NameConstraints (5.24 API Documentation)

java.lang.Object
- iaik.x509.V3Extension
- - iaik.x509.extensions.NameConstraints

```
public class NameConstraints
extends V3Extension
```
This class implements the NameConstraints extension.
The NameConstraints extension is a critical standard X509v3 extension for being used in CA certificates.
Each extension is associated with a specific certificateExtension object identifier, derived from:
```
 certificateExtension  OBJECT IDENTIFIER ::=
                            {joint-iso-ccitt(2) ds(5) 29}
 id-ce                 OBJECT IDENTIFIER ::=  certificateExtension
 
```
The object identifier for the NameConstraints extension is defined as:
id-ce-nameConstraints OBJECT IDENTIFIER ::= { id-ce 30 }
which corresponds to the OID string "2.5.29.30".
The X.509 Certificate and CRL profile presented in RFC 3280 specifies the Name Constraints extension for indicating a name space within which all subject names in subsequent certificates in a certification path must be located. Restrictions may apply to the subject distinguished name or subject alternative names. Restrictions are defined in terms of permitted or excluded name subtrees. Any name matching a restriction in the excludedSubtrees field is invalid regardless of information appearing in the permittedSubtrees:
```
 NameConstraints ::= SEQUENCE {
   permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
   excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 GeneralSubtree ::= SEQUENCE {
   base                    GeneralName,
   minimum         [0]     BaseDistance DEFAULT 0,
   maximum         [1]     BaseDistance OPTIONAL }
 

 BaseDistance ::= INTEGER (0..MAX)
 
```
Within this profile, the minimum and maximum fields are not used with any name forms, thus minimum is always zero, and maximum is always absent.
Restrictions for the rfc822, dNSName, and uri name forms are all expressed in terms of strings with wild card matching. An "*" is the wildcard character. For uris and rfc822 names, the restriction applies to the host part of the name. Examples would be foo.bar.com; www*.bar.com; *.xyz.com.
More information can be found in RFC 3280, section 4.2.1.11 "Name Constraints".
For adding a NameConstraints extension object to a X509Certificate, use the addExtension method of the iaik.x509.X509Certificate class. The subtree information supplied when creating a NameConstraints object has to be an array of type iaik.asn1.structures.GeneralSubtree, e.g.:
```
 NameConstraints nameConstraints = new NameConstraints();
 GeneralSubtree generalSubtree = new GeneralSubtree(new GeneralName(GeneralName.rfc822Name, "*.tu-graz.ac.at"));
 generalSubtree.setMinimum(1);
 generalSubtree.setMaximum(3);
 nameConstraints.setPermittedSubtrees(new GeneralSubtree[] {generalSubtree});
 X509Certificate cert = new X509Certificate();
  ...
 cert.addExtension(nameConstraints);
 
```
Since the NameConstraints extension is a critical extension, critical has to be set to true before adding the NameConstraints extension to a certificate:
```
 nameConstraints.setCritical(true);
 
```
Version:

File Revision 23

See Also:
GeneralSubtree, GeneralName, V3Extension, X509Extensions, X509Certificate

Field Summary

Fields
Modifier and Type Field and Description

static ObjectID oid
The object identifier of this NameConstraints extension.
- Fields inherited from class iaik.x509.V3Extension
  critical

Fields
Modifier and Type	Field and Description
`static ObjectID`	`oid` The object identifier of this `NameConstraints` extension.

Constructor Summary

Constructors
Constructor and Description

NameConstraints()
Default costructor.

Constructors
Constructor and Description
`NameConstraints()` Default costructor.

Method Summary

Methods
Modifier and Type	Method and Description
`GeneralSubtree[]`	`getExcludedSubtrees()` Returns the excluded subtrees.
`ObjectID`	`getObjectID()` Returns the object ID of this `NameConstraints` extension
`GeneralSubtree[]`	`getPermittedSubtrees()` Returns the permitted subtrees.
`int`	`hashCode()` Returns a hashcode for this identity.
`void`	`init(ASN1Object obj)` Inits this `NameConstraints` implementation with an ASN1object representing the value of this extension.
`void`	`setExcludedSubtrees(GeneralSubtree[] excludedSubtrees)` Sets the excluded subtrees.
`void`	`setPermittedSubtrees(GeneralSubtree[] permittedSubtrees)` Sets the permitted subtrees.
`ASN1Object`	`toASN1Object()` Returns an ASN1Object representing the value of this `NameConstraints` extension object.
`java.lang.String`	`toString()` Returns a string that represents the contents of `NameConstraints` extension.

Methods inherited from class iaik.x509.V3Extension
getName, isCritical, setCritical

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, notify, notifyAll, wait, wait, wait

- Field Detail
  - oid
```
public static final ObjectID oid
```
    The object identifier of this NameConstraints extension. The corresponding OID string is "2.5.29.30".
- Constructor Detail
  - NameConstraints
```
public NameConstraints()
```
    Default costructor.
    Creates an empty NameConstraints object. Use setExcludedSubtrees or/and setPermittedSubtrees for adding any restricting information to this extension.
    Do not forget to specify this extension as critical before adding it to a certificate:
```
 NameConstraints nameConstraints = new NameConstraints();
 GeneralSubtree generalSubtree = new GeneralSubtree(new GeneralName(GeneralName.rfc822Name, "*.tu-graz.ac.at"));
 generalSubtree.setMinimum(1);
 generalSubtree.setMaximum(3);
 nameConstraints.setPermittedSubtrees(new GeneralSubtree[] {generalSubtree});
 nameConstraints.setCritical(true);
 X509Certificate cert = new X509Certificate();
  ...
 cert.addExtension(nameConstraints);
 
```
    See Also:
    GeneralSubtree, V3Extension.setCritical(boolean)
- Method Detail
  - toASN1Object
```
public ASN1Object toASN1Object()
                        throws X509ExtensionException
```
    Returns an ASN1Object representing the value of this NameConstraints extension object.
    The returned ASN1Object is an ASN.1 Sequence representing any included permitted or excluded subtree information:
```
 NameConstraints ::= SEQUENCE {
   permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
   excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 
```
    Specified by:
    
    toASN1Object in class V3Extension
    
    Returns:
    the value of this NameConstraints as ASN1Object
    
    Throws:
    
    X509ExtensionException - if the extension could not be created
  - init
```
public void init(ASN1Object obj)
          throws X509ExtensionException
```
    Inits this NameConstraints implementation with an ASN1object representing the value of this extension.
    The given ASN1Object represents a sequence of permitted/excluded subtree informations.
    The given ASN1Object is the one created by toASN1Object().
    This method is used by the X509Extensions class when parsing the ASN.1 representation of a certificate for properly initializing an included NameConstraints extension. This method initializes the extension only with its value, but not with its critical specification. For that reason, this method shall not be explicitly called by an application.
    
    Specified by:
    
    init in class V3Extension
    
    Parameters:
    obj - the NameConstraints as ASN1Object
    
    Throws:
    
    X509ExtensionException - if the extension could not be parsed
  - hashCode
```
public int hashCode()
```
    Returns a hashcode for this identity.
    
    Specified by:
    
    hashCode in class V3Extension
    
    Returns:
    a hash code for this identity
  - getObjectID
```
public ObjectID getObjectID()
```
    Returns the object ID of this NameConstraints extension
    
    Specified by:
    
    getObjectID in class V3Extension
    
    Returns:
    the object ID
  - setPermittedSubtrees
```
public void setPermittedSubtrees(GeneralSubtree[] permittedSubtrees)
```
    Sets the permitted subtrees.
    
    Parameters:
    permittedSubtrees - the permitted subtrees as array of GeneralSubtree
    See Also:
    GeneralSubtree
  - setExcludedSubtrees
```
public void setExcludedSubtrees(GeneralSubtree[] excludedSubtrees)
```
    Sets the excluded subtrees.
    
    Parameters:
    excludedSubtrees - the excluded subtrees as array of GeneralSubtree
    See Also:
    GeneralSubtree
  - getPermittedSubtrees
```
public GeneralSubtree[] getPermittedSubtrees()
```
    Returns the permitted subtrees.
    
    Returns:
    the permitted subtrees as array of GeneralSubtree
    See Also:
    GeneralSubtree
  - getExcludedSubtrees
```
public GeneralSubtree[] getExcludedSubtrees()
```
    Returns the excluded subtrees.
    
    Returns:
    the excluded subtrees as array of GeneralSubtree
    See Also:
    GeneralSubtree
  - toString
```
public java.lang.String toString()
```
    Returns a string that represents the contents of NameConstraints extension.
    
    Overrides:
    
    toString in class java.lang.Object
    
    Returns:
    the string representation

Class NameConstraints

Field Summary

Fields inherited from class iaik.x509.V3Extension

Constructor Summary

Method Summary

Methods inherited from class iaik.x509.V3Extension

Methods inherited from class java.lang.Object

Field Detail

oid

Constructor Detail

NameConstraints

Method Detail

toASN1Object

init

hashCode

getObjectID

setPermittedSubtrees

setExcludedSubtrees

getPermittedSubtrees

getExcludedSubtrees

toString