iaik.x509.extensions
Class NameConstraints

java.lang.Object
  |
  +--iaik.x509.V3Extension
        |
        +--iaik.x509.extensions.NameConstraints

public class NameConstraints
extends V3Extension

This class implements the NameConstraints extension.

The NameConstraints extension is a critical standard X509v3 extension for being used in CA certificates.

Each extension is associated with a specific certificateExtension object identifier, derived from:

 certificateExtension  OBJECT IDENTIFIER ::=
                            {joint-iso-ccitt(2) ds(5) 29}
 id-ce                 OBJECT IDENTIFIER ::=  certificateExtension
 

The object identifier for the NameConstraints extension is defined as:

id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }

which corresponds to the OID string "2.5.29.30".

The X.509 Certificate and CRL profile presented in RFC 2459 specifies the Name Constraints extension for indicating a name space within which all subject names in subsequent certificates in a certification path must be located. Restrictions may apply to the subject distinguished name or subject alternative names. Restrictions are defined in terms of permitted or excluded name subtrees. Any name matching a restriction in the excludedSubtrees field is invalid regardless of information appearing in the permittedSubtrees:

 NameConstraints ::= SEQUENCE {
   permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
   excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 

 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

 GeneralSubtree ::= SEQUENCE {
   base                    GeneralName,
   minimum         [0]     BaseDistance DEFAULT 0,
   maximum         [1]     BaseDistance OPTIONAL }

 BaseDistance ::= INTEGER (0..MAX)

Within this profile, the minimum and maximum fields are not used with any name forms, thus minimum is always zero, and maximum is always absent.

Restrictions for the rfc822, dNSName, and uri name forms are all expressed in terms of strings with wildcard matching. An "*" is the wildcard character. For URIs and rfc822 names, the restriction applies to the host part of the name. Examples would be foo.bar.com; www*.bar.com; *.xyz.com.

More information can be found in RFC 2459, section 4.2.1.11 "Name Constraints".
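The matching rules described above (the host part for URIs and rfc822 names, "*" as the only wildcard, an excluded subtree overriding any permitted one, and constraints restricting only the name forms they mention) as an added example in Python. This is illustrative code written for this page, not part of IAIK-JCE; the name-form labels and the sample constraints are constructed.

```python
import re
from urllib.parse import urlsplit

# Name-form labels for this example (constructed; not the IAIK GeneralName constants).
RFC822, DNS, URI = "rfc822Name", "dNSName", "uniformResourceIdentifier"


def host_part(form, name):
    """For URIs and rfc822 names the restriction applies to the host part only."""
    if form == RFC822:
        return name.rsplit("@", 1)[-1]
    if form == URI:
        return urlsplit(name).hostname or ""
    return name


def matches(form, name, pattern):
    """RFC 2459 style match: '*' is the only wildcard, comparison is case-insensitive."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, host_part(form, name), re.IGNORECASE) is not None


def check_name(form, name, permitted, excluded):
    """Evaluate one subject name against permitted/excluded subtrees.

    permitted and excluded are lists of (form, pattern) pairs, i.e. subtrees with
    minimum 0 and maximum absent, as the RFC 2459 profile requires.
    Returns (accepted, reason); an excluded match wins over any permitted match.
    """
    for f, pattern in excluded:
        if f == form and matches(form, name, pattern):
            return False, "excluded by " + pattern
    relevant = [pattern for f, pattern in permitted if f == form]
    if not relevant:
        # Constraints only restrict name forms for which a subtree is present.
        return True, "no permitted subtree constrains this name form"
    for pattern in relevant:
        if matches(form, name, pattern):
            return True, "permitted by " + pattern
    return False, "outside every permitted subtree"


if __name__ == "__main__":
    # Constructed constraints mirroring the page's "*.tu-graz.ac.at" example.
    permitted = [(RFC822, "*.tu-graz.ac.at"), (DNS, "*.tu-graz.ac.at")]
    excluded = [(DNS, "test.tu-graz.ac.at")]
    for form, name in [(DNS, "www.tu-graz.ac.at"), (DNS, "test.tu-graz.ac.at"),
                       (RFC822, "alice@mail.tu-graz.ac.at"), (URI, "https://www.example.com/")]:
        print(form, name, check_name(form, name, permitted, excluded))
```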

For adding a NameConstraints extension object to an X509Certificate, use the addExtension method of the iaik.x509.X509Certificate class. The subtree information supplied when creating a NameConstraints object has to be an array of type iaik.asn1.structures.GeneralSubtree, e.g.:

 import iaik.asn1.structures.GeneralName;
 import iaik.asn1.structures.GeneralSubtree;
 import iaik.x509.X509Certificate;
 import iaik.x509.extensions.NameConstraints;

 // one permitted subtree: rfc822 names whose host part matches *.tu-graz.ac.at
 NameConstraints nameConstraints = new NameConstraints();
 GeneralSubtree generalSubtree = new GeneralSubtree(new GeneralName(GeneralName.rfc822Name, "*.tu-graz.ac.at"));
 // note: the RFC 2459 profile expects minimum 0 and maximum absent (see above)
 generalSubtree.setMinimum(1);
 generalSubtree.setMaximum(3);
 nameConstraints.setPermittedSubtrees(new GeneralSubtree[] {generalSubtree});
 X509Certificate cert = new X509Certificate();
  ...
 cert.addExtension(nameConstraints);
 

Since the NameConstraints extension is a critical extension, critical has to be set to true before adding the NameConstraints extension to a certificate:

 nameConstraints.setCritical(true);
 

Version:
File Revision 21
See Also:
GeneralSubtree, GeneralName, V3Extension, X509Extensions, X509Certificate

Field Summary
static ObjectID oid
          The object identifier of this NameConstraints extension.
 
Fields inherited from class iaik.x509.V3Extension
critical
 
Constructor Summary
NameConstraints()
          Default constructor.
 
Method Summary
 GeneralSubtree[] getExcludedSubtrees()
          Returns the excluded subtrees.
 ObjectID getObjectID()
          Returns the object ID of this NameConstraints extension
 GeneralSubtree[] getPermittedSubtrees()
          Returns the permitted subtrees.
 int hashCode()
          Returns a hashcode for this identity.
 void init(ASN1Object obj)
          Inits this NameConstraints implementation with an ASN1Object representing the value of this extension.
 void setExcludedSubtrees(GeneralSubtree[] excludedSubtrees)
          Sets the excluded subtrees.
 void setPermittedSubtrees(GeneralSubtree[] permittedSubtrees)
          Sets the permitted subtrees.
 ASN1Object toASN1Object()
          Returns an ASN1Object representing the value of this NameConstraints extension object.
 String toString()
          Returns a string that represents the contents of NameConstraints extension.
 
Methods inherited from class iaik.x509.V3Extension
getName, isCritical, setCritical
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

oid

public static final ObjectID oid
The object identifier of this NameConstraints extension. The corresponding OID string is "2.5.29.30".
Constructor Detail

NameConstraints

public NameConstraints()
Default constructor.

Creates an empty NameConstraints object. Use setExcludedSubtrees and/or setPermittedSubtrees for adding any restricting information to this extension.

Do not forget to specify this extension as critical before adding it to a certificate:

 // one permitted subtree: rfc822 names whose host part matches *.tu-graz.ac.at
 NameConstraints nameConstraints = new NameConstraints();
 GeneralSubtree generalSubtree = new GeneralSubtree(new GeneralName(GeneralName.rfc822Name, "*.tu-graz.ac.at"));
 generalSubtree.setMinimum(1);
 generalSubtree.setMaximum(3);
 nameConstraints.setPermittedSubtrees(new GeneralSubtree[] {generalSubtree});
 // NameConstraints is a critical extension; mark it before adding it
 nameConstraints.setCritical(true);
 X509Certificate cert = new X509Certificate();
  ...
 cert.addExtension(nameConstraints);
 

See Also:
GeneralSubtree, V3Extension.setCritical(boolean)
Method Detail

toASN1Object

public ASN1Object toASN1Object()
                        throws X509ExtensionException
Returns an ASN1Object representing the value of this NameConstraints extension object.

The returned ASN1Object is an ASN.1 Sequence representing any included permitted or excluded subtree information:

 NameConstraints ::= SEQUENCE {
   permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
   excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 
Overrides:
toASN1Object in class V3Extension
Returns:
the value of this NameConstraints as ASN1Object

init

public void init(ASN1Object obj)
          throws X509ExtensionException
Inits this NameConstraints implementation with an ASN1Object representing the value of this extension.

The given ASN1Object represents a sequence of permitted/excluded subtree information.

The given ASN1Object is the one created by toASN1Object().

This method is used by the X509Extensions class when parsing the ASN.1 representation of a certificate for properly initializing an included NameConstraints extension. This method initializes the extension only with its value, but not with its critical specification. For that reason, this method shall not be explicitly called by an application.

Overrides:
init in class V3Extension
Parameters:
obj - the NameConstraints as ASN1Object
Throws:
X509ExtensionException - if the extension could not be parsed

hashCode

public int hashCode()
Returns a hashcode for this identity.
Overrides:
hashCode in class V3Extension
Returns:
a hash code for this identity

getObjectID

public ObjectID getObjectID()
Returns the object ID of this NameConstraints extension
Overrides:
getObjectID in class V3Extension
Returns:
the object ID

setPermittedSubtrees

public void setPermittedSubtrees(GeneralSubtree[] permittedSubtrees)
Sets the permitted subtrees.
Parameters:
permittedSubtrees - the permitted subtrees as array of GeneralSubtree
See Also:
GeneralSubtree

setExcludedSubtrees

public void setExcludedSubtrees(GeneralSubtree[] excludedSubtrees)
Sets the excluded subtrees.
Parameters:
excludedSubtrees - the excluded subtrees as array of GeneralSubtree
See Also:
GeneralSubtree

getPermittedSubtrees

public GeneralSubtree[] getPermittedSubtrees()
Returns the permitted subtrees.
Returns:
the permitted subtrees as array of GeneralSubtree
See Also:
GeneralSubtree

getExcludedSubtrees

public GeneralSubtree[] getExcludedSubtrees()
Returns the excluded subtrees.
Returns:
the excluded subtrees as array of GeneralSubtree
See Also:
GeneralSubtree

toString

public String toString()
Returns a string that represents the contents of NameConstraints extension.
Overrides:
toString in class Object
Returns:
the string representation

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, 2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK