A certificate contains only the signature algorithm OID, which maps to a unique digest/algorithm pair. Therefore the easiest way to find the digest algorithm is to use a mapping table OID -> digest algo.
Unfortunately, I know of no centralized location where you can find these OIDs. However, they can be collected from these RFCs:
- Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters
- Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA
Parsing the algorithm name and splitting on "With" should work, but with these limitations:
- It may only work with the Oracle cryptography provider (see the documentation on signature algorithm naming conventions). Another provider, with its own certificate implementation, may use another, incompatible naming convention.
- If the algorithm is unknown, the `getSigAlgName()` method will return a String of the form `OID.a.b.c.d...`. For instance, the `SHA256withDSA` algorithm is not supported by the old Java 6 and will be printed as `OID.2.16.840.1.101.3.4.3.2`.
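
A sketch of the OID lookup with the name-splitting fallback described in this answer, added as an example and not part of the original post. The class and method names are hypothetical, the table covers only common RSA, DSA and ECDSA OIDs, and `Map.ofEntries` needs Java 9 or later.

```java
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;

public class SigAlgDigest {
    // Signature algorithm OID -> digest, for the common RSA, DSA and ECDSA identifiers.
    // RSASSA-PSS (1.2.840.113549.1.1.10) is deliberately absent: its digest is carried
    // in the algorithm parameters, so the OID alone does not determine it.
    private static final Map<String, String> DIGEST_BY_OID = Map.ofEntries(
        Map.entry("1.2.840.113549.1.1.4",  "MD5"),     // md5WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.5",  "SHA1"),    // sha1WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.14", "SHA224"),  // sha224WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.11", "SHA256"),  // sha256WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.12", "SHA384"),  // sha384WithRSAEncryption
        Map.entry("1.2.840.113549.1.1.13", "SHA512"),  // sha512WithRSAEncryption
        Map.entry("1.2.840.10040.4.3",      "SHA1"),   // dsa-with-sha1
        Map.entry("2.16.840.1.101.3.4.3.1", "SHA224"), // dsa-with-sha224
        Map.entry("2.16.840.1.101.3.4.3.2", "SHA256"), // dsa-with-sha256
        Map.entry("1.2.840.10045.4.1",   "SHA1"),      // ecdsa-with-SHA1
        Map.entry("1.2.840.10045.4.3.1", "SHA224"),    // ecdsa-with-SHA224
        Map.entry("1.2.840.10045.4.3.2", "SHA256"),    // ecdsa-with-SHA256
        Map.entry("1.2.840.10045.4.3.3", "SHA384"),    // ecdsa-with-SHA384
        Map.entry("1.2.840.10045.4.3.4", "SHA512")     // ecdsa-with-SHA512
    );

    /** Returns the digest name, or null when neither the OID nor the name reveals it. */
    static String digestOf(String sigAlgOid, String sigAlgName) {
        String digest = DIGEST_BY_OID.get(sigAlgOid);
        if (digest != null) return digest;
        // Fallback: provider-dependent name such as "SHA256withRSA". Unknown algorithms
        // come back as "OID.a.b.c.d", which carries no digest name to split out.
        if (sigAlgName == null || sigAlgName.startsWith("OID.")) return null;
        int i = sigAlgName.toUpperCase(Locale.ROOT).indexOf("WITH");
        return i > 0 ? sigAlgName.substring(0, i) : null;
    }

    static String digestOf(X509Certificate cert) {
        return digestOf(cert.getSigAlgOID(), cert.getSigAlgName());
    }

    public static void main(String[] args) {
        // Constructed inputs: (OID, name as a provider might report it).
        // "1.2.3.4" is a placeholder OID that is not in the table.
        System.out.println(digestOf("2.16.840.1.101.3.4.3.2", "OID.2.16.840.1.101.3.4.3.2"));
        System.out.println(digestOf("1.2.840.113549.1.1.11", "SHA256withRSA"));
        System.out.println(digestOf("1.2.3.4", "SHA3-256withRSA"));
        System.out.println(digestOf("1.2.3.4", "OID.1.2.3.4"));
    }
}
```

Treat a `null` result as "digest unknown" and reject or flag the certificate rather than assuming a default, so an unrecognized or weak algorithm is never silently accepted.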