be.cardon.asn1.x509.extensions
Class NameConstraints

java.lang.Object
  extended by org.bouncycastle.asn1.ASN1Encodable
      extended by be.cardon.asn1.x509.extensions.NameConstraints
All Implemented Interfaces:
org.bouncycastle.asn1.DEREncodable

public class NameConstraints
extends org.bouncycastle.asn1.ASN1Encodable

Extension NameConstraints.

Documentation from RFC 3280:

The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. Restrictions apply to the subject distinguished name and apply to subject alternative names. Restrictions apply only when the specified name form is present. If no name of the type is in the certificate, the certificate is acceptable.

Name constraints are not applied to certificates whose issuer and subject are identical (unless the certificate is the final certificate in the path). (This could prevent CAs that use name constraints from employing self-issued certificates to implement key rollover.)

Restrictions are defined in terms of permitted or excluded name subtrees. Any name matching a restriction in the excludedSubtrees field is invalid regardless of information appearing in the permittedSubtrees. This extension MUST be critical.

Within this profile, the minimum and maximum fields are not used with any name forms, thus minimum MUST be zero, and maximum MUST be absent.

For URIs, the constraint applies to the host part of the name. The constraint MAY specify a host or a domain. Examples would be "foo.bar.com"; and ".xyz.com". When the constraint begins with a period, it MAY be expanded with one or more subdomains. That is, the constraint ".xyz.com" is satisfied by both abc.xyz.com and abc.def.xyz.com. However, the constraint ".xyz.com" is not satisfied by "xyz.com". When the constraint does not begin with a period, it specifies a host.

A name constraint for Internet mail addresses MAY specify a particular mailbox, all addresses at a particular host, or all mailboxes in a domain. To indicate a particular mailbox, the constraint is the complete mail address. For example, "root@xyz.com" indicates the root mailbox on the host "xyz.com". To indicate all Internet mail addresses on a particular host, the constraint is specified as the host name. For example, the constraint "xyz.com" is satisfied by any mail address at the host "xyz.com". To specify any address within a domain, the constraint is specified with a leading period (as with URIs). For example, ".xyz.com" indicates all the Internet mail addresses in the domain "xyz.com", but not Internet mail addresses on the host "xyz.com".

DNS name restrictions are expressed as foo.bar.com. Any DNS name that can be constructed by simply adding to the left hand side of the name satisfies the name constraint. For example, www.foo.bar.com would satisfy the constraint but foo1.bar.com would not.

Legacy implementations exist where an RFC 822 name is embedded in the subject distinguished name in an attribute of type EmailAddress (section 4.1.2.6). When rfc822 names are constrained, but the certificate does not include a subject alternative name, the rfc822 name constraint MUST be applied to the attribute of type EmailAddress in the subject distinguished name. The ASN.1 syntax for EmailAddress and the corresponding OID are supplied in Appendix A.

Restrictions of the form directoryName MUST be applied to the subject field in the certificate and to the subjectAltName extensions of type directoryName. Restrictions of the form x400Address MUST be applied to subjectAltName extensions of type x400Address.

When applying restrictions of the form directoryName, an implementation MUST compare DN attributes. At a minimum, implementations MUST perform the DN comparison rules specified in Section 4.1.2.4. CAs issuing certificates with a restriction of the form directoryName SHOULD NOT rely on implementation of the full ISO DN name comparison algorithm. This implies name restrictions MUST be stated identically to the encoding used in the subject field or subjectAltName extension.

The syntax of iPAddress MUST be as described in section 4.2.1.7 with the following additions specifically for Name Constraints. For IPv4 addresses, the ipAddress field of generalName MUST contain eight (8) octets, encoded in the style of RFC 1519 (CIDR) to represent an address range [RFC 1519]. For IPv6 addresses, the ipAddress field MUST contain 32 octets similarly encoded. For example, a name constraint for "class C" subnet 10.9.8.0 is represented as the octets 0A 09 08 00 FF FF FF 00, representing the CIDR notation 10.9.8.0/255.255.255.0.

The syntax and semantics for name constraints for otherName, ediPartyName, and registeredID are not defined by this specification.

ASN.1 definitions:

      id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

      NameConstraints ::= SEQUENCE {
           permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
           excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

      GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

      GeneralSubtree ::= SEQUENCE {
           base                    GeneralName,
           minimum         [0]     BaseDistance DEFAULT 0,
           maximum         [1]     BaseDistance OPTIONAL }

      BaseDistance ::= INTEGER (0..MAX)
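An added example, not code from this javadoc or the be.cardon library: the RFC 3280 matching rules quoted above applied in Python, with one matcher per name form (dNSName, rfc822Name, uniformResourceIdentifier, iPAddress including the address-plus-mask octet encoding) and the rule that an excludedSubtrees match rejects regardless of permittedSubtrees. The name-form labels and helper names are my own, and the permitted/excluded lists are assumed to be plain (form, constraint) pairs rather than GeneralSubtree objects.

```python
import ipaddress
from urllib.parse import urlsplit

def dns_matches(name, constraint):
    # dNSName: anything built by adding labels on the left of the constraint matches.
    name, constraint = name.lower(), constraint.lower()
    return name == constraint or name.endswith("." + constraint)

def host_matches(host, constraint):
    # Host rule shared by URIs and mail: a leading period means "any subdomain,
    # but not the bare domain itself"; otherwise the constraint names one host.
    host, constraint = host.lower(), constraint.lower()
    return host.endswith(constraint) if constraint.startswith(".") else host == constraint

def email_matches(addr, constraint):
    # rfc822Name: a full mailbox, or a host/domain rule applied to the part after '@'.
    if "@" in constraint:
        return addr.lower() == constraint.lower()
    return host_matches(addr.rpartition("@")[2], constraint)

def uri_matches(uri, constraint):
    # uniformResourceIdentifier: only the host part of the URI is constrained.
    return host_matches(urlsplit(uri).hostname or "", constraint)

def ip_constraint_octets(cidr):
    # iPAddress constraint encoding: address octets followed by mask octets
    # (8 octets for IPv4, 32 for IPv6), e.g. 10.9.8.0/255.255.255.0 -> 0A090800FFFFFF00.
    net = ipaddress.ip_network(cidr, strict=False)
    return net.network_address.packed + net.netmask.packed

def ip_matches(addr, octets):
    # Compare the address against the constraint's base under the constraint's mask.
    half = len(octets) // 2
    packed = ipaddress.ip_address(addr).packed
    if len(packed) != half:  # IPv4 name vs IPv6 constraint (or vice versa): no match
        return False
    base, mask = int.from_bytes(octets[:half], "big"), int.from_bytes(octets[half:], "big")
    return int.from_bytes(packed, "big") & mask == base & mask

MATCHERS = {"dNSName": dns_matches, "rfc822Name": email_matches,
            "uniformResourceIdentifier": uri_matches, "iPAddress": ip_matches}

def name_allowed(kind, name, permitted, excluded):
    # permitted/excluded: lists of (name form, constraint). An excluded match rejects
    # regardless of permittedSubtrees; a form with no permitted subtree is unconstrained.
    match = MATCHERS[kind]
    if any(k == kind and match(name, c) for k, c in excluded):
        return False
    same_form = [c for k, c in permitted if k == kind]
    return not same_form or any(match(name, c) for c in same_form)
```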
   


Field Summary
 
Fields inherited from class org.bouncycastle.asn1.ASN1Encodable
BER, DER
 
Constructor Summary
NameConstraints(org.bouncycastle.asn1.ASN1Sequence seq)
          Creates a new instance from an ASN1Sequence object.
NameConstraints(GeneralSubtrees permitted, GeneralSubtrees excluded)
          Creates a new instance from the given permittedSubtrees and excludedSubtrees.
 
Method Summary
 GeneralSubtrees getExcludedSubtrees()
          Returns the excludedSubtrees value, or null if absent.
static NameConstraints getInstance(java.lang.Object obj)
          Returns an instance from an ASN1Sequence or a NameConstraints object.
 GeneralSubtrees getPermittedSubtrees()
          Returns the permittedSubtrees value, or null if absent.
 org.bouncycastle.asn1.DERObject toASN1Object()
          Returns the DER object (the NameConstraints SEQUENCE) for this extension.
 
Methods inherited from class org.bouncycastle.asn1.ASN1Encodable
equals, getDEREncoded, getDERObject, getEncoded, getEncoded, hashCode
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

NameConstraints

public NameConstraints(org.bouncycastle.asn1.ASN1Sequence seq)
Creates a new instance from an ASN1Sequence object.


NameConstraints

public NameConstraints(GeneralSubtrees permitted,
                       GeneralSubtrees excluded)
Creates a new instance from the given permittedSubtrees and excludedSubtrees.

Method Detail

getInstance

public static NameConstraints getInstance(java.lang.Object obj)
Returns an instance from an ASN1Sequence or a NameConstraints object.


getExcludedSubtrees

public GeneralSubtrees getExcludedSubtrees()
Returns the excludedSubtrees value, or null if absent.


getPermittedSubtrees

public GeneralSubtrees getPermittedSubtrees()
Returns the permittedSubtrees value, or null if absent.


toASN1Object

public org.bouncycastle.asn1.DERObject toASN1Object()
Specified by:
toASN1Object in class org.bouncycastle.asn1.ASN1Encodable