Question

I can extract the OID and the name of the signature algorithm from an X509Certificate instance, such as "SHA256WithRSA", but how do I extract the name of the digest algorithm, e.g. "SHA256"?

Is there a way besides string splitting on "with" or a fixed mapping of the OIDs?

Side question: Would it be safe to split for "with"?

Solution

A certificate contains only the signature algorithm OID, which maps to a unique digest/algorithm pair. Therefore the easiest way to find the digest algorithm is to use a mapping table OID -> digest algo.

Unfortunately, I know of no centralized location where you can find these OIDs. However, they can be collected from these RFCs:

Parsing the algorithm name and splitting on "With" should work, but with these limitations:

  • It may only work with the Oracle cryptography provider (see the documentation on signature algorithm naming conventions). Another provider, with its own certificate implementation, may use another, incompatible naming convention.
  • If the algorithm is unknown, the getSigAlgName() method will return a String of the form OID.a.b.c.d.... For instance, the SHA256withDSA algorithm is not supported by the old Java 6 and will be printed as OID.2.16.840.1.101.3.4.3.2
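
The OID -> digest mapping table described in the answer, as an added example that is not part of the original answer. The class name, the helper methods and the table contents (a subset of well-known signature OIDs) are this example's own choices; it keys on getSigAlgOID() so the result does not depend on a provider's naming convention.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;

public class SigAlgDigest {
    // Signature algorithm OID -> JCA digest name. A subset; extend as needed.
    // RSASSA-PSS (1.2.840.113549.1.1.10) is absent on purpose: its hash is
    // named in the algorithm parameters, not by the OID.
    private static final Map<String, String> DIGEST_BY_SIG_OID = Map.ofEntries(
        Map.entry("1.2.840.113549.1.1.4",   "MD5"),     // md5WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.5",   "SHA-1"),   // sha1WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.11",  "SHA-256"), // sha256WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.12",  "SHA-384"), // sha384WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.13",  "SHA-512"), // sha512WithRSAEncryption
        Map.entry("1.2.840.10040.4.3",      "SHA-1"),   // dsa-with-sha1
        Map.entry("2.16.840.1.101.3.4.3.2", "SHA-256"), // dsa-with-sha256
        Map.entry("1.2.840.10045.4.1",      "SHA-1"),   // ecdsa-with-SHA1
        Map.entry("1.2.840.10045.4.3.2",    "SHA-256"), // ecdsa-with-SHA256
        Map.entry("1.2.840.10045.4.3.3",    "SHA-384"), // ecdsa-with-SHA384
        Map.entry("1.2.840.10045.4.3.4",    "SHA-512")  // ecdsa-with-SHA512
    );

    // Empty result means "not in the table": treat it as unknown, never guess.
    static Optional<String> digestForOid(String sigAlgOid) {
        return Optional.ofNullable(DIGEST_BY_SIG_OID.get(sigAlgOid));
    }

    static Optional<String> digestFor(X509Certificate cert) {
        return digestForOid(cert.getSigAlgOID());
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) { // optional: path to a PEM or DER certificate
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println(cert.getSigAlgName() + " -> "
                    + digestFor(cert).orElse("unmapped OID " + cert.getSigAlgOID()));
            }
            return;
        }
        // Constructed inputs: the DSA OID quoted in the answer, and RSASSA-PSS.
        for (String oid : new String[] {"2.16.840.1.101.3.4.3.2", "1.2.840.113549.1.1.10"}) {
            System.out.println(oid + " -> " + digestForOid(oid).orElse("unmapped"));
        }
    }
}
```

Run without arguments it resolves the two constructed OIDs; with a certificate path it reports that certificate's digest, which makes MD5 and SHA-1 signatures easy to flag in an audit.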
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow