Dear Sigcheck Developers,
We are a research group analyzing the compliance of code-signing certificates and related verification tools. During our empirical study, we identified that Sigcheck seems to have validation weaknesses concerning X.509 Key Usage enforcement.
Summary of Findings
Our findings indicate that Sigcheck:
- Does Not Verify Presence of the Key Usage Extension
  - Certificates lacking a Key Usage extension are accepted for code-signing verification.
  - This implicitly assumes signing authorization when it is not explicitly granted.
- Does Not Require Key Usage to Be Marked as Critical
  - The verifier does not enforce the criticality of the Key Usage extension.
  - This allows authorization constraints to be ignored without triggering validation failure.
These behaviors were observed across multiple real-world certificates from different certificate authorities.
Security Impact
As a result, certificates that are:
- Not intended for code signing
- Issued for identity or authentication purposes
- Missing or misconfigured authorization constraints
can still successfully pass verification, expanding the potential for certificate misuse and abuse.
These observations are part of an academic study on the code-signing ecosystem and reflect our current understanding of the verification logic. Any clarification or feedback would be greatly appreciated. We would also be happy to provide additional details or supporting evidence upon request.
Thank you for your continued work on Sigcheck.
Sincerely,
Hanqing Zhao and Zi-Quan You
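The two checks the report asks for, as an added example that is not part of the original issue and is not Sigcheck's code: a pure-Python DER walker that locates the X.509 Key Usage extension (OID 2.5.29.15) and rejects a certificate unless the extension is present, marked critical, and asserts digitalSignature. The extension blobs it runs on are constructed in the file with a small DER encoder, not taken from real certificates, and the `strict=False` mode is an assumption about how a lax verifier behaves (accept when the extension is absent, ignore criticality), not a description of Sigcheck's actual implementation.

```python
"""Strict Key Usage enforcement for code-signing verification (added example).

Pure Python, no third-party packages. Sample extension sequences are
constructed below and are NOT real certificates.
"""
from dataclasses import dataclass

OID_KEY_USAGE = "2.5.29.15"
# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of the first byte.
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
            "encipherOnly", "decipherOnly"]


# ---- minimal DER encode/decode helpers ------------------------------------
def _read_len(buf, i):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def der_iter(buf):
    """Yield (tag, contents) for each TLV element in buf."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        length, i = _read_len(buf, i + 1)
        yield tag, buf[i:i + length]
        i += length


def der_encode(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += enc
    return der_encode(0x06, bytes(body))


def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


# ---- X.509 Extension handling ---------------------------------------------
@dataclass
class Extension:
    oid: str
    critical: bool   # DEFAULT FALSE in the ASN.1, so absent means non-critical
    value: bytes     # DER inside the extnValue OCTET STRING


def parse_extensions(extensions_der):
    """Parse an Extensions SEQUENCE (the element inside the [3] wrapper)."""
    _, seq = next(der_iter(extensions_der))
    exts = []
    for tag, body in der_iter(seq):
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        items = list(der_iter(body))
        oid, idx, critical = decode_oid(items[0][1]), 1, False
        if items[idx][0] == 0x01:             # optional BOOLEAN critical
            critical = items[idx][1] != b"\x00"
            idx += 1
        exts.append(Extension(oid, critical, items[idx][1]))
    return exts


def key_usage_bits(bitstring_der):
    """Decode a KeyUsage BIT STRING into the set of asserted bit names."""
    tag, body = next(der_iter(bitstring_der))
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, data = body[0], body[1:]
    names = set()
    for i in range(len(data) * 8 - unused):
        if data[i // 8] & (0x80 >> (i % 8)):
            names.add(KU_NAMES[i] if i < len(KU_NAMES) else f"bit{i}")
    return names


def check_key_usage_for_code_signing(extensions_der, strict=True):
    """Return (accepted, reason). strict=False models a lax verifier (assumed)."""
    exts = {e.oid: e for e in parse_extensions(extensions_der)}
    ku = exts.get(OID_KEY_USAGE)
    if ku is None:
        return (True, "Key Usage absent, signing assumed") if not strict \
            else (False, "Key Usage extension absent")
    if strict and not ku.critical:
        return False, "Key Usage present but not marked critical"
    bits = key_usage_bits(ku.value)
    if "digitalSignature" not in bits:
        return False, "digitalSignature not asserted: " + ",".join(sorted(bits))
    return True, "digitalSignature asserted (%s)" % ("critical" if ku.critical else "non-critical")


# ---- constructed sample inputs (not real certificates) --------------------
def encode_key_usage(bit_indexes):
    """Encode KeyUsage bits 0-7 as a minimal DER BIT STRING."""
    byte = 0
    for b in bit_indexes:
        byte |= 0x80 >> b
    if byte == 0:
        return der_encode(0x03, b"\x00")
    unused = (byte & -byte).bit_length() - 1   # trailing zero bits are "unused"
    return der_encode(0x03, bytes([unused, byte]))


def make_extension(oid, critical, value_der):
    body = encode_oid(oid)
    if critical:
        body += der_encode(0x01, b"\xff")
    return der_encode(0x30, body + der_encode(0x04, value_der))


def make_extensions(*exts):
    return der_encode(0x30, b"".join(exts))


SAMPLES = {
    "no_key_usage": make_extensions(),
    "ku_noncritical_digsig": make_extensions(make_extension(OID_KEY_USAGE, False, encode_key_usage([0]))),
    "ku_critical_digsig": make_extensions(make_extension(OID_KEY_USAGE, True, encode_key_usage([0]))),
    "ku_critical_keyenc_only": make_extensions(make_extension(OID_KEY_USAGE, True, encode_key_usage([2]))),
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name:26s} strict={check_key_usage_for_code_signing(der)}  lax={check_key_usage_for_code_signing(der, strict=False)}")
```

Two caveats for anyone turning this into a real check. RFC 5280 section 4.2.1.3 only says conforming CAs SHOULD mark Key Usage critical, and a relying party must honour the extension whether or not it is critical, so the criticality requirement above is a stricter policy than the RFC mandates; a verifier that wants to stay interoperable can log non-critical Key Usage as a finding rather than a hard failure, while still rejecting a missing extension or a missing digitalSignature bit. Separately, Key Usage alone does not say "code signing": a production check should also require id-kp-codeSigning (1.3.6.1.5.5.7.3.3) in Extended Key Usage, which is what distinguishes an identity or authentication certificate from one issued for signing.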