public class NameConstraintsExtension extends Extension implements Cloneable, CertAttrSet<T>

java.lang.Object
   ↳ sun.security.x509.Extension
     ↳ sun.security.x509.NameConstraintsExtension

Class Overview

This class defines the Name Constraints Extension.

The name constraints extension provides permitted and excluded subtrees that place restrictions on names that may be included within a certificate issued by a given CA. Restrictions may apply to the subject distinguished name or subject alternative names. Any name matching a restriction in the excluded subtrees field is invalid regardless of information appearing in the permitted subtrees.

The ASN.1 syntax for this is:

 NameConstraints ::= SEQUENCE {
    permittedSubtrees [0]  GeneralSubtrees OPTIONAL,
    excludedSubtrees  [1]  GeneralSubtrees OPTIONAL
 }
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 

Summary

Constants
String EXCLUDED_SUBTREES
String IDENT Identifier for this attribute, to be used with the get, set, delete methods of Certificate, x509 type.
String NAME Attribute names.
String PERMITTED_SUBTREES
Public Constructors
NameConstraintsExtension(GeneralSubtrees permitted, GeneralSubtrees excluded)
The default constructor for this class.
NameConstraintsExtension(Boolean critical, Object value)
Create the extension from the passed DER encoded value.
Public Methods
Object clone()
Clone all objects that may be modified during certificate validation.
void delete(String name)
Delete the attribute value.
void encode(OutputStream out)
Write the extension to the OutputStream.
Object get(String name)
Get the attribute value.
Enumeration<String> getElements()
Return an enumeration of names of attributes existing within this attribute.
String getName()
Return the name of this attribute.
void merge(NameConstraintsExtension newConstraints)
Merge additional name constraints with existing ones.
void set(String name, Object obj)
Set the attribute value.
String toString()
Return the printable string.
boolean verify(GeneralNameInterface name)
Check whether a name conforms to these NameConstraints.
boolean verify(X509Certificate cert)
Check whether a certificate conforms to these NameConstraints.
boolean verifyRFC822SpecialCase(X500Name subject)
Perform the RFC 822 special case check.

Constants

public static final String EXCLUDED_SUBTREES

Constant Value: "excluded_subtrees"

public static final String IDENT

Identifier for this attribute, to be used with the get, set, delete methods of Certificate, x509 type.

Constant Value: "x509.info.extensions.NameConstraints"

public static final String NAME

Attribute names.

Constant Value: "NameConstraints"

public static final String PERMITTED_SUBTREES

Constant Value: "permitted_subtrees"

Public Constructors

public NameConstraintsExtension (GeneralSubtrees permitted, GeneralSubtrees excluded)

The default constructor for this class. Both parameters are optional and can be set to null. The extension criticality is set to true.

Parameters
permitted the permitted GeneralSubtrees (null for optional).
excluded the excluded GeneralSubtrees (null for optional).
Throws
IOException

public NameConstraintsExtension (Boolean critical, Object value)

Create the extension from the passed DER encoded value.

Parameters
critical true if the extension is to be treated as critical.
value an array of DER encoded bytes of the actual value.
Throws
ClassCastException if value is not an array of bytes.
IOException on error.

Public Methods

public Object clone ()

Clone all objects that may be modified during certificate validation.

Returns
  • a clone of this instance.

public void delete (String name)

Delete the attribute value.

Parameters
name the name of the attribute to delete.
Throws
IOException

public void encode (OutputStream out)

Write the extension to the OutputStream.

Parameters
out the OutputStream to write the extension to.
Throws
IOException on encoding errors.

public Object get (String name)

Get the attribute value.

Parameters
name the name of the attribute to return.
Throws
IOException

public Enumeration<String> getElements ()

Return an enumeration of names of attributes existing within this attribute.

Returns
  • an enumeration of the attribute names.

public String getName ()

Return the name of this attribute.

Returns
  • the name of this CertAttrSet.

public void merge (NameConstraintsExtension newConstraints)

Merge additional name constraints with existing ones. This function is used in certification path processing to accumulate name constraints from successive certificates in the path. Note that NameConstraints can never be expanded by a merge, just remain constant or become more limiting.

IETF RFC2459 specifies the processing of Name Constraints as follows:

(j) If permittedSubtrees is present in the certificate, set the constrained subtrees state variable to the intersection of its previous value and the value indicated in the extension field.

(k) If excludedSubtrees is present in the certificate, set the excluded subtrees state variable to the union of its previous value and the value indicated in the extension field.

Parameters
newConstraints additional NameConstraints to be applied
Throws
IOException on error
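The rule in the class overview (an excluded subtree wins regardless of permitted subtrees) and the merge semantics above (intersect permitted, union excluded) can be exercised directly against this class. The following is an added example, not code from the page or the JDK; it assumes a desktop OpenJDK where sun.security.x509 is reachable by compiling and running with --add-exports java.base/sun.security.x509=ALL-UNNAMED, and the helper names dnsSubtrees, allowed and NameConstraintsDemo are the example's own.

```java
import java.io.IOException;
import sun.security.x509.DNSName;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.GeneralSubtree;
import sun.security.x509.GeneralSubtrees;
import sun.security.x509.NameConstraintsExtension;

// Added demo class (not part of the JDK); helper names are this example's own.
public class NameConstraintsDemo {

    // Build a GeneralSubtrees with one dNSName subtree per host given.
    // minimum 0 and maximum absent (-1) are the only values RFC 5280 allows here.
    static GeneralSubtrees dnsSubtrees(String... names) throws IOException {
        GeneralSubtrees trees = new GeneralSubtrees();
        for (String n : names) {
            trees.add(new GeneralSubtree(new GeneralName(new DNSName(n)), 0, -1));
        }
        return trees;
    }

    // verify(GeneralNameInterface) answers "is this name allowed?" for one constraint set.
    static boolean allowed(NameConstraintsExtension nc, String dns) throws IOException {
        GeneralNameInterface name = new DNSName(dns);
        return nc.verify(name);
    }

    public static void main(String[] args) throws IOException {
        // Root CA constraint: permit example.com, exclude test.example.com (constructed values).
        NameConstraintsExtension path = new NameConstraintsExtension(
                dnsSubtrees("example.com"), dnsSubtrees("test.example.com"));

        System.out.println(allowed(path, "www.example.com"));        // true: inside permitted
        System.out.println(allowed(path, "host.test.example.com"));  // false: excluded wins
        System.out.println(allowed(path, "example.org"));            // false: outside permitted

        // An intermediate CA narrows the path to sub.example.com. merge() intersects the
        // permitted subtrees (RFC 2459 step j) and unions the excluded ones (step k), so the
        // accumulated constraints can only stay the same or become stricter.
        NameConstraintsExtension intermediate = new NameConstraintsExtension(
                dnsSubtrees("sub.example.com"), null);
        path.merge(intermediate);

        System.out.println(allowed(path, "www.example.com"));        // false after merge
        System.out.println(allowed(path, "www.sub.example.com"));    // true: within both
    }
}
```

Because merge() mutates the receiver, callers that need the pre-merge state should call clone() first, which is what certification path processing does for each certificate in the path.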

public void set (String name, Object obj)

Set the attribute value.

Parameters
name the name of the attribute (e.g. "x509.info.key")
obj the attribute object.
Throws
IOException

public String toString ()

Return the printable string.

Returns
  • a string representation of the object.

public boolean verify (GeneralNameInterface name)

Check whether a name conforms to these NameConstraints. This involves verifying that the name is consistent with the permitted and excluded subtrees variables.

Parameters
name GeneralNameInterface name to be verified
Throws
IOException on error

public boolean verify (X509Certificate cert)

Check whether a certificate conforms to these NameConstraints. This involves verifying that the subject name and the subjectAltName extension (critical or noncritical) are consistent with the permitted subtrees state variables, and that the subject name and the subjectAltName extension (critical or noncritical) are consistent with the excluded subtrees state variables.

Parameters
cert X509Certificate to be verified
Throws
IOException on error

public boolean verifyRFC822SpecialCase (X500Name subject)

Perform the RFC 822 special case check. We have a certificate that does not contain any subject alternative names. Check that any EMAILADDRESS attributes in its subject name conform to these NameConstraints.

Parameters
subject the certificate's subject name
Throws
IOException on error