Class CertificateValidationContext.Builder

    • Constructor Detail

      • Builder

        private Builder()
      • Builder

        private Builder​(com.google.protobuf.AbstractMessage.BuilderParent parent)
    • Method Detail

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
      • maybeForceBuilderInitialization

        private void maybeForceBuilderInitialization()
      • getDescriptorForType

        public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
        Specified by:
        getDescriptorForType in interface com.google.protobuf.Message.Builder
        Specified by:
        getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getDescriptorForType in class com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
      • getDefaultInstanceForType

        public CertificateValidationContext getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder
      • build

        public CertificateValidationContext build()
        Specified by:
        build in interface com.google.protobuf.Message.Builder
        Specified by:
        build in interface com.google.protobuf.MessageLite.Builder
      • buildPartial

        public CertificateValidationContext buildPartial()
        Specified by:
        buildPartial in interface com.google.protobuf.Message.Builder
        Specified by:
        buildPartial in interface com.google.protobuf.MessageLite.Builder
      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
      • mergeFrom

        public CertificateValidationContext.Builder mergeFrom​(com.google.protobuf.CodedInputStream input,
                                                              com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                                       throws java.io.IOException
        Specified by:
        mergeFrom in interface com.google.protobuf.Message.Builder
        Specified by:
        mergeFrom in interface com.google.protobuf.MessageLite.Builder
        Overrides:
        mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>
        Throws:
        java.io.IOException
      • hasTrustedCa

        public boolean hasTrustedCa()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
        Specified by:
        hasTrustedCa in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the trustedCa field is set.
      • getTrustedCa

        public DataSource getTrustedCa()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
        Specified by:
        getTrustedCa in interface CertificateValidationContextOrBuilder
        Returns:
        The trustedCa.
      • setTrustedCa

        public CertificateValidationContext.Builder setTrustedCa​(DataSource value)
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      • setTrustedCa

        public CertificateValidationContext.Builder setTrustedCa​(DataSource.Builder builderForValue)
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      • mergeTrustedCa

        public CertificateValidationContext.Builder mergeTrustedCa​(DataSource value)
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      • clearTrustedCa

        public CertificateValidationContext.Builder clearTrustedCa()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      • getTrustedCaBuilder

        public DataSource.Builder getTrustedCaBuilder()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      • getTrustedCaOrBuilder

        public DataSourceOrBuilder getTrustedCaOrBuilder()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
        Specified by:
        getTrustedCaOrBuilder in interface CertificateValidationContextOrBuilder
      • getTrustedCaFieldBuilder

        private com.google.protobuf.SingleFieldBuilder<DataSource,​DataSource.Builder,​DataSourceOrBuilder> getTrustedCaFieldBuilder()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
         specified.
        
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs. Note
         that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
         provided for all certificate authorities in that chain. Failure to do so will result in
         verification failure for both revoked and unrevoked certificates from that chain.
         The behavior of requiring all certificates to contain CRLs can be altered by
         setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
         true. If set to true, only the final certificate in the chain undergoes CRL verification.
        
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
        
         If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
        
         X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
         can be treated as trust anchor as well. It allows verification with building valid partial chain instead
         of a full chain.
        
         If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
         
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      • hasCaCertificateProviderInstance

        public boolean hasCaCertificateProviderInstance()
         Certificate provider instance for fetching TLS certificates.
        
         If set, takes precedence over ``trusted_ca``.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
        Specified by:
        hasCaCertificateProviderInstance in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the caCertificateProviderInstance field is set.
      • getCaCertificateProviderInstance

        public CertificateProviderPluginInstance getCaCertificateProviderInstance()
         Certificate provider instance for fetching TLS certificates.
        
         If set, takes precedence over ``trusted_ca``.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
        Specified by:
        getCaCertificateProviderInstance in interface CertificateValidationContextOrBuilder
        Returns:
        The caCertificateProviderInstance.
      • setCaCertificateProviderInstance

        public CertificateValidationContext.Builder setCaCertificateProviderInstance​(CertificateProviderPluginInstance value)
         Certificate provider instance for fetching TLS certificates.
        
         If set, takes precedence over ``trusted_ca``.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
      • setCaCertificateProviderInstance

        public CertificateValidationContext.Builder setCaCertificateProviderInstance​(CertificateProviderPluginInstance.Builder builderForValue)
         Certificate provider instance for fetching TLS certificates.
        
         If set, takes precedence over ``trusted_ca``.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
      • mergeCaCertificateProviderInstance

        public CertificateValidationContext.Builder mergeCaCertificateProviderInstance​(CertificateProviderPluginInstance value)
         Certificate provider instance for fetching TLS certificates.
        
         If set, takes precedence over ``trusted_ca``.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
      • clearCaCertificateProviderInstance

        public CertificateValidationContext.Builder clearCaCertificateProviderInstance()
         Certificate provider instance for fetching TLS certificates.
        
         If set, takes precedence over ``trusted_ca``.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
      • getCaCertificateProviderInstanceBuilder

        public CertificateProviderPluginInstance.Builder getCaCertificateProviderInstanceBuilder()
         Certificate provider instance for fetching TLS certificates.
        
         If set, takes precedence over ``trusted_ca``.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
      • hasSystemRootCerts

        public boolean hasSystemRootCerts()
         Use system root certs for validation.
         If present, system root certs are used only if neither of the ``trusted_ca``
         or ``ca_certificate_provider_instance`` fields are set.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
        Specified by:
        hasSystemRootCerts in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the systemRootCerts field is set.
      • getSystemRootCerts

        public CertificateValidationContext.SystemRootCerts getSystemRootCerts()
         Use system root certs for validation.
         If present, system root certs are used only if neither of the ``trusted_ca``
         or ``ca_certificate_provider_instance`` fields are set.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
        Specified by:
        getSystemRootCerts in interface CertificateValidationContextOrBuilder
        Returns:
        The systemRootCerts.
      • setSystemRootCerts

        public CertificateValidationContext.Builder setSystemRootCerts​(CertificateValidationContext.SystemRootCerts value)
         Use system root certs for validation.
         If present, system root certs are used only if neither of the ``trusted_ca``
         or ``ca_certificate_provider_instance`` fields are set.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
      • setSystemRootCerts

        public CertificateValidationContext.Builder setSystemRootCerts​(CertificateValidationContext.SystemRootCerts.Builder builderForValue)
         Use system root certs for validation.
         If present, system root certs are used only if neither of the ``trusted_ca``
         or ``ca_certificate_provider_instance`` fields are set.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
      • mergeSystemRootCerts

        public CertificateValidationContext.Builder mergeSystemRootCerts​(CertificateValidationContext.SystemRootCerts value)
         Use system root certs for validation.
         If present, system root certs are used only if neither of the ``trusted_ca``
         or ``ca_certificate_provider_instance`` fields are set.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
      • clearSystemRootCerts

        public CertificateValidationContext.Builder clearSystemRootCerts()
         Use system root certs for validation.
         If present, system root certs are used only if neither of the ``trusted_ca``
         or ``ca_certificate_provider_instance`` fields are set.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
      • getSystemRootCertsBuilder

        public CertificateValidationContext.SystemRootCerts.Builder getSystemRootCertsBuilder()
         Use system root certs for validation.
         If present, system root certs are used only if neither of the ``trusted_ca``
         or ``ca_certificate_provider_instance`` fields are set.
         [#not-implemented-hide:]
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
      • hasWatchedDirectory

        public boolean hasWatchedDirectory()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
        Specified by:
        hasWatchedDirectory in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the watchedDirectory field is set.
      • getWatchedDirectory

        public WatchedDirectory getWatchedDirectory()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
        Specified by:
        getWatchedDirectory in interface CertificateValidationContextOrBuilder
        Returns:
        The watchedDirectory.
      • setWatchedDirectory

        public CertificateValidationContext.Builder setWatchedDirectory​(WatchedDirectory value)
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      • setWatchedDirectory

        public CertificateValidationContext.Builder setWatchedDirectory​(WatchedDirectory.Builder builderForValue)
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      • mergeWatchedDirectory

        public CertificateValidationContext.Builder mergeWatchedDirectory​(WatchedDirectory value)
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      • clearWatchedDirectory

        public CertificateValidationContext.Builder clearWatchedDirectory()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      • getWatchedDirectoryBuilder

        public WatchedDirectory.Builder getWatchedDirectoryBuilder()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      • getWatchedDirectoryOrBuilder

        public WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
        Specified by:
        getWatchedDirectoryOrBuilder in interface CertificateValidationContextOrBuilder
      • getWatchedDirectoryFieldBuilder

        private com.google.protobuf.SingleFieldBuilder<WatchedDirectory,​WatchedDirectory.Builder,​WatchedDirectoryOrBuilder> getWatchedDirectoryFieldBuilder()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
         by this watch. This allows explicit control over the path watched, by
         default the parent directory of the filesystem path in ``trusted_ca`` is
         watched if this field is not specified. This only applies when a
         ``CertificateValidationContext`` is delivered by SDS with references to
         filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
         documentation for further details.
         
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      • ensureVerifyCertificateSpkiIsMutable

        private void ensureVerifyCertificateSpkiIsMutable()
      • getVerifyCertificateSpkiList

        public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateSpkiList in interface CertificateValidationContextOrBuilder
        Returns:
        A list containing the verifyCertificateSpki.
      • getVerifyCertificateSpkiCount

        public int getVerifyCertificateSpkiCount()
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateSpkiCount in interface CertificateValidationContextOrBuilder
        Returns:
        The count of verifyCertificateSpki.
      • getVerifyCertificateSpki

        public java.lang.String getVerifyCertificateSpki​(int index)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateSpki in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The verifyCertificateSpki at the given index.
      • getVerifyCertificateSpkiBytes

        public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes​(int index)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateSpkiBytes in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the verifyCertificateSpki at the given index.
      • setVerifyCertificateSpki

        public CertificateValidationContext.Builder setVerifyCertificateSpki​(int index,
                                                                             java.lang.String value)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Parameters:
        index - The index to set the value at.
        value - The verifyCertificateSpki to set.
        Returns:
        This builder for chaining.
      • addVerifyCertificateSpki

        public CertificateValidationContext.Builder addVerifyCertificateSpki​(java.lang.String value)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Parameters:
        value - The verifyCertificateSpki to add.
        Returns:
        This builder for chaining.
      • addAllVerifyCertificateSpki

        public CertificateValidationContext.Builder addAllVerifyCertificateSpki​(java.lang.Iterable<java.lang.String> values)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Parameters:
        values - The verifyCertificateSpki to add.
        Returns:
        This builder for chaining.
      • clearVerifyCertificateSpki

        public CertificateValidationContext.Builder clearVerifyCertificateSpki()
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Returns:
        This builder for chaining.
      • addVerifyCertificateSpkiBytes

        public CertificateValidationContext.Builder addVerifyCertificateSpkiBytes​(com.google.protobuf.ByteString value)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
        
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -pubkey
         | openssl pkey -pubin -outform DER
         | openssl dgst -sha256 -binary
         | openssl enc -base64
         NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
        
         This is the format used in HTTP Public Key Pinning.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
        
         .. attention::
        
         This option is preferred over :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
         because SPKI is tied to a private key, so it doesn't change when the certificate
         is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Parameters:
        value - The bytes of the verifyCertificateSpki to add.
        Returns:
        This builder for chaining.
      • ensureVerifyCertificateHashIsMutable

        private void ensureVerifyCertificateHashIsMutable()
      • getVerifyCertificateHashList

        public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateHashList in interface CertificateValidationContextOrBuilder
        Returns:
        A list containing the verifyCertificateHash.
      • getVerifyCertificateHashCount

        public int getVerifyCertificateHashCount()
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateHashCount in interface CertificateValidationContextOrBuilder
        Returns:
        The count of verifyCertificateHash.
      • getVerifyCertificateHash

        public java.lang.String getVerifyCertificateHash​(int index)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateHash in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The verifyCertificateHash at the given index.
      • getVerifyCertificateHashBytes

        public com.google.protobuf.ByteString getVerifyCertificateHashBytes​(int index)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateHashBytes in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the verifyCertificateHash at the given index.
      • setVerifyCertificateHash

        public CertificateValidationContext.Builder setVerifyCertificateHash​(int index,
                                                                             java.lang.String value)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Parameters:
        index - The index to set the value at.
        value - The verifyCertificateHash to set.
        Returns:
        This builder for chaining.
      • addVerifyCertificateHash

        public CertificateValidationContext.Builder addVerifyCertificateHash​(java.lang.String value)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Parameters:
        value - The verifyCertificateHash to add.
        Returns:
        This builder for chaining.
      • addAllVerifyCertificateHash

        public CertificateValidationContext.Builder addAllVerifyCertificateHash​(java.lang.Iterable<java.lang.String> values)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Parameters:
        values - The verifyCertificateHash to add.
        Returns:
        This builder for chaining.
      • clearVerifyCertificateHash

        public CertificateValidationContext.Builder clearVerifyCertificateHash()
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Returns:
        This builder for chaining.
      • addVerifyCertificateHashBytes

        public CertificateValidationContext.Builder addVerifyCertificateHashBytes​(com.google.protobuf.ByteString value)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
        
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
         df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
        
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
        
         .. code-block:: bash
        
         $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
         DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
        
         Both of those formats are acceptable.
        
         When both:
         :ref:`verify_certificate_hash
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Parameters:
        value - The bytes of the verifyCertificateHash to add.
        Returns:
        This builder for chaining.
      • ensureMatchTypedSubjectAltNamesIsMutable

        private void ensureMatchTypedSubjectAltNamesIsMutable()
      • getMatchTypedSubjectAltNamesList

        public java.util.List<SubjectAltNameMatcher> getMatchTypedSubjectAltNamesList()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
        Specified by:
        getMatchTypedSubjectAltNamesList in interface CertificateValidationContextOrBuilder
      • getMatchTypedSubjectAltNamesCount

        public int getMatchTypedSubjectAltNamesCount()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
        Specified by:
        getMatchTypedSubjectAltNamesCount in interface CertificateValidationContextOrBuilder
      • getMatchTypedSubjectAltNames

        public SubjectAltNameMatcher getMatchTypedSubjectAltNames​(int index)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
        Specified by:
        getMatchTypedSubjectAltNames in interface CertificateValidationContextOrBuilder
      • setMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder setMatchTypedSubjectAltNames​(int index,
                                                                                 SubjectAltNameMatcher value)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • setMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder setMatchTypedSubjectAltNames​(int index,
                                                                                 SubjectAltNameMatcher.Builder builderForValue)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • addMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder addMatchTypedSubjectAltNames​(SubjectAltNameMatcher value)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • addMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder addMatchTypedSubjectAltNames​(int index,
                                                                                 SubjectAltNameMatcher value)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • addMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder addMatchTypedSubjectAltNames​(SubjectAltNameMatcher.Builder builderForValue)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • addMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder addMatchTypedSubjectAltNames​(int index,
                                                                                 SubjectAltNameMatcher.Builder builderForValue)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • addAllMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder addAllMatchTypedSubjectAltNames​(java.lang.Iterable<? extends SubjectAltNameMatcher> values)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • clearMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder clearMatchTypedSubjectAltNames()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • removeMatchTypedSubjectAltNames

        public CertificateValidationContext.Builder removeMatchTypedSubjectAltNames​(int index)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • getMatchTypedSubjectAltNamesBuilder

        public SubjectAltNameMatcher.Builder getMatchTypedSubjectAltNamesBuilder​(int index)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • getMatchTypedSubjectAltNamesOrBuilder

        public SubjectAltNameMatcherOrBuilder getMatchTypedSubjectAltNamesOrBuilder​(int index)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
        Specified by:
        getMatchTypedSubjectAltNamesOrBuilder in interface CertificateValidationContextOrBuilder
      • getMatchTypedSubjectAltNamesOrBuilderList

        public java.util.List<? extends SubjectAltNameMatcherOrBuilder> getMatchTypedSubjectAltNamesOrBuilderList()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
        Specified by:
        getMatchTypedSubjectAltNamesOrBuilderList in interface CertificateValidationContextOrBuilder
      • addMatchTypedSubjectAltNamesBuilder

        public SubjectAltNameMatcher.Builder addMatchTypedSubjectAltNamesBuilder()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • addMatchTypedSubjectAltNamesBuilder

        public SubjectAltNameMatcher.Builder addMatchTypedSubjectAltNamesBuilder​(int index)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • getMatchTypedSubjectAltNamesBuilderList

        public java.util.List<SubjectAltNameMatcher.Builder> getMatchTypedSubjectAltNamesBuilderList()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matchers.
         The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
         matched.
        
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
        
         .. code-block:: yaml
        
         match_typed_subject_alt_names:
         - san_type: DNS
         matcher:
         exact: "api.example.com"
        
         .. attention::
        
         Subject Alternative Names are easily spoofable and verifying only them is insecure,
         therefore this option must be used together with :ref:`trusted_ca
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      • ensureMatchSubjectAltNamesIsMutable

        private void ensureMatchSubjectAltNamesIsMutable()
      • getMatchSubjectAltNamesList

        @Deprecated
        public java.util.List<StringMatcher> getMatchSubjectAltNamesList()
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
        Specified by:
        getMatchSubjectAltNamesList in interface CertificateValidationContextOrBuilder
      • getMatchSubjectAltNamesCount

        @Deprecated
        public int getMatchSubjectAltNamesCount()
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
        Specified by:
        getMatchSubjectAltNamesCount in interface CertificateValidationContextOrBuilder
      • getMatchSubjectAltNames

        @Deprecated
        public StringMatcher getMatchSubjectAltNames​(int index)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
        Specified by:
        getMatchSubjectAltNames in interface CertificateValidationContextOrBuilder
      • setMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder setMatchSubjectAltNames​(int index,
                                                                            StringMatcher value)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • setMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder setMatchSubjectAltNames​(int index,
                                                                            StringMatcher.Builder builderForValue)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • addMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder addMatchSubjectAltNames​(StringMatcher value)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • addMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder addMatchSubjectAltNames​(int index,
                                                                            StringMatcher value)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • addMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder addMatchSubjectAltNames​(StringMatcher.Builder builderForValue)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • addMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder addMatchSubjectAltNames​(int index,
                                                                            StringMatcher.Builder builderForValue)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • addAllMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder addAllMatchSubjectAltNames​(java.lang.Iterable<? extends StringMatcher> values)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • clearMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder clearMatchSubjectAltNames()
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • removeMatchSubjectAltNames

        @Deprecated
        public CertificateValidationContext.Builder removeMatchSubjectAltNames​(int index)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • getMatchSubjectAltNamesBuilder

        @Deprecated
        public StringMatcher.Builder getMatchSubjectAltNamesBuilder​(int index)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • getMatchSubjectAltNamesOrBuilder

        @Deprecated
        public StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder​(int index)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
        Specified by:
        getMatchSubjectAltNamesOrBuilder in interface CertificateValidationContextOrBuilder
      • getMatchSubjectAltNamesOrBuilderList

        @Deprecated
        public java.util.List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
        Specified by:
        getMatchSubjectAltNamesOrBuilderList in interface CertificateValidationContextOrBuilder
      • addMatchSubjectAltNamesBuilder

        @Deprecated
        public StringMatcher.Builder addMatchSubjectAltNamesBuilder()
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • addMatchSubjectAltNamesBuilder

        @Deprecated
        public StringMatcher.Builder addMatchSubjectAltNamesBuilder​(int index)
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • getMatchSubjectAltNamesBuilderList

        @Deprecated
        public java.util.List<StringMatcher.Builder> getMatchSubjectAltNamesBuilderList()
        Deprecated.
         This field is deprecated in favor of
         :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
         Note that if both this field and :ref:`match_typed_subject_alt_names
         <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
         are specified, the former (deprecated field) is ignored.
         
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      • hasRequireSignedCertificateTimestamp

        public boolean hasRequireSignedCertificateTimestamp()
         [#not-implemented-hide:] Must present signed certificate time-stamp.
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
        Specified by:
        hasRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the requireSignedCertificateTimestamp field is set.
      • getRequireSignedCertificateTimestamp

        public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
         [#not-implemented-hide:] Must present signed certificate time-stamp.
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
        Specified by:
        getRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder
        Returns:
        The requireSignedCertificateTimestamp.
      • setRequireSignedCertificateTimestamp

        public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp​(com.google.protobuf.BoolValue value)
         [#not-implemented-hide:] Must present signed certificate time-stamp.
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      • setRequireSignedCertificateTimestamp

        public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp​(com.google.protobuf.BoolValue.Builder builderForValue)
         [#not-implemented-hide:] Must present signed certificate time-stamp.
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      • mergeRequireSignedCertificateTimestamp

        public CertificateValidationContext.Builder mergeRequireSignedCertificateTimestamp​(com.google.protobuf.BoolValue value)
         [#not-implemented-hide:] Must present signed certificate time-stamp.
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      • clearRequireSignedCertificateTimestamp

        public CertificateValidationContext.Builder clearRequireSignedCertificateTimestamp()
         [#not-implemented-hide:] Must present signed certificate time-stamp.
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      • getRequireSignedCertificateTimestampBuilder

        public com.google.protobuf.BoolValue.Builder getRequireSignedCertificateTimestampBuilder()
         [#not-implemented-hide:] Must present signed certificate time-stamp.
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      • getRequireSignedCertificateTimestampFieldBuilder

        private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.BoolValue,​com.google.protobuf.BoolValue.Builder,​com.google.protobuf.BoolValueOrBuilder> getRequireSignedCertificateTimestampFieldBuilder()
         [#not-implemented-hide:] Must present signed certificate time-stamp.
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      • hasCrl

        public boolean hasCrl()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
        Specified by:
        hasCrl in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the crl field is set.
      • getCrl

        public DataSource getCrl()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
        Specified by:
        getCrl in interface CertificateValidationContextOrBuilder
        Returns:
        The crl.
      • setCrl

        public CertificateValidationContext.Builder setCrl​(DataSource value)
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
      • setCrl

        public CertificateValidationContext.Builder setCrl​(DataSource.Builder builderForValue)
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
      • mergeCrl

        public CertificateValidationContext.Builder mergeCrl​(DataSource value)
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
      • clearCrl

        public CertificateValidationContext.Builder clearCrl()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
      • getCrlBuilder

        public DataSource.Builder getCrlBuilder()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
      • getCrlOrBuilder

        public DataSourceOrBuilder getCrlOrBuilder()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
        Specified by:
        getCrlOrBuilder in interface CertificateValidationContextOrBuilder
      • getCrlFieldBuilder

        private com.google.protobuf.SingleFieldBuilder<DataSource,​DataSource.Builder,​DataSourceOrBuilder> getCrlFieldBuilder()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used. Note that if a CRL is provided
         for any certificate authority in a trust chain, a CRL must be provided
         for all certificate authorities in that chain. Failure to do so will
         result in verification failure for both revoked and unrevoked certificates
         from that chain. This default behavior can be altered by setting
         :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
         true.
        
         If ``crl`` is a filesystem path, a watch will be added to the parent
         directory for any file moves to support rotation. This currently only
         applies to dynamic secrets, when the ``CertificateValidationContext`` is
         delivered via SDS.
         
        .envoy.config.core.v3.DataSource crl = 7;
      • setAllowExpiredCertificate

        public CertificateValidationContext.Builder setAllowExpiredCertificate​(boolean value)
         If specified, Envoy will not reject expired certificates.
         
        bool allow_expired_certificate = 8;
        Parameters:
        value - The allowExpiredCertificate to set.
        Returns:
        This builder for chaining.
      • clearAllowExpiredCertificate

        public CertificateValidationContext.Builder clearAllowExpiredCertificate()
         If specified, Envoy will not reject expired certificates.
         
        bool allow_expired_certificate = 8;
        Returns:
        This builder for chaining.
      • getTrustChainVerificationValue

        public int getTrustChainVerificationValue()
         Certificate trust chain verification mode.
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
        Specified by:
        getTrustChainVerificationValue in interface CertificateValidationContextOrBuilder
        Returns:
        The enum numeric value on the wire for trustChainVerification.
      • setTrustChainVerificationValue

        public CertificateValidationContext.Builder setTrustChainVerificationValue​(int value)
         Certificate trust chain verification mode.
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
        Parameters:
        value - The enum numeric value on the wire for trustChainVerification to set.
        Returns:
        This builder for chaining.
      • setTrustChainVerification

        public CertificateValidationContext.Builder setTrustChainVerification​(CertificateValidationContext.TrustChainVerification value)
         Certificate trust chain verification mode.
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
        Parameters:
        value - The trustChainVerification to set.
        Returns:
        This builder for chaining.
      • clearTrustChainVerification

        public CertificateValidationContext.Builder clearTrustChainVerification()
         Certificate trust chain verification mode.
         
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
        Returns:
        This builder for chaining.
      • hasCustomValidatorConfig

        public boolean hasCustomValidatorConfig()
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
        Specified by:
        hasCustomValidatorConfig in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the customValidatorConfig field is set.
      • getCustomValidatorConfig

        public TypedExtensionConfig getCustomValidatorConfig()
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
        Specified by:
        getCustomValidatorConfig in interface CertificateValidationContextOrBuilder
        Returns:
        The customValidatorConfig.
      • setCustomValidatorConfig

        public CertificateValidationContext.Builder setCustomValidatorConfig​(TypedExtensionConfig value)
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      • setCustomValidatorConfig

        public CertificateValidationContext.Builder setCustomValidatorConfig​(TypedExtensionConfig.Builder builderForValue)
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      • mergeCustomValidatorConfig

        public CertificateValidationContext.Builder mergeCustomValidatorConfig​(TypedExtensionConfig value)
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      • clearCustomValidatorConfig

        public CertificateValidationContext.Builder clearCustomValidatorConfig()
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      • getCustomValidatorConfigBuilder

        public TypedExtensionConfig.Builder getCustomValidatorConfigBuilder()
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      • getCustomValidatorConfigOrBuilder

        public TypedExtensionConfigOrBuilder getCustomValidatorConfigOrBuilder()
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
        Specified by:
        getCustomValidatorConfigOrBuilder in interface CertificateValidationContextOrBuilder
      • getCustomValidatorConfigFieldBuilder

        private com.google.protobuf.SingleFieldBuilder<TypedExtensionConfig,​TypedExtensionConfig.Builder,​TypedExtensionConfigOrBuilder> getCustomValidatorConfigFieldBuilder()
         The configuration of an extension specific certificate validator.
         If specified, all validation is done by the specified validator,
         and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
         Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
         [#extension-category: envoy.tls.cert_validator]
         
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      • getOnlyVerifyLeafCertCrl

        public boolean getOnlyVerifyLeafCertCrl()
         If this option is set to true, only the certificate at the end of the
         certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
         
        bool only_verify_leaf_cert_crl = 14;
        Specified by:
        getOnlyVerifyLeafCertCrl in interface CertificateValidationContextOrBuilder
        Returns:
        The onlyVerifyLeafCertCrl.
      • setOnlyVerifyLeafCertCrl

        public CertificateValidationContext.Builder setOnlyVerifyLeafCertCrl​(boolean value)
         If this option is set to true, only the certificate at the end of the
         certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
         
        bool only_verify_leaf_cert_crl = 14;
        Parameters:
        value - The onlyVerifyLeafCertCrl to set.
        Returns:
        This builder for chaining.
      • clearOnlyVerifyLeafCertCrl

        public CertificateValidationContext.Builder clearOnlyVerifyLeafCertCrl()
         If this option is set to true, only the certificate at the end of the
         certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
         
        bool only_verify_leaf_cert_crl = 14;
        Returns:
        This builder for chaining.
      • hasMaxVerifyDepth

        public boolean hasMaxVerifyDepth()
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
        Specified by:
        hasMaxVerifyDepth in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the maxVerifyDepth field is set.
      • getMaxVerifyDepth

        public com.google.protobuf.UInt32Value getMaxVerifyDepth()
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
        Specified by:
        getMaxVerifyDepth in interface CertificateValidationContextOrBuilder
        Returns:
        The maxVerifyDepth.
      • setMaxVerifyDepth

        public CertificateValidationContext.Builder setMaxVerifyDepth​(com.google.protobuf.UInt32Value value)
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
      • setMaxVerifyDepth

        public CertificateValidationContext.Builder setMaxVerifyDepth​(com.google.protobuf.UInt32Value.Builder builderForValue)
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
      • mergeMaxVerifyDepth

        public CertificateValidationContext.Builder mergeMaxVerifyDepth​(com.google.protobuf.UInt32Value value)
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
      • clearMaxVerifyDepth

        public CertificateValidationContext.Builder clearMaxVerifyDepth()
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
      • getMaxVerifyDepthBuilder

        public com.google.protobuf.UInt32Value.Builder getMaxVerifyDepthBuilder()
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
      • getMaxVerifyDepthOrBuilder

        public com.google.protobuf.UInt32ValueOrBuilder getMaxVerifyDepthOrBuilder()
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
        Specified by:
        getMaxVerifyDepthOrBuilder in interface CertificateValidationContextOrBuilder
      • getMaxVerifyDepthFieldBuilder

        private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.UInt32Value,​com.google.protobuf.UInt32Value.Builder,​com.google.protobuf.UInt32ValueOrBuilder> getMaxVerifyDepthFieldBuilder()
         Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
         This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
         appears in the chain, but in a depth larger than configured, the certificate validation will fail.
         This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
         in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
         Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
         
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }