com.rsa.certj.cert.extensions

Class BasicConstraints

java.lang.Object
  |
  +--com.rsa.certj.cert.extensions.X509V3Extension
        |
        +--com.rsa.certj.cert.extensions.BasicConstraints
All Implemented Interfaces:
CertExtension, Cloneable, Serializable

public class BasicConstraints
extends X509V3Extension
implements Cloneable, Serializable, CertExtension

This class builds and holds the BasicConstraints extension. The extension indicates whether the subject may act as a CA and use its certified public key to verify certificate signatures. If so, a certification path length constraint may also be specified.

The ASN.1 definition is as follows:

 basicConstraints EXTENSION ::= {
	SYNTAX	BasicConstraintsSyntax
	IDENTIFIED BY id-ce-basicConstraints }

 BasicConstraintsSyntax ::= SEQUENCE {
	cA			BOOLEAN DEFAULT FALSE,
	pathLenConstraint 	INTEGER (0..MAX) OPTIONAL }

The cA component indicates whether the certified public key may be used to verify certificate signatures. Include the pathLenConstraint component only if cA is set to true. It gives the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that the subject of this certificate may issue certificates only to end-entities and not to further CAs. If no pathLenConstraint field appears in any certificate of a certification path, there is no limit to the allowed length of the certification path.

This extension must appear as a critical extension in all CA certificates. This extension should not appear in end-entity certificates.
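The cA and pathLenConstraint rules described above, as an added example in Python that is not part of the Cert-J documentation or library. It decodes the BasicConstraintsSyntax value (short-form DER lengths only) and checks a chain by counting the CA certificates that follow each CA, as worded above; all function names and sample bytes are constructed for illustration.

```python
# Added example, not Cert-J code. Function names and sample bytes are constructed.

def _tlv(buf, pos):
    """Read one short-form TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos], buf[pos + 2:end], end

def decode_basic_constraints(value):
    """Decode BasicConstraintsSyntax (the OCTET STRING contents) to (cA, pathLen)."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0       # cA DEFAULT FALSE, pathLen OPTIONAL
    if pos < len(body) and body[pos] == 0x01:            # BOOLEAN cA
        _, v, pos = _tlv(body, pos)
        if len(v) != 1:
            raise ValueError("malformed BOOLEAN")
        ca = v[0] != 0
    if pos < len(body) and body[pos] == 0x02:            # INTEGER pathLenConstraint
        _, v, pos = _tlv(body, pos)
        if not v or v[0] & 0x80:
            raise ValueError("pathLenConstraint must be in 0..MAX")
        path_len = int.from_bytes(v, "big")
    if pos != len(body):
        raise ValueError("unexpected trailing data")
    if path_len is not None and not ca:
        raise ValueError("pathLenConstraint present but cA is FALSE")
    return ca, path_len

def path_problems(chain):
    """chain: extension values (None if absent), top CA first, end entity last."""
    parsed = [(False, None) if v is None else decode_basic_constraints(v) for v in chain]
    problems = []
    for i, (ca, path_len) in enumerate(parsed[:-1]):
        if not ca:
            problems.append(f"cert {i} issued a certificate but cA is not TRUE")
        below = sum(1 for is_ca, _ in parsed[i + 1:] if is_ca)   # CA certs that follow
        if path_len is not None and below > path_len:
            problems.append(f"cert {i} allows {path_len} CA cert(s) below it, found {below}")
    return problems

CA_LEN1 = bytes.fromhex("30060101ff020101")   # cA TRUE, pathLenConstraint 1
CA_LEN0 = bytes.fromhex("30060101ff020100")   # cA TRUE, pathLenConstraint 0
CA_OPEN = bytes.fromhex("30030101ff")         # cA TRUE, no pathLenConstraint
NOT_CA = bytes.fromhex("3000")                # empty SEQUENCE: cA defaults to FALSE

if __name__ == "__main__":
    print(path_problems([CA_LEN0, CA_OPEN, None]))
```

The decoder rejects a pathLenConstraint that appears with cA FALSE, the same condition for which the constructor and setPathLen on this page throw CertificateException.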

Copyright © RSA Security Inc., 1999-2001. All rights reserved.

See Also

Serialized Form

Fields inherited from class com.rsa.certj.cert.extensions.X509V3Extension
ARCHIVE_CUTOFF, ARCHIVE_CUTOFF_OID, AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_OID, AUTHORITY_KEY_ID, BASIC_CONSTRAINTS, BIO_INFO, BIO_INFO_OID, CERT_POLICIES, CERTIFICATE_ISSUER, CRL_DISTRIBUTION_POINTS, CRL_NUMBER, CRL_REFERENCE, CRL_REFERENCE_OID, DELTA_CRL_INDICATOR, EXTENDED_KEY_USAGE, HOLD_INSTRUCTION_CODE, INHIBIT_ANY_POLICY, INVALIDITY_DATE, ISSUER_ALT_NAME, ISSUING_DISTRIBUTION_POINT, KEY_USAGE, NAME_CONSTRAINTS, NETSCAPE_BASE_URL, NETSCAPE_BASE_URL_OID, NETSCAPE_CA_POLICY_URL, NETSCAPE_CA_POLICY_URL_OID, NETSCAPE_CA_REVOCATION_URL, NETSCAPE_CA_REVOCATION_URL_OID, NETSCAPE_CERT_RENEWAL_URL, NETSCAPE_CERT_RENEWAL_URL_OID, NETSCAPE_CERT_TYPE, NETSCAPE_CERT_TYPE_OID, NETSCAPE_COMMENT, NETSCAPE_COMMENT_OID, NETSCAPE_REVOCATION_URL, NETSCAPE_REVOCATION_URL_OID, NETSCAPE_SSL_SERVER_NAME, NETSCAPE_SSL_SERVER_NAME_OID, NON_STANDARD_EXTENSION, OCSP_ACCEPTABLE_RESPONSES, OCSP_ACCEPTABLE_RESPONSES_OID, OCSP_NOCHECK, OCSP_NOCHECK_OID, OCSP_NONCE, OCSP_NONCE_OID, OCSP_SERVICE_LOCATOR, OCSP_SERVICE_LOCATOR_OID, POLICY_CONSTRAINTS, POLICY_MAPPINGS, PRIVATE_KEY_USAGE_PERIOD, QC_STATEMENTS, QC_STATEMENTS_OID, REASON_CODE, SUBJECT_ALT_NAME, SUBJECT_DIRECTORY_ATTRIBUTES, SUBJECT_KEY_ID, VERISIGN_CZAG, VERISIGN_CZAG_OID, VERISIGN_FIDELITY_ID, VERISIGN_FIDELITY_ID_OID, VERISIGN_JURISDICTION_HASH, VERISIGN_JURISDICTION_HASH_OID, VERISIGN_NETSCAPE_INBOX_V1, VERISIGN_NETSCAPE_INBOX_V1_OID, VERISIGN_NETSCAPE_INBOX_V2, VERISIGN_NETSCAPE_INBOX_V2_OID, VERISIGN_NON_VERIFIED, VERISIGN_NON_VERIFIED_OID, VERISIGN_SERIAL_NUMBER, VERISIGN_SERIAL_NUMBER_OID, VERISIGN_TOKEN_TYPE, VERISIGN_TOKEN_TYPE_OID
 

Constructor Summary

BasicConstraints()

Constructs an empty BasicConstraints object that is not a critical extension.

BasicConstraints(boolean cA, int pathLenConstraint, boolean criticality)

Constructs a BasicConstraints object and initializes it with the given values.

 

Method Summary

 Object

clone()

Overrides the default clone method to get a deeper clone.

 void

decodeValue(byte[] valueBER, int offset)

Decode the value.

 int

derEncodeValue(byte[] encoding, int offset)

Place the encoding of the value into encoding, beginning at offset.

 int

derEncodeValueInit()

Initialize for encoding the value.

 boolean

getCA()

Returns the value of the cA field.

 int

getPathLen()

Returns the value of the pathLenConstraint field.

 void

setCA(boolean cA)

Sets the value of the cA field of the BasicConstraints extension.

 void

setPathLen(int pathLenConstraint)

Sets the pathLenConstraint value, if cA is set to true.

 
Methods inherited from class com.rsa.certj.cert.extensions.X509V3Extension
extend, getCriticality, getDEREncoding, getDERLen, getExtensionType, getExtensionTypeString, getInstance, getNextBEROffset, isExtensionType, setCriticality, setEncoding, setSpecialOID, setStandardOID
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

BasicConstraints

public BasicConstraints()
Constructs an empty BasicConstraints object that is not a critical extension.

BasicConstraints

public BasicConstraints(boolean cA,
                        int pathLenConstraint,
                        boolean criticality)
                 throws CertificateException
Constructs a BasicConstraints object and initializes it with the given values.

Parameters

         cA  

A boolean that indicates whether the certified public key may be used to verify certificate signatures.

         pathLenConstraint  

An int that is the maximum number of CA certificates that may follow this certificate in a certification path.

         criticality  

The user-specified criticality.

Throws

CertificateException - If cA is set to false and a pathLenConstraint is present.

Method Detail

decodeValue

public void decodeValue(byte[] valueBER,
                        int offset)
                 throws CertificateException
Decode the value. The input is the BER encoding that was wrapped in the OCTET STRING.

Overrides

decodeValue in class X509V3Extension

Parameters

         valueBER  

The BER encoding of the extension's value.

         offset  

The offset into valueBER where the encoding actually begins.

Throws

CertificateException - If the encoding is invalid for this extension.

setCA

public void setCA(boolean cA)
           throws CertificateException
Sets the value of the cA field of the BasicConstraints extension.

Parameters

         cA  

A boolean that indicates whether the certified public key may be used to verify certificate signatures.


getCA

public boolean getCA()
Returns the value of the cA field.

Returns

The cA component that indicates whether the certified public key may be used to verify certificate signatures.

setPathLen

public void setPathLen(int pathLenConstraint)
                throws CertificateException
Sets the pathLenConstraint value, if cA is set to true.

Parameters

         pathLenConstraint  

The maximum number of CA certificates that may follow this certificate in a certification path. The pathLenConstraint field should be present only if cA is set to true.

Throws

CertificateException - If cA is set to false when this method is called.

getPathLen

public int getPathLen()
Returns the value of the pathLenConstraint field.

Returns

The maximum number of CA certificates that may follow this certificate in the certification path.

derEncodeValueInit

public int derEncodeValueInit()
Initialize for encoding the value.

Overrides

derEncodeValueInit in class X509V3Extension

Returns

How many bytes the encoding will be.

derEncodeValue

public int derEncodeValue(byte[] encoding,
                          int offset)
Place the encoding of the value into encoding, beginning at offset. This is the actual contents that are wrapped in the OCTET STRING (not the surrounding OCTET STRING tag and length).

Overrides

derEncodeValue in class X509V3Extension

Parameters

         encoding  

The byte array into which the result will be placed.

         offset  

The offset into encoding where the writing is to begin.

Returns

The number of bytes actually placed into encoding.

clone

public Object clone()
             throws CloneNotSupportedException
Overrides the default clone method to get a deeper clone.

Overrides

clone in class X509V3Extension

Returns

A new BasicConstraints object, a copy of this object.

Throws

CloneNotSupportedException - If the cloning operation is not successful.


RSA BSAFE ® Cert-J 2.1.1 001-047007-211-001-000