From e0b3a1782363feb835e75f695419cb5458923b19 Mon Sep 17 00:00:00 2001 From: olszomal Date: Tue, 16 Dec 2025 14:40:36 +0100 Subject: [PATCH 1/2] Add keyUsage digitalSignature validation for signer certificate --- osslsigncode.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/osslsigncode.c b/osslsigncode.c index 071b223..94961c3 100644 --- a/osslsigncode.c +++ b/osslsigncode.c @@ -2535,9 +2535,17 @@ static int verify_authenticode(FILE_FORMAT_CTX *ctx, PKCS7 *p7, time_t time, X50 if (!crlok) goto out; } - /* check extended key usage flag XKU_CODE_SIGN */ + /* + * Verify that: + * - extendedKeyUsage, if present, permits codeSigning (RFC 5280 section 4.2.1.12) + * - keyUsage, if present, permits digitalSignature (RFC 5280 section 4.2.1.3) + */ if (!(X509_get_extended_key_usage(signer) & XKU_CODE_SIGN)) { - fprintf(stderr, "Unsupported Signer's certificate purpose XKU_CODE_SIGN\n"); + fprintf(stderr, "Signer certificate rejected: extendedKeyUsage does not permit codeSigning\n"); + goto out; + } + if (!(X509_get_key_usage(signer) & X509v3_KU_DIGITAL_SIGNATURE)) { + fprintf(stderr, "Signer certificate rejected: keyUsage does not permit digitalSignature\n"); goto out; } From 074ec47cc0ddf7fd64fd596696154445d7f09c82 Mon Sep 17 00:00:00 2001 From: olszomal Date: Tue, 16 Dec 2025 14:40:54 +0100 Subject: [PATCH 2/2] tests: add digitalSignature keyUsage to leaf certificate --- tests/make_certificates.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/make_certificates.py b/tests/make_certificates.py index 823ff19..e457a1f 100644 --- a/tests/make_certificates.py +++ b/tests/make_certificates.py @@ -338,6 +338,17 @@ def make_cert(self, public_key, not_before, days) -> Certificate: authority_key = AuthorityKeyIdentifier.from_issuer_subject_key_identifier( self.issuer_cert.extensions.get_extension_for_class(SubjectKeyIdentifier).value ) + key_usage = KeyUsage( + digital_signature=True, + content_commitment=False, + key_encipherment=False, + data_encipherment=False, + key_agreement=False, + key_cert_sign=False, + crl_sign=False, + encipher_only=False, + decipher_only=False + ) extended_key_usage = ExtendedKeyUsage( [ExtendedKeyUsageOID.CODE_SIGNING] ) @@ -352,6 +363,7 @@ def make_cert(self, public_key, not_before, days) -> Certificate: .add_extension(BasicConstraints(ca=False, path_length=None), critical=False) .add_extension(SubjectKeyIdentifier.from_public_key(public_key), critical=False) .add_extension(authority_key, critical=False) + .add_extension(key_usage, critical=False) .add_extension(extended_key_usage, critical=False) .add_extension(self.create_x509_crldp(), critical=False) .sign(self.issuer_key, SHA256())