Class: R509::Cert::Extensions::BasicConstraints

Inherits:
OpenSSL::X509::Extension
  • Object
Defined in:
lib/r509/cert/extensions/basic_constraints.rb

Overview

RFC 5280 Description (see: www.ietf.org/rfc/rfc5280.txt)

The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.

You can use this extension to parse an existing extension for easy access to the contents or create a new one.

Constant Summary

OID = "basicConstraints"

friendly name for BasicConstraints OID

Constructor Details

- (BasicConstraints) initialize(arg)

This method takes a hash or an existing Extension object to parse

Parameters:

  • arg (Hash)

    a customizable set of options

Options Hash (arg):

  • :ca (Boolean)

    The ca key is required and must be set to true (for an issuing CA) or false (everything else).

  • :path_length (Object)

    optional [Integer] This option is only allowed if ca is set to TRUE. path_length allows you to define the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. For example, if you set this value to 0 then the certificate issued can only issue end entity certificates, not additional subroots. This must be a non-negative integer (>=0).

  • :critical (Boolean) — default: true


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 28

def initialize(arg)
  if not R509::Cert::Extensions.is_extension?(arg)
    arg = build_extension(arg)
  end

  super(arg)
  parse_extension
end

Instance Attribute Details

- (Integer?) path_length (readonly)

returns the path length (if present)

Returns:

  • (Integer, nil)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 22

def path_length
  @path_length
end

Instance Method Details

- (Boolean) allows_sub_ca?

Returns true if the path length allows this certificate to be used to create subordinate signing certificates beneath it. Does not check whether there is a pathlen restriction in the cert chain above the current cert.

Returns:

  • (Boolean)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 47

def allows_sub_ca?
  return false unless is_ca?
  return true if @path_length.nil?
  return @path_length > 0
end
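
Because allows_sub_ca? looks only at the certificate's own extension, a pathlen set higher in the chain can still forbid a subordinate CA. The following added example (not part of r509; it uses only Ruby's standard OpenSSL library, and the helper names issue, basic_constraints and chain_allows_sub_ca? are assumptions made for illustration) walks a chain from the root down and applies the RFC 5280 path length rules to constructed test certificates.

```ruby
require "openssl"

# Constructed test helper: issues a certificate carrying the given
# basicConstraints value; self-signed when no issuer is supplied.
def issue(cn, constraints, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62) + 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  factory = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(factory.create_extension("basicConstraints", constraints, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Reads basicConstraints into the same keys to_h uses (:ca, :path_length).
def basic_constraints(cert)
  ext = cert.extensions.find { |e| e.oid == "basicConstraints" }
  return { :ca => false } if ext.nil?
  parsed = { :ca => ext.value.include?("CA:TRUE") }
  parsed[:path_length] = $1.to_i if parsed[:ca] && ext.value =~ /pathlen:(\d+)/
  parsed
end

# chain is ordered root first; its last element is the CA being asked about.
# Applies the RFC 5280 path length rules and returns true only when every
# constraint in the chain still leaves room for one more CA below that cert.
def chain_allows_sub_ca?(chain)
  remaining = nil # nil means no pathlen limit seen so far
  chain.each do |cert|
    bc = basic_constraints(cert)
    return false unless bc[:ca]
    unless cert.subject.cmp(cert.issuer) == 0 # self-issued certs do not count
      return false if remaining == 0
      remaining -= 1 if remaining
    end
    limit = bc[:path_length]
    remaining = limit if limit && (remaining.nil? || limit < remaining)
  end
  remaining.nil? || remaining > 0
end
```

With a root carrying pathlen:1 and an intermediate carrying no pathlen, the intermediate on its own appears able to issue a sub CA, while the full chain shows that it cannot.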

- (Boolean) is_ca?

Check whether the extension value would make the parent certificate a CA

Returns:

  • (Boolean)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 39

def is_ca?
  return @is_ca == true
end

- (Hash) to_h

Returns:

  • (Hash)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 54

def to_h
  hash = { :ca => @is_ca, :critical => self.critical? }
  hash[:path_length] = @path_length unless @path_length.nil? or not is_ca?
  hash
end

- (YAML) to_yaml

Returns:

  • (YAML)


# File 'lib/r509/cert/extensions/basic_constraints.rb', line 61

def to_yaml
  self.to_h.to_yaml
end