Imported Upstream version 6.12.0.200

Former-commit-id: 5d37e871f1f079ba2c8f4f56b825b1472165f061

mcs/class/Mono.Security/Mono.Security.Authenticode/AuthenticodeDeformatter.cs

@@ -356,6 +356,27 @@ namespace Mono.Security.Authenticode {
 				}
 			}
 
+			// validate Extended Key Usage extension contains OID for code signing
+			bool hasCodeSigningEKU = false;
+			X509Extension ekuExtension = coll.Count > 0 ? coll[0].Extensions["2.5.29.37"] : null;
+			if (ekuExtension == null)
+				return false;
+
+			ASN1 extensionValue = new ASN1(ekuExtension.Value.Value);
+			if (extensionValue.Tag != 0x30)
+				return false;
+
+			for (int i = 0; i < extensionValue.Count; i++) {
+				string oid = ASN1Convert.ToOid (extensionValue[i]);
+				if (oid == "1.3.6.1.5.5.7.3.3") {
+					hasCodeSigningEKU = true;
+					break;
+				}
+			}
+
+			if (!hasCodeSigningEKU)
+				return false;
+
 			// timestamp signature is optional
 			if (sd.SignerInfo.UnauthenticatedAttributes.Count == 0) {
 				trustedTimestampRoot = true;