Hybrid certificates verification: how to force the verification of alternative signature when using CertPathValidator.validate() ?

[sbahloul]

Hello BouncyCastle community !

Using the version 1.79 of BouncyCastle Java libraries, I noticed on one hand that a certificate chain validation CertPathValidator.validate() does a lot through but doesn't verify the alternative signature (if present of course). On the other hand, the method X509CertificateHolder.isAlternativeSignatureValid() is checking the alternative signature.

Now for hybrid certificates (that contains both a regular ECDSA signature and an alternative PQC signature like ML-DSA), my understanding is that the certificate verification should / might check both signatures.

Am I correct and if so is there a way to do it ?

Thanks
Sebastien

[dghgit]

I haven't seen anything official on the alt signature extensions, as far as I am aware it's either or both, depending on local policy. I think to do this properly we need to add an additional setting to the ExtendedPKIXParameters (that would allow for the classical signature to be ignored), however if you're trying to do both you could make use of the PKIXCertPathChecker class to add support for verifying the alternate signature now.