Example usage for org.bouncycastle.cert.ocsp OCSPReq getSignatureAlgOID

List of usage examples for org.bouncycastle.cert.ocsp OCSPReq getSignatureAlgOID

Introduction

On this page you can find example usage of org.bouncycastle.cert.ocsp OCSPReq getSignatureAlgOID.

Prototype

public ASN1ObjectIdentifier getSignatureAlgOID() 


Document

Returns the object identifier representing the signature algorithm used to sign the request.

Usage

From source file:org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.java

License:Open Source License

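/**
 * Selects the OCSP response signature algorithm following the preference order of
 * RFC 6960 Section 4.4.7:
 * <ol>
 *   <li>An algorithm listed in the client's PreferredSignatureAlgorithms request extension
 *       (id-pkix-ocsp 8), provided it is accepted by EJBCA and compatible with the signer's key.</li>
 *   <li>The algorithm used to sign a CRL issued by the certificate issuer providing status
 *       information for the certificate specified by CertID. (NOT APPLIED)</li>
 *   <li>The algorithm used to sign the OCSPRequest itself, provided it is accepted by EJBCA
 *       and compatible with the signer's key.</li>
 *   <li>The algorithm advertised as the default for the signing service via an out-of-band
 *       mechanism, i.e. the one configured on the OcspKeyBinding when a separate OCSP signing
 *       certificate is used.</li>
 *   <li>A mandatory or recommended algorithm for the version of OCSP in use, i.e. the one
 *       specified in the properties file.</li>
 * </ol>
 * The algorithms accepted by EJBCA are those listed under 'ocsp.signaturealgorithm' in the
 * ocsp.properties file. Steps 1 and 3 read client-controlled data, so every candidate from
 * them is checked against that list and against the signer's key before it is used; steps 4
 * and 5 come from local configuration and are returned as-is.
 *
 * @param req the OCSP request whose extensions and signature algorithm are consulted
 * @param ocspSigningCacheEntry cache entry describing the responder's signing configuration
 * @param signerCert certificate whose public key the response will be signed with; used for
 *        the key/algorithm compatibility check
 * @return the name of the signature algorithm to sign the response with, selected as above
 *         (step 5 returns whatever getSigningAlgFromAlgSelection yields for the configured list)
 */
private String getSigAlg(OCSPReq req, final OcspSigningCacheEntry ocspSigningCacheEntry,
        final X509Certificate signerCert) {
    final PublicKey pk = signerCert.getPublicKey();
    // 1. Preferred signature algorithm from the OCSP request extension (client-controlled).
    String sigAlg = getSigAlgFromPreferredSignatureAlgorithms(req, pk);
    if (sigAlg != null) {
        return sigAlg;
    }
    // 2. Signature algorithm of a CRL issued by the certificate issuer: not applied.
    // 3. The signature algorithm used to sign the OCSPRequest (client-controlled).
    sigAlg = getSigAlgFromRequestSignature(req, pk);
    if (sigAlg != null) {
        return sigAlg;
    }
    // 4. The signature algorithm that has been advertised as being the default signature algorithm
    //    for the signing service using an out-of-band mechanism.
    if (ocspSigningCacheEntry.isUsingSeparateOcspSigningCertificate()) {
        // If we have an OcspKeyBinding we use this configuration to override the default
        sigAlg = ocspSigningCacheEntry.getOcspKeyBinding().getSignatureAlgorithm();
        if (log.isDebugEnabled()) {
            log.debug(
                    "OCSP response signature algorithm: the signature algorithm that has been advertised as being the default signature algorithm "
                            + "for the signing service using an out-of-band mechanism. " + sigAlg);
        }
        return sigAlg;
    }
    // 5. The signature algorithm specified for the version of OCSP in use (properties file).
    final String sigAlgs = OcspConfiguration.getSignatureAlgorithm();
    sigAlg = getSigningAlgFromAlgSelection(sigAlgs, pk);
    if (log.isDebugEnabled()) {
        log.debug("Using configured signature algorithm to sign OCSP response. " + sigAlg);
    }
    return sigAlg;
}

/**
 * Step 1 of the selection: walks the PreferredSignatureAlgorithms extension of the request and
 * returns the first algorithm that is both accepted by EJBCA and compatible with the signer's key.
 *
 * @param req the OCSP request
 * @param pk the public key the response will be signed with
 * @return the algorithm name, or null when the extension is absent or holds no usable algorithm
 */
private String getSigAlgFromPreferredSignatureAlgorithms(final OCSPReq req, final PublicKey pk) {
    final Extension preferredSigAlgExtension = req
            .getExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp + ".8"));
    if (preferredSigAlgExtension == null) {
        return null;
    }
    // NOTE(review): the extension body is client-supplied. ASN1Sequence.getInstance and
    // getObjectAt(0) throw unchecked exceptions on malformed content (e.g. an empty inner
    // SEQUENCE); they propagate out of this method unchanged — confirm the caller maps them to
    // a malformedRequest response rather than an internal error.
    final ASN1Sequence preferredSignatureAlgorithms = ASN1Sequence
            .getInstance(preferredSigAlgExtension.getParsedValue());
    for (int i = 0; i < preferredSignatureAlgorithms.size(); i++) {
        final ASN1ObjectIdentifier algorithmOid = toAlgorithmOid(preferredSignatureAlgorithms.getObjectAt(i));
        if (algorithmOid == null) {
            continue;
        }
        final String sigAlg = AlgorithmTools.getAlgorithmNameFromOID(algorithmOid);
        if (isUsableSigAlg(sigAlg, pk)) {
            if (log.isDebugEnabled()) {
                log.debug(
                        "Using OCSP response signature algorithm extracted from OCSP request extension. "
                                + algorithmOid);
            }
            return sigAlg;
        }
    }
    return null;
}

/**
 * Extracts the algorithm OID from one entry of the PreferredSignatureAlgorithms SEQUENCE.
 * Entries are expected to be a PreferredSignatureAlgorithm SEQUENCE whose first element is an
 * AlgorithmIdentifier (RFC 6960 + RFC 5280); a bare OID is also accepted for compatibility with
 * clients adapted to EJBCA 6.1.0's implementation.
 *
 * @param entry one element of the extension's outer SEQUENCE
 * @return the algorithm OID, or null if the AlgorithmIdentifier carries none
 */
private ASN1ObjectIdentifier toAlgorithmOid(final ASN1Encodable entry) {
    if (entry instanceof ASN1ObjectIdentifier) {
        // Handle client requests that were adapted to EJBCA 6.1.0's implementation.
        // NOTE(review): this is an INFO log per request carrying the legacy form, and the
        // request is client-controlled; consider whether debug level is more appropriate.
        log.info(
                "OCSP request's PreferredSignatureAlgorithms did not contain an PreferredSignatureAlgorithm, but instead an algorithm OID."
                        + " This will not be supported in a future versions of EJBCA.");
        return (ASN1ObjectIdentifier) entry;
    }
    // Handle client requests that provide a proper AlgorithmIdentifier as specified in RFC 6960 + RFC 5280
    final ASN1Sequence preferredSignatureAlgorithm = ASN1Sequence.getInstance(entry);
    final AlgorithmIdentifier algorithmIdentifier = AlgorithmIdentifier
            .getInstance(preferredSignatureAlgorithm.getObjectAt(0));
    return algorithmIdentifier.getAlgorithm();
}

/**
 * Step 3 of the selection: uses the algorithm the OCSPRequest itself was signed with, if any.
 * The null check on the resolved name mirrors step 1; an OID the tools cannot name must not be
 * passed on to the accepted-algorithm check.
 *
 * @param req the OCSP request
 * @param pk the public key the response will be signed with
 * @return the algorithm name, or null when the request is unsigned or its algorithm is not usable
 */
private String getSigAlgFromRequestSignature(final OCSPReq req, final PublicKey pk) {
    final ASN1ObjectIdentifier requestSigAlgOid = req.getSignatureAlgOID();
    if (requestSigAlgOid == null) {
        return null;
    }
    final String sigAlg = AlgorithmTools.getAlgorithmNameFromOID(requestSigAlgOid);
    if (!isUsableSigAlg(sigAlg, pk)) {
        return null;
    }
    if (log.isDebugEnabled()) {
        log.debug(
                "OCSP response signature algorithm: the signature algorithm used to sign the OCSPRequest. "
                        + sigAlg);
    }
    return sigAlg;
}

/**
 * Whether a client-proposed algorithm may be used to sign the response: it must resolve to a
 * name, be listed in 'ocsp.signaturealgorithm' and be compatible with the signing key.
 *
 * @param sigAlg algorithm name as returned by AlgorithmTools.getAlgorithmNameFromOID, may be null
 * @param pk the public key the response will be signed with
 * @return true when all three conditions hold
 */
private boolean isUsableSigAlg(final String sigAlg, final PublicKey pk) {
    return sigAlg != null && OcspConfiguration.isAcceptedSignatureAlgorithm(sigAlg)
            && AlgorithmTools.isCompatibleSigAlg(pk, sigAlg);
}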