private ContentInfo encryptThenSign(PkiMessage request, PrivateKey identityKey,
    X509Cert identityCert) throws ScepClientException {
  HashAlgo hashAlgo = caCaps.mostSecureHashAlgo();
  String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(identityKey, hashAlgo);
  ASN1ObjectIdentifier encAlgId;
  if (caCaps.containsCapability(CaCapability.AES)) {
    encAlgId = CMSAlgorithm.AES128_CBC;
  } else if (caCaps.containsCapability(CaCapability.DES3)) {
    encAlgId = CMSAlgorithm.DES_EDE3_CBC;
  } else if (useInsecureAlgorithms) {
    encAlgId = CMSAlgorithm.DES_CBC;
  } else { // no support of DES
    throw new ScepClientException("DES will not be supported by this client");
  }

  try {
    return request.encode(identityKey, signatureAlgorithm, identityCert,
        new X509Cert[]{identityCert}, authorityCertStore.getEncryptionCert(), encAlgId);
  } catch (MessageEncodingException ex) {
    throw new ScepClientException(ex);
  }
}
 

public static byte[] encryptData(final byte[] data, X509Certificate encryptionCertificate) throws CertificateEncodingException, CMSException, IOException {
    byte[] encryptedData = null;
    if (null != data && null != encryptionCertificate) {
        CMSEnvelopedDataGenerator cmsEnvelopedDataGenerator = new CMSEnvelopedDataGenerator();
        JceKeyTransRecipientInfoGenerator jceKey = new JceKeyTransRecipientInfoGenerator(encryptionCertificate);
        cmsEnvelopedDataGenerator.addRecipientInfoGenerator(jceKey);
        CMSTypedData msg = new CMSProcessableByteArray(data);
        OutputEncryptor encryptor = new JceCMSContentEncryptorBuilder(CMSAlgorithm.AES128_CBC).setProvider("BC").build();
        CMSEnvelopedData cmsEnvelopedData = cmsEnvelopedDataGenerator.generate(msg, encryptor);
        encryptedData = cmsEnvelopedData.getEncoded();
    }
    return encryptedData;
}