src: bump OpenSSL, EKU check

trailofbits / uthenticode

A cross-platform library for verifying Authenticode signatures

https://trailofbits.github.io/uthenticode/

MIT License

138 stars 33 forks source link

src: bump OpenSSL, EKU check #78

Closed woodruffw closed 1 year ago

woodruffw commented 1 year ago

We now use OpenSSL 3.0 or higher.

This also (partially) fixes a gap in our Authenticode compliance: we now reject signer certificates that lack the codeSigning EKU. This is a superset of Authenticode's specified behavior, as we lack the context (a full chain) needed to accept some certificates that don't have the codeSigning EKU. In practice, this shouldn't be a concern: most Authenticode CAs should be issuing EE certs with this EKU.

woodruffw commented 1 year ago

~~N.B.: This needs a unit test before merging.~~