Class: R509::Cert::Extensions::NameConstraints

Inherits:
OpenSSL::X509::Extension
  • Object
show all
Defined in:
lib/r509/cert/extensions/name_constraints.rb

Overview

RFC 5280 Description (see: www.ietf.org/rfc/rfc5280.txt)

The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. Restrictions apply to the subject distinguished name and apply to subject alternative names. Restrictions apply only when the specified name form is present. If no name of the type is in the certificate, the certificate is acceptable.

Name constraints are not applied to self-issued certificates (unless the certificate is the final certificate in the path). (This could prevent CAs that use name constraints from employing self-issued certificates to implement key rollover.)

Restrictions are defined in terms of permitted or excluded name subtrees. Any name matching a restriction in the excludedSubtrees field is invalid regardless of information appearing in the permittedSubtrees. Conforming CAs MUST mark this extension as critical and SHOULD NOT impose name constraints on the x400Address, ediPartyName, or registeredID name forms. Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence. That is, either the permittedSubtrees field or the excludedSubtrees MUST be present.

You can use this extension to parse an existing extension for easy access to the contents or create a new one.

Constant Summary

OID =

friendly name for CP OID

"nameConstraints"

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(arg) ⇒ NameConstraints

Note:

When supplying IP you must supply a full netmask in addition to an IP. (both IPv4 and IPv6 supported)

Note:

When supplying dirName the value is an R509::Subject or the hash used to build an R509::Subject

Returns a new instance of NameConstraints

Examples:

R509::Cert::Extensions::NameConstraints.new(
  :critical => false,
  :permitted => [
    { :type => 'dirName', :value => { :CN => 'myCN', :O => 'org' } }
  ]
)
R509::Cert::Extensions::NameConstraints.new(
  :critical => false,
  :permitted => [
    { :type => 'dirName', :value => { :CN => 'myCN', :O => 'org' } }
  ],
  :excluded => [
    { :type => 'DNS', :value => 'domain.com' }
  ]
)

Parameters:

  • arg (Hash)

    a customizable set of options

Options Hash (arg):

  • :permitted (Array, R509::ASN1::GeneralNames)

    Array of hashes (see examples) or GeneralNames object

  • :excluded (Array, R509::ASN1::GeneralNames)

    Array of hashes (see examples) or GeneralNames object

  • :critical (Boolean) — default: false 


64
65
66
67
68
69
70
71
 
# File 'lib/r509/cert/extensions/name_constraints.rb', line 64

def initialize(arg)
  unless R509::Cert::Extensions.is_extension?(arg)
    arg = build_extension(arg)
  end
  super(arg)

  parse_extension
end

Instance Attribute Details

#excludedR509::ASN1::GeneralNames? (readonly)

Returns:



39
40
41
 
# File 'lib/r509/cert/extensions/name_constraints.rb', line 39

def excluded
  @excluded
end

#permittedR509::ASN1::GeneralNames? (readonly)

Returns:



39
40
41
 
# File 'lib/r509/cert/extensions/name_constraints.rb', line 39

def permitted
  @permitted
end

Instance Method Details

#to_hHash

Returns:

  • (Hash) 


74
75
76
77
78
79
 
# File 'lib/r509/cert/extensions/name_constraints.rb', line 74

def to_h
  hash = { :critical => self.critical?  }
  hash[:permitted] = R509::Cert::Extensions.names_to_h(@permitted.names) unless @permitted.names.empty?
  hash[:excluded] = R509::Cert::Extensions.names_to_h(@excluded.names) unless @excluded.names.empty?
  hash
end

#to_yamlYAML

Returns:

  • (YAML) 


82
83
84
 
# File 'lib/r509/cert/extensions/name_constraints.rb', line 82

def to_yaml
  self.to_h.to_yaml
end