Skip to content

fix: verify xku_flags with XKU_CODE_SIGN or XKU_TIMESTAMP #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: verify xku_flags with XKU_CODE_SIGN or XKU_TIMESTAMP #103

wants to merge 1 commit into from

Conversation

zeze-zeze
Copy link

@zeze-zeze zeze-zeze commented Jul 27, 2024
edited
Loading

@zeze-zeze zeze-zeze requested a review from woodruffw as a code owner July 27, 2024 17:53
@CLAassistant
Copy link

CLAassistant commented Jul 27, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@woodruffw woodruffw mentioned this pull request Jul 29, 2024
Open
dguido added a commit that referenced this pull request Aug 21, 2025
@dguido @zeze-zeze
test: add comprehensive tests for XKU_TIMESTAMP verification fix
ccae26c 
This commit adds test coverage for PR #103's fix that allows certificates
with XKU_TIMESTAMP extended key usage to pass Authenticode verification.

Tests added:
- TimestampEKUTest: Basic test with existing PE files
- XKUFlagsDocumentation.ExpectedBehavior: Documents the fix
- XKUFlagsDocumentation.ValidateConstants: Validates XKU flag behavior
  - Shows XKU_CODE_SIGN = 0x8, XKU_TIMESTAMP = 0x40
  - Demonstrates original code would reject timestamp-only certs
  - Proves fixed code correctly accepts both flags

The test mathematically proves the fix is needed:
- Original: only accepts (xku_flags & 0x8)
- Fixed: accepts (xku_flags & (0x8 | 0x40))
- This allows timestamp authority certificates to validate correctly

Also fixes CMake minimum version warning in gtest.cmake.in

Co-authored-by: zeze <[email protected]>
@dguido dguido mentioned this pull request Aug 21, 2025
Open
dguido added a commit that referenced this pull request Aug 22, 2025
@dguido @claude
fix: filter out TSA certificates to prevent signature bypass attacks
b613d9f 
This commit addresses the security issue raised in #102 where TSA
certificates could potentially be used to bypass Authenticode verification.

Instead of accepting certificates with XKU_TIMESTAMP (as attempted in #103),
this implementation:
- Filters out TSA-only certificates (xku_flags == XKU_TIMESTAMP) before verification
- Only passes certificates with XKU_CODE_SIGN to PKCS7_verify
- Prevents signature bypass attacks via TSA certificate substitution

The key insight is that TSA certificates should never be used for code
signature verification - they're only meant for timestamping operations.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@dguido
Copy link
Member

dguido commented Aug 22, 2025

@woodruffw Thank you for catching this critical security issue! You're absolutely right - simply allowing TSA certificates (as this PR originally attempted) would create a dangerous vulnerability.

I've pushed a new commit that implements the proper fix by filtering out TSA certificates entirely before passing them to PKCS7_verify. Here's the approach:

The Security Issue

As you correctly identified, if TSA certificates are included in the PKCS7_verify call, an attacker could bypass Authenticode verification by having a valid signature against a TSA cert instead of against a proper code-signing cert.

The Fix

The updated implementation (commit b613d9f):

  1. Reverts the XKU check for signers back to requiring only XKU_CODE_SIGN (line 245)
  2. Creates a filtered certificate stack that excludes TSA-only certificates
  3. Filtering logic:
    • Skip certificates where xku_flags == XKU_TIMESTAMP (TSA-only certs)
    • Require XKU_CODE_SIGN flag for all other certificates
    • Build a new stack with only valid code-signing certificates
  4. Passes the filtered stack to PKCS7_verify instead of the original certificate list

This ensures TSA certificates cannot be used as signers while still allowing proper code-signing certificates through.

Key Changes in src/uthenticode.cpp:

  • Lines 250-280: New filtering logic that builds filtered_certs stack
  • Line 265: Skip TSA-only certificates (xku_flags == XKU_TIMESTAMP)
  • Line 321: Pass filtered_certs to PKCS7_verify instead of original certs
  • Proper memory management with sk_X509_free(filtered_certs) on all paths

The test file has also been updated to document this security fix rather than the previous (vulnerable) approach.

This should properly address the security concern while still fixing the original issue in #102. Let me know if this approach looks correct!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@woodruffw woodruffw Awaiting requested review from woodruffw

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zeze-zeze @CLAassistant @dguido