan on November 27, 2020
Add your own answers!
Ask a Question
Get help from others!
Recent Answers
- haakon.io on Why fry rice before boiling?
- Jon Church on Why fry rice before boiling?
- Lex on Does Google Analytics track 404 page responses as valid page views?
- Peter Machado on Why fry rice before boiling?
- Joshua Engel on Why fry rice before boiling?
Recent Questions
- How can I transform graph image into a tikzpicture LaTeX code?
- How Do I Get The Ifruit App Off Of Gta 5 / Grand Theft Auto 5
- Iv’e designed a space elevator using a series of lasers. do you know anybody i could submit the designs too that could manufacture the concept and put it to use
- Need help finding a book. Female OP protagonist, magic
- Why is the WWF pending games (“Your turn”) area replaced w/ a column of “Bonus & Reward”gift boxes?