I guess you're right: for the verification process to be symmetric, the key usage should be checked. However, adding it now could be a breaking change... I'll have to think if it should be behind a configuration flag. Anyway, let's get back to this after those other changes are done.
While working on the tests included in #229 I noticed that signature validation passes even if the signing certificate includes a keyUsage extension that does not allow signing.
This test in the PR demonstrates the problem: https://github.com/airtower-luna/xades4j/blob/030bb98aa0785cae035ab34b78bc675d02e5e985/src/test/java/xades4j/production/UncheckedSignerBESTest.java#L112-L119
The certificate used for signing in the test is this one: https://github.com/airtower-luna/xades4j/blob/unchecked-signer/src/test/cert/unchecked/noSignKeyUsage.pem
I believe this is a security issue, because it makes signatures appear valid even if the certificate is not valid for signing.
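The kind of verifier-side check this issue asks for, as an added example (not xades4j code and not part of the original issue). The class and method names are hypothetical, and accepting either `digitalSignature` or `nonRepudiation` as sufficient is an assumption:

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Added illustration, not xades4j code. Class and method names are hypothetical.
public class KeyUsageCheck {
    // Bit positions in the array returned by X509Certificate.getKeyUsage() (RFC 5280 order).
    private static final int DIGITAL_SIGNATURE = 0;
    private static final int NON_REPUDIATION = 1; // also called contentCommitment

    /**
     * Decides from a getKeyUsage() array whether the key may be used for signing.
     * null means the certificate has no keyUsage extension, so usage is unrestricted.
     * Assumption: either digitalSignature or nonRepudiation is sufficient.
     */
    static boolean allowsSigning(boolean[] keyUsage) {
        if (keyUsage == null) {
            return true;
        }
        return isSet(keyUsage, DIGITAL_SIGNATURE) || isSet(keyUsage, NON_REPUDIATION);
    }

    private static boolean isSet(boolean[] bits, int index) {
        return index < bits.length && bits[index];
    }

    /** Verifier-side gate: reject a signing certificate whose keyUsage forbids signing. */
    static void requireSigningKeyUsage(X509Certificate cert) throws CertificateException {
        if (!allowsSigning(cert.getKeyUsage())) {
            throw new CertificateException("keyUsage does not permit signing: "
                    + cert.getSubjectX500Principal().getName());
        }
    }

    public static void main(String[] args) {
        // Constructed sample values shaped like getKeyUsage() results (9 bits each).
        boolean[] keyEnciphermentOnly = new boolean[9];
        keyEnciphermentOnly[2] = true; // keyEncipherment, no signing bits
        boolean[] signingAllowed = new boolean[9];
        signingAllowed[DIGITAL_SIGNATURE] = true;

        System.out.println("no extension:        " + allowsSigning(null));
        System.out.println("keyEncipherment:     " + allowsSigning(keyEnciphermentOnly));
        System.out.println("digitalSignature:    " + allowsSigning(signingAllowed));
    }
}
```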