Fix BasicConstraints extension validation

Eugene Bochilo · Eugene Bochilo · commit 61bc84b37196 · 2024-07-05T02:54:34.000+03:00
DEVSIX-8420
diff --git a/sign/pom.xml b/sign/pom.xml
@@ -12,9 +12,7 @@
 
   <name>iText - sign</name>
   <url>https://itextpdf.com/</url>
-  <properties>
-    <sonar.coverage.exclusions>**/validation/v1/**/*,**/cms/SignerInfo.java</sonar.coverage.exclusions>
-  </properties>
+
   <dependencies>
     <dependency>
       <groupId>com.itextpdf</groupId>
diff --git a/sign/src/main/java/com/itextpdf/signatures/validation/v1/CRLValidator.java b/sign/src/main/java/com/itextpdf/signatures/validation/v1/CRLValidator.java
@@ -38,7 +38,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.validation.v1.context.CertificateSource;
 import com.itextpdf.signatures.validation.v1.context.ValidationContext;
 import com.itextpdf.signatures.validation.v1.context.ValidatorContext;
-import com.itextpdf.signatures.validation.v1.extensions.BasicConstraintsExtension;
+import com.itextpdf.signatures.validation.v1.extensions.DynamicBasicConstraintsExtension;
 import com.itextpdf.signatures.validation.v1.report.CertificateReportItem;
 import com.itextpdf.signatures.validation.v1.report.ReportItem;
 import com.itextpdf.signatures.validation.v1.report.ReportItem.ReportItemStatus;
@@ -174,7 +174,8 @@ public void validate(ValidationReport report, ValidationContext context, X509Cer
         IDistributionPoint distributionPoint = null;
         if (!issuingDistPoint.isNull()) {
             // Verify that certificate is in the CRL scope using IDP extension.
-            boolean basicConstraintsCaAsserted = new BasicConstraintsExtension(true).existsInCertificate(certificate);
+            boolean basicConstraintsCaAsserted = new DynamicBasicConstraintsExtension().withCertificateChainSize(1)
+                    .existsInCertificate(certificate);
             if ((issuingDistPoint.onlyContainsUserCerts() && basicConstraintsCaAsserted) ||
                     (issuingDistPoint.onlyContainsCACerts() && !basicConstraintsCaAsserted)) {
                 report.addReportItem(new CertificateReportItem(certificate, CRL_CHECK,
diff --git a/sign/src/main/java/com/itextpdf/signatures/validation/v1/CertificateChainValidator.java b/sign/src/main/java/com/itextpdf/signatures/validation/v1/CertificateChainValidator.java
@@ -30,6 +30,7 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.validation.v1.context.ValidationContext;
 import com.itextpdf.signatures.validation.v1.context.ValidatorContext;
 import com.itextpdf.signatures.validation.v1.extensions.CertificateExtension;
+import com.itextpdf.signatures.validation.v1.extensions.DynamicCertificateExtension;
 import com.itextpdf.signatures.validation.v1.report.CertificateReportItem;
 import com.itextpdf.signatures.validation.v1.report.ValidationReport;
 import com.itextpdf.signatures.validation.v1.report.ReportItem.ReportItemStatus;
@@ -152,9 +153,14 @@ public ValidationReport validateCertificate(ValidationContext context, X509Certi
      */
     public ValidationReport validate(ValidationReport result, ValidationContext context, X509Certificate certificate,
             Date validationDate) {
+        return validate(result, context, certificate, validationDate, 0);
+    }
+
+    private ValidationReport validate(ValidationReport result, ValidationContext context, X509Certificate certificate,
+            Date validationDate, int certificateChainSize) {
         ValidationContext localContext = context.setValidatorContext(ValidatorContext.CERTIFICATE_CHAIN_VALIDATOR);
         validateValidityPeriod(result, certificate, validationDate);
-        validateRequiredExtensions(result, localContext, certificate);
+        validateRequiredExtensions(result, localContext, certificate, certificateChainSize);
         if (stopValidation(result, localContext)) {
             return result;
         }
@@ -168,7 +174,7 @@ public ValidationReport validate(ValidationReport result, ValidationContext cont
         if (stopValidation(result, localContext)) {
             return result;
         }
-        validateChain(result, localContext, certificate, validationDate);
+        validateChain(result, localContext, certificate, validationDate, certificateChainSize);
         return result;
     }
 
@@ -263,10 +269,13 @@ private void validateValidityPeriod(ValidationReport result, X509Certificate cer
     }
 
     private void validateRequiredExtensions(ValidationReport result, ValidationContext context,
-            X509Certificate certificate) {
+            X509Certificate certificate, int certificateChainSize) {
         List<CertificateExtension> requiredExtensions = properties.getRequiredExtensions(context);
         if (requiredExtensions != null) {
             for (CertificateExtension requiredExtension : requiredExtensions) {
+                if (requiredExtension instanceof DynamicCertificateExtension) {
+                    ((DynamicCertificateExtension) requiredExtension).withCertificateChainSize(certificateChainSize);
+                }
                 if (!requiredExtension.existsInCertificate(certificate)) {
                     result.addReportItem(new CertificateReportItem(certificate, EXTENSIONS_CHECK,
                             MessageFormatUtil.format(EXTENSION_MISSING, requiredExtension.getExtensionOid()),
@@ -285,7 +294,7 @@ private void validateRevocationData(ValidationReport report, ValidationContext c
     }
 
     private void validateChain(ValidationReport result, ValidationContext context, X509Certificate certificate,
-            Date validationDate) {
+            Date validationDate, int certificateChainSize) {
         X509Certificate issuerCertificate = null;
         try {
             issuerCertificate =
@@ -314,6 +323,6 @@ private void validateChain(ValidationReport result, ValidationContext context, X
             return;
         }
         this.validate(result, context.setCertificateSource(CertificateSource.CERT_ISSUER),
-                issuerCertificate, validationDate);
+                issuerCertificate, validationDate, certificateChainSize + 1);
     }
 }
diff --git a/sign/src/main/java/com/itextpdf/signatures/validation/v1/SignatureValidationProperties.java b/sign/src/main/java/com/itextpdf/signatures/validation/v1/SignatureValidationProperties.java
@@ -36,8 +36,8 @@ This file is part of the iText (R) project.
 import com.itextpdf.signatures.validation.v1.context.ValidationContext;
 import com.itextpdf.signatures.validation.v1.context.ValidatorContext;
 import com.itextpdf.signatures.validation.v1.context.ValidatorContexts;
-import com.itextpdf.signatures.validation.v1.extensions.BasicConstraintsExtension;
 import com.itextpdf.signatures.validation.v1.extensions.CertificateExtension;
+import com.itextpdf.signatures.validation.v1.extensions.DynamicBasicConstraintsExtension;
 import com.itextpdf.signatures.validation.v1.extensions.ExtendedKeyUsageExtension;
 import com.itextpdf.signatures.validation.v1.extensions.KeyUsage;
 import com.itextpdf.signatures.validation.v1.extensions.KeyUsageExtension;
@@ -86,7 +86,7 @@ public SignatureValidationProperties() {
                 Collections.<CertificateExtension>singletonList(new KeyUsageExtension(KeyUsage.NON_REPUDIATION)));
         List<CertificateExtension> certIssuerRequiredExtensions = new ArrayList<>();
         certIssuerRequiredExtensions.add(new KeyUsageExtension(KeyUsage.KEY_CERT_SIGN));
-        certIssuerRequiredExtensions.add(new BasicConstraintsExtension(true));
+        certIssuerRequiredExtensions.add(new DynamicBasicConstraintsExtension());
         setRequiredExtensions(CertificateSources.of(CertificateSource.CERT_ISSUER), certIssuerRequiredExtensions);
         setRequiredExtensions(CertificateSources.of(CertificateSource.TIMESTAMP),
                 Collections.<CertificateExtension>singletonList(new ExtendedKeyUsageExtension(
diff --git a/sign/src/main/java/com/itextpdf/signatures/validation/v1/extensions/BasicConstraintsExtension.java b/sign/src/main/java/com/itextpdf/signatures/validation/v1/extensions/BasicConstraintsExtension.java
@@ -32,7 +32,10 @@ This file is part of the iText (R) project.
 
 /**
  * Class representing "Basic Constraints" certificate extension.
+ *
+ * @deprecated since 8.0.5. To be removed.
  */
+@Deprecated
 public class BasicConstraintsExtension extends CertificateExtension {
     private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
 
diff --git a/sign/src/main/java/com/itextpdf/signatures/validation/v1/extensions/DynamicBasicConstraintsExtension.java b/sign/src/main/java/com/itextpdf/signatures/validation/v1/extensions/DynamicBasicConstraintsExtension.java
@@ -0,0 +1,45 @@
+package com.itextpdf.signatures.validation.v1.extensions;
+
+import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
+import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
+import com.itextpdf.signatures.CertificateUtil;
+import com.itextpdf.signatures.OID;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+
+/**
+ * Class representing "Basic Constraints" certificate extension,
+ * which uses provided amount of certificates in chain during the comparison.
+ */
+public class DynamicBasicConstraintsExtension extends DynamicCertificateExtension {
+    private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();
+
+    /**
+     * Create new instance of {@link DynamicBasicConstraintsExtension}.
+     */
+    public DynamicBasicConstraintsExtension() {
+        super(OID.X509Extensions.BASIC_CONSTRAINTS, FACTORY.createBasicConstraints(true).toASN1Primitive());
+    }
+
+    /**
+     * Check if this extension is present in the provided certificate.
+     * In case of {@link DynamicBasicConstraintsExtension}, check if path length for this extension is less or equal
+     * to the path length, specified in the certificate.
+     *
+     * @param certificate {@link X509Certificate} in which this extension shall be present
+     *
+     * @return {@code true} if this path length is less or equal to a one from the certificate, {@code false} otherwise
+     */
+    @Override
+    public boolean existsInCertificate(X509Certificate certificate) {
+        try {
+            if (CertificateUtil.getExtensionValue(certificate, OID.X509Extensions.BASIC_CONSTRAINTS) == null) {
+                return false;
+            }
+        } catch (IOException e) {
+            return false;
+        }
+        return certificate.getBasicConstraints() >= getCertificateChainSize();
+    }
+}
diff --git a/sign/src/main/java/com/itextpdf/signatures/validation/v1/extensions/DynamicCertificateExtension.java b/sign/src/main/java/com/itextpdf/signatures/validation/v1/extensions/DynamicCertificateExtension.java
@@ -0,0 +1,42 @@
+package com.itextpdf.signatures.validation.v1.extensions;
+
+import com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive;
+
+/**
+ * Certificate extension which is populated with additional dynamically changing validation related information.
+ */
+public class DynamicCertificateExtension extends CertificateExtension {
+
+    private int certificateChainSize;
+
+    /**
+     * Create new instance of {@link CertificateExtension} using provided extension OID and value.
+     *
+     * @param extensionOid   {@link String}, which represents extension OID
+     * @param extensionValue {@link IASN1Primitive}, which represents extension value
+     */
+    public DynamicCertificateExtension(String extensionOid, IASN1Primitive extensionValue) {
+        super(extensionOid, extensionValue);
+    }
+
+    /**
+     * Sets amount of certificates currently present in the chain.
+     *
+     * @param certificateChainSize amount of certificates currently present in the chain
+     *
+     * @return this {@link DynamicCertificateExtension} instance
+     */
+    public DynamicCertificateExtension withCertificateChainSize(int certificateChainSize) {
+        this.certificateChainSize = certificateChainSize;
+        return this;
+    }
+
+    /**
+     * Gets amount of certificates currently present in the chain.
+     *
+     * @return amount of certificates currently present in the chain
+     */
+    public int getCertificateChainSize() {
+        return certificateChainSize;
+    }
+}
diff --git a/sign/src/test/java/com/itextpdf/signatures/validation/v1/CertificateChainValidatorTest.java b/sign/src/test/java/com/itextpdf/signatures/validation/v1/CertificateChainValidatorTest.java
@@ -110,6 +110,71 @@ public void validChainTest() throws CertificateException, IOException {
                    ));
     }
 
+    @Test
+    public void validNumericBasicConstraintsTest() throws CertificateException, IOException {
+        String chainName = CERTS_SRC + "signChainWithValidNumericBasicConstraints.pem";
+        Certificate[] certificateChain = PemFileHelper.readFirstChain(chainName);
+        X509Certificate signingCert = (X509Certificate) certificateChain[0];
+        X509Certificate intermediateCert = (X509Certificate) certificateChain[1];
+        X509Certificate rootCert = (X509Certificate) certificateChain[2];
+
+        CertificateChainValidator validator = validatorChainBuilder.buildCertificateChainValidator();
+        certificateRetriever.addKnownCertificates(Collections.<Certificate>singletonList(intermediateCert));
+        certificateRetriever.setTrustedCertificates(Collections.<Certificate>singletonList(rootCert));
+
+        ValidationReport report =
+                validator.validateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME);
+        AssertValidationReport.assertThat(report, a -> a
+                .hasStatus(ValidationResult.VALID)
+                .hasNumberOfFailures(0)
+                .hasNumberOfLogs(1)
+                .hasLogItem(la -> la
+                        .withCheckName(CertificateChainValidator.CERTIFICATE_CHECK)
+                        .withMessage("Certificate {0} is trusted, revocation data checks are not required.",
+                                l -> rootCert.getSubjectX500Principal())
+                        .withCertificate(rootCert)
+                ));
+    }
+
+    @Test
+    public void invalidNumericBasicConstraintsTest() throws CertificateException, IOException {
+        String chainName = CERTS_SRC + "signChainWithInvalidNumericBasicConstraints.pem";
+        Certificate[] certificateChain = PemFileHelper.readFirstChain(chainName);
+        X509Certificate signingCert = (X509Certificate) certificateChain[0];
+        X509Certificate intermediateCert = (X509Certificate) certificateChain[1];
+        X509Certificate rootCert = (X509Certificate) certificateChain[2];
+
+        CertificateChainValidator validator = validatorChainBuilder.buildCertificateChainValidator();
+        certificateRetriever.addKnownCertificates(Collections.<Certificate>singletonList(intermediateCert));
+        certificateRetriever.setTrustedCertificates(Collections.<Certificate>singletonList(rootCert));
+
+        ValidationReport report =
+                validator.validateCertificate(baseContext, signingCert, TimeTestUtil.TEST_DATE_TIME);
+        AssertValidationReport.assertThat(report, a -> a
+                .hasStatus(ValidationResult.INVALID)
+                .hasNumberOfFailures(2)
+                .hasNumberOfLogs(3)
+                .hasLogItem(la -> la
+                        .withCheckName(CertificateChainValidator.CERTIFICATE_CHECK)
+                        .withMessage("Certificate {0} is trusted, revocation data checks are not required.",
+                                l -> rootCert.getSubjectX500Principal())
+                        .withCertificate(rootCert)
+                )
+                .hasLogItem(la -> la
+                        .withCheckName(CertificateChainValidator.EXTENSIONS_CHECK)
+                        .withMessage(CertificateChainValidator.EXTENSION_MISSING,
+                                l -> "2.5.29.19")
+                        .withCertificate(rootCert)
+                )
+                .hasLogItem(la -> la
+                        .withCheckName(CertificateChainValidator.EXTENSIONS_CHECK)
+                        .withMessage(CertificateChainValidator.EXTENSION_MISSING,
+                                l -> "2.5.29.19")
+                        .withCertificate(intermediateCert)
+                )
+        );
+    }
+
     @Test
     public void revocationValidationCallTest() throws CertificateException, IOException {
         String chainName = CERTS_SRC + "chain.pem";
diff --git a/sign/src/test/resources/com/itextpdf/signatures/validation/v1/CertificateChainValidatorTest/signChainWithInvalidNumericBasicConstraints.pem b/sign/src/test/resources/com/itextpdf/signatures/validation/v1/CertificateChainValidatorTest/signChainWithInvalidNumericBasicConstraints.pem
@@ -0,0 +1,63 @@
+-----BEGIN CERTIFICATE-----
+MIIDczCCAlugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MTUwMwYDVQQDDCxpVGV4dFRlc3RJbnZhbGlkQmFzaWND
+b25zdHJhaW50c0ludGVybWVkaWF0ZTAgFw0wMDAxMDEwMDAwMDBaGA8yNTAwMDEw
+MTAwMDAwMFowTzELMAkGA1UEBhMCQkUxDjAMBgNVBAoMBWlUZXh0MTAwLgYDVQQD
+DCdpVGV4dFRlc3RJbnZhbGlkQmFzaWNDb25zdHJhaW50c1NpZ25pbmcwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDk0UKW8iOW/YPocIBpaICH96wbdhwd
+9O1spY/7LA6JHLVZgSRIB3if5sU3tNclN3uO2NPiQhZXCMDJP+ISdQGCCSeRCo0n
+OXu46984qB4+YrlT3ScpAQ0uZY943PYTcBVnUYMYA+nFRZhtJ8aLJpBl5ND08ye0
+TlEWTU0RmXNXhUbhAuwWdAHaDTDYGyJ+Bmr3ob/ktILtHwzS8rkGw+FRY+bty4BD
+mJTGiSNR/c2MdUikXOVzoybRX7BqvvHlU78XZTtGxwIJ17oorZBgk/8AUMSCe+xN
+2Zr13ucerbTnRLNBo1lbHIb4jWH5aq7BLdah9qEPOMTTc2aGow3yR9U1AgMBAAGj
+UjBQMB0GA1UdDgQWBBQkLmgOAQOWlcnrtVUv57Rj05TsRTAfBgNVHSMEGDAWgBQ3
+AGQi1plfpKj08MVTNx54NFkCczAOBgNVHQ8BAf8EBAMCBkAwDQYJKoZIhvcNAQEL
+BQADggEBADHWfy2/K8cd1P1ijelp/KOj92ESC1i1seo4tGfRreM5+VskkIbix2Dl
+8/Gpy1/Igw9jMoOdPyyqj72mBO2aiEikNL8+PQgKjK7WVF7MLdWPtE2h77fiQN3o
+J1ybtlrasOSmlSKxixyFHL2caBjLC/YiYU28wuAGkDqSb3bug6JKz0U+KP5bQr1Y
++irR91kcpiIAfdeDmN1NLa+IHcwAHzZNtc334map1vXy4AVbox1oee+pICkgyAgM
+XGuUMqts5sfBVCeZ4YXmtFEFhypo9sZgQ82yj8D/n53oyOfGok9sZtQO5d/KL523
+6UISiCz3koNIaqnFJejITnmHrE7SgvE=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MS0wKwYDVQQDDCRpVGV4dFRlc3RJbnZhbGlkQmFzaWND
+b25zdHJhaW50c1Jvb3QwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBa
+MFQxCzAJBgNVBAYTAkJFMQ4wDAYDVQQKDAVpVGV4dDE1MDMGA1UEAwwsaVRleHRU
+ZXN0SW52YWxpZEJhc2ljQ29uc3RyYWludHNJbnRlcm1lZGlhdGUwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf1b92W/Yeitn6iwuZHmfF7cw740VaqHGO
+AavE6DhwVCrfVlWDvamF+Sewnf2KuIxeWaYciy5TQ/nIa8CcD3qDJsYjYUK6L+Ro
+E+Lb5YMKOEUpc2p4XZvLXmOIOl3AEe2AnIDxREk1gfu6BYFyzmju8rHLSy7ua/I5
+672qude/EPGG+jyb+ajIbyNSsL65hkOrJUcJtlRIhJQVCZ39hcNdA8lRBrVzq1NW
+gnExyFsqlIYpAuD1IsnS/r1kMOzjPai/AhPOqpnB6ogZp+Dr99wYY57Dv9BdfvKt
+guX608D5m0Rp3yrEQ/X5m9frTvp09MCHKMU+X9+14LZiaod3AtQVAgMBAAGjZjBk
+MB0GA1UdDgQWBBQ3AGQi1plfpKj08MVTNx54NFkCczAfBgNVHSMEGDAWgBTvssgF
+UYUg7luFw9zAr9tZuQouvDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE
+AwICBDANBgkqhkiG9w0BAQsFAAOCAQEANzdFjm4iasZpvPwPEeoulmGr33Ofp0L+
+IQ03ZYjgUDSx3xuUhfpZHgmEcoovQz6IGw0wlp4W7HJ8rqaj3aLEte7ZXF2mpaTQ
+vGU3suY3SXTLTZq2TinA0KEToaObX9XLVTJTe6GNMcNf1uAQnQVzOgm3kNpnqcLp
+QyNZrUH+q4q6gO9EcdMAq4oFXvqPkxYy01B9eHChrASWV3/CsbuyLUDnY1ZduGGZ
+yXF8/NiAgsYQk12cryo5sbkHzpbH62zSwdvzf4s/dp95Tub9bxdta7NYVJL0eOe7
+nTMcY6TMT7FXFIkpZ3nr2zEonGMf+zM5qG2crqtteHGbWqmp3f8R/Q==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDfDCCAmSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwTDELMAkGA1UEBhMCQkUx
+DjAMBgNVBAoMBWlUZXh0MS0wKwYDVQQDDCRpVGV4dFRlc3RJbnZhbGlkQmFzaWND
+b25zdHJhaW50c1Jvb3QwIBcNMDAwMTAxMDAwMDAwWhgPMjUwMDAxMDEwMDAwMDBa
+MEwxCzAJBgNVBAYTAkJFMQ4wDAYDVQQKDAVpVGV4dDEtMCsGA1UEAwwkaVRleHRU
+ZXN0SW52YWxpZEJhc2ljQ29uc3RyYWludHNSb290MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA3ktft1LujBsmfphuvEC2LpRfz41pleSyi2NRQKK6wQZE
+SDMAn94fVS43+sJkiSGrJuc+5VGe0Cy17RU8SVVnXy4/AVBvr/YrLjGfNTuCW+A/
+pBJEyLJ/8dSkmT2jBX8KpcUyrjHi8Q7OIUae3Hu5WBz4hcmTYoXfcEQwamoiuqx4
+nKtH+CEOZ4rtG2zxDSRhw7HishUYc0U886txYVtZJ+PfCzblntecsNNaucJCCHZB
+H0aF9yHsleumVL2i24ELHY5izNHH75rM4kpWFPUXD9dMwU7UUDpL9RoW92HpG7X/
+CTDPZGzHRt8srUtFH4S2b0cI0lCW0eW7dkmIYleWQwIDAQABo2YwZDAdBgNVHQ4E
+FgQU77LIBVGFIO5bhcPcwK/bWbkKLrwwHwYDVR0jBBgwFoAU77LIBVGFIO5bhcPc
+wK/bWbkKLrwwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAQYwDQYJ
+KoZIhvcNAQELBQADggEBAA3Nyit5cNUHE9hVpEZ4mkpYoHDiw7NfHqmuhRC4Gnsy
+oVaVgQmDJH52EwWLqpZkQCSr3gwJv+OZZ1oR+LW1qRSyXqIcoLzyuxj3sBclbwzE
+XCknvNT1D2Kbd2mubz37GwwdzN4T59lWO371aIT4uoYWaTIdkYFCiONydfsKzBsS
+uEGb1z94pZ71Kt00jwrG8CP841Cdw5RRsb39AAI9k8Gy4+g24HZeLI+Z4/ZlmsFG
+XNgx5PDZpNZ5W+xlEc5W7ksL675AoD51yoW9d/J7DXg7NI5ur5MxOUf+T0wQh/W5
+9uwx924xwDeeHdLBxdZHsN9v4eVIxELr9huFrN9SbRQ=
+-----END CERTIFICATE-----
diff --git a/sign/src/test/resources/com/itextpdf/signatures/validation/v1/CertificateChainValidatorTest/signChainWithValidNumericBasicConstraints.pem b/sign/src/test/resources/com/itextpdf/signatures/validation/v1/CertificateChainValidatorTest/signChainWithValidNumericBasicConstraints.pem
