/*
 * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 */

/**
 * This class defines the Name Constraints Extension.
 *
 * The name constraints extension provides permitted and excluded
 * subtrees that place restrictions on names that may be included within
 * a certificate issued by a given CA. Restrictions may apply to the
 * subject distinguished name or subject alternative names. Any name
 * matching a restriction in the excluded subtrees field is invalid
 * regardless of information appearing in the permitted subtrees.
 *
 * The ASN.1 syntax for this is:
 *
 * NameConstraints ::= SEQUENCE {
 *      permittedSubtrees [0]  GeneralSubtrees OPTIONAL,
 *      excludedSubtrees  [1]  GeneralSubtrees OPTIONAL
 * }
 *
 * GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 *
 * @author Amit Kapoor
 * @author Hemma Prafullchandra
 */

    /**
     * Identifier for this attribute, to be used with the
     * get, set, delete methods of Certificate, x509 type.
     */
    public static final String IDENT = "x509.info.extensions.NameConstraints";
    // Private data members

    // Recalculate hasMin and hasMax flags.

    // Encode this extension value.

    /**
     * The default constructor for this class. Both parameters
     * are optional and can be set to null. The extension criticality
     *
     * @param permitted the permitted GeneralSubtrees (null for optional).
     * @param excluded the excluded GeneralSubtrees (null for optional).
     */

    /**
     * Create the extension from the passed DER encoded value.
     *
     * @param critical true if the extension is to be treated as critical.
     * @param value an array of DER encoded bytes of the actual value.
     * @exception ClassCastException if value is not an array of bytes
     * @exception IOException on error.
     */
            " NameConstraintsExtension.");

        // NB. this is always encoded with the IMPLICIT tag
        // The checks only make sense if we assume implicit tagging,
        // with explicit tagging the form is always constructed.
        // Note that all the fields in NameConstraints are defined as
        // being OPTIONAL, i.e., there could be an empty SEQUENCE, resulting
        // in val.data being null.
                "GeneralSubtrees in NameConstraintsExtension.");
                "GeneralSubtrees in NameConstraintsExtension.");
                "NameConstraintsExtension.");
    /**
     * Return the printable string.
     */

    /**
     * Write the extension to the OutputStream.
     *
     * @param out the OutputStream to write the extension to.
     * @exception IOException on encoding errors.
     */

    /**
     * Set the attribute value.
     */
                    + " of type GeneralSubtrees.");
                    + "of type GeneralSubtrees.");
                "CertAttrSet:NameConstraintsExtension.");

    /**
     * Get the attribute value.
     */
                "CertAttrSet:NameConstraintsExtension.");

    /**
     * Delete the attribute value.
     */
                "CertAttrSet:NameConstraintsExtension.");
    /**
     * Return an enumeration of names of attributes existing within this
     */

    /**
     * Return the name of this attribute.
     */

    /**
     * Merge additional name constraints with existing ones.
     * This function is used in certification path processing
     * to accumulate name constraints from successive certificates
     * in the path. Note that NameConstraints can never be
     * expanded by a merge, just remain constant or become more
     *
     * IETF RFC2459 specifies the processing of Name Constraints as
     *
     * (j) If permittedSubtrees is present in the certificate, set the
     * constrained subtrees state variable to the intersection of its
     * previous value and the value indicated in the extension field.
     *
     * (k) If excludedSubtrees is present in the certificate, set the
     * excluded subtrees state variable to the union of its previous
     * value and the value indicated in the extension field.
     *
     * @param newConstraints additional NameConstraints to be applied
     * @throws IOException on error
     */
        // absence of any explicit constraints implies unconstrained

        /*
         * If excludedSubtrees is present in the certificate, set the
         * excluded subtrees state variable to the union of its previous
         * value and the value indicated in the extension field.
         */
        // Merge new excluded with current excluded (union)

        /*
         * If permittedSubtrees is present in the certificate, set the
         * constrained subtrees state variable to the intersection of its
         * previous value and the value indicated in the extension field.
         */
        // Merge new permitted with current permitted (intersection)
        // Merge new excluded subtrees to current excluded (union)

        // Optional optimization: remove permitted subtrees that are excluded.
        // This is not necessary for algorithm correctness, but it makes
        // subsequent operations on the NameConstraints faster and require

        // The NameConstraints have been changed, so re-encode them. Methods in
        // this class assume that the encodings have already been done.

    /**
     * Check whether a certificate conforms to these NameConstraints.
     * This involves verifying that the subject name and subjectAltName
     * extension (critical or noncritical) are consistent with the permitted
     * subtrees state variables. Also verify that the subject name and
     * subjectAltName extension (critical or noncritical) are consistent with
     * the excluded subtrees state variables.
     *
     * @param cert X509Certificate to be verified
     * @return true if certificate verifies successfully
     * @throws IOException on error
     */
        // Calculate hasMin and hasMax booleans (if necessary)
                    + " name constraints not supported");
                    + " name constraints not supported");

        // extract extensions, if any, from certInfo
        // following returns null if certificate contains no extensions

        // extract altNames from extension; this call does not
        // return an IOException on null altnames

        // If there are no subjectAlternativeNames, perform the special-case
        // check where if the subjectName contains any EMAILADDRESS
        // attributes, they must be checked against RFC822 constraints.
        // If that passes, we're fine.

        // verify each subjectAltName

        // All tests passed.

    /**
     * Check whether a name conforms to these NameConstraints.
     * This involves verifying that the name is consistent with the
     * permitted and excluded subtrees variables.
     *
     * @param name GeneralNameInterface name to be verified
     * @return true if certificate verifies successfully
     * @throws IOException on error
     */
        // Verify that the name is consistent with the excluded subtrees
        // if name matches or narrows any excluded subtree,

        // Verify that the name is consistent with the permitted subtrees
        // if Name matches any type in permitted,
        // and Name does not match or narrow some permitted subtree,
                continue; // continue checking other permitted names
                continue; // continue to look for a match or narrow
                // name narrows permitted
                return true; // name is definitely OK, so break out of loop

    /**
     * Perform the RFC 822 special case check. We have a certificate
     * that does not contain any subject alternative names. Check that
     * any EMAILADDRESS attributes in its subject name conform to these
     *
     * @param subject the certificate's subject name
     * @return true if certificate verifies successfully
     * @throws IOException on error
     */

    /**
     * Clone all objects that may be modified during certificate validation.
     */
            "cloning NameConstraintsExtension. This should never happen.");
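The merge and verify logic described in the comments above, written out as an added Python example. This is not OpenJDK code and does not use the sun.security.x509 API; it models the RFC 2459/5280 state variables for dNSName and rfc822Name subtrees only (directoryName, URI and IP-address forms are left out), applies step (j) as an intersection and step (k) as a union, and checks names with the excluded-wins rule plus the no-SAN EMAILADDRESS special case. The names `NameConstraintsState`, `within`, `intersect_permitted` and the two-CA path in `build_demo_state` are hypothetical and constructed for the example.

```python
"""RFC 5280 6.1.4 name-constraints state (added example, not OpenJDK code).
Handles dNSName and rfc822Name subtrees only."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Labels for the two GeneralName types modelled (hypothetical, not the
# Java GeneralNameInterface tag constants).
DNS = "dNSName"
RFC822 = "rfc822Name"


def _dns_within(name: str, base: str) -> bool:
    """True if name equals base or is a subdomain of it (RFC 5280 4.2.1.10)."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def _rfc822_within(name: str, base: str) -> bool:
    """rfc822Name subtree forms: full mailbox, host (all its mailboxes),
    or leading-dot domain (all mailboxes on its subdomains)."""
    name, base = name.lower(), base.lower()
    if "@" in base:
        return name == base
    host = name.rsplit("@", 1)[-1]
    return host.endswith(base) if base.startswith(".") else host == base


def within(kind: str, name: str, base: str) -> bool:
    """Does `name` match or narrow the subtree `base` of the same type?"""
    return (_dns_within if kind == DNS else _rfc822_within)(name, base)


def intersect_permitted(cur: Dict[str, Set[str]],
                        new: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Step (j). A type absent from one side is unconstrained there, so the
    other side's subtrees carry over. A type on both sides keeps the narrower
    of each overlapping pair; no overlap leaves an empty set, which permits
    nothing of that type. The result is never wider than `cur`."""
    out: Dict[str, Set[str]] = {}
    for kind in set(cur) | set(new):
        if kind not in cur:
            out[kind] = set(new[kind])
        elif kind not in new:
            out[kind] = set(cur[kind])
        else:
            out[kind] = ({b for a in cur[kind] for b in new[kind] if within(kind, b, a)}
                         | {a for a in cur[kind] for b in new[kind] if within(kind, a, b)})
    return out


@dataclass
class NameConstraintsState:
    # None: no permittedSubtrees seen yet on the path, i.e. unconstrained.
    permitted: Optional[Dict[str, Set[str]]] = None
    excluded: Set[Tuple[str, str]] = field(default_factory=set)

    def merge(self, permitted=None, excluded=()):
        """Apply one certificate's NameConstraints: (k) union, (j) intersection."""
        self.excluded |= set(excluded)
        if permitted is not None:
            new = {k: set(v) for k, v in permitted.items()}
            self.permitted = (new if self.permitted is None
                              else intersect_permitted(self.permitted, new))
        return self

    def check_name(self, kind: str, name: str) -> bool:
        """Excluded subtrees win; then the name must fall in some permitted
        subtree of its type, if any subtree of that type is present."""
        if any(k == kind and within(kind, name, b) for k, b in self.excluded):
            return False
        if self.permitted is None or kind not in self.permitted:
            return True
        return any(within(kind, name, b) for b in self.permitted[kind])

    def check_cert(self, subject_emails, sans) -> bool:
        """subject_emails: EMAILADDRESS values from the subject DN;
        sans: (kind, name) pairs from subjectAltName, empty if absent.
        With no SAN, subject EMAILADDRESS values are checked as rfc822Names."""
        if not sans:
            return all(self.check_name(RFC822, e) for e in subject_emails)
        return all(self.check_name(k, n) for k, n in sans)


def build_demo_state() -> NameConstraintsState:
    """Constructed two-CA path (sample data, not from any real PKI)."""
    state = NameConstraintsState()
    # First intermediate: permits example.com for DNS and mail, excludes a
    # lab subdomain that sits inside the permitted tree.
    state.merge({DNS: {"example.com"}, RFC822: {"example.com"}},
                {(DNS, "lab.corp.example.com")})
    # Second intermediate narrows DNS to corp.example.com, blocks one mailbox.
    state.merge({DNS: {"corp.example.com"}}, {(RFC822, "ceo@example.com")})
    return state


if __name__ == "__main__":
    s = build_demo_state()
    for kind, name in [(DNS, "www.corp.example.com"), (DNS, "www.example.com"),
                       (DNS, "box.lab.corp.example.com"), (RFC822, "ceo@example.com")]:
        print(kind, name, "->", "OK" if s.check_name(kind, name) else "REJECT")
```

The empty-set case in `intersect_permitted` is the one worth remembering: two CAs that each permit a disjoint DNS subtree leave no DNS name acceptable further down the path, which is the intended "never expands" behaviour rather than a bug.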