be.cardon.asn1.x509.extensions
Class SubjectAltName

java.lang.Object
  extended by org.bouncycastle.asn1.ASN1Encodable
      extended by be.cardon.asn1.x509.GeneralNames
          extended by be.cardon.asn1.x509.extensions.SubjectAltName
All Implemented Interfaces:
org.bouncycastle.asn1.DEREncodable

public class SubjectAltName
extends GeneralNames

Extension SubjectAlternativeName.

Documentation from RFC 3280:

The subject alternative names extension allows additional identities to be bound to the subject of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a uniform resource identifier (URI). Other options exist, including completely local definitions. Multiple name forms, and multiple instances of each name form, MAY be included. Whenever such identities are to be bound into a certificate, the subject alternative name (or issuer alternative name) extension MUST be used; however, a DNS name MAY be represented in the subject field using the domainComponent attribute as described in section 4.1.2.4.

Because the subject alternative name is considered to be definitively bound to the public key, all parts of the subject alternative name MUST be verified by the CA.

Further, if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present. If the subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.

When the subjectAltName extension contains an Internet mail address, the address MUST be included as an rfc822Name. The format of an rfc822Name is an "addr-spec" as defined in RFC 822 [RFC 822]. An addr-spec has the form "local-part@domain". Note that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by "<" and ">". Note that while upper and lower case letters are allowed in an RFC 822 addr-spec, no significance is attached to the case.

When the subjectAltName extension contains an iPAddress, the address MUST be stored in the octet string in "network byte order," as specified in RFC 791 [RFC 791]. The least significant bit (LSB) of each octet is the LSB of the corresponding byte in the network address. For IP Version 4, as specified in RFC 791, the octet string MUST contain exactly four octets. For IP Version 6, as specified in RFC 1883, the octet string MUST contain exactly sixteen octets [RFC 1883].

When the subjectAltName extension contains a domain name system label, the domain name MUST be stored in the dNSName (an IA5String). The name MUST be in the "preferred name syntax," as specified by RFC 1034 [RFC 1034]. Note that while upper and lower case letters are allowed in domain names, no significance is attached to the case. In addition, while the string " " is a legal domain name, subjectAltName extensions with a dNSName of " " MUST NOT be used. Finally, the use of the DNS representation for Internet mail addresses (wpolk.nist.gov instead of wpolk@nist.gov) MUST NOT be used; such identities are to be encoded as rfc822Name.

Note: work is currently underway to specify domain names in international character sets. Such names will likely not be accommodated by IA5String. Once this work is complete, this profile will be revisited and the appropriate functionality will be added.

When the subjectAltName extension contains a URI, the name MUST be stored in the uniformResourceIdentifier (an IA5String). The name MUST NOT be a relative URL, and it MUST follow the URL syntax and encoding rules specified in [RFC 1738]. The name MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. The scheme-specific-part MUST include a fully qualified domain name or IP address as the host.

As specified in [RFC 1738], the scheme name is not case-sensitive (e.g., "http" is equivalent to "HTTP"). The host part is also not case-sensitive, but other components of the scheme-specific-part may be case-sensitive. When comparing URIs, conforming implementations MUST compare the scheme and host without regard to case, but assume the remainder of the scheme-specific-part is case sensitive.

When the subjectAltName extension contains a DN in the directoryName, the DN MUST be unique for each subject entity certified by the one CA as defined by the issuer name field. A CA MAY issue more than one certificate with the same DN to the same subject entity.

The subjectAltName MAY carry additional name types through the use of the otherName field. The format and semantics of the name are indicated through the OBJECT IDENTIFIER in the type-id field. The name itself is conveyed as value field in otherName. For example, Kerberos [RFC 1510] format names can be encoded into the otherName, using a Kerberos 5 principal name OID and a SEQUENCE of the Realm and the PrincipalName.

Subject alternative names MAY be constrained in the same manner as subject distinguished names using the name constraints extension as described in section 4.2.1.11.

If the subjectAltName extension is present, the sequence MUST contain at least one entry. Unlike the subject field, conforming CAs MUST NOT issue certificates with subjectAltNames containing empty GeneralName fields. For example, an rfc822Name is represented as an IA5String. While an empty string is a valid IA5String, such an rfc822Name is not permitted by this profile. The behavior of clients that encounter such a certificate when processing a certification path is not defined by this profile.

Finally, the semantics of subject alternative names that include wildcard characters (e.g., as a placeholder for a set of names) are not addressed by this specification. Applications with specific requirements MAY use such names, but they must define the semantics.

ASN.1 definitions:

   id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

   SubjectAltName ::= GeneralNames

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER }

   OtherName ::= SEQUENCE {
        type-id    OBJECT IDENTIFIER,
        value      [0] EXPLICIT ANY DEFINED BY type-id }

   EDIPartyName ::= SEQUENCE {
        nameAssigner            [0]     DirectoryString OPTIONAL,
        partyName               [1]     DirectoryString }
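
As an added example (not part of the be.cardon library or of BouncyCastle), the following standard-library-only Python encoder/decoder builds and parses the GeneralNames SEQUENCE defined above for the four string-like alternatives (rfc822Name, dNSName, uniformResourceIdentifier, iPAddress) and enforces the RFC 3280 rules quoted above on every entry: at least one entry, no empty GeneralName, a bare addr-spec for rfc822Name, no mail address inside a dNSName, an absolute URI, and an iPAddress of exactly 4 or 16 octets in network byte order. All names and byte values are constructed for illustration; the tag constants are the IMPLICIT context tags from the CHOICE above.

```python
import ipaddress
# IMPLICIT context tags from the GeneralName CHOICE above; other alternatives are rejected.
RFC822_NAME, DNS_NAME, URI, IP_ADDRESS = 1, 2, 6, 7

def _tlv(tag, content):   # DER tag-length-value; short-form length (content < 128 octets)
    if len(content) >= 0x80:
        raise ValueError("long-form lengths are outside this example")
    return bytes([tag, len(content)]) + content

def _read_tlv(buf, pos=0):   # -> (tag, content, next position); rejects truncated elements
    tag, n = buf[pos], buf[pos + 1]
    if n & 0x80 or pos + 2 + n > len(buf):
        raise ValueError("long-form length or truncated DER element")
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def validate(choice, value):
    """Apply the RFC 3280 rules quoted above; return the DER content octets."""
    if choice == IP_ADDRESS:   # network byte order; ipaddress yields exactly 4 or 16 octets
        return ipaddress.ip_address(value).packed
    if not value or value.isspace():   # no empty GeneralName; no dNSName of " "
        raise ValueError("empty GeneralName is not permitted")
    if choice == RFC822_NAME and (value.count("@") != 1 or value[0] == "<" or "(" in value):
        raise ValueError("rfc822Name must be a bare addr-spec local-part@domain")
    if choice == DNS_NAME and "@" in value:   # mail addresses go in rfc822Name, not dNSName
        raise ValueError("dNSName must not carry a mail address")
    if choice == URI and not value.partition(":")[0].isalpha():   # absolute URI, scheme first
        raise ValueError("URI must carry a scheme and a scheme-specific-part")
    return value.encode("ascii")   # IA5String: non-ASCII names raise UnicodeEncodeError

def encode_subject_alt_name(names):
    """[(choice, value), ...] -> DER GeneralNames (SEQUENCE SIZE (1..MAX) OF GeneralName)."""
    if not names:
        raise ValueError("GeneralNames must contain at least one entry")
    return _tlv(0x30, b"".join(_tlv(0x80 | c, validate(c, v)) for c, v in names))

def decode_subject_alt_name(der):
    """DER GeneralNames -> [(choice, value), ...], re-checking every entry on the way in."""
    tag, body, end = _read_tlv(der)
    if tag != 0x30 or end != len(der) or not body:
        raise ValueError("expected exactly one non-empty SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        choice = tag & 0x1F
        if (tag & 0xE0) != 0x80 or choice not in (RFC822_NAME, DNS_NAME, URI, IP_ADDRESS):
            raise ValueError("unsupported GeneralName tag 0x%02x" % tag)
        value = str(ipaddress.ip_address(content)) if choice == IP_ADDRESS else content.decode("ascii")
        validate(choice, value)
        names.append((choice, value))
    return names
```

A decoder that re-runs validate() on the way in is what turns the MUST clauses above into something a relying party can actually check; an encoder alone only protects well-behaved issuers.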
   


Field Summary
 
Fields inherited from class org.bouncycastle.asn1.ASN1Encodable
BER, DER
 
Constructor Summary
SubjectAltName(org.bouncycastle.asn1.ASN1Sequence seq)
          Creates a new instance from an ASN1Sequence.
SubjectAltName(GeneralName name)
          Creates a new instance containing one GeneralName.
SubjectAltName(GeneralNames names)
          Creates a new instance containing the given GeneralNames.
 
Method Summary
 java.util.Vector<GeneralName> getGeneralNames()
          Returns the vector of GeneralName.
static SubjectAltName getInstance(org.bouncycastle.asn1.ASN1TaggedObject obj, boolean explicit)
          Creates a new object from an existing ASN.1 tagged object.
static SubjectAltName getInstance(java.lang.Object obj)
          Returns a new instance from an ASN1Sequence, a GeneralNames or a SubjectAlternativeName object.
 
Methods inherited from class be.cardon.asn1.x509.GeneralNames
getGeneralNameVector, toASN1Object
 
Methods inherited from class org.bouncycastle.asn1.ASN1Encodable
equals, getDEREncoded, getDERObject, getEncoded, getEncoded, hashCode
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SubjectAltName

public SubjectAltName(GeneralName name)
Creates a new instance containing one GeneralName.

Parameters:
name - the name to be contained.

SubjectAltName

public SubjectAltName(GeneralNames names)
Creates a new instance containing the given GeneralNames.


SubjectAltName

public SubjectAltName(org.bouncycastle.asn1.ASN1Sequence seq)
Creates a new instance from an ASN1Sequence.

Method Detail

getInstance

public static SubjectAltName getInstance(java.lang.Object obj)
Returns a new instance from an ASN1Sequence, a GeneralNames or a SubjectAlternativeName object.


getInstance

public static SubjectAltName getInstance(org.bouncycastle.asn1.ASN1TaggedObject obj,
                                         boolean explicit)
Creates a new object from an existing ASN.1 tagged object.


getGeneralNames

public java.util.Vector<GeneralName> getGeneralNames()
Returns the vector of GeneralName.

This vector may be empty but is never null.

This method is an alias for GeneralNames.getGeneralNameVector().