[BUG] Certificate extend key usage check cause check failure

# What happened

There is a certificate type with `Ext Key Usage` of `XKU_TIMESTAMP`. This type of certificate is used to verify time stuffs, and it will **NOT** be showed as a PE file's signature under Windows's file property dialog. You can see picture below:

![Certificate](https://i.imgur.com/qK86LrO.png)

You can download file contains timestamp certificate from [THIS](https://www.virustotal.com/gui/file/120cd6e6f2e618aaa680c3398b34e1d353ffe323fa291e103126d8cf68807e64) URL.

With the check code of `uthenticode.cpp!SignedData::verify_signature` function, there is a valid check for each certificate's ext key usage:

```
  /* Check all embedded intermediates. */
  for (auto i = 0; i < sk_X509_num(certs); ++i) {
    auto *cert = sk_X509_value(certs, i);

    auto xku_flags = X509_get_extended_key_usage(cert);
    if (!(xku_flags & XKU_CODE_SIGN)) {
      return false;
    }
  }

```

This will cause a check failure, because the `ext key usage` of first 2 certificates are not in the certificate chain:

![Certificate](https://i.imgur.com/yU3DTTz.png)

Timestamp certificate is under `Counters Signatures` property:

![Certificate](https://i.imgur.com/Y3lroyZ.png)

# Solution

Check ext key usage within the chain.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[BUG] Certificate extend key usage check cause check failure #110

What happened

Solution

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[BUG] Certificate extend key usage check cause check failure #110

Description

What happened

Solution

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions