CERT_BASIC_CONSTRAINTS_INFO

The CERT_BASIC_CONSTRAINTS_INFO structure contains information indicating whether the certified subject may act as a CA, an end-entity, or both. If the subject may act as a CA, a certification path length constraint may also be specified, as may a set of subtrees within which all subject names in subsequent certificates in a certification path must be located. This extension can be used in validating certificates used to sign other certificates.

When the CryptDecodeObject or CryptDecodeObjectEx function is called on the Value member of a CERT_EXTENSION structure whose pszObjId member is set to "2.5.29.10", the function outputs a CERT_BASIC_CONSTRAINTS_INFO structure.

typedef struct _CERT_BASIC_CONSTRAINTS_INFO {
    CRYPT_BIT_BLOB               SubjectType;
    BOOL                         fPathLenConstraint;
    DWORD                        dwPathLenConstraint;
    DWORD                        cSubtreesConstraint;
    CERT_NAME_BLOB*              rgSubtreesConstraint;
} CERT_BASIC_CONSTRAINTS_INFO, *PCERT_BASIC_CONSTRAINTS_INFO;

Members

SubjectType
Contains two bits of information. The first bit, CERT_CA_SUBJECT_FLAG, when set, indicates that the subject may act as a CA. The second bit, CERT_END_ENTITY_SUBJECT_FLAG, when set, indicates that the subject may act as an end entity.
fPathLenConstraint
A flag indicating that the dwPathLenConstraint field is to be used to limit the allowed length of the certification path.
dwPathLenConstraint
Indicates the maximum number of CA certificates that may follow this certificate in a certification path. A value of zero indicates that the subject of this certificate may issue certificates only to end-entities and not to further CAs.
cSubtreesConstraint
The number of elements in the array rgSubtreesConstraint.
rgSubtreesConstraint
An array of CERT_NAME_BLOB structures associated with subtree constraints.

See Also

BLOB Structure, CRYPT_BIT_BLOB