Signature verification doesn't check certificate keyUsage

[airtower-luna]

While working on the tests included in #229 I noticed that signature validation passes even if the signing certificate includes a keyUsage extension that does not allow signing.

This test in the PR demonstrates the problem: https://github.com/airtower-luna/xades4j/blob/030bb98aa0785cae035ab34b78bc675d02e5e985/src/test/java/xades4j/production/UncheckedSignerBESTest.java#L112-L119

The certificate used for signing in the test is this one: https://github.com/airtower-luna/xades4j/blob/unchecked-signer/src/test/cert/unchecked/noSignKeyUsage.pem

I believe this is a security issue, because it makes signatures appear valid even if the certificate is not valid for signing.

[luisgoncalves]

I guess you're right: for the verification process to be symmetric, the key usage should be checked. However, adding it now could be a breaking change... I'll have to think if it should be behind a configuration flag. Anyway, lets get back at this after those other changes are done.

[luisgoncalves]

For reference: this check was added and SignatureSpecificVerificationOptions now includes an option to disable it.