Fix BasicConstraints extension validation

DEVSIX-8420

Autoported commit.
Original commit hash: [57a1bc81a]
Manual files:
sign/src/main/java/com/itextpdf/signatures/validation/v1/SignatureValidationProperties.java

Author: Eugene Bochilo

itext.tests/itext.sign.tests/itext/signatures/validation/v1/CertificateChainValidatorTest.cs

@@ -78,6 +78,47 @@ public virtual void ValidChainTest() {
                 GetSubjectDN()).WithCertificate(rootCert)));
         }
 
+        [NUnit.Framework.Test]
+        public virtual void ValidNumericBasicConstraintsTest() {
+            String chainName = CERTS_SRC + "signChainWithValidNumericBasicConstraints.pem";
+            IX509Certificate[] certificateChain = PemFileHelper.ReadFirstChain(chainName);
+            IX509Certificate signingCert = (IX509Certificate)certificateChain[0];
+            IX509Certificate intermediateCert = (IX509Certificate)certificateChain[1];
+            IX509Certificate rootCert = (IX509Certificate)certificateChain[2];
+            CertificateChainValidator validator = validatorChainBuilder.BuildCertificateChainValidator();
+            certificateRetriever.AddKnownCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(intermediateCert
+                ));
+            certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(rootCert));
+            ValidationReport report = validator.ValidateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME
+                );
+            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.VALID).HasNumberOfFailures
+                (0).HasNumberOfLogs(1).HasLogItem((la) => la.WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK
+                ).WithMessage("Certificate {0} is trusted, revocation data checks are not required.", (l) => rootCert.
+                GetSubjectDN()).WithCertificate(rootCert)));
+        }
+
+        [NUnit.Framework.Test]
+        public virtual void InvalidNumericBasicConstraintsTest() {
+            String chainName = CERTS_SRC + "signChainWithInvalidNumericBasicConstraints.pem";
+            IX509Certificate[] certificateChain = PemFileHelper.ReadFirstChain(chainName);
+            IX509Certificate signingCert = (IX509Certificate)certificateChain[0];
+            IX509Certificate intermediateCert = (IX509Certificate)certificateChain[1];
+            IX509Certificate rootCert = (IX509Certificate)certificateChain[2];
+            CertificateChainValidator validator = validatorChainBuilder.BuildCertificateChainValidator();
+            certificateRetriever.AddKnownCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(intermediateCert
+                ));
+            certificateRetriever.SetTrustedCertificates(JavaCollectionsUtil.SingletonList<IX509Certificate>(rootCert));
+            ValidationReport report = validator.ValidateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME
+                );
+            AssertValidationReport.AssertThat(report, (a) => a.HasStatus(ValidationReport.ValidationResult.INVALID).HasNumberOfFailures
+                (2).HasNumberOfLogs(3).HasLogItem((la) => la.WithCheckName(CertificateChainValidator.CERTIFICATE_CHECK
+                ).WithMessage("Certificate {0} is trusted, revocation data checks are not required.", (l) => rootCert.
+                GetSubjectDN()).WithCertificate(rootCert)).HasLogItem((la) => la.WithCheckName(CertificateChainValidator
+                .EXTENSIONS_CHECK).WithMessage(CertificateChainValidator.EXTENSION_MISSING, (l) => "2.5.29.19").WithCertificate
+                (rootCert)).HasLogItem((la) => la.WithCheckName(CertificateChainValidator.EXTENSIONS_CHECK).WithMessage
+                (CertificateChainValidator.EXTENSION_MISSING, (l) => "2.5.29.19").WithCertificate(intermediateCert)));
+        }
+
         [NUnit.Framework.Test]
         public virtual void RevocationValidationCallTest() {
             String chainName = CERTS_SRC + "chain.pem";

itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/CertificateChainValidatorTest/signChainWithInvalidNumericBasicConstraints.pem

@@ -0,0 +1,63 @@
+-----BEGIN CERTIFICATE-----
+MIIDczCCAlugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MTUwMwYDVQQDDCxpVGV4dFRlc3RJbnZhbGlkQmFzaWND
+b25zdHJhaW50c0ludGVybWVkaWF0ZTAgFw0wMDAxMDEwMDAwMDBaGA8yNTAwMDEw
+MTAwMDAwMFowTzELMAkGA1UEBhMCQkUxDjAMBgNVBAoMBWlUZXh0MTAwLgYDVQQD
+DCdpVGV4dFRlc3RJbnZhbGlkQmFzaWNDb25zdHJhaW50c1NpZ25pbmcwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDk0UKW8iOW/YPocIBpaICH96wbdhwd
+9O1spY/7LA6JHLVZgSRIB3if5sU3tNclN3uO2NPiQhZXCMDJP+ISdQGCCSeRCo0n
+OXu46984qB4+YrlT3ScpAQ0uZY943PYTcBVnUYMYA+nFRZhtJ8aLJpBl5ND08ye0
+TlEWTU0RmXNXhUbhAuwWdAHaDTDYGyJ+Bmr3ob/ktILtHwzS8rkGw+FRY+bty4BD
+mJTGiSNR/c2MdUikXOVzoybRX7BqvvHlU78XZTtGxwIJ17oorZBgk/8AUMSCe+xN
+2Zr13ucerbTnRLNBo1lbHIb4jWH5aq7BLdah9qEPOMTTc2aGow3yR9U1AgMBAAGj
+UjBQMB0GA1UdDgQWBBQkLmgOAQOWlcnrtVUv57Rj05TsRTAfBgNVHSMEGDAWgBQ3
+AGQi1plfpKj08MVTNx54NFkCczAOBgNVHQ8BAf8EBAMCBkAwDQYJKoZIhvcNAQEL
+BQADggEBADHWfy2/K8cd1P1ijelp/KOj92ESC1i1seo4tGfRreM5+VskkIbix2Dl
+8/Gpy1/Igw9jMoOdPyyqj72mBO2aiEikNL8+PQgKjK7WVF7MLdWPtE2h77fiQN3o
+J1ybtlrasOSmlSKxixyFHL2caBjLC/YiYU28wuAGkDqSb3bug6JKz0U+KP5bQr1Y
++irR91kcpiIAfdeDmN1NLa+IHcwAHzZNtc334map1vXy4AVbox1oee+pICkgyAgM
+XGuUMqts5sfBVCeZ4YXmtFEFhypo9sZgQ82yj8D/n53oyOfGok9sZtQO5d/KL523
+6UISiCz3koNIaqnFJejITnmHrE7SgvE=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MS0wKwYDVQQDDCRpVGV4dFRlc3RJbnZhbGlkQmFzaWND
+b25zdHJhaW50c1Jvb3QwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBa
+MFQxCzAJBgNVBAYTAkJFMQ4wDAYDVQQKDAVpVGV4dDE1MDMGA1UEAwwsaVRleHRU
+ZXN0SW52YWxpZEJhc2ljQ29uc3RyYWludHNJbnRlcm1lZGlhdGUwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf1b92W/Yeitn6iwuZHmfF7cw740VaqHGO
+AavE6DhwVCrfVlWDvamF+Sewnf2KuIxeWaYciy5TQ/nIa8CcD3qDJsYjYUK6L+Ro
+E+Lb5YMKOEUpc2p4XZvLXmOIOl3AEe2AnIDxREk1gfu6BYFyzmju8rHLSy7ua/I5
+672qude/EPGG+jyb+ajIbyNSsL65hkOrJUcJtlRIhJQVCZ39hcNdA8lRBrVzq1NW
+gnExyFsqlIYpAuD1IsnS/r1kMOzjPai/AhPOqpnB6ogZp+Dr99wYY57Dv9BdfvKt
+guX608D5m0Rp3yrEQ/X5m9frTvp09MCHKMU+X9+14LZiaod3AtQVAgMBAAGjZjBk
+MB0GA1UdDgQWBBQ3AGQi1plfpKj08MVTNx54NFkCczAfBgNVHSMEGDAWgBTvssgF
+UYUg7luFw9zAr9tZuQouvDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwICBDANBgkqhkiG9w0BAQsFAAOCAQEANzdFjm4iasZpvPwPEeoulmGr33Ofp0L+
+IQ03ZYjgUDSx3xuUhfpZHgmEcoovQz6IGw0wlp4W7HJ8rqaj3aLEte7ZXF2mpaTQ
+vGU3suY3SXTLTZq2TinA0KEToaObX9XLVTJTe6GNMcNf1uAQnQVzOgm3kNpnqcLp
+QyNZrUH+q4q6gO9EcdMAq4oFXvqPkxYy01B9eHChrASWV3/CsbuyLUDnY1ZduGGZ
+yXF8/NiAgsYQk12cryo5sbkHzpbH62zSwdvzf4s/dp95Tub9bxdta7NYVJL0eOe7
+nTMcY6TMT7FXFIkpZ3nr2zEonGMf+zM5qG2crqtteHGbWqmp3f8R/Q==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MS0wKwYDVQQDDCRpVGV4dFRlc3RJbnZhbGlkQmFzaWND
+b25zdHJhaW50c1Jvb3QwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBa
+MEwxCzAJBgNVBAYTAkJFMQ4wDAYDVQQKDAVpVGV4dDEtMCsGA1UEAwwkaVRleHRU
+ZXN0SW52YWxpZEJhc2ljQ29uc3RyYWludHNSb290MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA3ktft1LujBsmfphuvEC2LpRfz41pleSyi2NRQKK6wQZE
+SDMAn94fVS43+sJkiSGrJuc+5VGe0Cy17RU8SVVnXy4/AVBvr/YrLjGfNTuCW+A/
+pBJEyLJ/8dSkmT2jBX8KpcUyrjHi8Q7OIUae3Hu5WBz4hcmTYoXfcEQwamoiuqx4
+nKtH+CEOZ4rtG2zxDSRhw7HishUYc0U886txYVtZJ+PfCzblntecsNNaucJCCHZB
+H0aF9yHsleumVL2i24ELHY5izNHH75rM4kpWFPUXD9dMwU7UUDpL9RoW92HpG7X/
+CTDPZGzHRt8srUtFH4S2b0cI0lCW0eW7dkmIYleWQwIDAQABo2YwZDAdBgNVHQ4E
+FgQU77LIBVGFIO5bhcPcwK/bWbkKLrwwHwYDVR0jBBgwFoAU77LIBVGFIO5bhcPc
+wK/bWbkKLrwwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAA3Nyit5cNUHE9hVpEZ4mkpYoHDiw7NfHqmuhRC4Gnsy
+oVaVgQmDJH52EwWLqpZkQCSr3gwJv+OZZ1oR+LW1qRSyXqIcoLzyuxj3sBclbwzE
+XCknvNT1D2Kbd2mubz37GwwdzN4T59lWO371aIT4uoYWaTIdkYFCiONydfsKzBsS
+uEGb1z94pZ71Kt00jwrG8CP841Cdw5RRsb39AAI9k8Gy4+g24HZeLI+Z4/ZlmsFG
+XNgx5PDZpNZ5W+xlEc5W7ksL675AoD51yoW9d/J7DXg7NI5ur5MxOUf+T0wQh/W5
+9uwx924xwDeeHdLBxdZHsN9v4eVIxELr9huFrN9SbRQ=
+-----END CERTIFICATE-----

itext.tests/itext.sign.tests/resources/itext/signatures/validation/v1/CertificateChainValidatorTest/signChainWithValidNumericBasicConstraints.pem

@@ -0,0 +1,63 @@
+-----BEGIN CERTIFICATE-----
+MIIDbzCCAlegAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MTMwMQYDVQQDDCppVGV4dFRlc3RWYWxpZEJhc2ljQ29u
+c3RyYWludHNJbnRlcm1lZGlhdGUwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEw
+MDAwMDBaME0xCzAJBgNVBAYTAkJFMQ4wDAYDVQQKDAVpVGV4dDEuMCwGA1UEAwwl
+aVRleHRUZXN0VmFsaWRCYXNpY0NvbnN0cmFpbnRzU2lnbmluZzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOTRQpbyI5b9g+hwgGlogIf3rBt2HB307Wyl
+j/ssDokctVmBJEgHeJ/mxTe01yU3e47Y0+JCFlcIwMk/4hJ1AYIJJ5EKjSc5e7jr
+3zioHj5iuVPdJykBDS5lj3jc9hNwFWdRgxgD6cVFmG0nxosmkGXk0PTzJ7ROURZN
+TRGZc1eFRuEC7BZ0AdoNMNgbIn4Gavehv+S0gu0fDNLyuQbD4VFj5u3LgEOYlMaJ
+I1H9zYx1SKRc5XOjJtFfsGq+8eVTvxdlO0bHAgnXuiitkGCT/wBQxIJ77E3ZmvXe
+5x6ttOdEs0GjWVschviNYflqrsEt1qH2oQ84xNNzZoajDfJH1TUCAwEAAaNSMFAw
+HQYDVR0OBBYEFCQuaA4BA5aVyeu1VS/ntGPTlOxFMB8GA1UdIwQYMBaAFDcAZCLW
+mV+kqPTwxVM3Hng0WQJzMA4GA1UdDwEB/wQEAwIGQDANBgkqhkiG9w0BAQsFAAOC
+AQEAjRQhDitwg17vfnX+px6XnyebR15xYVNUEBIzY8r+ZSb6yGOQNQhBBikqGLYW
+iOAWcPoCGYdJh/yxg/dUpDYDXl5BEfRTnL/93NrdOaYJPv7WE4Vp0V+rasmthYwz
+e66gMXmFZdQ3OPkLQJg5asqTpus9/1XSts3eyawiuNfCvQDNmJJggaj0eog8iIj5
+KuSPDrapqUC7BCy8wm0riu/ExvkXOFYI66FVGy7NQoU+/C/rkEAKaMqNBklNm8nO
+gsr/IRaJkWOWgsK6HNq6bnxeQz4rEvSiVr65T2isdp0MSTHgmQ0g/VcPh7am70Vr
+cF08cI/+5FsNk9lxnu8u4GTZxA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwSjELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MSswKQYDVQQDDCJpVGV4dFRlc3RWYWxpZEJhc2ljQ29u
+c3RyYWludHNSb290MCAXDTAwMDEwMTAwMDAwMFoYDzI1MDAwMTAxMDAwMDAwWjBS
+MQswCQYDVQQGEwJCRTEOMAwGA1UECgwFaVRleHQxMzAxBgNVBAMMKmlUZXh0VGVz
+dFZhbGlkQmFzaWNDb25zdHJhaW50c0ludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAJ/Vv3Zb9h6K2fqLC5keZ8XtzDvjRVqocY4Bq8To
+OHBUKt9WVYO9qYX5J7Cd/Yq4jF5ZphyLLlND+chrwJwPeoMmxiNhQrov5GgT4tvl
+gwo4RSlzanhdm8teY4g6XcAR7YCcgPFESTWB+7oFgXLOaO7ysctLLu5r8jnrvaq5
+178Q8Yb6PJv5qMhvI1KwvrmGQ6slRwm2VEiElBUJnf2Fw10DyVEGtXOrU1aCcTHI
+WyqUhikC4PUiydL+vWQw7OM9qL8CE86qmcHqiBmn4Ov33BhjnsO/0F1+8q2C5frT
+wPmbRGnfKsRD9fmb1+tO+nT0wIcoxT5f37XgtmJqh3cC1BUCAwEAAaNmMGQwHQYD
+VR0OBBYEFDcAZCLWmV+kqPTwxVM3Hng0WQJzMB8GA1UdIwQYMBaAFO+yyAVRhSDu
+W4XD3MCv21m5Ci68MBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgIE
+MA0GCSqGSIb3DQEBCwUAA4IBAQB0CFElE09ge6LUM+odJMLzAvMg2ZbeuyM0tbe1
+QyivtRVDVQXyJRL55dGUtRSMCxx5Iv3wwoH6W+2k4IsXKFQH/vmPv9mnCXtThoaw
+iTYUR7TmZnMj9cGBKekAsAmm8cI5qMkKzz0nUAerGvPoF1Pe+7yZeqpafe9ltjF6
+RCGxJFhQL0bL9o6Z52qzZJdOrHRh7Xqz7ikGaPGFvsKk3J8evWNX/4fVoN6VHZ4w
+MLqCmNtBzTXOO/pdFsMrYZ5JKUQGBDbXJ8xFTMZwNO+oRarKmTExVLSVdAIq2Tmv
+Xn5u7+WWu1FXQa6rIxeRgfKvGrMuQAM21GYKB4owSNIZWEju
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDeDCCAmCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwSjELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MSswKQYDVQQDDCJpVGV4dFRlc3RWYWxpZEJhc2ljQ29u
+c3RyYWludHNSb290MCAXDTAwMDEwMTAwMDAwMFoYDzI1MDAwMTAxMDAwMDAwWjBK
+MQswCQYDVQQGEwJCRTEOMAwGA1UECgwFaVRleHQxKzApBgNVBAMMImlUZXh0VGVz
+dFZhbGlkQmFzaWNDb25zdHJhaW50c1Jvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDeS1+3Uu6MGyZ+mG68QLYulF/PjWmV5LKLY1FAorrBBkRIMwCf
+3h9VLjf6wmSJIasm5z7lUZ7QLLXtFTxJVWdfLj8BUG+v9isuMZ81O4Jb4D+kEkTI
+sn/x1KSZPaMFfwqlxTKuMeLxDs4hRp7ce7lYHPiFyZNihd9wRDBqaiK6rHicq0f4
+IQ5niu0bbPENJGHDseKyFRhzRTzzq3FhW1kn498LNuWe15yw01q5wkIIdkEfRoX3
+IeyV66ZUvaLbgQsdjmLM0cfvmsziSlYU9RcP10zBTtRQOkv1Ghb3Yekbtf8JMM9k
+bMdG3yytS0UfhLZvRwjSUJbR5bt2SYhiV5ZDAgMBAAGjZjBkMB0GA1UdDgQWBBTv
+ssgFUYUg7luFw9zAr9tZuQouvDAfBgNVHSMEGDAWgBTvssgFUYUg7luFw9zAr9tZ
+uQouvDASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG
+9w0BAQsFAAOCAQEAcJsUExWQAKX6VZc1yVorL3mf2/keswI9RdSb7s+CU6WMKvga
+Bb0wOANC46oetD0e2QWmi396sxTmC/X/wiG0OhA2TnuuMi9EISQFXTDjfUUxUF1i
+k6T+EyGq1f7SFzrhCsSVAmAgSVUDp2IeERtNZbGP0uPPIqII767oLKkHzhh21LlN
+3zZKwvUrsk+E6quAVWFSiRoEzH2drV0fcOFLrw+NCH6Rh31QBk1wEDJocJ4U9zsD
+6w/EU0oyNuKTaQXSh75G5MZMUdmHGj1elVF8tRWWpZzuKgfnVDKb3GxdEf3FEg6y
+usswWis9kk/09DZU5AuyvBJTvdq58p4+U4kYtg==
+-----END CERTIFICATE-----

itext/itext.sign/itext/signatures/validation/v1/CRLValidator.cs

@@ -186,7 +186,8 @@ public virtual void Validate(ValidationReport report, ValidationContext context,
             IDistributionPoint distributionPoint = null;
             if (!issuingDistPoint.IsNull()) {
                 // Verify that certificate is in the CRL scope using IDP extension.
-                bool basicConstraintsCaAsserted = new BasicConstraintsExtension(true).ExistsInCertificate(certificate);
+                bool basicConstraintsCaAsserted = new DynamicBasicConstraintsExtension().WithCertificateChainSize(1).ExistsInCertificate
+                    (certificate);
                 if ((issuingDistPoint.OnlyContainsUserCerts() && basicConstraintsCaAsserted) || (issuingDistPoint.OnlyContainsCACerts
                     () && !basicConstraintsCaAsserted)) {
                     report.AddReportItem(new CertificateReportItem(certificate, CRL_CHECK, CERTIFICATE_IS_NOT_IN_THE_CRL_SCOPE

itext/itext.sign/itext/signatures/validation/v1/CertificateChainValidator.cs

@@ -210,9 +210,14 @@ public virtual ValidationReport ValidateCertificate(ValidationContext context, I
         /// </returns>
         public virtual ValidationReport Validate(ValidationReport result, ValidationContext context, IX509Certificate
              certificate, DateTime validationDate) {
+            return Validate(result, context, certificate, validationDate, 0);
+        }
+
+        private ValidationReport Validate(ValidationReport result, ValidationContext context, IX509Certificate certificate
+            , DateTime validationDate, int certificateChainSize) {
             ValidationContext localContext = context.SetValidatorContext(ValidatorContext.CERTIFICATE_CHAIN_VALIDATOR);
             ValidateValidityPeriod(result, certificate, validationDate);
-            ValidateRequiredExtensions(result, localContext, certificate);
+            ValidateRequiredExtensions(result, localContext, certificate, certificateChainSize);
             if (StopValidation(result, localContext)) {
                 return result;
             }
@@ -225,7 +230,7 @@ public virtual ValidationReport Validate(ValidationReport result, ValidationCont
             if (StopValidation(result, localContext)) {
                 return result;
             }
-            ValidateChain(result, localContext, certificate, validationDate);
+            ValidateChain(result, localContext, certificate, validationDate, certificateChainSize);
             return result;
         }
 
@@ -319,10 +324,13 @@ private void ValidateValidityPeriod(ValidationReport result, IX509Certificate ce
         }
 
         private void ValidateRequiredExtensions(ValidationReport result, ValidationContext context, IX509Certificate
-             certificate) {
+             certificate, int certificateChainSize) {
             IList<CertificateExtension> requiredExtensions = properties.GetRequiredExtensions(context);
             if (requiredExtensions != null) {
                 foreach (CertificateExtension requiredExtension in requiredExtensions) {
+                    if (requiredExtension is DynamicCertificateExtension) {
+                        ((DynamicCertificateExtension)requiredExtension).WithCertificateChainSize(certificateChainSize);
+                    }
                     if (!requiredExtension.ExistsInCertificate(certificate)) {
                         result.AddReportItem(new CertificateReportItem(certificate, EXTENSIONS_CHECK, MessageFormatUtil.Format(EXTENSION_MISSING
                             , requiredExtension.GetExtensionOid()), ReportItem.ReportItemStatus.INVALID));
@@ -339,7 +347,7 @@ private void ValidateRevocationData(ValidationReport report, ValidationContext c
         }
 
         private void ValidateChain(ValidationReport result, ValidationContext context, IX509Certificate certificate
-            , DateTime validationDate) {
+            , DateTime validationDate, int certificateChainSize) {
             IX509Certificate issuerCertificate = null;
             try {
                 issuerCertificate = (IX509Certificate)certificateRetriever.RetrieveIssuerCertificate(certificate);
@@ -370,7 +378,7 @@ private void ValidateChain(ValidationReport result, ValidationContext context, I
                 return;
             }
             this.Validate(result, context.SetCertificateSource(CertificateSource.CERT_ISSUER), issuerCertificate, validationDate
-                );
+                , certificateChainSize + 1);
         }
     }
 }

itext/itext.sign/itext/signatures/validation/v1/SignatureValidationProperties.cs

@@ -70,7 +70,7 @@ public SignatureValidationProperties() {
                 <CertificateExtension>(new KeyUsageExtension(KeyUsage.NON_REPUDIATION)));
             IList<CertificateExtension> certIssuerRequiredExtensions = new List<CertificateExtension>();
             certIssuerRequiredExtensions.Add(new KeyUsageExtension(KeyUsage.KEY_CERT_SIGN));
-            certIssuerRequiredExtensions.Add(new BasicConstraintsExtension(true));
+            certIssuerRequiredExtensions.Add(new DynamicBasicConstraintsExtension());
             SetRequiredExtensions(CertificateSources.Of(CertificateSource.CERT_ISSUER), certIssuerRequiredExtensions);
             SetRequiredExtensions(CertificateSources.Of(CertificateSource.TIMESTAMP), JavaCollectionsUtil.SingletonList
                 <CertificateExtension>(new ExtendedKeyUsageExtension(JavaCollectionsUtil.SingletonList<String>(ExtendedKeyUsageExtension

itext/itext.sign/itext/signatures/validation/v1/extensions/BasicConstraintsExtension.cs

@@ -28,6 +28,7 @@ You should have received a copy of the GNU Affero General Public License
 
 namespace iText.Signatures.Validation.V1.Extensions {
     /// <summary>Class representing "Basic Constraints" certificate extension.</summary>
+    [System.ObsoleteAttribute(@"since 8.0.5. To be removed.")]
     public class BasicConstraintsExtension : CertificateExtension {
         private static readonly IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.GetFactory();
 

itext/itext.sign/itext/signatures/validation/v1/extensions/DynamicBasicConstraintsExtension.cs

@@ -0,0 +1,54 @@
+using iText.Bouncycastleconnector;
+using iText.Commons.Bouncycastle;
+using iText.Commons.Bouncycastle.Cert;
+using iText.Signatures;
+
+namespace iText.Signatures.Validation.V1.Extensions {
+    /// <summary>
+    /// Class representing "Basic Constraints" certificate extension,
+    /// which uses provided amount of certificates in chain during the comparison.
+    /// </summary>
+    public class DynamicBasicConstraintsExtension : DynamicCertificateExtension {
+        private static readonly IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.GetFactory();
+
+        /// <summary>
+        /// Create new instance of
+        /// <see cref="DynamicBasicConstraintsExtension"/>.
+        /// </summary>
+        public DynamicBasicConstraintsExtension()
+            : base(OID.X509Extensions.BASIC_CONSTRAINTS, FACTORY.CreateBasicConstraints(true).ToASN1Primitive()) {
+        }
+
+        /// <summary>Check if this extension is present in the provided certificate.</summary>
+        /// <remarks>
+        /// Check if this extension is present in the provided certificate.
+        /// In case of
+        /// <see cref="DynamicBasicConstraintsExtension"/>
+        /// , check if path length for this extension is less or equal
+        /// to the path length, specified in the certificate.
+        /// </remarks>
+        /// <param name="certificate">
+        /// 
+        /// <see cref="iText.Commons.Bouncycastle.Cert.IX509Certificate"/>
+        /// in which this extension shall be present
+        /// </param>
+        /// <returns>
+        /// 
+        /// <see langword="true"/>
+        /// if this path length is less or equal to a one from the certificate,
+        /// <see langword="false"/>
+        /// otherwise
+        /// </returns>
+        public override bool ExistsInCertificate(IX509Certificate certificate) {
+            try {
+                if (CertificateUtil.GetExtensionValue(certificate, OID.X509Extensions.BASIC_CONSTRAINTS) == null) {
+                    return false;
+                }
+            }
+            catch (System.IO.IOException) {
+                return false;
+            }
+            return certificate.GetBasicConstraints() >= GetCertificateChainSize();
+        }
+    }
+}