Class: R509::Cert::Extensions::NameConstraints

Inherits:
OpenSSL::X509::Extension
  • Object
Defined in:
lib/r509/cert/extensions/name_constraints.rb

Overview

RFC 5280 Description (see: www.ietf.org/rfc/rfc5280.txt)

The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. Restrictions apply to the subject distinguished name and apply to subject alternative names. Restrictions apply only when the specified name form is present. If no name of the type is in the certificate, the certificate is acceptable.

Name constraints are not applied to self-issued certificates (unless the certificate is the final certificate in the path). (This could prevent CAs that use name constraints from employing self-issued certificates to implement key rollover.)

Restrictions are defined in terms of permitted or excluded name subtrees. Any name matching a restriction in the excludedSubtrees field is invalid regardless of information appearing in the permittedSubtrees. Conforming CAs MUST mark this extension as critical and SHOULD NOT impose name constraints on the x400Address, ediPartyName, or registeredID name forms. Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence. That is, either the permittedSubtrees field or the excludedSubtrees MUST be present.

You can use this class to parse an existing extension for easy access to its contents, or to create a new one.
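The RFC text above describes how permitted and excluded subtrees interact; the following is an added example (not code from r509 or this page) that applies those rules to candidate subject/SAN names using the same hash shape as the constructor options below. The checker, its module name, and the "address/netmask" string form for IP constraints are assumptions made here; the sample CA constraints and leaf names are constructed for illustration.

```ruby
require 'ipaddr'

# Name-constraint checker following RFC 5280 4.2.1.10.
# Names and constraints use the same hash shape as this page's constructor
# options: { :type => 'DNS' | 'IP' | ..., :value => ... }. IP constraint values
# are written "address/netmask" with a full mask (assumed format, matching the
# page's note that a netmask is required).
module NameConstraintCheck
  # Name forms the RFC says conforming CAs SHOULD NOT constrain
  DISCOURAGED_FORMS = %w[x400Address ediPartyName registeredID].freeze

  # A DNS name satisfies a DNS constraint when it equals the constraint or adds
  # one or more labels to its left-hand side (www.host.example.com vs host.example.com).
  def self.dns_match?(name, constraint)
    n = name.downcase
    c = constraint.downcase
    n == c || n.end_with?(".#{c}")
  end

  # An IP name matches when it falls inside the constraint's address/mask range.
  def self.ip_match?(name, constraint)
    IPAddr.new(constraint).include?(IPAddr.new(name))
  rescue IPAddr::Error
    false
  end

  def self.match?(name, constraint)
    return false unless name[:type] == constraint[:type]
    case constraint[:type]
    when 'DNS' then dns_match?(name[:value], constraint[:value])
    when 'IP'  then ip_match?(name[:value], constraint[:value])
    else false # other name forms are outside this example
    end
  end

  # Evaluate one subject or SAN name against { :permitted => [...], :excluded => [...] }.
  # Returns [accepted, reason].
  def self.check_name(name, constraints)
    permitted = constraints.fetch(:permitted, [])
    excluded  = constraints.fetch(:excluded, [])

    # excludedSubtrees win regardless of permittedSubtrees
    hit = excluded.find { |c| match?(name, c) }
    return [false, "excluded by #{hit[:value]}"] if hit

    # permittedSubtrees only restrict name forms they actually list
    same_form = permitted.select { |c| c[:type] == name[:type] }
    return [true, "no permitted subtree for #{name[:type]}"] if same_form.empty?
    return [true, 'inside a permitted subtree'] if same_form.any? { |c| match?(name, c) }

    [false, "outside every permitted #{name[:type]} subtree"]
  end

  # True only when every name in the would-be certificate is acceptable.
  def self.acceptable?(names, constraints)
    names.all? { |n| check_name(n, constraints).first }
  end

  # Flags an extension hash (the shape to_h produces) against the RFC rules quoted above.
  def self.conformance_issues(ext)
    issues = []
    issues << 'extension is not marked critical' unless ext[:critical]
    if ext.fetch(:permitted, []).empty? && ext.fetch(:excluded, []).empty?
      issues << 'both permittedSubtrees and excludedSubtrees are absent'
    end
    forms = (ext.fetch(:permitted, []) + ext.fetch(:excluded, [])).map { |c| c[:type] }
    (forms & DISCOURAGED_FORMS).each { |f| issues << "constraint on discouraged name form #{f}" }
    issues
  end
end

# Constructed sample data: a CA constrained to example.com and 10.0.0.0/16,
# with one subdomain carved out.
SAMPLE_CONSTRAINTS = {
  :critical  => false,
  :permitted => [
    { :type => 'DNS', :value => 'example.com' },
    { :type => 'IP',  :value => '10.0.0.0/255.255.0.0' }
  ],
  :excluded  => [
    { :type => 'DNS', :value => 'internal.example.com' }
  ]
}.freeze

SAMPLE_LEAF_NAMES = [
  { :type => 'DNS', :value => 'www.example.com' },
  { :type => 'IP',  :value => '10.0.5.1' }
].freeze

if __FILE__ == $0
  SAMPLE_LEAF_NAMES.each do |n|
    ok, why = NameConstraintCheck.check_name(n, SAMPLE_CONSTRAINTS)
    puts "#{n[:type]}:#{n[:value]} -> #{ok ? 'accept' : 'reject'} (#{why})"
  end
  puts "conformance issues: #{NameConstraintCheck.conformance_issues(SAMPLE_CONSTRAINTS).inspect}"
end
```

Only the plain RFC form of DNS constraints (host.example.com) is handled; leading-dot forms that some implementations accept are not. conformance_issues reports the sample extension as non-critical, which is exactly the gap between the `:critical => false` default and the RFC's MUST quoted above.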

Constant Summary

OID =

friendly name for the nameConstraints OID

"nameConstraints"


Constructor Details

- (NameConstraints) initialize(arg)

Note:

When supplying an IP you must supply a full netmask in addition to the IP (both IPv4 and IPv6 are supported).

Note:

When supplying a dirName, the value is an R509::Subject or the hash used to build one.

A new instance of NameConstraints

Examples:

R509::Cert::Extensions::NameConstraints.new(
  :critical => false,
  :permitted => [
    { :type => 'dirName', :value => { :CN => 'myCN', :O => 'org' } }
  ]
)
R509::Cert::Extensions::NameConstraints.new(
  :critical => false,
  :permitted => [
    { :type => 'dirName', :value => { :CN => 'myCN', :O => 'org' } }
  ],
  :excluded => [
    { :type => 'DNS', :value => 'domain.com' }
  ]
)

Parameters:

  • arg (Hash)

    a customizable set of options

Options Hash (arg):

  • :permitted (Array, R509::ASN1::GeneralNames)

    Array of hashes (see examples) or GeneralNames object

  • :excluded (Array, R509::ASN1::GeneralNames)

    Array of hashes (see examples) or GeneralNames object

  • :critical (Boolean) — default: false


# File 'lib/r509/cert/extensions/name_constraints.rb', line 65

def initialize(arg)
  # accept either an existing extension object or an options hash
  # (see the examples above) that is first built into one
  if not R509::Cert::Extensions.is_extension?(arg)
    arg = build_extension(arg)
  end
  super(arg)

  # populate @permitted and @excluded from the encoded extension value
  parse_extension
end

Instance Attribute Details

- (R509::ASN1::GeneralNames?) excluded (readonly)

Returns:

  • (R509::ASN1::GeneralNames?)

# File 'lib/r509/cert/extensions/name_constraints.rb', line 40

def excluded
  @excluded
end

- (R509::ASN1::GeneralNames?) permitted (readonly)

Returns:

  • (R509::ASN1::GeneralNames?)

# File 'lib/r509/cert/extensions/name_constraints.rb', line 40

def permitted
  @permitted
end

Instance Method Details

- (Hash) to_h

Returns:

  • (Hash)


# File 'lib/r509/cert/extensions/name_constraints.rb', line 75

def to_h
  hash = { :critical => self.critical? }
  # only emit the subtree lists that are actually populated
  hash[:permitted] = R509::Cert::Extensions.names_to_h(@permitted.names) unless @permitted.names.empty?
  hash[:excluded] = R509::Cert::Extensions.names_to_h(@excluded.names) unless @excluded.names.empty?
  hash
end

- (YAML) to_yaml

Returns:

  • (YAML)


# File 'lib/r509/cert/extensions/name_constraints.rb', line 83

def to_yaml
  self.to_h.to_yaml
end