public static String getKeystoreSignerConfWithoutAlgo(
      final String keystoreFile,
      final String password,
      final int parallelism,
      final String keyLabel) {
    ParamChecker.assertNotBlank("keystoreFile", keystoreFile);
    ParamChecker.assertNotBlank("password", password);

    CmpUtf8Pairs conf = new CmpUtf8Pairs("password", password);
    conf.putUtf8Pair("parallelism", Integer.toString(parallelism));
    if (keyLabel != null) {
      conf.putUtf8Pair("key-label", keyLabel);
    }
    conf.putUtf8Pair("keystore", "file:" + keystoreFile);

    return conf.getEncoded();
  }
  public static String getPkcs11SignerConfWithoutAlgo(
      final String pkcs11ModuleName,
      final P11SlotIdentifier slotId,
      final P11KeyIdentifier keyId,
      final int parallelism) {
    ParamChecker.assertNotNull("keyId", keyId);

    CmpUtf8Pairs conf = new CmpUtf8Pairs();
    conf.putUtf8Pair("parallelism", Integer.toString(parallelism));

    if (pkcs11ModuleName != null && pkcs11ModuleName.length() > 0) {
      conf.putUtf8Pair("module", pkcs11ModuleName);
    }

    if (slotId.getSlotId() != null) {
      conf.putUtf8Pair("slot-id", slotId.getSlotId().toString());
    } else {
      conf.putUtf8Pair("slot", slotId.getSlotIndex().toString());
    }

    if (keyId.getKeyId() != null) {
      conf.putUtf8Pair("key-id", Hex.toHexString(keyId.getKeyId()));
    }

    if (keyId.getKeyLabel() != null) {
      conf.putUtf8Pair("key-label", keyId.getKeyLabel());
    }

    return conf.getEncoded();
  }
  private static void validateSigner(
      final ConcurrentContentSigner signer,
      final X509Certificate[] certificateChain,
      final String signerType,
      final String signerConf)
      throws SignerException {
    X509Certificate cert = signer.getCertificate();
    if (certificateChain == null) {
      return;
    }

    String signatureAlgoName;
    try {
      signatureAlgoName = AlgorithmUtil.getSignatureAlgoName(signer.getAlgorithmIdentifier());
    } catch (NoSuchAlgorithmException e) {
      throw new SignerException(e.getMessage(), e);
    }

    ContentSigner csigner;
    try {
      csigner = signer.borrowContentSigner();
    } catch (NoIdleSignerException e) {
      throw new SignerException(e.getMessage(), e);
    }

    try {
      byte[] dummyContent = new byte[] {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
      Signature verifier = Signature.getInstance(signatureAlgoName, "BC");

      OutputStream signatureStream = csigner.getOutputStream();
      signatureStream.write(dummyContent);
      byte[] signatureValue = csigner.getSignature();

      verifier.initVerify(cert.getPublicKey());
      verifier.update(dummyContent);
      boolean valid = verifier.verify(signatureValue);
      if (valid == false) {
        String subject = X509Util.getRFC4519Name(cert.getSubjectX500Principal());

        StringBuilder sb = new StringBuilder();
        sb.append("key and certificate not match. ");
        sb.append("key type='").append(signerType).append("'; ");

        CmpUtf8Pairs keyValues = new CmpUtf8Pairs(signerConf);
        String pwd = keyValues.getValue("password");
        if (pwd != null) {
          keyValues.putUtf8Pair("password", "****");
        }
        keyValues.putUtf8Pair("algo", signatureAlgoName);
        sb.append("conf='").append(keyValues.getEncoded()).append("', ");
        sb.append("certificate subject='").append(subject).append("'");

        throw new SignerException(sb.toString());
      }
    } catch (IOException
        | NoSuchAlgorithmException
        | InvalidKeyException
        | SignatureException
        | NoSuchProviderException e) {
      throw new SignerException(e.getMessage(), e);
    } finally {
      if (csigner != null) {
        signer.returnContentSigner(csigner);
      }
    }
  }