Workaround for Required Extension Missing or Incorrect
This page is only relevant for users of iText Core version 9.0.0.
Since the release of iText Core version 9.0 we’ve identified an issue relating to validating digital signatures using certificates issued from a Certificate Authority with certain parameters.
This is due to be resolved with the 9.1 release; however, in the meantime we want to share a workaround which may be helpful if you encounter this issue when validating signatures.
The symptom is a validation report item with INVALID status and the following message:
Required extension 2.5.29.19 is missing or incorrect.
This problem may occur when the pathLength parameter of the basicConstraints extension (OID 2.5.29.19) is set to 0. This is a valid scenario for the last intermediate certificate in a chain; however, iText Core 9.0 falsely identifies this extension as incorrect and produces this report item. To fix this problem, you need to modify SignatureValidationProperties in the following way:
import java.security.cert.X509Certificate; // imports follow the iText Core 9.0 package layout
import java.util.ArrayList;
import java.util.List;
import com.itextpdf.signatures.validation.SignatureValidationProperties;
import com.itextpdf.signatures.validation.SignatureValidator;
import com.itextpdf.signatures.validation.context.CertificateSource;
import com.itextpdf.signatures.validation.context.CertificateSources;
import com.itextpdf.signatures.validation.extensions.CertificateExtension;
import com.itextpdf.signatures.validation.extensions.DynamicBasicConstraintsExtension;
import com.itextpdf.signatures.validation.extensions.KeyUsage;
import com.itextpdf.signatures.validation.extensions.KeyUsageExtension;
SignatureValidationProperties properties = builder.getProperties(); // builder: your configured ValidatorChainBuilder
List<CertificateExtension> certIssuerRequiredExtensions = new ArrayList<>();
certIssuerRequiredExtensions.add(new KeyUsageExtension(KeyUsage.KEY_CERT_SIGN)); // issuers must still carry keyCertSign
certIssuerRequiredExtensions.add(new DynamicBasicConstraintsExtension() {
    @Override
    public boolean existsInCertificate(X509Certificate certificate) {
        return certificate.getBasicConstraints() >= getCertificateChainSize() - 1; // allow pathLength 0 on the last intermediate
    }
});
properties.setRequiredExtensions(CertificateSources.of(CertificateSource.CERT_ISSUER), certIssuerRequiredExtensions);
SignatureValidator signatureValidator = builder.buildSignatureValidator(document); // document: the PdfDocument being validated
Applying this workaround should resolve the issue.
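The rule behind this symptom, as an added example that is not part of the original page or of iText: a small Python model of RFC 5280 section 6.1.4 pathLenConstraint processing, run over constructed chain records rather than real certificates, showing that pathLength 0 on the last intermediate is valid while the same value on an earlier intermediate is not. CertInfo and the scenario names are this example's own.

```python
"""RFC 5280 section 6.1.4 pathLenConstraint processing over a modelled chain.

The chain is the certification path as RFC 5280 sees it: ordered from the
certificate issued by the trust anchor down to the end-entity certificate,
with the trust anchor itself left out. Records are constructed for this
example; no real certificate material is involved.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertInfo:
    name: str
    ca: bool                         # basicConstraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint; None when absent
    self_issued: bool = False        # issuer == subject; does not consume path length


def check_path_length(chain: List[CertInfo]) -> Tuple[bool, str]:
    """Return (True, "") if every pathLenConstraint in the path is honoured.

    max_path_length starts unlimited. For each certificate that issues the
    next one (RFC 5280 6.1.4, steps k-m): a non-self-issued CA certificate
    needs max_path_length > 0 and consumes one unit; then its own
    pathLenConstraint may tighten the limit for the certificates below it.
    The end-entity certificate is never counted, which is why pathLength 0
    on the last intermediate is valid.
    """
    max_path_length: Optional[int] = None
    for cert in chain[:-1]:  # every certificate that issues the next one
        if not cert.ca:
            return False, f"{cert.name}: issues a certificate but cA is not TRUE"
        if not cert.self_issued:
            if max_path_length == 0:
                return False, f"{cert.name}: exceeds the pathLenConstraint of an earlier CA"
            if max_path_length is not None:
                max_path_length -= 1
        if cert.path_len is not None and (max_path_length is None or cert.path_len < max_path_length):
            max_path_length = cert.path_len
    return True, ""


# Constructed scenarios: the one described on this page, and a genuinely broken path.
LAST_INTERMEDIATE_PATHLEN_0 = [CertInfo("Intermediate CA", ca=True, path_len=0), CertInfo("Signer", ca=False)]
PATHLEN_0_TOO_EARLY = [CertInfo("Intermediate CA 1", ca=True, path_len=0),
                       CertInfo("Intermediate CA 2", ca=True), CertInfo("Signer", ca=False)]

if __name__ == "__main__":
    for label, path in (("valid", LAST_INTERMEDIATE_PATHLEN_0), ("invalid", PATHLEN_0_TOO_EARLY)):
        print(label, check_path_length(path))
```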