iaik.x509.extensions
Class BasicConstraints

java.lang.Object
  |
  +--iaik.x509.V3Extension
        |
        +--iaik.x509.extensions.BasicConstraints

public class BasicConstraints
extends V3Extension

This class implements the BasicConstraints Extension.

The BasicConstraints extension is a standard X509v3 extension, which shall be used only in CA certificates where it has to be marked as being critical.

Each extension is associated with a specific certificateExtension object identifier, derived from:

 certificateExtension  OBJECT IDENTIFIER ::=
                            {joint-iso-ccitt(2) ds(5) 29}
 id-ce                 OBJECT IDENTIFIER ::=  certificateExtension
 

The object identifier for the BasicConstraints extension is defined as:

id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }

which corresponds to the OID string "2.5.29.19".

The X.509 Certificate and CRL profile presented in RFC 2459 specifies the basic constraints extension for identifying whether the subject of the certificate is a CA and how deep a certification path may exist through that CA. This profile requires the use of this extension.

The ASN.1 definition of the BasicConstraints extension is specified as follows:

 BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 

The pathLenConstraint field is meaningful only if cA is set to TRUE. In this case, it gives the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that only an end-entity certificate may follow in the path.

If the pathLenConstraint value is set, it has to be greater than or equal to zero. If it is not set, the certification path may be of any length.
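The following Python example, added here and not part of the IAIK library, applies those rules to a certification path ordered from the trust anchor to the end entity. It works on constructed (cA, pathLenConstraint) pairs rather than parsed certificates and uses the same -1 convention for an absent pathLenConstraint that this class uses; the CertInfo type and the check_path_len function are the example's own names.

```python
from dataclasses import dataclass
from typing import List, Tuple

# The IAIK class reports an absent pathLenConstraint as -1; the same convention is used here.
NOT_SET = -1


@dataclass(frozen=True)
class CertInfo:
    """BasicConstraints values of one certificate (constructed sample data, not a parsed cert)."""
    name: str
    ca: bool                  # the cA flag
    path_len: int = NOT_SET   # pathLenConstraint, or -1 when the field is absent


def check_path_len(chain: List[CertInfo]) -> Tuple[bool, str]:
    """Check the BasicConstraints rules over a path from trust anchor to end entity.

    - every certificate that is followed by another one must carry cA = TRUE;
    - pathLenConstraint is read only when cA = TRUE, and -1 means "no limit";
    - a set pathLenConstraint must be >= 0 and bounds the number of CA certificates
      that follow it, so a value of 0 allows only an end-entity certificate next.
    Self-issued certificates get no special treatment (a simplification of RFC 2459).
    """
    n = len(chain)
    for i, cert in enumerate(chain):
        if i < n - 1 and not cert.ca:
            return False, f"{cert.name}: cA is FALSE but it is followed by {chain[i + 1].name}"
        if not cert.ca or cert.path_len == NOT_SET:
            continue
        if cert.path_len < 0:
            return False, f"{cert.name}: pathLenConstraint {cert.path_len} is not >= 0"
        following_cas = sum(1 for later in chain[i + 1:] if later.ca)
        if following_cas > cert.path_len:
            return False, (f"{cert.name}: pathLenConstraint={cert.path_len} but "
                           f"{following_cas} CA certificate(s) follow it")
    return True, "BasicConstraints path length rules satisfied"


# Constructed sample chains: the issuing CA carries pathLenConstraint 0, so a further
# CA certificate below it must be rejected.
GOOD_CHAIN = [CertInfo("Root CA", True), CertInfo("Issuing CA", True, 0), CertInfo("server", False)]
BAD_CHAIN = [CertInfo("Root CA", True), CertInfo("Issuing CA", True, 0),
             CertInfo("Rogue Sub CA", True), CertInfo("server", False)]

if __name__ == "__main__":
    for chain in (GOOD_CHAIN, BAD_CHAIN):
        print(check_path_len(chain))
```

The check counts only certificates with cA set to TRUE as "CA certificates that follow", which is exactly how the text above defines the constraint; a path whose intermediate lacks cA = TRUE fails regardless of any path length value.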

This class provides several methods for setting and getting the component values of a BasicConstraints extension object.

For adding a BasicConstraints extension object to a X509Certificate, use the addExtension method of the iaik.x509.X509Certificate class:

 X509Certificate cert = new X509Certificate();
  ...
 BasicConstraints bc = new BasicConstraints(true, 0);
 bc.setCritical(true);
 cert.addExtension(bc);
 

where true sets the cA value for indicating that the subject of the certificate is a CA, and the 0 pathLenConstraint value implements the case stated above indicating that only an end-entity certificate may follow in the path. Note that per default cA is set to false and pathLenConstraint is set to -1 indicating that the subject of the certificate is not a CA and that the pathLenConstraint value is not specified.

Since the BasicConstraints extension is a critical extension, critical has to be set to true before adding the BasicConstraints extension to a certificate:

 bc.setCritical(true);
 

Version:
File Revision 22
See Also:
ObjectID, X509Certificate, X509Extensions, V3Extension

Field Summary
static ObjectID oid
          The object identifier of this BasicConstraints extension.
 
Fields inherited from class iaik.x509.V3Extension
critical
 
Constructor Summary
BasicConstraints()
          Default constructor.
BasicConstraints(boolean ca)
          Creates a new BasicConstraints extension setting cA to the given parameter value.
BasicConstraints(boolean ca, int plc)
          Creates a new BasicConstraints extension with the given cA and pathLenConstraint values.
 
Method Summary
 boolean ca()
          Returns true if the subject of the certificate holding this BasicConstraints extension is a CA.
 ObjectID getObjectID()
          Returns the object ID of this BasicConstraints extension
 int getPathLenConstraint()
          Returns the pathLenConstraint value of this BasicConstraints extension specifying the maximum number of CA certificates that may follow the certificate in a certification path.
 int hashCode()
          Returns a hashcode for this identity.
 void init(ASN1Object obj)
          Inits this BasicConstraints implementation with an ASN1Object representing the value of this extension.
 void setCa(boolean ca)
          Sets the cA value of this BasicConstraints extension to true if the subject is a CA.
 void setPathLenConstraint(int plc)
          Sets the pathLenConstraint value of this BasicConstraints extension specifying the maximum number of CA certificates that may follow the certificate in a certification path.
 ASN1Object toASN1Object()
          Returns an ASN1Object representing the value of this BasicConstraints extension object.
 String toString()
          Returns a string that represents the contents of this BasicConstraints extension.
 
Methods inherited from class iaik.x509.V3Extension
getName, isCritical, setCritical
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

oid

public static final ObjectID oid
The object identifier of this BasicConstraints extension. The corresponding OID string is "2.5.29.19".
Constructor Detail

BasicConstraints

public BasicConstraints()
Default constructor. Creates an empty BasicConstraints object.

Per default cA is set to false and pathLenConstraint is set to -1 indicating that the subject of the certificate is not a CA and that the pathLenConstraint value is not specified. Use setCa and setPathLenConstraint for explicitly setting the corresponding values.

Do not forget to specify this extension as critical before adding it to a certificate:

 BasicConstraints bc = new BasicConstraints();
 bc.setCa(true);
 bc.setPathLenConstraint(1);
 bc.setCritical(true);
 cert.addExtension(bc);
 

See Also:
V3Extension.setCritical(boolean)

BasicConstraints

public BasicConstraints(boolean ca,
                        int plc)
Creates a new BasicConstraints extension with the given cA and pathLenConstraint values.

The ca parameter specifies if the subject of the certificate holding this BasicConstraints extension is a CA, and the plc value specifies how deep a certification path may exist.

Do not forget to specify this extension as critical before adding it to a certificate, e.g.:

 BasicConstraints bc = new BasicConstraints(true, 1);
   ...
 bc.setCritical(true);
 cert.addExtension(bc);
 

Parameters:
ca - true if the certificate subject is a CA, false otherwise
plc - the maximum number of CA certificates that may follow this certificate in a certification path
See Also:
V3Extension.setCritical(boolean)

BasicConstraints

public BasicConstraints(boolean ca)
Creates a new BasicConstraints extension setting cA to the given parameter value.

The ca parameter specifies whether the subject of the certificate holding this BasicConstraints extension is a CA or not. Use this constructor for indicating a CA certificate and leaving the pathLenConstraint value at -1 indicating that there is no limit to the allowed length of the certification path.

Do not forget to specify this extension as critical before adding it to a certificate, e.g.:

 BasicConstraints bc = new BasicConstraints(true);
   ...
 bc.setCritical(true);
 cert.addExtension(bc);
 

Parameters:
ca - true if the certificate subject is a CA, false otherwise
See Also:
V3Extension.setCritical(boolean)
Method Detail

getObjectID

public ObjectID getObjectID()
Returns the object ID of this BasicConstraints extension
Overrides:
getObjectID in class V3Extension
Returns:
the object ID

init

public void init(ASN1Object obj)
          throws X509ExtensionException
Inits this BasicConstraints implementation with an ASN1Object representing the value of this extension.

The given ASN1Object represents the cA and (optional) pathLenConstraint values of this extension.

The given ASN1Object is the one created by toASN1Object().

This method is used by the X509Extensions class when parsing the ASN.1 representation of a certificate for properly initializing an included BasicConstraints extension. This method initializes the extension only with its value, but not with its critical specification. For that reason, this method shall not be explicitly called by an application.

Overrides:
init in class V3Extension
Parameters:
obj - the BasicConstraints as ASN1Object
Throws:
X509ExtensionException - if the extension could not be parsed

toASN1Object

public ASN1Object toASN1Object()
Returns an ASN1Object representing the value of this BasicConstraints extension object.

The returned ASN1Object is an ASN.1 Sequence representing the cA and (optional) pathLenConstraint values of this extension:

 BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
 
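As an added example (Python, not the IAIK Java implementation behind toASN1Object and init), the encoder and decoder below follow that SEQUENCE definition: under DER the cA field, being DEFAULT FALSE, is omitted when false, the OPTIONAL pathLenConstraint is written only when set, and an absent value is reported as -1 in the same way getPathLenConstraint does. The function names are the example's own.

```python
from typing import Tuple

# Absent pathLenConstraint is reported as -1, matching the IAIK class convention.
NOT_SET = -1


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_uint(value: int) -> bytes:
    """DER INTEGER for a non-negative value (minimal length, leading 0x00 if the high bit is set)."""
    if value < 0:
        raise ValueError("INTEGER (0..MAX) cannot be negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_basic_constraints(ca: bool, path_len: int = NOT_SET) -> bytes:
    """DER-encode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    content = b""
    if ca:
        content += b"\x01\x01\xff"   # DER omits a DEFAULT value, so only TRUE is ever written
    if path_len != NOT_SET:
        if path_len < 0:
            raise ValueError("pathLenConstraint must be >= 0 when set")
        content += _der_uint(path_len)
    return b"\x30" + _der_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value element; returns (tag, value, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated element value")
    return tag, buf[pos:pos + length], pos + length


def decode_basic_constraints(der: bytes) -> Tuple[bool, int]:
    """Parse a BasicConstraints value into (cA, pathLenConstraint or -1)."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    ca, path_len, pos = False, NOT_SET, 0
    if pos < len(content) and content[pos] == 0x01:
        _, val, pos = _read_tlv(content, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be one octet")
        # DER requires an explicit FALSE to be absent; an explicit encoding is tolerated
        # here but its value is honoured, so a certificate never becomes a CA by accident.
        ca = val[0] != 0x00
    if pos < len(content) and content[pos] == 0x02:
        _, val, pos = _read_tlv(content, pos)
        if len(val) == 0 or (val[0] & 0x80):
            raise ValueError("pathLenConstraint must be an INTEGER >= 0")
        path_len = int.from_bytes(val, "big")
    if pos != len(content):
        raise ValueError("unexpected trailing data in BasicConstraints")
    return ca, path_len


if __name__ == "__main__":
    der = encode_basic_constraints(True, 0)      # constructed: CA with pathLenConstraint 0
    print(der.hex(), decode_basic_constraints(der))
```

The decoder rejects a negative INTEGER and trailing data rather than silently ignoring them, since a parser that accepts malformed BasicConstraints values is exactly the kind of lenient behaviour that lets a non-CA certificate slip through as an issuer.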
Overrides:
toASN1Object in class V3Extension
Returns:
the value of this BasicConstraints as ASN1Object

setPathLenConstraint

public void setPathLenConstraint(int plc)
Sets the pathLenConstraint value of this BasicConstraints extension specifying the maximum number of CA certificates that may follow the certificate in a certification path.

For instance:

 BasicConstraints bc = new BasicConstraints();
 bc.setCa(true);
 bc.setPathLenConstraint(1);
 bc.setCritical(true);
 cert.addExtension(bc);
 

Parameters:
plc - the pathLenConstraint value
See Also:
getPathLenConstraint()

setCa

public void setCa(boolean ca)
Sets the cA value of this BasicConstraints extension to true if the subject is a CA.

For instance:

 BasicConstraints bc = new BasicConstraints();
 bc.setCa(true);
 bc.setPathLenConstraint(1);
 bc.setCritical(true);
 cert.addExtension(bc);
 

Parameters:
ca - the cA value, true if the subject is a CA
See Also:
ca()

getPathLenConstraint

public int getPathLenConstraint()
Returns the pathLenConstraint value of this BasicConstraints extension specifying the maximum number of CA certificates that may follow the certificate in a certification path.

The pathLenConstraint field is meaningful only if cA is set to true.

Returns:
the pathLenConstraint value specifying the maximum number of CA certificates that may follow the certificate in a certification path, or allowing any length of the certification path, if set to -1; only meaningful, if the cA value is set to true
See Also:
setPathLenConstraint(int)

ca

public boolean ca()
Returns true if the subject of the certificate holding this BasicConstraints extension is a CA.
Returns:
true if the subject is a CA, false if not.
See Also:
setCa(boolean)

hashCode

public int hashCode()
Returns a hashcode for this identity.
Overrides:
hashCode in class V3Extension
Returns:
a hash code for this identity

toString

public String toString()
Returns a string that represents the contents of this BasicConstraints extension.
Overrides:
toString in class Object
Returns:
the string representation

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, 2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK