NameConstraintsExtension (kona-pkix 1.0.7.1 API)

java.lang.Object
- com.tencent.kona.sun.security.x509.Extension
- - com.tencent.kona.sun.security.x509.NameConstraintsExtension

All Implemented Interfaces:

com.tencent.kona.sun.security.util.DerEncoder, java.lang.Cloneable, java.security.cert.Extension
```
public class NameConstraintsExtension
extends Extension
implements java.lang.Cloneable
```
This class defines the Name Constraints Extension.
The name constraints extension provides permitted and excluded subtrees that place restrictions on names that may be included within a certificate issued by a given CA. Restrictions may apply to the subject distinguished name or subject alternative names. Any name matching a restriction in the excluded subtrees field is invalid regardless of information appearing in the permitted subtrees.
The ASN.1 syntax for this is:
```
 NameConstraints ::= SEQUENCE {
    permittedSubtrees [0]  GeneralSubtrees OPTIONAL,
    excludedSubtrees  [1]  GeneralSubtrees OPTIONAL
 }
 GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 
```
See Also:

Extension

Field Summary

Fields
Modifier and Type Field and Description

static java.lang.String NAME
- Fields inherited from class com.tencent.kona.sun.security.x509.Extension
  critical, extensionId, extensionValue

Fields
Modifier and Type	Field and Description
`static java.lang.String`	`NAME`

Constructor Summary

Constructors
Constructor and Description
`NameConstraintsExtension(java.lang.Boolean critical, java.lang.Object value)` Create the extension from the passed DER encoded value.
`NameConstraintsExtension(GeneralSubtrees permitted, GeneralSubtrees excluded)` The default constructor for this class.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`java.lang.Object`	`clone()` Clone all objects that may be modified during certificate validation.
`void`	`encode(com.tencent.kona.sun.security.util.DerOutputStream out)` Write the extension to the OutputStream.
`GeneralSubtrees`	`getExcludedSubtrees()`
`java.lang.String`	`getName()` Return the name of this extension.
`GeneralSubtrees`	`getPermittedSubtrees()`
`void`	`merge(NameConstraintsExtension newConstraints)` Merge additional name constraints with existing ones.
`java.lang.String`	`toString()` Return the printable string.
`boolean`	`verify(GeneralNameInterface name)` check whether a name conforms to these NameConstraints.
`boolean`	`verify(java.security.cert.X509Certificate cert)` check whether a certificate conforms to these NameConstraints.

Methods inherited from class com.tencent.kona.sun.security.x509.Extension
encode, equals, getExtensionId, getExtensionValue, getId, getValue, hashCode, isCritical, newExtension

Methods inherited from class java.lang.Object
finalize, getClass, notify, notifyAll, wait, wait, wait

- Field Detail
  - NAME
```
public static final java.lang.String NAME
```
    See Also:
    
    Constant Field Values
- Constructor Detail
  - NameConstraintsExtension
```
public NameConstraintsExtension(GeneralSubtrees permitted,
                                GeneralSubtrees excluded)
```
    The default constructor for this class. Both parameters are optional but at least one should be non null. The extension criticality is set to true.
    
    Parameters:
    
    permitted - the permitted GeneralSubtrees (null for optional).
    
    excluded - the excluded GeneralSubtrees (null for optional).
  - NameConstraintsExtension
```
public NameConstraintsExtension(java.lang.Boolean critical,
                                java.lang.Object value)
                         throws java.io.IOException
```
    Create the extension from the passed DER encoded value.
    
    Parameters:
    
    critical - true if the extension is to be treated as critical.
    
    value - an array of DER encoded bytes of the actual value.
    
    Throws:
    
    java.lang.ClassCastException - if value is not an array of bytes
    
    java.io.IOException - on error.
- Method Detail
  - toString
```
public java.lang.String toString()
```
    Return the printable string.
    
    Overrides:
    
    toString in class Extension
  - encode
```
public void encode(com.tencent.kona.sun.security.util.DerOutputStream out)
```
    Write the extension to the OutputStream.
    
    Specified by:
    
    encode in interface com.tencent.kona.sun.security.util.DerEncoder
    
    Overrides:
    
    encode in class Extension
    
    Parameters:
    
    out - the DerOutputStream to write the extension to.
  - getPermittedSubtrees
```
public GeneralSubtrees getPermittedSubtrees()
```
  - getExcludedSubtrees
```
public GeneralSubtrees getExcludedSubtrees()
```
  - getName
```
public java.lang.String getName()
```
    Return the name of this extension.
    
    Overrides:
    
    getName in class Extension
  - merge
```
public void merge(NameConstraintsExtension newConstraints)
           throws java.io.IOException
```
    Merge additional name constraints with existing ones. This function is used in certification path processing to accumulate name constraints from successive certificates in the path. Note that NameConstraints can never be expanded by a merge, just remain constant or become more limiting.
    IETF RFC 5280 specifies the processing of Name Constraints as follows:
    (j) If permittedSubtrees is present in the certificate, set the constrained subtrees state variable to the intersection of its previous value and the value indicated in the extension field.
    (k) If excludedSubtrees is present in the certificate, set the excluded subtrees state variable to the union of its previous value and the value indicated in the extension field.
    
    Parameters:
    
    newConstraints - additional NameConstraints to be applied
    
    Throws:
    
    java.io.IOException - on error
  - verify
```
public boolean verify(java.security.cert.X509Certificate cert)
               throws java.io.IOException
```
    check whether a certificate conforms to these NameConstraints. This involves verifying that the subject name and subjectAltName extension (critical or noncritical) is consistent with the permitted subtrees state variables. Also verify that the subject name and subjectAltName extension (critical or noncritical) is consistent with the excluded subtrees state variables.
    
    Parameters:
    
    cert - X509Certificate to be verified
    
    Returns:
    
    true if certificate verifies successfully
    
    Throws:
    
    java.io.IOException - on error
  - verify
```
public boolean verify(GeneralNameInterface name)
               throws java.io.IOException
```
    check whether a name conforms to these NameConstraints. This involves verifying that the name is consistent with the permitted and excluded subtrees variables.
    
    Parameters:
    
    name - GeneralNameInterface name to be verified
    
    Returns:
    
    true if certificate verifies successfully
    
    Throws:
    
    java.io.IOException - on error
  - clone
```
public java.lang.Object clone()
```
    Clone all objects that may be modified during certificate validation.
    
    Overrides:
    
    clone in class java.lang.Object

Class NameConstraintsExtension

Field Summary

Fields inherited from class com.tencent.kona.sun.security.x509.Extension

Constructor Summary

Method Summary

Methods inherited from class com.tencent.kona.sun.security.x509.Extension

Methods inherited from class java.lang.Object

Field Detail

NAME

Constructor Detail

NameConstraintsExtension

NameConstraintsExtension

Method Detail

toString

encode

getPermittedSubtrees

getExcludedSubtrees

getName

merge

verify

verify

clone