com.rsa.certj.cert.extensions

Class NameConstraints

java.lang.Object
  |
  +--com.rsa.certj.cert.extensions.X509V3Extension
        |
        +--com.rsa.certj.cert.extensions.NameConstraints
All Implemented Interfaces:
CertExtension, Cloneable, Serializable

public class NameConstraints
extends X509V3Extension
implements Cloneable, Serializable, CertExtension

This class builds and holds the NameConstraints extension, which is used only in a CA certificate. It indicates a name space within which all subject names in subsequent certificates in a certification path must be located. Restrictions might apply to the subject distinguished name or subject alternative names. Restrictions apply only when the specified name form is present. If no name of the type is in the certificate, the certificate is acceptable. Restrictions are defined in terms of permitted or excluded name subtrees. Any name that matches a restriction in the excludedSubtrees field is invalid, regardless of information appearing in permittedSubtrees.

The ASN.1 definition is as follows:

 nameConstraints EXTENSION ::= {
	SYNTAX	NameConstraintsSyntax
	IDENTIFIED BY id-ce-nameConstraints }

 NameConstraintsSyntax ::= SEQUENCE {
	permittedSubtrees	[0]	GeneralSubtrees OPTIONAL,
	excludedSubtrees	[1]	GeneralSubtrees OPTIONAL }
 

If present, the permittedSubtrees and excludedSubtrees components each specify one or more naming subtrees, each defined by the name of the root of the subtree and, optionally, within that subtree, an area that is bounded by upper and lower levels. If permittedSubtrees is present, of all the certificates issued by the subject CA and subsequent CAs in the certification path, only those certificates with subject names within these subtrees are acceptable. If excludedSubtrees is present, any certificate issued by the subject CA or subsequent CAs in the certification path that has a subject name within these subtrees is unacceptable. If permittedSubtrees and excludedSubtrees are both present and the name spaces overlap, the exclusion statement takes precedence.
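The acceptance rules described above, worked through in Python as an added example (this is not Cert-J code and not part of the original page): subtree matching for the dNSName and rfc822Name forms follows RFC 5280 section 4.2.1.10, and the constraints and end-entity names are constructed samples.

```python
from typing import Dict, List, Tuple
Name = Tuple[str, str]  # (GeneralName type, value), e.g. ("dNSName", "www.example.com")

def dns_in_subtree(name: str, base: str) -> bool:
    # A dNSName lies in subtree `base` if it equals base or is a subdomain of it.
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def email_in_subtree(addr: str, base: str) -> bool:
    # rfc822Name subtree forms (RFC 5280): full mailbox, bare host, or leading-period domain.
    addr, base = addr.lower(), base.lower()
    if "@" in base:                 # complete address: constrains exactly one mailbox
        return addr == base
    host = addr.rpartition("@")[2]
    if base.startswith("."):        # ".example.com": any mailbox in a subdomain of it
        return host.endswith(base)
    return host == base             # bare host: all mailboxes on that host

MATCHERS = {"dNSName": dns_in_subtree, "rfc822Name": email_in_subtree}  # name form -> matcher

def name_acceptable(names: List[Name], permitted: List[Name], excluded: List[Name]) -> bool:
    # Rules from the class description: a name form is restricted only when a subtree of that
    # form exists; an excludedSubtrees match is fatal regardless of permittedSubtrees; otherwise
    # the name must fall inside one permittedSubtrees entry of its form, if any exist.
    for ntype, value in names:
        match = MATCHERS.get(ntype)
        if match is None:
            # Fail closed when a name form this checker cannot evaluate is constrained.
            if any(t == ntype for t, _ in permitted + excluded):
                return False
            continue
        if any(match(value, base) for t, base in excluded if t == ntype):
            return False
        perm = [base for t, base in permitted if t == ntype]
        if perm and not any(match(value, base) for base in perm):
            return False
    return True

# Constructed sample: a CA limited to example.com, with one excluded subdomain.
PERMITTED: List[Name] = [("dNSName", "example.com"), ("rfc822Name", ".example.com")]
EXCLUDED: List[Name] = [("dNSName", "test.example.com")]

def demo() -> Dict[str, bool]:
    cases = {
        "www.example.com": [("dNSName", "www.example.com")],              # True
        "host.test.example.com": [("dNSName", "host.test.example.com")],  # False: exclusion wins
        "other.org": [("dNSName", "other.org")],                          # False: outside permitted
        "mail only": [("rfc822Name", "alice@mail.example.com")],          # True: no dNSName present
        "ip only": [("iPAddress", "192.0.2.1")],                          # True: form unconstrained
    }
    return {label: name_acceptable(n, PERMITTED, EXCLUDED) for label, n in cases.items()}
```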

Copyright © RSA Security Inc., 1998-2001. All rights reserved.

See Also

Serialized Form

Fields inherited from class com.rsa.certj.cert.extensions.X509V3Extension
ARCHIVE_CUTOFF, ARCHIVE_CUTOFF_OID, AUTHORITY_INFO_ACCESS, AUTHORITY_INFO_OID, AUTHORITY_KEY_ID, BASIC_CONSTRAINTS, BIO_INFO, BIO_INFO_OID, CERT_POLICIES, CERTIFICATE_ISSUER, CRL_DISTRIBUTION_POINTS, CRL_NUMBER, CRL_REFERENCE, CRL_REFERENCE_OID, DELTA_CRL_INDICATOR, EXTENDED_KEY_USAGE, HOLD_INSTRUCTION_CODE, INHIBIT_ANY_POLICY, INVALIDITY_DATE, ISSUER_ALT_NAME, ISSUING_DISTRIBUTION_POINT, KEY_USAGE, NAME_CONSTRAINTS, NETSCAPE_BASE_URL, NETSCAPE_BASE_URL_OID, NETSCAPE_CA_POLICY_URL, NETSCAPE_CA_POLICY_URL_OID, NETSCAPE_CA_REVOCATION_URL, NETSCAPE_CA_REVOCATION_URL_OID, NETSCAPE_CERT_RENEWAL_URL, NETSCAPE_CERT_RENEWAL_URL_OID, NETSCAPE_CERT_TYPE, NETSCAPE_CERT_TYPE_OID, NETSCAPE_COMMENT, NETSCAPE_COMMENT_OID, NETSCAPE_REVOCATION_URL, NETSCAPE_REVOCATION_URL_OID, NETSCAPE_SSL_SERVER_NAME, NETSCAPE_SSL_SERVER_NAME_OID, NON_STANDARD_EXTENSION, OCSP_ACCEPTABLE_RESPONSES, OCSP_ACCEPTABLE_RESPONSES_OID, OCSP_NOCHECK, OCSP_NOCHECK_OID, OCSP_NONCE, OCSP_NONCE_OID, OCSP_SERVICE_LOCATOR, OCSP_SERVICE_LOCATOR_OID, POLICY_CONSTRAINTS, POLICY_MAPPINGS, PRIVATE_KEY_USAGE_PERIOD, QC_STATEMENTS, QC_STATEMENTS_OID, REASON_CODE, SUBJECT_ALT_NAME, SUBJECT_DIRECTORY_ATTRIBUTES, SUBJECT_KEY_ID, VERISIGN_CZAG, VERISIGN_CZAG_OID, VERISIGN_FIDELITY_ID, VERISIGN_FIDELITY_ID_OID, VERISIGN_JURISDICTION_HASH, VERISIGN_JURISDICTION_HASH_OID, VERISIGN_NETSCAPE_INBOX_V1, VERISIGN_NETSCAPE_INBOX_V1_OID, VERISIGN_NETSCAPE_INBOX_V2, VERISIGN_NETSCAPE_INBOX_V2_OID, VERISIGN_NON_VERIFIED, VERISIGN_NON_VERIFIED_OID, VERISIGN_SERIAL_NUMBER, VERISIGN_SERIAL_NUMBER_OID, VERISIGN_TOKEN_TYPE, VERISIGN_TOKEN_TYPE_OID
 

Constructor Summary

NameConstraints()

Constructs an empty NameConstraints object.

NameConstraints(GeneralSubtrees permittedSubtrees, GeneralSubtrees excludedSubtrees, boolean criticality)

Constructs a NameConstraints object and initializes it with the given values.

 

Method Summary

Object clone()
    Overrides the default clone method to get a deeper clone.

void decodeValue(byte[] valueBER, int offset)
    Decode the value.

int derEncodeValue(byte[] encoding, int offset)
    Place the encoding of the value into encoding, beginning at offset.

int derEncodeValueInit()
    Initialize for encoding the value.

GeneralSubtrees getExcludedSubtrees()
    Gets the excluded subtrees value.

GeneralSubtrees getPermittedSubtrees()
    Gets the permitted subtrees value.

void setExcludedSubtrees(GeneralSubtrees subTree)
    Sets the excluded subtrees value.

void setPermittedSubtrees(GeneralSubtrees subTree)
    Sets the permitted subtrees value.

 
Methods inherited from class com.rsa.certj.cert.extensions.X509V3Extension
extend, getCriticality, getDEREncoding, getDERLen, getExtensionType, getExtensionTypeString, getInstance, getNextBEROffset, isExtensionType, setCriticality, setEncoding, setSpecialOID, setStandardOID
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

NameConstraints

public NameConstraints()
Constructs an empty NameConstraints object.

NameConstraints

public NameConstraints(GeneralSubtrees permittedSubtrees,
                       GeneralSubtrees excludedSubtrees,
                       boolean criticality)
Constructs a NameConstraints object and initializes it with the given values. Either of the GeneralSubtrees parameters can be null.

Parameters

         permittedSubtrees  

The acceptable subtrees.

         excludedSubtrees  

The unacceptable subtrees.

         criticality  

The user-specified criticality.

Method Detail

decodeValue

public void decodeValue(byte[] valueBER,
                        int offset)
                 throws CertificateException
Decode the value. The input is the BER encoding that was wrapped in the OCTET STRING.

Overrides

decodeValue in class X509V3Extension

Parameters

         valueBER  

The BER encoding of the extension's value.

         offset  

The offset into valueBER where the encoding begins.

Throws

CertificateException - If the encoding is invalid for this extension.

setPermittedSubtrees

public void setPermittedSubtrees(GeneralSubtrees subTree)
Sets the permitted subtrees value.

Parameters

         subTree  

The permittedSubtrees component.


setExcludedSubtrees

public void setExcludedSubtrees(GeneralSubtrees subTree)
Sets the excluded subtrees value.

Parameters

         subTree  

The excludedSubtrees component.


getPermittedSubtrees

public GeneralSubtrees getPermittedSubtrees()
Gets the permitted subtrees value.

Returns

The permittedSubtrees component.

getExcludedSubtrees

public GeneralSubtrees getExcludedSubtrees()
Gets the excluded subtrees value.

Returns

The excludedSubtrees component.

derEncodeValueInit

public int derEncodeValueInit()
Initialize for encoding the value.

Overrides

derEncodeValueInit in class X509V3Extension

Returns

How many bytes the encoding will be.

derEncodeValue

public int derEncodeValue(byte[] encoding,
                          int offset)
Place the encoding of the value into encoding, beginning at offset. This is the actual contents that are wrapped in the OCTET STRING (not the surrounding OCTET STRING tag and length).

Overrides

derEncodeValue in class X509V3Extension

Parameters

         encoding  

The byte array into which the result will be placed.

         offset  

The offset into encoding where the writing is to begin.

Returns

The number of bytes actually placed into encoding.

clone

public Object clone()
             throws CloneNotSupportedException
Overrides the default clone method to get a deeper clone.

Overrides

clone in class X509V3Extension

Returns

A new NameConstraints object, a copy of this object.

Throws

CloneNotSupportedException - If the cloning operation is not successful.


RSA BSAFE ® Cert-J 2.1.1 001-047007-211-001-000