Replies: 1 comment
-
|
I haven't seen anything official on the alt signature extensions, as far as I am aware it's either or both, depending on local policy. I think to do this properly we need to add an additional setting to the ExtendedPKIXParameters (that would allow for the classical signature to be ignored), however if you're trying to do both you could make use of the PKIXCertPathChecker class to add support for verifying the alternate signature now. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Hello BouncyCastle community !
Using the version 1.79 of BouncyCastle Java libraries, I noticed on one hand that a certificate chain validation CertPathValidator.validate() does a lot through but doesn't verify the alternative signature (if present of course). On the other hand, the method X509CertificateHolder.isAlternativeSignatureValid() is checking the alternative signature.
Now for hybrid certificates (that contains both a regular ECDSA signature and an alternative PQC signature like ML-DSA), my understanding is that the certificate verification should / might check both signatures.
Am I correct and if so is there a way to do it ?
Thanks
Sebastien
Beta Was this translation helpful? Give feedback.
All reactions