sun.security.x509

Class NameConstraintsExtension

java.lang.Object

sun.security.x509.Extension

sun.security.x509.NameConstraintsExtension

All Implemented Interfaces:

java.lang.Cloneable, CertAttrSet<java.lang.String>

public class NameConstraintsExtension
extends Extension
implements CertAttrSet<java.lang.String>, java.lang.Cloneable

This class defines the Name Constraints Extension.

The name constraints extension provides permitted and excluded subtrees that place restrictions on names that may be included within a certificate issued by a given CA. Restrictions may apply to the subject distinguished name or subject alternative names. Any name matching a restriction in the excluded subtrees field is invalid regardless of information appearing in the permitted subtrees.

The ASN.1 syntax for this is:

 NameConstraints ::= SEQUENCE {
    permittedSubtrees [0]  GeneralSubtrees OPTIONAL,
    excludedSubtrees  [1]  GeneralSubtrees OPTIONAL
 }
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 

Author:

Amit Kapoor, Hemma Prafullchandra

See Also:

Extension, CertAttrSet

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	EXCLUDED_SUBTREES
static java.lang.String	IDENT Identifier for this attribute, to be used with the get, set, delete methods of Certificate, x509 type.
static java.lang.String	NAME Attribute names.
static java.lang.String	PERMITTED_SUBTREES

Fields inherited from class sun.security.x509.Extension

critical, extensionId, extensionValue

Constructor Summary

Constructors

Constructor and Description
NameConstraintsExtension(java.lang.Boolean critical, java.lang.Object value) Create the extension from the passed DER encoded value.
NameConstraintsExtension(GeneralSubtrees permitted, GeneralSubtrees excluded) The default constructor for this class.

Method Summary

Methods

Modifier and Type	Method and Description
java.lang.Object	clone() Clone all objects that may be modified during certificate validation.
void	delete(java.lang.String name) Delete the attribute value.
void	encode(java.io.OutputStream out) Write the extension to the OutputStream.
java.lang.Object	get(java.lang.String name) Get the attribute value.
java.util.Enumeration<java.lang.String>	getElements() Return an enumeration of names of attributes existing within this attribute.
java.lang.String	getName() Return the name of this attribute.
void	merge(NameConstraintsExtension newConstraints) Merge additional name constraints with existing ones.
void	set(java.lang.String name, java.lang.Object obj) Set the attribute value.
java.lang.String	toString() Return the printable string.
boolean	verify(GeneralNameInterface name) check whether a name conforms to these NameConstraints.
boolean	verify(java.security.cert.X509Certificate cert) check whether a certificate conforms to these NameConstraints.
boolean	verifyRFC822SpecialCase(X500Name subject) Perform the RFC 822 special case check.

Methods inherited from class sun.security.x509.Extension

encode, equals, getExtensionId, getExtensionValue, hashCode, isCritical

Methods inherited from class java.lang.Object

finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

IDENT

public static final java.lang.String IDENT

Identifier for this attribute, to be used with the get, set, delete methods of Certificate, x509 type.

See Also:

Constant Field Values

NAME

public static final java.lang.String NAME

Attribute names.

See Also:

Constant Field Values

PERMITTED_SUBTREES

public static final java.lang.String PERMITTED_SUBTREES

See Also:

Constant Field Values

EXCLUDED_SUBTREES

public static final java.lang.String EXCLUDED_SUBTREES

See Also:

Constant Field Values

Constructor Detail

NameConstraintsExtension

public NameConstraintsExtension(GeneralSubtrees permitted,
                        GeneralSubtrees excluded)
                         throws java.io.IOException

The default constructor for this class. Both parameters are optional and can be set to null. The extension criticality is set to true.

Parameters:

permitted - the permitted GeneralSubtrees (null for optional).

excluded - the excluded GeneralSubtrees (null for optional).

Throws:

java.io.IOException

NameConstraintsExtension

public NameConstraintsExtension(java.lang.Boolean critical,
                        java.lang.Object value)
                         throws java.io.IOException

Create the extension from the passed DER encoded value.

Parameters:

critical - true if the extension is to be treated as critical.

value - an array of DER encoded bytes of the actual value.

Throws:

java.lang.ClassCastException - if value is not an array of bytes

java.io.IOException - on error.

Method Detail

toString

public java.lang.String toString()

Return the printable string.

Specified by:

toString in interface CertAttrSet<java.lang.String>

Overrides:

toString in class Extension

Returns:

value of this certificate attribute in printable form.

encode

public void encode(java.io.OutputStream out)
            throws java.io.IOException

Write the extension to the OutputStream.

Specified by:

encode in interface CertAttrSet<java.lang.String>

Parameters:

out - the OutputStream to write the extension to.

Throws:

java.io.IOException - on encoding errors.

set

public void set(java.lang.String name,
       java.lang.Object obj)
         throws java.io.IOException

Set the attribute value.

Specified by:

set in interface CertAttrSet<java.lang.String>

Parameters:

name - the name of the attribute (e.g. "x509.info.key")

obj - the attribute object.

Throws:

java.io.IOException - on other errors.

get

public java.lang.Object get(java.lang.String name)
                     throws java.io.IOException

Get the attribute value.

Specified by:

get in interface CertAttrSet<java.lang.String>

Parameters:

name - the name of the attribute to return.

Throws:

java.io.IOException - on other errors.

delete

public void delete(java.lang.String name)
            throws java.io.IOException

Delete the attribute value.

Specified by:

delete in interface CertAttrSet<java.lang.String>

Parameters:

name - the name of the attribute to delete.

Throws:

java.io.IOException - on other errors.

getElements

public java.util.Enumeration<java.lang.String> getElements()

Return an enumeration of names of attributes existing within this attribute.

Specified by:

getElements in interface CertAttrSet<java.lang.String>

Returns:

an enumeration of the attribute names.

getName

public java.lang.String getName()

Return the name of this attribute.

Specified by:

getName in interface CertAttrSet<java.lang.String>

Returns:

the name of this CertAttrSet.

merge

public void merge(NameConstraintsExtension newConstraints)
           throws java.io.IOException

Merge additional name constraints with existing ones. This function is used in certification path processing to accumulate name constraints from successive certificates in the path. Note that NameConstraints can never be expanded by a merge, just remain constant or become more limiting.

IETF RFC2459 specifies the processing of Name Constraints as follows:

(j) If permittedSubtrees is present in the certificate, set the constrained subtrees state variable to the intersection of its previous value and the value indicated in the extension field.

(k) If excludedSubtrees is present in the certificate, set the excluded subtrees state variable to the union of its previous value and the value indicated in the extension field.

Parameters:

newConstraints - additional NameConstraints to be applied

Throws:

java.io.IOException - on error

verify

public boolean verify(java.security.cert.X509Certificate cert)
               throws java.io.IOException

check whether a certificate conforms to these NameConstraints. This involves verifying that the subject name and subjectAltName extension (critical or noncritical) is consistent with the permitted subtrees state variables. Also verify that the subject name and subjectAltName extension (critical or noncritical) is consistent with the excluded subtrees state variables.

Parameters:

cert - X509Certificate to be verified

Throws:

java.io.IOException - on error

verify

public boolean verify(GeneralNameInterface name)
               throws java.io.IOException

check whether a name conforms to these NameConstraints. This involves verifying that the name is consistent with the permitted and excluded subtrees variables.

Parameters:

name - GeneralNameInterface name to be verified

Throws:

java.io.IOException - on error

verifyRFC822SpecialCase

public boolean verifyRFC822SpecialCase(X500Name subject)
                                throws java.io.IOException

Perform the RFC 822 special case check. We have a certificate that does not contain any subject alternative names. Check that any EMAILADDRESS attributes in its subject name conform to these NameConstraints.

Parameters:

subject - the certificate's subject name

Throws:

java.io.IOException - on error

clone

public java.lang.Object clone()

Clone all objects that may be modified during certificate validation.

Overrides:

clone in class java.lang.Object