Class: R509::Cert::Extensions::BasicConstraints

Inherits:
OpenSSL::X509::Extension
  • Object
Defined in:
lib/r509/cert/extensions/basic_constraints.rb

Overview

RFC 5280 Description (see: www.ietf.org/rfc/rfc5280.txt)

The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.

You can use this extension to parse an existing extension for easy access to the contents or create a new one.

Constant Summary

OID = "basicConstraints"

friendly name for BasicConstraints OID

Constructor Details

#initialize(arg) ⇒ BasicConstraints

This method takes a hash of options, or an existing Extension object to parse.

Parameters:

  • arg (Hash)

    a customizable set of options

Options Hash (arg):

  • :ca (Boolean)

    The ca key is required and must be set to true (for an issuing CA) or false (everything else).

  • :path_length (Object)

    Optional Integer. This option is only allowed if ca is set to true. path_length defines the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. For example, if you set this value to 0, the certificate issued can only issue end-entity certificates, not additional subroots. This must be a non-negative integer (>=0).

  • :critical (Boolean) — default: true


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 27

def initialize(arg)
  unless R509::Cert::Extensions.is_extension?(arg)
    arg = build_extension(arg)
  end

  super(arg)
  parse_extension
end

Instance Attribute Details

#path_length ⇒ Integer? (readonly)

Returns the path length (if present).

Returns:

  • (Integer, nil)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 21

def path_length
  @path_length
end

Instance Method Details

#allows_sub_ca? ⇒ Boolean

Returns true if the path length allows this certificate to be used to create subordinate signing certificates beneath it. It does not check whether there is a pathlen restriction in the certificate chain above the current certificate.

Returns:

  • (Boolean)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 46

def allows_sub_ca?
  return false unless is_ca?
  return true if @path_length.nil?
  @path_length > 0
end
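
Because allows_sub_ca? looks only at the certificate's own extension, a caller that cares about restrictions higher in the chain has to walk the chain itself. The following is an added example, not part of r509: it uses only Ruby's bundled OpenSSL library, the helper names (bc_ext, parse_bc, remaining_ca_depth and the rest) are hypothetical, the extensions are constructed sample input, and it assumes the chain contains no self-issued certificates.

```ruby
require "openssl"

# Constructed sample input: a basicConstraints extension built with Ruby's OpenSSL.
def bc_ext(value)
  OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", value, true)
end

# Decode an extension into [is_ca, path_length]; path_length is nil when absent.
def parse_bc(ext)
  outer = OpenSSL::ASN1.decode(ext.to_der)             # SEQUENCE { OID, critical, OCTET STRING }
  inner = OpenSSL::ASN1.decode(outer.value.last.value) # BasicConstraints SEQUENCE
  is_ca = false
  path_length = nil
  inner.value.each do |field|
    is_ca = field.value if field.is_a?(OpenSSL::ASN1::Boolean)
    path_length = field.value.to_i if field.is_a?(OpenSSL::ASN1::Integer)
  end
  [is_ca, path_length]
end

# The per-certificate rule documented above: only this extension is consulted.
def allows_sub_ca_alone?(ext)
  is_ca, path_length = parse_bc(ext)
  is_ca && (path_length.nil? || path_length > 0)
end

# Chain-aware variant. `chain` runs from the topmost CA down to the certificate in
# question. Returns how many further CA levels may sit below it (nil = no limit).
def remaining_ca_depth(chain)
  remaining = nil
  chain.each do |ext|
    is_ca, path_length = parse_bc(ext)
    raise ArgumentError, "non-CA certificate in issuing chain" unless is_ca
    remaining -= 1 unless remaining.nil? # this CA uses one level of every limit above it
    raise ArgumentError, "pathlen already exceeded" if remaining && remaining < 0
    remaining = [remaining, path_length].compact.min
  end
  remaining
end

def allows_sub_ca_in_chain?(chain)
  depth = remaining_ca_depth(chain)
  depth.nil? || depth > 0
end

root = bc_ext("CA:TRUE,pathlen:1")   # constructed: root permits one intermediate
intermediate = bc_ext("CA:TRUE")     # constructed: no pathlen of its own
puts allows_sub_ca_alone?(intermediate)
puts allows_sub_ca_in_chain?([root, intermediate])
```

The intermediate passes the per-certificate check, yet the root's pathlen of 1 is already used up by the intermediate itself, so any sub-CA it issued could not issue certificates that validate.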

#is_ca? ⇒ Boolean

Check whether the extension value would make the parent certificate a CA.

Returns:

  • (Boolean)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 38

def is_ca?
  @is_ca == true
end

#to_h ⇒ Hash

Returns:

  • (Hash)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 53

def to_h
  hash = { :ca => @is_ca, :critical => self.critical? }
  hash[:path_length] = @path_length unless @path_length.nil? || !is_ca?
  hash
end

#to_yaml ⇒ YAML

Returns:

  • (YAML)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 60

def to_yaml
  self.to_h.to_yaml
end