Usage examples for java.security.cert.X509Certificate.getSubjectAlternativeNames()
public Collection<List<?>> getSubjectAlternativeNames() throws CertificateParsingException
From source file:org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateAuthenticator.java
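/**
 * Returns the single subject-alternative-name value of the certificate that matches the
 * configured alternative-names pattern.
 *
 * String-valued entries are matched as they are; byte[]-valued entries are first decoded with
 * {@code decodeAlternativeName}. Entries of any other value type are skipped.
 *
 * NOTE(review): the GeneralName type tag ({@code item.get(0)}) is never inspected, so a match can
 * come from any SAN type (e-mail, DNS name, URI, otherName, ...). Confirm that this is intended
 * for the identity derived here, and that the configured pattern is strict enough for it.
 *
 * @param cert x509 certificate.
 * @param authenticationContext context that receives the error code when no SAN extension is
 *                              present, nothing matches, or more than one value matches.
 * @return the only alternative name that matched the pattern.
 * @throws AuthenticationFailedException if the certificate has no SAN extension, the extension
 *                                       cannot be parsed or decoded, no value matches, or more
 *                                       than one value matches.
 */
private String getMatchedAlternativeName(X509Certificate cert, AuthenticationContext authenticationContext)
        throws AuthenticationFailedException {

    List<String> matchedAlternativeNamesList = new ArrayList<>();
    try {
        Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
        if (altNames == null) {
            authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE,
                    X509CertificateConstants.X509_CERTIFICATE_ALTERNATIVE_NAMES_NOTFOUND_ERROR_CODE);
            throw new AuthenticationFailedException(
                    X509CertificateConstants.X509_CERTIFICATE_ALTERNATIVE_NAMES_NOTFOUND_ERROR);
        }
        for (List<?> item : altNames) {
            // Each entry is a two-element list: [type tag, value].
            Object value = item.get(1);
            String candidate;
            if (value instanceof byte[]) {
                // The stream is closed as soon as the value has been decoded.
                try (ASN1InputStream decoder = new ASN1InputStream((byte[]) value)) {
                    candidate = decodeAlternativeName(decoder);
                }
            } else if (value instanceof String) {
                candidate = (String) value;
            } else {
                continue;
            }
            Matcher m = alternativeNamesPatternCompiled.matcher(candidate);
            addMatchStringsToList(m, matchedAlternativeNamesList);
        }
    } catch (CertificateParsingException | IOException e) {
        // Keep the cause so the parsing failure can be diagnosed from the logs.
        throw new AuthenticationFailedException("Failed to Parse the certificate", e);
    }

    if (matchedAlternativeNamesList.isEmpty()) {
        authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE,
                X509CertificateConstants.X509_CERTIFICATE_ALTERNATIVE_NAMES_REGEX_NO_MATCHES_ERROR_CODE);
        throw new AuthenticationFailedException("Regex Configured but no matches found for the given regex");
    }
    if (matchedAlternativeNamesList.size() > 1) {
        // An ambiguous identity is rejected rather than resolved by picking one of the matches.
        authenticationContext.setProperty(X509CertificateConstants.X509_CERTIFICATE_ERROR_CODE,
                X509CertificateConstants.X509_CERTIFICATE_ALTERNATIVE_NAMES_REGEX_MULTIPLE_MATCHES_ERROR_CODE);
        throw new AuthenticationFailedException("More than one match for the given regex");
    }
    return matchedAlternativeNamesList.get(0);
}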
From source file:org.atricore.idbus.capabilities.clientcertauthn.X509CertificateAuthScheme.java
/**
 * Placeholder for resolving the user id that belongs to a client certificate.
 *
 * The subject DN, the subject alternative names and the X.500 principal are read from the
 * certificate but not used yet; the method always returns {@code null}. Callers must treat
 * {@code null} as "no identity resolved".
 *
 * @param cert client certificate
 * @return always {@code null} in this implementation
 * @throws SSOAuthenticationException if reading any of the certificate fields fails
 */
protected String resolveUID(X509Certificate cert) throws SSOAuthenticationException {
    // Intended resolution rules (none of them implemented here):
    //   CN          -> the UID is the CN itself
    //   DN          -> resolved through the credential store
    //   Certificate -> resolved through the credential store
    //   Email       -> resolved through the credential store
    try {
        Principal subjectDn = cert.getSubjectDN();
        java.util.Collection<?> altNames = cert.getSubjectAlternativeNames();
        X500Principal subjectPrincipal = cert.getSubjectX500Principal();

        return null;
    } catch (Exception cause) {
        throw new SSOAuthenticationException(cause);
    }
}
From source file:mitm.common.security.certificate.impl.StandardX509CertificateBuilderTest.java
/**
 * Generates a self-signed V3 CA certificate and checks that the subject, alternative names,
 * key usages, validity, serial number, signature algorithm, basic constraints and CRL
 * distribution points read back from it equal what was configured on the builder.
 */
@Test
public void testGenerateSelfSignedV3Certificate() throws Exception {
    X509CertificateBuilder builder = new StandardX509CertificateBuilder("BC", "BC");

    KeyPairGenerator generator = securityFactory.createKeyPairGenerator("RSA");
    generator.initialize(2048, randomSource);
    KeyPair keys = generator.generateKeyPair();

    // Subject and issuer are the same principal because the certificate is self-signed.
    X500PrincipalBuilder principalBuilder = new X500PrincipalBuilder();
    principalBuilder.setCommonName("Martijn Brinkers");
    principalBuilder.setCountryCode("NL");
    principalBuilder.setEmail("test@example.com", "test2@example.com");
    principalBuilder.setGivenName("Martijn");
    principalBuilder.setSurname("Brinkers");
    principalBuilder.setLocality("Amsterdam");
    principalBuilder.setOrganisation("None");
    principalBuilder.setState("NH");

    AltNamesBuilder sanBuilder = new AltNamesBuilder();
    sanBuilder.setRFC822Names("m.brinkers@pobox.com");
    sanBuilder.setDNSNames("example.com");

    X500Principal selfSignedName = principalBuilder.buildPrincipal();
    GeneralNames subjectAltNames = sanBuilder.buildAltNames();

    Set<KeyUsageType> expectedKeyUsage = new HashSet<KeyUsageType>();
    expectedKeyUsage.add(KeyUsageType.DIGITALSIGNATURE);
    expectedKeyUsage.add(KeyUsageType.KEYENCIPHERMENT);
    expectedKeyUsage.add(KeyUsageType.NONREPUDIATION);

    Set<ExtendedKeyUsageType> expectedExtendedKeyUsage = new HashSet<ExtendedKeyUsageType>();
    expectedExtendedKeyUsage.add(ExtendedKeyUsageType.CLIENTAUTH);
    expectedExtendedKeyUsage.add(ExtendedKeyUsageType.EMAILPROTECTION);

    Date notBefore = DateUtils.addHours(new Date(), -1);
    Date notAfter = DateUtils.addYears(new Date(), 10);

    builder.setSubject(selfSignedName);
    builder.setIssuer(selfSignedName);
    // The second argument is presumably the "critical" flag, as annotated on setIsCA below.
    builder.setAltNames(subjectAltNames, true);
    builder.setKeyUsage(expectedKeyUsage, true);
    builder.setExtendedKeyUsage(expectedExtendedKeyUsage, true);
    builder.setNotBefore(notBefore);
    builder.setNotAfter(notAfter);
    builder.setPublicKey(keys.getPublic());
    builder.setSerialNumber(new BigInteger("1"));
    builder.setSignatureAlgorithm("SHA256WithRSA");
    builder.setIsCA(true, true /* critical */);
    builder.setPathLengthConstraint(5);

    Set<String> expectedCrlDistPoints = new HashSet<String>();
    expectedCrlDistPoints.add("http://example.com");
    expectedCrlDistPoints.add("123");
    builder.setCRLDistributionPoints(expectedCrlDistPoints);

    X509Certificate generated = builder.generateCertificate(keys.getPrivate(), null);

    assertNotNull(generated);

    // Keep a copy on disk so the generated certificate can be inspected by hand.
    File output = new File(tempDir, "testGenerateSelfSignedV3Certificate.cer");
    CertificateUtils.writeCertificate(generated, output);

    X509CertificateInspector inspector = new X509CertificateInspector(generated);

    assertEquals(
            "EMAILADDRESS=test2@example.com, EMAILADDRESS=test@example.com, GIVENNAME=Martijn, "
                    + "SURNAME=Brinkers, CN=Martijn Brinkers, O=None, L=Amsterdam, ST=NH, C=NL",
            inspector.getSubjectFriendly());
    assertEquals(inspector.getIssuerFriendly(), inspector.getSubjectFriendly());

    AltNamesInspector sanInspector = new AltNamesInspector(generated.getSubjectAlternativeNames());

    List<String> emailNames = sanInspector.getRFC822Names();
    assertEquals(1, emailNames.size());
    assertEquals("m.brinkers@pobox.com", emailNames.get(0));

    List<String> dnsNames = sanInspector.getDNSNames();
    assertEquals(1, dnsNames.size());
    assertEquals("example.com", dnsNames.get(0));

    assertEquals(3, inspector.getKeyUsage().size());
    assertTrue(inspector.getKeyUsage().contains(KeyUsageType.DIGITALSIGNATURE));
    assertTrue(inspector.getKeyUsage().contains(KeyUsageType.KEYENCIPHERMENT));
    assertTrue(inspector.getKeyUsage().contains(KeyUsageType.NONREPUDIATION));

    assertEquals(2, inspector.getExtendedKeyUsage().size());
    assertTrue(inspector.getExtendedKeyUsage().contains(ExtendedKeyUsageType.CLIENTAUTH));
    assertTrue(inspector.getExtendedKeyUsage().contains(ExtendedKeyUsageType.EMAILPROTECTION));

    // The dates cannot be compared exactly: the certificate encoding loses some detail,
    // so only check that they are within one second of what was requested.
    assertTrue(Math.abs(notAfter.getTime() - generated.getNotAfter().getTime()) < 1000);
    assertTrue(Math.abs(notBefore.getTime() - generated.getNotBefore().getTime()) < 1000);

    assertEquals("1", inspector.getSerialNumberHex());
    assertEquals("SHA256WITHRSA", generated.getSigAlgName());

    assertTrue(inspector.isCA());
    assertEquals(5, inspector.getBasicConstraints().getPathLenConstraint().intValue());

    Set<String> actualCrlDistPoints = CRLDistributionPointsInspector
            .getURIDistributionPointNames(inspector.getCRLDistibutionPoints());
    assertTrue(actualCrlDistPoints.contains("http://example.com"));
    assertTrue(actualCrlDistPoints.contains("123"));
}
From source file:de.duenndns.ssl.MemorizingTrustManager.java
/**
 * Builds the text shown to the user when the certificate does not match the requested host name.
 *
 * The text lists the names the certificate does carry: every String-valued subject alternative
 * name, prefixed with its numeric type tag, or the subject DN when the certificate has no SAN
 * extension. Non-String SAN values are left out. The names come from the certificate itself,
 * so they describe what the peer presented, not what was expected.
 *
 * @param cert     certificate presented by the server
 * @param hostname host name the connection was made to
 * @return the message, ending with the details appended by {@code certDetails}
 */
private String hostNameMessage(X509Certificate cert, String hostname) {
    StringBuffer text = new StringBuffer();

    text.append(master.getString(R.string.mtm_hostname_mismatch, hostname)).append("\n\n");
    try {
        Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
        if (altNames != null) {
            for (List<?> entry : altNames) {
                Object value = entry.get(1);
                if (!(value instanceof String)) {
                    continue;
                }
                text.append("[").append((Integer) entry.get(0)).append("] ");
                text.append(value).append("\n");
            }
        } else {
            // No SAN extension: fall back to the subject DN.
            text.append(cert.getSubjectDN()).append("\n");
        }
    } catch (CertificateParsingException e) {
        // A malformed extension is reported inside the message instead of aborting the prompt.
        e.printStackTrace();
        text.append("<Parsing error: ").append(e.getLocalizedMessage()).append(">\n");
    }
    text.append("\n");
    text.append(master.getString(R.string.mtm_connect_anyway)).append("\n\n");
    text.append(master.getString(R.string.mtm_cert_details));
    certDetails(text, cert);
    return text.toString();
}
From source file:org.ejbca.util.CertTools.java
/**
 * Gets the Microsoft specific GUID altName, which is encoded as an octet string.
 *
 * NOTE(review): the second element of the sequence is cast to {@code ASN1TaggedObject} without a
 * size or type check, so an entry that carries the GUID object identifier with an unexpected
 * structure surfaces as an unchecked exception. Whether {@code getAltnameSequence} already rules
 * that out is not visible here; confirm before calling this on certificates from untrusted
 * parties.
 *
 * @param cert certificate containing the extension
 * @return String with the hex-encoded GUID byte array, or null if the certificate is not an
 *         X.509 certificate or the altName does not exist
 * @throws IOException as declared; presumably raised while decoding an entry
 * @throws CertificateParsingException if the SAN extension cannot be parsed
 */
public static String getGuidAltName(Certificate cert) throws IOException, CertificateParsingException {
    if (!(cert instanceof X509Certificate)) {
        return null;
    }
    Collection<List<?>> altNames = ((X509Certificate) cert).getSubjectAlternativeNames();
    if (altNames == null) {
        return null;
    }
    for (List<?> altName : altNames) {
        ASN1Sequence seq = getAltnameSequence(altName);
        if (seq == null) {
            continue;
        }
        // The first element of the sequence is the object identifier that names the entry.
        DERObjectIdentifier id = DERObjectIdentifier.getInstance(seq.getObjectAt(0));
        if (!id.getId().equals(CertTools.GUID_OBJECTID)) {
            continue;
        }
        ASN1TaggedObject tagged = (ASN1TaggedObject) seq.getObjectAt(1);
        ASN1OctetString guid = ASN1OctetString.getInstance(tagged.getObject());
        return new String(Hex.encode(guid.getOctets()));
    }
    return null;
}
From source file:net.maritimecloud.identityregistry.utils.CertificateUtil.java
/**
 * Builds the user details for the holder of a client certificate.
 *
 * Username, uid, cn, sn, o, ou and country are taken from the subject DN. OtherName entries of
 * the SubjectAltName extension are then decoded: the MRN entry replaces the uid, each non-blank
 * permissions entry becomes a granted authority, ship specific entries are ignored.
 *
 * Security notes for reviewers:
 * - The authorities come straight from the certificate. Nothing in this method validates the
 *   certificate chain; presumably the caller or the TLS layer has done so. Confirm.
 * - If the SAN extension cannot be parsed, or an entry cannot be decoded, the failure is only
 *   logged and the user is still created from the remaining data.
 * - The username stays the UID of the subject DN even when an MRN entry replaces the uid.
 *
 * @param userCertificate the client certificate
 * @return user details built from the certificate
 */
public UserDetails getUserFromCert(X509Certificate userCertificate) {
    String certDN = userCertificate.getSubjectDN().getName();
    X500Name subject = new X500Name(certDN);
    InetOrgPerson.Essence essence = new InetOrgPerson.Essence();
    String commonName = getElement(subject, BCStyle.CN);
    String subjectUid = getElement(subject, BCStyle.UID);
    essence.setUsername(subjectUid);
    essence.setUid(subjectUid);
    essence.setDn(certDN);
    essence.setCn(new String[] { commonName });
    essence.setSn(commonName);
    essence.setO(getElement(subject, BCStyle.O));
    essence.setOu(getElement(subject, BCStyle.OU));
    essence.setDescription(certDN);
    // Hack alert! There is no country property in this type, so we misuse PostalAddress...
    essence.setPostalAddress(getElement(subject, BCStyle.C));
    log.debug("Parsed certificate, name: " + commonName);

    // Extract info from the Subject Alternative Name extension
    Collection<List<?>> sanEntries = null;
    try {
        sanEntries = userCertificate.getSubjectAlternativeNames();
    } catch (CertificateParsingException e) {
        log.warn("could not extract info from Subject Alternative Names - will be ignored.");
    }

    // Without a SubjectAltName extension the DN data is all there is.
    if (sanEntries == null) {
        return essence.createUserDetails();
    }

    Collection<GrantedAuthority> authorities = new ArrayList<>();
    for (List<?> entry : sanEntries) {
        Integer type = (Integer) entry.get(0);
        if (type != 0) {
            // Only type 0 (OtherName) is supported, everything else is skipped
            log.warn("SubjectAltName of invalid type found: " + type);
            continue;
        }

        String oid = "";
        String value = "";
        ASN1InputStream decoder = null;
        try {
            // The value is ASN.1 encoded, so decode it to get the OID and the string out again
            decoder = new ASN1InputStream((byte[]) entry.get(1));
            DLSequence seq = (DLSequence) decoder.readObject();
            ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0);
            // The string sits behind two levels of tagging
            ASN1Encodable encoded = seq.getObjectAt(1);
            encoded = ((DERTaggedObject) encoded).getObject();
            encoded = ((DERTaggedObject) encoded).getObject();
            oid = asnOID.getId();
            value = ((DERUTF8String) encoded).getString();
        } catch (Exception e) {
            // Covers encoding problems as well as unexpected ASN.1 structures: skip the entry
            log.error("Error decoding subjectAltName" + e.getLocalizedMessage(), e);
            continue;
        } finally {
            if (decoder != null) {
                try {
                    decoder.close();
                } catch (IOException ignored) {
                    // nothing useful can be done if closing fails
                }
            }
        }
        log.debug("oid: " + oid + ", value: " + value);

        switch (oid) {
        case MC_OID_FLAGSTATE:
        case MC_OID_CALLSIGN:
        case MC_OID_IMO_NUMBER:
        case MC_OID_MMSI_NUMBER:
        case MC_OID_AIS_SHIPTYPE:
        case MC_OID_PORT_OF_REGISTER:
            log.debug("Ship specific OIDs are ignored");
            break;
        case MC_OID_MRN:
            // We only support 1 mrn
            essence.setUid(value);
            break;
        case MC_OID_PERMISSIONS:
            if (value != null && !value.trim().isEmpty()) {
                authorities.add(new SimpleGrantedAuthority(value));
            }
            break;
        default:
            log.error("Unknown OID!");
            break;
        }
    }

    if (!authorities.isEmpty()) {
        essence.setAuthorities(authorities);
    }
    return essence.createUserDetails();
}
From source file:org.ejbca.util.CertTools.java
/**
 * Renders the SubjectAltName extension of a certificate as one comma separated string.
 *
 * SubjectAltName ::= GeneralNames
 *
 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
 *
 * GeneralName ::= CHOICE {
 *      otherName                       [0]     OtherName,
 *      rfc822Name                      [1]     IA5String,
 *      dNSName                         [2]     IA5String,
 *      x400Address                     [3]     ORAddress,
 *      directoryName                   [4]     Name,
 *      ediPartyName                    [5]     EDIPartyName,
 *      uniformResourceIdentifier       [6]     IA5String,
 *      iPAddress                       [7]     OCTET STRING,
 *      registeredID                    [8]     OBJECT IDENTIFIER}
 *
 * The result is of form "rfc822Name=email, dNSName=hostname, uniformResourceIdentifier=uri,
 * iPAddress=ip, upn=upn, directoryName=CN=testDirName|dir|name". The names on the left are taken
 * from CertTools constants. An otherName is shown as upn when it decodes as one, otherwise as a
 * krb5 principal name when it decodes as one. x400Address, ediPartyName and any other type are
 * left out of the string.
 *
 * NOTE(review): values are appended as they are, without escaping. A value that itself contains
 * ", " or "=" makes the string ambiguous for whoever splits it again; confirm how consumers
 * parse the result before using it for an access decision.
 *
 * @author Marco Ferrante, (c) 2005 CSITA - University of Genoa (Italy)
 * @author Tomas Gustavsson
 * @param certificate containing alt names
 * @return the altNames string; null if the X.509 certificate has no SAN extension or none of its
 *         entries is shown; the empty string if the certificate is not an X.509 certificate
 * @throws CertificateParsingException if the SAN extension cannot be parsed
 * @throws IOException as declared; presumably raised while decoding an otherName
 */
public static String getSubjectAlternativeName(Certificate certificate)
        throws CertificateParsingException, IOException {
    log.debug("Search for SubjectAltName");
    if (!(certificate instanceof X509Certificate)) {
        return "";
    }
    Collection<List<?>> altNames = ((X509Certificate) certificate).getSubjectAlternativeNames();
    if (altNames == null) {
        return null;
    }

    StringBuilder rendered = new StringBuilder();
    for (List<?> item : altNames) {
        Integer type = (Integer) item.get(0);
        Object value = item.get(1);
        // A comma is only needed once the result holds at least one altName
        String separator = rendered.length() > 0 ? ", " : "";
        switch (type.intValue()) {
        case 0:
            // OtherName can be something else besides UPN
            ASN1Sequence seq = getAltnameSequence(item);
            String upn = getUPNStringFromSequence(seq);
            if (upn != null) {
                rendered.append(separator).append(CertTools.UPN).append("=").append(upn);
            } else {
                String krb5Principal = getKrb5PrincipalNameFromSequence(seq);
                if (krb5Principal != null) {
                    rendered.append(separator).append(CertTools.KRB5PRINCIPAL).append("=").append(krb5Principal);
                }
            }
            break;
        case 1:
            rendered.append(separator).append(CertTools.EMAIL).append("=").append((String) value);
            break;
        case 2:
            rendered.append(separator).append(CertTools.DNS).append("=").append((String) value);
            break;
        case 4:
            rendered.append(separator).append(CertTools.DIRECTORYNAME).append("=").append((String) value);
            break;
        case 6:
            rendered.append(separator).append(CertTools.URI).append("=").append((String) value);
            break;
        case 7:
            rendered.append(separator).append(CertTools.IPADDR).append("=").append((String) value);
            break;
        case 3: // x400Address not supported
        case 5: // ediPartyName not supported
        default: // unknown type
            break;
        }
    }
    return rendered.length() == 0 ? null : rendered.toString();
}
From source file:edu.washington.iam.registry.ws.RelyingPartyController.java
/**
 * Builds the session for one request from the login cookie, the admin-role cookie or, when no
 * login cookie is accepted, the client certificate attached to the request.
 *
 * Returns the session for an identified user; a session carrying the login chooser view when
 * there is no user and canLogin is true; null when there is no user and canLogin is false.
 */
private RPSession processRequestInfo(HttpServletRequest request, HttpServletResponse response,
        boolean canLogin) {
    RPSession session = new RPSession();
    session.isAdmin = false;
    session.adminRole = false;
    session.isUWLogin = false;
    session.isProxy = false;
    String reloginPath = null;

    log.info("RP new session =============== path=" + request.getPathInfo());

    session.isMobile = false;
    Device currentDevice = DeviceUtils.getCurrentDevice(request);
    if (currentDevice != null)
        session.isMobile = currentDevice.isMobile();
    log.debug("mobile? " + session.isMobile);

    // see if logged in (browser has login cookie; cert user has cert)

    // resetAdmin: 1 = no valid login cookie seen yet, 0 = valid login, 2 = secure login expired.
    // Any value above 0 clears the admin role cookie further down.
    int resetAdmin = 1; // on expired or no cookie, reset the 'admin role cookie'
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().equals(loginCookie)) {
                log.debug("got cookie " + cookies[i].getName());
                // NOTE(review): everything below trusts the decoded fields; presumably
                // RPCrypt.decode returns null for a cookie that was tampered with. Confirm.
                String cookieStr = RPCrypt.decode(cookies[i].getValue());
                if (cookieStr == null)
                    continue;
                // Five ';' separated fields; as used below: [1] user, [2] xsrf code,
                // [3] login type (leading '2' = secure login), [4] login time in seconds.
                String[] cookieData = cookieStr.split(";");
                if (cookieData.length == 5) {

                    // NOTE(review): an empty field 3 makes charAt(0) throw, and a non-numeric
                    // field 4 makes new Long(...) throw NumberFormatException.
                    if (cookieData[3].charAt(0) == '2')
                        session.authn2 = true;

                    log.debug("login time = " + cookieData[4]);
                    long cSec = new Long(cookieData[4]);
                    long nSec = new Date().getTime() / 1000;
                    if (cookieData[1].indexOf("@") < 0)
                        session.isUWLogin = true; // kludgy way to know UW people
                    session.timeLeft = (cSec + standardLoginSec) - nSec;
                    if (session.timeLeft > 0) {
                        // The secure (second factor) login has its own, separate lifetime.
                        if ((nSec > (cSec + secureLoginSec)) && session.authn2) {
                            log.debug("secure expired");
                            session.authn2 = false;
                            resetAdmin = 2;
                        }

                        // cookie OK
                        session.remoteUser = cookieData[1];
                        session.xsrfCode = cookieData[2];
                        log.debug("login for " + session.remoteUser);
                        if (session.authn2)
                            log.debug("secure login");
                        if (adminGroup.isMember(session.remoteUser)) {
                            log.debug("is admin");
                            session.isAdmin = true;
                        }

                        if (resetAdmin == 1)
                            resetAdmin = 0;
                    } else {
                        log.debug("cookie expired for " + cookieData[1]);
                        // remember where they logged in last
                        if (session.isUWLogin)
                            reloginPath = browserRootPath + request.getServletPath() + standardLoginPath;
                        else if (cookieData[1].indexOf("gmail.com") > 0)
                            reloginPath = browserRootPath + request.getServletPath() + googleLoginPath;
                        // let others choose
                    }
                }
            } else if (cookies[i].getName().equals(roleCookie) && cookies[i].getValue().equals("a")) {
                // The role cookie is a plain client-supplied value; it only takes effect for
                // members of adminGroup (see the isAdmin check near the end of the method).
                log.debug("got role=admin cookie");
                session.adminRole = true;
            }
        }
    }

    if (resetAdmin > 0) {
        log.debug("clearing expired admn request");
        session.adminRole = false;
        // NOTE(review): the replacement cookie is marked Secure but not HttpOnly.
        Cookie c = new Cookie(roleCookie, "x");
        c.setSecure(true);
        c.setPath("/");
        response.addCookie(c);
    }

    if (session.remoteUser != null) {
        // ok, is a logged in browser
        session.viewType = "browser";
        session.isBrowser = true;
        session.rootPath = browserRootPath;

    } else {
        // maybe is cert client
        // use the CN portion of the DN as the client userid
        X509Certificate[] certs = (X509Certificate[]) request
                .getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null) {
            session.viewType = "xml";
            session.isBrowser = false;
            session.rootPath = certRootPath;
            X509Certificate cert = certs[0];
            String dn = cert.getSubjectX500Principal().getName();
            // NOTE(review): the CN is cut out of the DN string with two regexes. ".*CN=" is
            // greedy, so the text after the last "CN=" anywhere in the DN is used, and an
            // escaped comma inside the CN value truncates it. Reading the CN attribute from
            // the parsed name would not depend on the string form.
            session.remoteUser = dn.replaceAll(".*CN=", "").replaceAll(",.*", "");
            log.info(".. remote user by cert, dn=" + dn + ", cn=" + session.remoteUser);
            session.altNames = new Vector();
            try {
                Collection altNames = cert.getSubjectAlternativeNames();
                if (altNames != null) {
                    for (Iterator i = altNames.iterator(); i.hasNext();) {
                        List item = (List) i.next();
                        Integer type = (Integer) item.get(0);
                        // Only type 2 (dNSName) entries are collected.
                        if (type.intValue() == 2) {
                            String altName = (String) item.get(1);
                            log.info(".. adding altname " + altName);
                            session.altNames.add(altName);
                        }
                    }
                } else
                    session.altNames.add(session.remoteUser); // rules say cn meaningful only when altnames not present
            } catch (CertificateParsingException e) {
                // A parse failure leaves altNames with whatever was collected so far;
                // remoteUser has already been set from the CN.
                log.info(".. altname parse failed: " + e);
            }
        }

    }

    /* send missing remoteUser to login */

    if (session.remoteUser == null) {
        if (canLogin) {
            if (reloginPath != null) {
                log.debug("no user yet: relogin at " + reloginPath);
                // NOTE(review): there is no return after the redirect, so the login chooser
                // view below is still built for the same response. Confirm this is intended.
                try {
                    response.sendRedirect(reloginPath);
                } catch (IOException e) {
                    log.error("redirect: " + e);
                }
            }
            log.debug("no user yet: send to choose");
            session.mv = loginChooserMV(session, request, response);
            return session;
        }
        return null;
    }

    // only admins can get admin role
    if (!session.isAdmin)
        session.adminRole = false;

    // NOTE(review): after sendToLogin the method carries on and returns the session with
    // adminRole still true although authn2 is false. Presumably sendToLogin commits a redirect
    // and callers check authn2 before acting on adminRole; confirm.
    if (session.adminRole && !session.authn2) { // admin needs 2f
        log.debug("need secure login for admin role");
        sendToLogin(request, response, secureLoginPath);
    }
    session.servletPath = request.getServletPath();
    session.remoteAddr = request.getRemoteAddr();

    // etag headers
    session.ifMatch = getLongHeader(request, "If-Match");
    session.ifNoneMatch = getLongHeader(request, "If-None-Match");
    log.info("tags: match=" + session.ifMatch + ", nonematch=" + session.ifNoneMatch);

    log.info("user: " + session.remoteUser);
    // NOTE(review): the standard Cache-Control directive is spelled "max-age"; "max_age=1" is
    // probably ignored by caches, which leaves no-store and no-cache to do the work.
    response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max_age=1");
    response.setHeader("X-UA-Compatible", "IE=7");
    log.info("user: " + session.remoteUser);
    if (session.viewType.equals("browser") && session.isMobile)
        session.viewType = "mobile";
    return session;
}
From source file:org.cesecore.util.CertTools.java
/**
 * Gets the Microsoft specific UPN altName (altName, OtherName).
 *
 * UPN is an OtherName Subject Alternative Name:
 *
 * OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id }
 *
 * UPN ::= UTF8String
 *
 * The entries are tried in the order the certificate lists them and the first one that yields
 * a UPN is returned; any further UPN entries are not looked at.
 *
 * @param cert certificate containing the extension
 * @return String with the UPN name, or null if the certificate is not an X.509 certificate or
 *         the altName does not exist
 * @throws IOException as declared; presumably raised while decoding an entry
 * @throws CertificateParsingException if the SAN extension cannot be parsed
 */
public static String getUPNAltName(Certificate cert) throws IOException, CertificateParsingException {
    if (!(cert instanceof X509Certificate)) {
        return null;
    }
    Collection<List<?>> altNames = ((X509Certificate) cert).getSubjectAlternativeNames();
    if (altNames == null) {
        return null;
    }
    for (List<?> altName : altNames) {
        String upn = getUPNStringFromSequence(getAltnameSequence(altName));
        if (upn != null) {
            return upn;
        }
    }
    return null;
}
From source file:org.cesecore.util.CertTools.java
/**
 * Gets the Permanent Identifier (altName, OtherName).
 *
 * permanentIdentifier is an OtherName Subject Alternative Name:
 *
 * OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id }
 *
 * -- Permanent Identifier
 *
 * permanentIdentifier OTHER-NAME ::=
 *     { PermanentIdentifier IDENTIFIED BY id-on-permanentIdentifier }
 *
 * PermanentIdentifier ::= SEQUENCE {
 *     identifierValue    UTF8String             OPTIONAL,
 *     -- if absent, use the serialNumber attribute
 *     -- if there is a single such attribute present
 *     -- in the subject DN
 *     assigner           OBJECT IDENTIFIER      OPTIONAL
 *     -- if absent, the assigner is
 *     -- the certificate issuer
 * }
 *
 * The entries are tried in the order the certificate lists them and the first one that yields
 * a permanent identifier is returned.
 *
 * @param cert certificate containing the extension
 * @return String with the permanentIdentifier name, or null if the certificate is not an X.509
 *         certificate or the altName does not exist
 * @throws IOException as declared; presumably raised while decoding an entry
 * @throws CertificateParsingException if the SAN extension cannot be parsed
 */
public static String getPermanentIdentifierAltName(Certificate cert)
        throws IOException, CertificateParsingException {
    if (!(cert instanceof X509Certificate)) {
        return null;
    }
    Collection<List<?>> altNames = ((X509Certificate) cert).getSubjectAlternativeNames();
    if (altNames == null) {
        return null;
    }
    for (List<?> altName : altNames) {
        String identifier = getPermanentIdentifierStringFromSequence(getAltnameSequence(altName));
        if (identifier != null) {
            return identifier;
        }
    }
    return null;
}