Bruno, Attila, there indeed is a bug in CertificateVerification.VerifyCertificate in iTextSharp.
In Java there is a test cert.hasUnsupportedCriticalExtension in that method, and only if that test fails, there is an explicit second test whether the cert has a specific selection of critical extensions which has been discovered to falsely fail the hasUnsupportedCriticalExtension test in some LTV scenario.

In C# that explicit test in 5.3.3 is now executed always (most likely there is no equivalent to hasUnsupportedCriticalExtension there), i.e. only the special case tested for and any case with even fewer critical extensions is accepted. And this is wrong; there are many other supported critical extensions.

1T3XT BVBA wrote
> I'm not sure if we really need to test for extensions.

Well, a serious verification component must check critical extensions, cf. the RFCs:

RFC 3280, 5280 wrote
> A certificate using system MUST reject the certificate if it encounters a
> critical extension it does not recognize; however, a non-critical
> extension MAY be ignored if it is not recognized.

Regards, Michael

--
View this message in context: http://itext-general.2136553.n4.nabble.com/iText-5-3-signature-verification-tp4656646p4656656.html
Sent from the iText - General mailing list archive at Nabble.com.
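The RFC 3280/5280 rule quoted in the message above, as an added example that is not part of the original message and is not iText or iTextSharp code: reject when any critical extension falls outside the set the verifier handles, rather than accepting only one fixed combination. It uses the .NET `X509Certificate2` and `CertificateRequest` APIs; the class and method names, the contents of the recognized set and the sample OIDs are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CriticalExtensionCheck
{
    // Assumption: the extensions this verifier actually processes.
    static readonly HashSet<string> Recognized = new HashSet<string>
        { "2.5.29.15", "2.5.29.19", "2.5.29.37" }; // keyUsage, basicConstraints, extKeyUsage

    // Returns the critical extensions the verifier does not recognize.
    // A non-empty result means the certificate must be rejected.
    public static List<string> UnrecognizedCritical(X509Certificate2 cert) =>
        cert.Extensions.Cast<X509Extension>()
            .Where(e => e.Critical && !Recognized.Contains(e.Oid.Value))
            .Select(e => e.Oid.Value)
            .ToList();

    // Constructed sample input: a self-signed certificate with the given extensions.
    static X509Certificate2 MakeCert(params X509Extension[] extensions)
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-sample", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            foreach (var ext in extensions) req.CertificateExtensions.Add(ext);
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    static void Main()
    {
        var keyUsage = new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true);
        var basic = new X509BasicConstraintsExtension(false, false, 0, true);
        // Made-up OIDs for illustration; 05 00 is a DER NULL used as a dummy value.
        var unknownCritical = new X509Extension("1.2.3.4.5.1", new byte[] { 0x05, 0x00 }, true);
        var unknownOptional = new X509Extension("1.2.3.4.5.2", new byte[] { 0x05, 0x00 }, false);

        foreach (var cert in new[] { MakeCert(keyUsage, basic, unknownOptional),
                                     MakeCert(keyUsage, unknownCritical) })
        {
            var bad = UnrecognizedCritical(cert);
            Console.WriteLine(bad.Count == 0 ? "accept" : "reject: " + string.Join(", ", bad));
        }
    }
}
```

The first sample certificate passes because its only unknown extension is non-critical; the second is rejected because of the unknown critical one.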
