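/**
 * Selects the digest and content-encryption algorithms from {@code caCaps} and hands the
 * request to {@link PkiMessage#encode} together with the client identity and the
 * encryption certificate taken from {@code authorityCertStore}.
 *
 * <p>Weak algorithms are refused unless {@code useInsecureAlgorithms} is set: MD5 as the
 * digest, and single DES as the cipher when neither AES nor DES3 is advertised. In those
 * cases the method fails rather than silently downgrading.
 *
 * @param request the SCEP message to encode
 * @param identityKey private key passed to the encoder for signing
 * @param identityCert certificate passed to the encoder; it is also the only entry of the
 *     certificate array sent along (presumably the certificate for {@code identityKey})
 * @return whatever {@code request.encode} produces
 * @throws ScepClientException if only a non-permitted algorithm is available, or if
 *     encoding fails (the {@code MessageEncodingException} is kept as the cause)
 */
private ContentInfo encryptThenSign(PkiMessage request, PrivateKey identityKey,
    X509Certificate identityCert) throws ScepClientException {
  // NOTE(review): caCaps looks like the capability set advertised by the SCEP server.
  // If it is fetched over a channel that is not authenticated, the advertised list can be
  // altered in transit, so the useInsecureAlgorithms gates below are the only protection
  // against an algorithm downgrade. Confirm how caCaps is obtained.
  ScepHashAlgo hashAlgo = caCaps.mostSecureHashAlgo();

  // Only MD5 is gated here. NOTE(review): whether other weak digests (e.g. SHA-1) can be
  // returned by mostSecureHashAlgo() is not visible from this method; verify.
  if (hashAlgo == ScepHashAlgo.MD5 && !useInsecureAlgorithms) {
    throw new ScepClientException(
        "Scep server supports only MD5 but it is not permitted in client");
  }

  String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(identityKey, hashAlgo);

  // Cipher preference: AES-128-CBC, then 3DES-CBC, then single DES only on explicit opt-in.
  ASN1ObjectIdentifier encAlgId;
  if (caCaps.containsCapability(CaCapability.AES)) {
    encAlgId = CMSAlgorithm.AES128_CBC;
  } else if (caCaps.containsCapability(CaCapability.DES3)) {
    encAlgId = CMSAlgorithm.DES_EDE3_CBC;
  } else if (useInsecureAlgorithms) {
    encAlgId = CMSAlgorithm.DES_CBC;
  } else {
    // Reached when the server advertises neither AES nor DES3 and DES is not opted into.
    throw new ScepClientException(
        "Scep server supports neither AES nor DES3, and DES is not permitted in client");
  }

  try {
    return request.encode(identityKey, signatureAlgorithm, identityCert,
        new X509Certificate[]{identityCert}, authorityCertStore.getEncryptionCert(),
        encAlgId);
  } catch (MessageEncodingException ex) {
    // Wrap with the original exception as cause so the encoding failure stays diagnosable.
    throw new ScepClientException(ex);
  }
}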