List of usage examples for org.bouncycastle.cert.ocsp OCSPReq getSignatureAlgOID
public ASN1ObjectIdentifier getSignatureAlgOID()
From source file:org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.java
License:Open Source License
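/**
 * Selects the signature algorithm for an OCSP response in the preference order of
 * RFC 6960 section 4.4.7:
 * <ol>
 *   <li>an algorithm listed in the request's PreferredSignatureAlgorithms extension
 *       (id-pkix-ocsp 8), if EJBCA accepts it;</li>
 *   <li>the algorithm used to sign a CRL issued by the certificate issuer (NOT APPLIED);</li>
 *   <li>the algorithm used to sign the OCSPRequest itself, if EJBCA accepts it;</li>
 *   <li>the algorithm advertised out-of-band as the default for the signing service; here
 *       that is the OcspKeyBinding's algorithm when a separate OCSP signing certificate is used;</li>
 *   <li>a mandatory or recommended algorithm for the OCSP version in use, i.e. the one
 *       configured in ocsp.properties.</li>
 * </ol>
 * "Acceptable" means listed under 'ocsp.signaturealgorithm' in ocsp.properties, as decided by
 * {@link OcspConfiguration#isAcceptedSignatureAlgorithm(String)}. Steps 1 and 3 derive their
 * candidate from the request, which the responder has no reason to trust, so a candidate is used
 * only when it is both on that list and compatible with the signer's key type
 * ({@link AlgorithmTools#isCompatibleSigAlg(PublicKey, String)}); the request can influence the
 * choice but cannot push the responder outside its configured set of algorithms.
 *
 * @param req the OCSP request; its PreferredSignatureAlgorithms extension and its own signature
 *            algorithm (if the request is signed) are consulted
 * @param ocspSigningCacheEntry cache entry for the responder; consulted for an OcspKeyBinding
 *            override when a separate OCSP signing certificate is in use
 * @param signerCert certificate whose public key the chosen algorithm must be compatible with
 * @return the name of the signature algorithm to sign the response with; for steps 1 and 3 it
 *         is never null, for steps 4 and 5 it is whatever the key binding or
 *         {@link #getSigningAlgFromAlgSelection(String, PublicKey)} returns
 * @throws IllegalArgumentException if the PreferredSignatureAlgorithms extension is present but
 *         not DER-encoded as expected (thrown by the BouncyCastle getInstance parsers)
 */
private String getSigAlg(OCSPReq req, final OcspSigningCacheEntry ocspSigningCacheEntry, final X509Certificate signerCert) {
    final PublicKey pk = signerCert.getPublicKey();

    // 1. Preferred signature algorithms named by the client (id-pkix-ocsp 8, RFC 6960 4.4.7.1).
    //    Each entry is checked against the accepted list and the signer key before it is used.
    final Extension preferredSigAlgExtension = req.getExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp + ".8"));
    if (preferredSigAlgExtension != null) {
        final ASN1Sequence preferredSignatureAlgorithms = ASN1Sequence.getInstance(preferredSigAlgExtension.getParsedValue());
        for (int i = 0; i < preferredSignatureAlgorithms.size(); i++) {
            final ASN1ObjectIdentifier algorithmOid = extractPreferredSigAlgOid(preferredSignatureAlgorithms.getObjectAt(i));
            final String candidate = acceptableSigAlgForOid(algorithmOid, pk);
            if (candidate != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Using OCSP response signature algorithm extracted from OCSP request extension. " + algorithmOid);
                }
                return candidate;
            }
        }
    }

    // 2. CRL signature algorithm: not applied.

    // 3. The algorithm the client used to sign the OCSPRequest (null when the request is unsigned).
    //    Same acceptance/compatibility filter as step 1; an OID that AlgorithmTools cannot name is
    //    skipped instead of being handed to isAcceptedSignatureAlgorithm as null.
    final ASN1ObjectIdentifier requestSigAlgOid = req.getSignatureAlgOID();
    if (requestSigAlgOid != null) {
        final String candidate = acceptableSigAlgForOid(requestSigAlgOid, pk);
        if (candidate != null) {
            if (log.isDebugEnabled()) {
                log.debug("OCSP response signature algorithm: the signature algorithm used to sign the OCSPRequest. " + candidate);
            }
            return candidate;
        }
    }

    // 4. The algorithm advertised out-of-band as the default for the signing service. With a
    //    separate OCSP signing certificate the OcspKeyBinding configuration overrides the default;
    //    it is responder-side configuration, so it is not filtered through the accepted list here.
    if (ocspSigningCacheEntry.isUsingSeparateOcspSigningCertificate()) {
        final String bindingSigAlg = ocspSigningCacheEntry.getOcspKeyBinding().getSignatureAlgorithm();
        if (log.isDebugEnabled()) {
            log.debug("OCSP response signature algorithm: the signature algorithm that has been advertised as being the default signature algorithm "
                    + "for the signing service using an out-of-band mechanism. " + bindingSigAlg);
        }
        return bindingSigAlg;
    }

    // 5. The algorithm configured for the OCSP version in use (ocsp.properties), narrowed to the key type.
    final String configuredSigAlgs = OcspConfiguration.getSignatureAlgorithm();
    final String configuredSigAlg = getSigningAlgFromAlgSelection(configuredSigAlgs, pk);
    if (log.isDebugEnabled()) {
        log.debug("Using configured signature algorithm to sign OCSP response. " + configuredSigAlg);
    }
    return configuredSigAlg;
}

/**
 * Extracts the algorithm OID from one entry of a PreferredSignatureAlgorithms sequence.
 * A proper entry is a PreferredSignatureAlgorithm SEQUENCE whose first element is the
 * AlgorithmIdentifier (RFC 6960 + RFC 5280); a bare OID is also tolerated for clients adapted
 * to EJBCA 6.1.0's earlier implementation, with an info log because that form is to be dropped.
 *
 * @param asn1Encodable one element of the PreferredSignatureAlgorithms sequence
 * @return the signature algorithm OID of that entry
 * @throws IllegalArgumentException if the entry is neither an OID nor a parseable sequence
 */
private ASN1ObjectIdentifier extractPreferredSigAlgOid(final ASN1Encodable asn1Encodable) {
    if (asn1Encodable instanceof ASN1ObjectIdentifier) {
        // Handle client requests that were adapted to EJBCA 6.1.0's implementation
        log.info("OCSP request's PreferredSignatureAlgorithms did not contain an PreferredSignatureAlgorithm, but instead an algorithm OID."
                + " This will not be supported in a future versions of EJBCA.");
        return (ASN1ObjectIdentifier) asn1Encodable;
    }
    // Handle client requests that provide a proper AlgorithmIdentifier as specified in RFC 6960 + RFC 5280
    final ASN1Sequence preferredSignatureAlgorithm = ASN1Sequence.getInstance(asn1Encodable);
    final AlgorithmIdentifier algorithmIdentifier = AlgorithmIdentifier.getInstance(preferredSignatureAlgorithm.getObjectAt(0));
    return algorithmIdentifier.getAlgorithm();
}

/**
 * Maps a client-supplied algorithm OID to a signature algorithm name the responder is willing
 * to use: the OID must be known to {@link AlgorithmTools}, listed as accepted in the OCSP
 * configuration, and compatible with the signer's public key.
 *
 * @param algorithmOid OID taken from the request; may be null
 * @param pk the signer's public key
 * @return the algorithm name if it passes all three checks, otherwise null
 */
private static String acceptableSigAlgForOid(final ASN1ObjectIdentifier algorithmOid, final PublicKey pk) {
    if (algorithmOid == null) {
        return null;
    }
    final String sigAlg = AlgorithmTools.getAlgorithmNameFromOID(algorithmOid);
    if (sigAlg != null && OcspConfiguration.isAcceptedSignatureAlgorithm(sigAlg) && AlgorithmTools.isCompatibleSigAlg(pk, sigAlg)) {
        return sigAlg;
    }
    return null;
}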