Class CertificateValidationContext

java.lang.Object
com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessage
com.google.protobuf.GeneratedMessage
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
All Implemented Interfaces:
com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, CertificateValidationContextOrBuilder, Serializable

public final class CertificateValidationContext extends com.google.protobuf.GeneratedMessage implements CertificateValidationContextOrBuilder
 [#next-free-field: 18]
 
Protobuf type envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
See Also:
  • Field Details

    • serialVersionUID

      private static final long serialVersionUID
      See Also:
    • bitField0_

      private int bitField0_
    • TRUSTED_CA_FIELD_NUMBER

      public static final int TRUSTED_CA_FIELD_NUMBER
      See Also:
    • trustedCa_

      private DataSource trustedCa_
    • CA_CERTIFICATE_PROVIDER_INSTANCE_FIELD_NUMBER

      public static final int CA_CERTIFICATE_PROVIDER_INSTANCE_FIELD_NUMBER
      See Also:
    • caCertificateProviderInstance_

      private CertificateProviderPluginInstance caCertificateProviderInstance_
    • SYSTEM_ROOT_CERTS_FIELD_NUMBER

      public static final int SYSTEM_ROOT_CERTS_FIELD_NUMBER
      See Also:
    • systemRootCerts_

    • WATCHED_DIRECTORY_FIELD_NUMBER

      public static final int WATCHED_DIRECTORY_FIELD_NUMBER
      See Also:
    • watchedDirectory_

      private WatchedDirectory watchedDirectory_
    • VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER

      public static final int VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER
      See Also:
    • verifyCertificateSpki_

      private com.google.protobuf.LazyStringArrayList verifyCertificateSpki_
    • VERIFY_CERTIFICATE_HASH_FIELD_NUMBER

      public static final int VERIFY_CERTIFICATE_HASH_FIELD_NUMBER
      See Also:
    • verifyCertificateHash_

      private com.google.protobuf.LazyStringArrayList verifyCertificateHash_
    • MATCH_TYPED_SUBJECT_ALT_NAMES_FIELD_NUMBER

      public static final int MATCH_TYPED_SUBJECT_ALT_NAMES_FIELD_NUMBER
      See Also:
    • matchTypedSubjectAltNames_

      private List<SubjectAltNameMatcher> matchTypedSubjectAltNames_
    • MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER

      public static final int MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER
      See Also:
    • matchSubjectAltNames_

      private List<StringMatcher> matchSubjectAltNames_
    • REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER

      public static final int REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER
      See Also:
    • requireSignedCertificateTimestamp_

      private com.google.protobuf.BoolValue requireSignedCertificateTimestamp_
    • CRL_FIELD_NUMBER

      public static final int CRL_FIELD_NUMBER
      See Also:
    • crl_

      private DataSource crl_
    • ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER

      public static final int ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER
      See Also:
    • allowExpiredCertificate_

      private boolean allowExpiredCertificate_
    • TRUST_CHAIN_VERIFICATION_FIELD_NUMBER

      public static final int TRUST_CHAIN_VERIFICATION_FIELD_NUMBER
      See Also:
    • trustChainVerification_

      private int trustChainVerification_
    • CUSTOM_VALIDATOR_CONFIG_FIELD_NUMBER

      public static final int CUSTOM_VALIDATOR_CONFIG_FIELD_NUMBER
      See Also:
    • customValidatorConfig_

      private TypedExtensionConfig customValidatorConfig_
    • ONLY_VERIFY_LEAF_CERT_CRL_FIELD_NUMBER

      public static final int ONLY_VERIFY_LEAF_CERT_CRL_FIELD_NUMBER
      See Also:
    • onlyVerifyLeafCertCrl_

      private boolean onlyVerifyLeafCertCrl_
    • MAX_VERIFY_DEPTH_FIELD_NUMBER

      public static final int MAX_VERIFY_DEPTH_FIELD_NUMBER
      See Also:
    • maxVerifyDepth_

      private com.google.protobuf.UInt32Value maxVerifyDepth_
    • memoizedIsInitialized

      private byte memoizedIsInitialized
    • DEFAULT_INSTANCE

      private static final CertificateValidationContext DEFAULT_INSTANCE
    • PARSER

      private static final com.google.protobuf.Parser<CertificateValidationContext> PARSER
  • Constructor Details

    • CertificateValidationContext

      private CertificateValidationContext(com.google.protobuf.GeneratedMessage.Builder<?> builder)
    • CertificateValidationContext

      private CertificateValidationContext()
  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessage
    • hasTrustedCa

      public boolean hasTrustedCa()
       TLS certificate data containing certificate authority certificates to use in verifying
       a presented peer certificate (e.g. server certificate for clusters or client certificate
       for listeners). If not specified and a peer certificate is presented it will not be
       verified. By default, a client certificate is optional, unless one of the additional
       options (:ref:`require_client_certificate
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
       :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
       specified.
      
       It can optionally contain certificate revocation lists, in which case Envoy will verify
       that the presented peer certificate has not been revoked by one of the included CRLs. Note
       that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
       provided for all certificate authorities in that chain. Failure to do so will result in
       verification failure for both revoked and unrevoked certificates from that chain.
       The behavior of requiring all certificates to contain CRLs can be altered by
       setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
       true. If set to true, only the final certificate in the chain undergoes CRL verification.
      
       See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
       system CA locations.
      
       If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
       directory for any file moves to support rotation. This currently only
       applies to dynamic secrets, when the ``CertificateValidationContext`` is
       delivered via SDS.
      
       X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
       can be treated as trust anchor as well. It allows verification with building valid partial chain instead
       of a full chain.
      
       If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
       
      .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      Specified by:
      hasTrustedCa in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the trustedCa field is set.
    • getTrustedCa

      public DataSource getTrustedCa()
       TLS certificate data containing certificate authority certificates to use in verifying
       a presented peer certificate (e.g. server certificate for clusters or client certificate
       for listeners). If not specified and a peer certificate is presented it will not be
       verified. By default, a client certificate is optional, unless one of the additional
       options (:ref:`require_client_certificate
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
       :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
       specified.
      
       It can optionally contain certificate revocation lists, in which case Envoy will verify
       that the presented peer certificate has not been revoked by one of the included CRLs. Note
       that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
       provided for all certificate authorities in that chain. Failure to do so will result in
       verification failure for both revoked and unrevoked certificates from that chain.
       The behavior of requiring all certificates to contain CRLs can be altered by
       setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
       true. If set to true, only the final certificate in the chain undergoes CRL verification.
      
       See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
       system CA locations.
      
       If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
       directory for any file moves to support rotation. This currently only
       applies to dynamic secrets, when the ``CertificateValidationContext`` is
       delivered via SDS.
      
       X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
       can be treated as trust anchor as well. It allows verification with building valid partial chain instead
       of a full chain.
      
       If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
       
      .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      Specified by:
      getTrustedCa in interface CertificateValidationContextOrBuilder
      Returns:
      The trustedCa.
    • getTrustedCaOrBuilder

      public DataSourceOrBuilder getTrustedCaOrBuilder()
       TLS certificate data containing certificate authority certificates to use in verifying
       a presented peer certificate (e.g. server certificate for clusters or client certificate
       for listeners). If not specified and a peer certificate is presented it will not be
       verified. By default, a client certificate is optional, unless one of the additional
       options (:ref:`require_client_certificate
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
       :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
       specified.
      
       It can optionally contain certificate revocation lists, in which case Envoy will verify
       that the presented peer certificate has not been revoked by one of the included CRLs. Note
       that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
       provided for all certificate authorities in that chain. Failure to do so will result in
       verification failure for both revoked and unrevoked certificates from that chain.
       The behavior of requiring all certificates to contain CRLs can be altered by
       setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
       true. If set to true, only the final certificate in the chain undergoes CRL verification.
      
       See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
       system CA locations.
      
       If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
       directory for any file moves to support rotation. This currently only
       applies to dynamic secrets, when the ``CertificateValidationContext`` is
       delivered via SDS.
      
       X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
       can be treated as trust anchor as well. It allows verification with building valid partial chain instead
       of a full chain.
      
       If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
       
      .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
      Specified by:
      getTrustedCaOrBuilder in interface CertificateValidationContextOrBuilder
    • hasCaCertificateProviderInstance

      public boolean hasCaCertificateProviderInstance()
       Certificate provider instance for fetching TLS certificates.
      
       If set, takes precedence over ``trusted_ca``.
       [#not-implemented-hide:]
       
      .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
      Specified by:
      hasCaCertificateProviderInstance in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the caCertificateProviderInstance field is set.
    • getCaCertificateProviderInstance

      public CertificateProviderPluginInstance getCaCertificateProviderInstance()
       Certificate provider instance for fetching TLS certificates.
      
       If set, takes precedence over ``trusted_ca``.
       [#not-implemented-hide:]
       
      .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
      Specified by:
      getCaCertificateProviderInstance in interface CertificateValidationContextOrBuilder
      Returns:
      The caCertificateProviderInstance.
    • getCaCertificateProviderInstanceOrBuilder

      public CertificateProviderPluginInstanceOrBuilder getCaCertificateProviderInstanceOrBuilder()
       Certificate provider instance for fetching TLS certificates.
      
       If set, takes precedence over ``trusted_ca``.
       [#not-implemented-hide:]
       
      .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
      Specified by:
      getCaCertificateProviderInstanceOrBuilder in interface CertificateValidationContextOrBuilder
    • hasSystemRootCerts

      public boolean hasSystemRootCerts()
       Use system root certs for validation.
       If present, system root certs are used only if neither of the ``trusted_ca``
       or ``ca_certificate_provider_instance`` fields are set.
       [#not-implemented-hide:]
       
      .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
      Specified by:
      hasSystemRootCerts in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the systemRootCerts field is set.
    • getSystemRootCerts

      public CertificateValidationContext.SystemRootCerts getSystemRootCerts()
       Use system root certs for validation.
       If present, system root certs are used only if neither of the ``trusted_ca``
       or ``ca_certificate_provider_instance`` fields are set.
       [#not-implemented-hide:]
       
      .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
      Specified by:
      getSystemRootCerts in interface CertificateValidationContextOrBuilder
      Returns:
      The systemRootCerts.
    • getSystemRootCertsOrBuilder

      public CertificateValidationContext.SystemRootCertsOrBuilder getSystemRootCertsOrBuilder()
       Use system root certs for validation.
       If present, system root certs are used only if neither of the ``trusted_ca``
       or ``ca_certificate_provider_instance`` fields are set.
       [#not-implemented-hide:]
       
      .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
      Specified by:
      getSystemRootCertsOrBuilder in interface CertificateValidationContextOrBuilder
    • hasWatchedDirectory

      public boolean hasWatchedDirectory()
       If specified, updates of a file-based ``trusted_ca`` source will be triggered
       by this watch. This allows explicit control over the path watched, by
       default the parent directory of the filesystem path in ``trusted_ca`` is
       watched if this field is not specified. This only applies when a
       ``CertificateValidationContext`` is delivered by SDS with references to
       filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
       documentation for further details.
       
      .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      Specified by:
      hasWatchedDirectory in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the watchedDirectory field is set.
    • getWatchedDirectory

      public WatchedDirectory getWatchedDirectory()
       If specified, updates of a file-based ``trusted_ca`` source will be triggered
       by this watch. This allows explicit control over the path watched, by
       default the parent directory of the filesystem path in ``trusted_ca`` is
       watched if this field is not specified. This only applies when a
       ``CertificateValidationContext`` is delivered by SDS with references to
       filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
       documentation for further details.
       
      .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      Specified by:
      getWatchedDirectory in interface CertificateValidationContextOrBuilder
      Returns:
      The watchedDirectory.
    • getWatchedDirectoryOrBuilder

      public WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()
       If specified, updates of a file-based ``trusted_ca`` source will be triggered
       by this watch. This allows explicit control over the path watched, by
       default the parent directory of the filesystem path in ``trusted_ca`` is
       watched if this field is not specified. This only applies when a
       ``CertificateValidationContext`` is delivered by SDS with references to
       filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
       documentation for further details.
       
      .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
      Specified by:
      getWatchedDirectoryOrBuilder in interface CertificateValidationContextOrBuilder
    • getVerifyCertificateSpkiList

      public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
       SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
       matches one of the specified values.
      
       A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
       can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -noout -pubkey
       | openssl pkey -pubin -outform DER
       | openssl dgst -sha256 -binary
       | openssl enc -base64
       NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
      
       This is the format used in HTTP Public Key Pinning.
      
       When both:
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
       a hash matching value from either of the lists will result in the certificate being accepted.
      
       .. attention::
      
       This option is preferred over :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
       because SPKI is tied to a private key, so it doesn't change when the certificate
       is renewed using the same private key.
       
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateSpkiList in interface CertificateValidationContextOrBuilder
      Returns:
      A list containing the verifyCertificateSpki.
    • getVerifyCertificateSpkiCount

      public int getVerifyCertificateSpkiCount()
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
       SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
       matches one of the specified values.
      
       A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
       can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -noout -pubkey
       | openssl pkey -pubin -outform DER
       | openssl dgst -sha256 -binary
       | openssl enc -base64
       NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
      
       This is the format used in HTTP Public Key Pinning.
      
       When both:
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
       a hash matching value from either of the lists will result in the certificate being accepted.
      
       .. attention::
      
       This option is preferred over :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
       because SPKI is tied to a private key, so it doesn't change when the certificate
       is renewed using the same private key.
       
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateSpkiCount in interface CertificateValidationContextOrBuilder
      Returns:
      The count of verifyCertificateSpki.
    • getVerifyCertificateSpki

      public String getVerifyCertificateSpki(int index)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
       SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
       matches one of the specified values.
      
       A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
       can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -noout -pubkey
       | openssl pkey -pubin -outform DER
       | openssl dgst -sha256 -binary
       | openssl enc -base64
       NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
      
       This is the format used in HTTP Public Key Pinning.
      
       When both:
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
       a hash matching value from either of the lists will result in the certificate being accepted.
      
       .. attention::
      
       This option is preferred over :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
       because SPKI is tied to a private key, so it doesn't change when the certificate
       is renewed using the same private key.
       
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateSpki in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The verifyCertificateSpki at the given index.
    • getVerifyCertificateSpkiBytes

      public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
       SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
       matches one of the specified values.
      
       A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
       can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -noout -pubkey
       | openssl pkey -pubin -outform DER
       | openssl dgst -sha256 -binary
       | openssl enc -base64
       NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
      
       This is the format used in HTTP Public Key Pinning.
      
       When both:
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
       a hash matching value from either of the lists will result in the certificate being accepted.
      
       .. attention::
      
       This option is preferred over :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
       because SPKI is tied to a private key, so it doesn't change when the certificate
       is renewed using the same private key.
       
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateSpkiBytes in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the verifyCertificateSpki at the given index.
    • getVerifyCertificateHashList

      public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
       the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
      
       A hex-encoded SHA-256 of the certificate can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
       df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
      
       A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
       can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
       DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
      
       Both of those formats are acceptable.
      
       When both:
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
       a hash matching value from either of the lists will result in the certificate being accepted.
       
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateHashList in interface CertificateValidationContextOrBuilder
      Returns:
      A list containing the verifyCertificateHash.
    • getVerifyCertificateHashCount

      public int getVerifyCertificateHashCount()
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
       the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
      
       A hex-encoded SHA-256 of the certificate can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
       df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
      
       A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
       can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
       DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
      
       Both of those formats are acceptable.
      
       When both:
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
       a hash matching value from either of the lists will result in the certificate being accepted.
       
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateHashCount in interface CertificateValidationContextOrBuilder
      Returns:
      The count of verifyCertificateHash.
    • getVerifyCertificateHash

      public String getVerifyCertificateHash(int index)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
       the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
      
       A hex-encoded SHA-256 of the certificate can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
       df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
      
       A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
       can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
       DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
      
       Both of those formats are acceptable.
      
       When both:
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
       a hash matching value from either of the lists will result in the certificate being accepted.
       
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateHash in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The verifyCertificateHash at the given index.
    • getVerifyCertificateHashBytes

      public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
       the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
      
       A hex-encoded SHA-256 of the certificate can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
       df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
      
       A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
       can be generated with the following command:
      
       .. code-block:: bash
      
       $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
       DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
      
       Both of those formats are acceptable.
      
       When both:
       :ref:`verify_certificate_hash
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
       :ref:`verify_certificate_spki
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
       a hash matching value from either of the lists will result in the certificate being accepted.
       
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateHashBytes in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the verifyCertificateHash at the given index.
    • getMatchTypedSubjectAltNamesList

      public List<SubjectAltNameMatcher> getMatchTypedSubjectAltNamesList()
       An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
       Subject Alternative Name of the presented certificate matches one of the specified matchers.
       The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
       matched.
      
       When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
       configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
       For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
       it should be configured as shown below.
      
       .. code-block:: yaml
      
       match_typed_subject_alt_names:
       - san_type: DNS
       matcher:
       exact: "api.example.com"
      
       .. attention::
      
       Subject Alternative Names are easily spoofable and verifying only them is insecure,
       therefore this option must be used together with :ref:`trusted_ca
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      Specified by:
      getMatchTypedSubjectAltNamesList in interface CertificateValidationContextOrBuilder
    • getMatchTypedSubjectAltNamesOrBuilderList

      public List<? extends SubjectAltNameMatcherOrBuilder> getMatchTypedSubjectAltNamesOrBuilderList()
       An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
       Subject Alternative Name of the presented certificate matches one of the specified matchers.
       The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
       matched.
      
       When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
       configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
       For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
       it should be configured as shown below.
      
       .. code-block:: yaml
      
       match_typed_subject_alt_names:
       - san_type: DNS
       matcher:
       exact: "api.example.com"
      
       .. attention::
      
       Subject Alternative Names are easily spoofable and verifying only them is insecure,
       therefore this option must be used together with :ref:`trusted_ca
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      Specified by:
      getMatchTypedSubjectAltNamesOrBuilderList in interface CertificateValidationContextOrBuilder
    • getMatchTypedSubjectAltNamesCount

      public int getMatchTypedSubjectAltNamesCount()
       An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
       Subject Alternative Name of the presented certificate matches one of the specified matchers.
       The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
       matched.
      
       When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
       configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
       For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
       it should be configured as shown below.
      
       .. code-block:: yaml
      
       match_typed_subject_alt_names:
       - san_type: DNS
       matcher:
       exact: "api.example.com"
      
       .. attention::
      
       Subject Alternative Names are easily spoofable and verifying only them is insecure,
       therefore this option must be used together with :ref:`trusted_ca
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      Specified by:
      getMatchTypedSubjectAltNamesCount in interface CertificateValidationContextOrBuilder
    • getMatchTypedSubjectAltNames

      public SubjectAltNameMatcher getMatchTypedSubjectAltNames(int index)
       An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
       Subject Alternative Name of the presented certificate matches one of the specified matchers.
       The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
       matched.
      
       When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
       configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
       For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
       it should be configured as shown below.
      
       .. code-block:: yaml
      
       match_typed_subject_alt_names:
       - san_type: DNS
       matcher:
       exact: "api.example.com"
      
       .. attention::
      
       Subject Alternative Names are easily spoofable and verifying only them is insecure,
       therefore this option must be used together with :ref:`trusted_ca
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      Specified by:
      getMatchTypedSubjectAltNames in interface CertificateValidationContextOrBuilder
    • getMatchTypedSubjectAltNamesOrBuilder

      public SubjectAltNameMatcherOrBuilder getMatchTypedSubjectAltNamesOrBuilder(int index)
       An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
       Subject Alternative Name of the presented certificate matches one of the specified matchers.
       The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
       matched.
      
       When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
       configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
       For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
       it should be configured as shown below.
      
       .. code-block:: yaml
      
       match_typed_subject_alt_names:
       - san_type: DNS
       matcher:
       exact: "api.example.com"
      
       .. attention::
      
       Subject Alternative Names are easily spoofable and verifying only them is insecure,
       therefore this option must be used together with :ref:`trusted_ca
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
      Specified by:
      getMatchTypedSubjectAltNamesOrBuilder in interface CertificateValidationContextOrBuilder
    • getMatchSubjectAltNamesList

      @Deprecated public List<StringMatcher> getMatchSubjectAltNamesList()
      Deprecated.
       This field is deprecated in favor of
       :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
       Note that if both this field and :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
       are specified, the former (deprecated field) is ignored.
       
      repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      Specified by:
      getMatchSubjectAltNamesList in interface CertificateValidationContextOrBuilder
    • getMatchSubjectAltNamesOrBuilderList

      @Deprecated public List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
      Deprecated.
       This field is deprecated in favor of
       :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
       Note that if both this field and :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
       are specified, the former (deprecated field) is ignored.
       
      repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      Specified by:
      getMatchSubjectAltNamesOrBuilderList in interface CertificateValidationContextOrBuilder
    • getMatchSubjectAltNamesCount

      @Deprecated public int getMatchSubjectAltNamesCount()
      Deprecated.
       This field is deprecated in favor of
       :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
       Note that if both this field and :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
       are specified, the former (deprecated field) is ignored.
       
      repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      Specified by:
      getMatchSubjectAltNamesCount in interface CertificateValidationContextOrBuilder
    • getMatchSubjectAltNames

      @Deprecated public StringMatcher getMatchSubjectAltNames(int index)
      Deprecated.
       This field is deprecated in favor of
       :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
       Note that if both this field and :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
       are specified, the former (deprecated field) is ignored.
       
      repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      Specified by:
      getMatchSubjectAltNames in interface CertificateValidationContextOrBuilder
    • getMatchSubjectAltNamesOrBuilder

      @Deprecated public StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(int index)
      Deprecated.
       This field is deprecated in favor of
       :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
       Note that if both this field and :ref:`match_typed_subject_alt_names
       <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
       are specified, the former (deprecated field) is ignored.
       
      repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
      Specified by:
      getMatchSubjectAltNamesOrBuilder in interface CertificateValidationContextOrBuilder
    • hasRequireSignedCertificateTimestamp

      public boolean hasRequireSignedCertificateTimestamp()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
       
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      Specified by:
      hasRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the requireSignedCertificateTimestamp field is set.
    • getRequireSignedCertificateTimestamp

      public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
       
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      Specified by:
      getRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder
      Returns:
      The requireSignedCertificateTimestamp.
    • getRequireSignedCertificateTimestampOrBuilder

      public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
       
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      Specified by:
      getRequireSignedCertificateTimestampOrBuilder in interface CertificateValidationContextOrBuilder
    • hasCrl

      public boolean hasCrl()
       An optional `certificate revocation list
       <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
       (in PEM format). If specified, Envoy will verify that the presented peer
       certificate has not been revoked by this CRL. If this DataSource contains
       multiple CRLs, all of them will be used. Note that if a CRL is provided
       for any certificate authority in a trust chain, a CRL must be provided
       for all certificate authorities in that chain. Failure to do so will
       result in verification failure for both revoked and unrevoked certificates
       from that chain. This default behavior can be altered by setting
       :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
       true.
      
       If ``crl`` is a filesystem path, a watch will be added to the parent
       directory for any file moves to support rotation. This currently only
       applies to dynamic secrets, when the ``CertificateValidationContext`` is
       delivered via SDS.
       
      .envoy.config.core.v3.DataSource crl = 7;
      Specified by:
      hasCrl in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the crl field is set.
    • getCrl

      public DataSource getCrl()
       An optional `certificate revocation list
       <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
       (in PEM format). If specified, Envoy will verify that the presented peer
       certificate has not been revoked by this CRL. If this DataSource contains
       multiple CRLs, all of them will be used. Note that if a CRL is provided
       for any certificate authority in a trust chain, a CRL must be provided
       for all certificate authorities in that chain. Failure to do so will
       result in verification failure for both revoked and unrevoked certificates
       from that chain. This default behavior can be altered by setting
       :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
       true.
      
       If ``crl`` is a filesystem path, a watch will be added to the parent
       directory for any file moves to support rotation. This currently only
       applies to dynamic secrets, when the ``CertificateValidationContext`` is
       delivered via SDS.
       
      .envoy.config.core.v3.DataSource crl = 7;
      Specified by:
      getCrl in interface CertificateValidationContextOrBuilder
      Returns:
      The crl.
    • getCrlOrBuilder

      public DataSourceOrBuilder getCrlOrBuilder()
       An optional `certificate revocation list
       <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
       (in PEM format). If specified, Envoy will verify that the presented peer
       certificate has not been revoked by this CRL. If this DataSource contains
       multiple CRLs, all of them will be used. Note that if a CRL is provided
       for any certificate authority in a trust chain, a CRL must be provided
       for all certificate authorities in that chain. Failure to do so will
       result in verification failure for both revoked and unrevoked certificates
       from that chain. This default behavior can be altered by setting
       :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
       true.
      
       If ``crl`` is a filesystem path, a watch will be added to the parent
       directory for any file moves to support rotation. This currently only
       applies to dynamic secrets, when the ``CertificateValidationContext`` is
       delivered via SDS.
       
      .envoy.config.core.v3.DataSource crl = 7;
      Specified by:
      getCrlOrBuilder in interface CertificateValidationContextOrBuilder
    • getAllowExpiredCertificate

      public boolean getAllowExpiredCertificate()
       If specified, Envoy will not reject expired certificates.
       
      bool allow_expired_certificate = 8;
      Specified by:
      getAllowExpiredCertificate in interface CertificateValidationContextOrBuilder
      Returns:
      The allowExpiredCertificate.
    • getTrustChainVerificationValue

      public int getTrustChainVerificationValue()
       Certificate trust chain verification mode.
       
      .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Specified by:
      getTrustChainVerificationValue in interface CertificateValidationContextOrBuilder
      Returns:
      The enum numeric value on the wire for trustChainVerification.
    • getTrustChainVerification

      public CertificateValidationContext.TrustChainVerification getTrustChainVerification()
       Certificate trust chain verification mode.
       
      .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Specified by:
      getTrustChainVerification in interface CertificateValidationContextOrBuilder
      Returns:
      The trustChainVerification.
    • hasCustomValidatorConfig

      public boolean hasCustomValidatorConfig()
       The configuration of an extension specific certificate validator.
       If specified, all validation is done by the specified validator,
       and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
       Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
       [#extension-category: envoy.tls.cert_validator]
       
      .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      Specified by:
      hasCustomValidatorConfig in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the customValidatorConfig field is set.
    • getCustomValidatorConfig

      public TypedExtensionConfig getCustomValidatorConfig()
       The configuration of an extension specific certificate validator.
       If specified, all validation is done by the specified validator,
       and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
       Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
       [#extension-category: envoy.tls.cert_validator]
       
      .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      Specified by:
      getCustomValidatorConfig in interface CertificateValidationContextOrBuilder
      Returns:
      The customValidatorConfig.
    • getCustomValidatorConfigOrBuilder

      public TypedExtensionConfigOrBuilder getCustomValidatorConfigOrBuilder()
       The configuration of an extension specific certificate validator.
       If specified, all validation is done by the specified validator,
       and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
       Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
       [#extension-category: envoy.tls.cert_validator]
       
      .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
      Specified by:
      getCustomValidatorConfigOrBuilder in interface CertificateValidationContextOrBuilder
    • getOnlyVerifyLeafCertCrl

      public boolean getOnlyVerifyLeafCertCrl()
       If this option is set to true, only the certificate at the end of the
       certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
       
      bool only_verify_leaf_cert_crl = 14;
      Specified by:
      getOnlyVerifyLeafCertCrl in interface CertificateValidationContextOrBuilder
      Returns:
      The onlyVerifyLeafCertCrl.
    • hasMaxVerifyDepth

      public boolean hasMaxVerifyDepth()
       Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
       This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
       appears in the chain, but in a depth larger than configured, the certificate validation will fail.
       This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
       in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
       Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
       
      .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
      Specified by:
      hasMaxVerifyDepth in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the maxVerifyDepth field is set.
    • getMaxVerifyDepth

      public com.google.protobuf.UInt32Value getMaxVerifyDepth()
       Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
       This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
       appears in the chain, but in a depth larger than configured, the certificate validation will fail.
       This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
       in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
       Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
       
      .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
      Specified by:
      getMaxVerifyDepth in interface CertificateValidationContextOrBuilder
      Returns:
      The maxVerifyDepth.
    • getMaxVerifyDepthOrBuilder

      public com.google.protobuf.UInt32ValueOrBuilder getMaxVerifyDepthOrBuilder()
       Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
       This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
       appears in the chain, but in a depth larger than configured, the certificate validation will fail.
       This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
       in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
       Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
       
      .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
      Specified by:
      getMaxVerifyDepthOrBuilder in interface CertificateValidationContextOrBuilder
    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessage
    • writeTo

      public void writeTo(com.google.protobuf.CodedOutputStream output) throws IOException
      Specified by:
      writeTo in interface com.google.protobuf.MessageLite
      Overrides:
      writeTo in class com.google.protobuf.GeneratedMessage
      Throws:
      IOException
    • getSerializedSize

      public int getSerializedSize()
      Specified by:
      getSerializedSize in interface com.google.protobuf.MessageLite
      Overrides:
      getSerializedSize in class com.google.protobuf.GeneratedMessage
    • equals

      public boolean equals(Object obj)
      Specified by:
      equals in interface com.google.protobuf.Message
      Overrides:
      equals in class com.google.protobuf.AbstractMessage
    • hashCode

      public int hashCode()
      Specified by:
      hashCode in interface com.google.protobuf.Message
      Overrides:
      hashCode in class com.google.protobuf.AbstractMessage
    • parseFrom

      public static CertificateValidationContext parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static CertificateValidationContext parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static CertificateValidationContext parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static CertificateValidationContext parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static CertificateValidationContext parseFrom(InputStream input) throws IOException
      Throws:
      IOException
    • parseFrom

      public static CertificateValidationContext parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • parseDelimitedFrom

      public static CertificateValidationContext parseDelimitedFrom(InputStream input) throws IOException
      Throws:
      IOException
    • parseDelimitedFrom

      public static CertificateValidationContext parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • parseFrom

      public static CertificateValidationContext parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
      Throws:
      IOException
    • parseFrom

      public static CertificateValidationContext parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • newBuilderForType

      public CertificateValidationContext.Builder newBuilderForType()
      Specified by:
      newBuilderForType in interface com.google.protobuf.Message
      Specified by:
      newBuilderForType in interface com.google.protobuf.MessageLite
    • newBuilder

      public static CertificateValidationContext.Builder newBuilder()
    • newBuilder

    • toBuilder

      Specified by:
      toBuilder in interface com.google.protobuf.Message
      Specified by:
      toBuilder in interface com.google.protobuf.MessageLite
    • newBuilderForType

      protected CertificateValidationContext.Builder newBuilderForType(com.google.protobuf.AbstractMessage.BuilderParent parent)
      Overrides:
      newBuilderForType in class com.google.protobuf.AbstractMessage
    • getDefaultInstance

      public static CertificateValidationContext getDefaultInstance()
    • parser

      public static com.google.protobuf.Parser<CertificateValidationContext> parser()
    • getParserForType

      public com.google.protobuf.Parser<CertificateValidationContext> getParserForType()
      Specified by:
      getParserForType in interface com.google.protobuf.Message
      Specified by:
      getParserForType in interface com.google.protobuf.MessageLite
      Overrides:
      getParserForType in class com.google.protobuf.GeneratedMessage
    • getDefaultInstanceForType

      public CertificateValidationContext getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder