Class CertificateValidationContext
java.lang.Object
com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessage
com.google.protobuf.GeneratedMessage
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
- All Implemented Interfaces:
com.google.protobuf.Message
,com.google.protobuf.MessageLite
,com.google.protobuf.MessageLiteOrBuilder
,com.google.protobuf.MessageOrBuilder
,CertificateValidationContextOrBuilder
,Serializable
public final class CertificateValidationContext
extends com.google.protobuf.GeneratedMessage
implements CertificateValidationContextOrBuilder
[#next-free-field: 18]Protobuf type
envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
- See Also:
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic final class
[#next-free-field: 18]static final class
Protobuf typeenvoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts
static interface
static enum
Peer certificate verification mode.Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessage
com.google.protobuf.GeneratedMessage.ExtendableBuilder<MessageT extends com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT>,
BuilderT extends com.google.protobuf.GeneratedMessage.ExtendableBuilder<MessageT, BuilderT>>, com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT extends com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT>>, com.google.protobuf.GeneratedMessage.ExtendableMessageOrBuilder<MessageT extends com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT>>, com.google.protobuf.GeneratedMessage.FieldAccessorTable, com.google.protobuf.GeneratedMessage.GeneratedExtension<ContainingT extends com.google.protobuf.Message, T>, com.google.protobuf.GeneratedMessage.UnusedPrivateParameter Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessage
com.google.protobuf.AbstractMessage.BuilderParent
Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessageLite.InternalOneOfEnum
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final int
private boolean
private int
static final int
private DataSource
static final int
static final int
private TypedExtensionConfig
private static final CertificateValidationContext
static final int
static final int
private List
<StringMatcher> private List
<SubjectAltNameMatcher> static final int
private com.google.protobuf.UInt32Value
private byte
static final int
private boolean
private static final com.google.protobuf.Parser
<CertificateValidationContext> static final int
private com.google.protobuf.BoolValue
private static final long
static final int
static final int
private int
static final int
private DataSource
static final int
static final int
private com.google.protobuf.LazyStringArrayList
private com.google.protobuf.LazyStringArrayList
static final int
private WatchedDirectory
Fields inherited from class com.google.protobuf.GeneratedMessage
alwaysUseFieldBuilders, unknownFields
Fields inherited from class com.google.protobuf.AbstractMessage
memoizedSize
Fields inherited from class com.google.protobuf.AbstractMessageLite
memoizedHashCode
-
Constructor Summary
ConstructorsModifierConstructorDescriptionprivate
private
CertificateValidationContext
(com.google.protobuf.GeneratedMessage.Builder<?> builder) -
Method Summary
Modifier and TypeMethodDescriptionboolean
boolean
If specified, Envoy will not reject expired certificates.Certificate provider instance for fetching TLS certificates.Certificate provider instance for fetching TLS certificates.getCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).The configuration of an extension specific certificate validator.The configuration of an extension specific certificate validator.static CertificateValidationContext
static final com.google.protobuf.Descriptors.Descriptor
getMatchSubjectAltNames
(int index) Deprecated.int
Deprecated.Deprecated.getMatchSubjectAltNamesOrBuilder
(int index) Deprecated.List
<? extends StringMatcherOrBuilder> Deprecated.getMatchTypedSubjectAltNames
(int index) An optional list of Subject Alternative name matchers.int
An optional list of Subject Alternative name matchers.An optional list of Subject Alternative name matchers.getMatchTypedSubjectAltNamesOrBuilder
(int index) An optional list of Subject Alternative name matchers.List
<? extends SubjectAltNameMatcherOrBuilder> An optional list of Subject Alternative name matchers.com.google.protobuf.UInt32Value
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.com.google.protobuf.UInt32ValueOrBuilder
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.boolean
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.com.google.protobuf.Parser
<CertificateValidationContext> com.google.protobuf.BoolValue
[#not-implemented-hide:] Must present signed certificate time-stamp.com.google.protobuf.BoolValueOrBuilder
[#not-implemented-hide:] Must present signed certificate time-stamp.int
Use system root certs for validation.Use system root certs for validation.Certificate trust chain verification mode.int
Certificate trust chain verification mode.TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.getVerifyCertificateHash
(int index) An optional list of hex-encoded SHA-256 hashes.com.google.protobuf.ByteString
getVerifyCertificateHashBytes
(int index) An optional list of hex-encoded SHA-256 hashes.int
An optional list of hex-encoded SHA-256 hashes.com.google.protobuf.ProtocolStringList
An optional list of hex-encoded SHA-256 hashes.getVerifyCertificateSpki
(int index) An optional list of base64-encoded SHA-256 hashes.com.google.protobuf.ByteString
getVerifyCertificateSpkiBytes
(int index) An optional list of base64-encoded SHA-256 hashes.int
An optional list of base64-encoded SHA-256 hashes.com.google.protobuf.ProtocolStringList
An optional list of base64-encoded SHA-256 hashes.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.boolean
Certificate provider instance for fetching TLS certificates.boolean
hasCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).boolean
The configuration of an extension specific certificate validator.int
hashCode()
boolean
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.boolean
[#not-implemented-hide:] Must present signed certificate time-stamp.boolean
Use system root certs for validation.boolean
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.boolean
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.protected com.google.protobuf.GeneratedMessage.FieldAccessorTable
final boolean
newBuilder
(CertificateValidationContext prototype) protected CertificateValidationContext.Builder
newBuilderForType
(com.google.protobuf.AbstractMessage.BuilderParent parent) static CertificateValidationContext
parseDelimitedFrom
(InputStream input) static CertificateValidationContext
parseDelimitedFrom
(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) static CertificateValidationContext
parseFrom
(byte[] data) static CertificateValidationContext
parseFrom
(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) static CertificateValidationContext
parseFrom
(com.google.protobuf.ByteString data) static CertificateValidationContext
parseFrom
(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) static CertificateValidationContext
parseFrom
(com.google.protobuf.CodedInputStream input) static CertificateValidationContext
parseFrom
(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) static CertificateValidationContext
parseFrom
(InputStream input) static CertificateValidationContext
parseFrom
(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) static CertificateValidationContext
parseFrom
(ByteBuffer data) static CertificateValidationContext
parseFrom
(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) static com.google.protobuf.Parser
<CertificateValidationContext> parser()
void
writeTo
(com.google.protobuf.CodedOutputStream output) Methods inherited from class com.google.protobuf.GeneratedMessage
canUseUnsafe, computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyList, emptyLongList, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof, internalGetMapField, internalGetMapFieldReflection, isStringEmpty, makeMutableCopy, makeMutableCopy, mergeFromAndMakeImmutableInternal, newFileScopedGeneratedExtension, newInstance, newMessageScopedGeneratedExtension, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag
Methods inherited from class com.google.protobuf.AbstractMessage
findInitializationErrors, getInitializationErrorString, hashFields, toString
Methods inherited from class com.google.protobuf.AbstractMessageLite
addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
Methods inherited from interface com.google.protobuf.MessageLite
toByteArray, toByteString, writeDelimitedTo, writeTo
Methods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
-
Field Details
-
serialVersionUID
private static final long serialVersionUID- See Also:
-
bitField0_
private int bitField0_ -
TRUSTED_CA_FIELD_NUMBER
public static final int TRUSTED_CA_FIELD_NUMBER- See Also:
-
trustedCa_
-
CA_CERTIFICATE_PROVIDER_INSTANCE_FIELD_NUMBER
public static final int CA_CERTIFICATE_PROVIDER_INSTANCE_FIELD_NUMBER- See Also:
-
caCertificateProviderInstance_
-
SYSTEM_ROOT_CERTS_FIELD_NUMBER
public static final int SYSTEM_ROOT_CERTS_FIELD_NUMBER- See Also:
-
systemRootCerts_
-
WATCHED_DIRECTORY_FIELD_NUMBER
public static final int WATCHED_DIRECTORY_FIELD_NUMBER- See Also:
-
watchedDirectory_
-
VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER
public static final int VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER- See Also:
-
verifyCertificateSpki_
private com.google.protobuf.LazyStringArrayList verifyCertificateSpki_ -
VERIFY_CERTIFICATE_HASH_FIELD_NUMBER
public static final int VERIFY_CERTIFICATE_HASH_FIELD_NUMBER- See Also:
-
verifyCertificateHash_
private com.google.protobuf.LazyStringArrayList verifyCertificateHash_ -
MATCH_TYPED_SUBJECT_ALT_NAMES_FIELD_NUMBER
public static final int MATCH_TYPED_SUBJECT_ALT_NAMES_FIELD_NUMBER- See Also:
-
matchTypedSubjectAltNames_
-
MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER
public static final int MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER- See Also:
-
matchSubjectAltNames_
-
REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER
public static final int REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER- See Also:
-
requireSignedCertificateTimestamp_
private com.google.protobuf.BoolValue requireSignedCertificateTimestamp_ -
CRL_FIELD_NUMBER
public static final int CRL_FIELD_NUMBER- See Also:
-
crl_
-
ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER
public static final int ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER- See Also:
-
allowExpiredCertificate_
private boolean allowExpiredCertificate_ -
TRUST_CHAIN_VERIFICATION_FIELD_NUMBER
public static final int TRUST_CHAIN_VERIFICATION_FIELD_NUMBER- See Also:
-
trustChainVerification_
private int trustChainVerification_ -
CUSTOM_VALIDATOR_CONFIG_FIELD_NUMBER
public static final int CUSTOM_VALIDATOR_CONFIG_FIELD_NUMBER- See Also:
-
customValidatorConfig_
-
ONLY_VERIFY_LEAF_CERT_CRL_FIELD_NUMBER
public static final int ONLY_VERIFY_LEAF_CERT_CRL_FIELD_NUMBER- See Also:
-
onlyVerifyLeafCertCrl_
private boolean onlyVerifyLeafCertCrl_ -
MAX_VERIFY_DEPTH_FIELD_NUMBER
public static final int MAX_VERIFY_DEPTH_FIELD_NUMBER- See Also:
-
maxVerifyDepth_
private com.google.protobuf.UInt32Value maxVerifyDepth_ -
memoizedIsInitialized
private byte memoizedIsInitialized -
DEFAULT_INSTANCE
-
PARSER
-
-
Constructor Details
-
CertificateValidationContext
private CertificateValidationContext(com.google.protobuf.GeneratedMessage.Builder<?> builder) -
CertificateValidationContext
private CertificateValidationContext()
-
-
Method Details
-
getDescriptor
public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() -
internalGetFieldAccessorTable
protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()- Specified by:
internalGetFieldAccessorTable
in classcom.google.protobuf.GeneratedMessage
-
hasTrustedCa
public boolean hasTrustedCa()TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
hasTrustedCa
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the trustedCa field is set.
-
getTrustedCa
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getTrustedCa
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The trustedCa.
-
getTrustedCaOrBuilder
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getTrustedCaOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
hasCaCertificateProviderInstance
public boolean hasCaCertificateProviderInstance()Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
hasCaCertificateProviderInstance
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the caCertificateProviderInstance field is set.
-
getCaCertificateProviderInstance
Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getCaCertificateProviderInstance
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The caCertificateProviderInstance.
-
getCaCertificateProviderInstanceOrBuilder
Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getCaCertificateProviderInstanceOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
hasSystemRootCerts
public boolean hasSystemRootCerts()Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
hasSystemRootCerts
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the systemRootCerts field is set.
-
getSystemRootCerts
Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
getSystemRootCerts
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The systemRootCerts.
-
getSystemRootCertsOrBuilder
Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
getSystemRootCertsOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
hasWatchedDirectory
public boolean hasWatchedDirectory()If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
hasWatchedDirectory
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the watchedDirectory field is set.
-
getWatchedDirectory
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
getWatchedDirectory
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The watchedDirectory.
-
getWatchedDirectoryOrBuilder
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
getWatchedDirectoryOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
getVerifyCertificateSpkiList
public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiList
in interfaceCertificateValidationContextOrBuilder
- Returns:
- A list containing the verifyCertificateSpki.
-
getVerifyCertificateSpkiCount
public int getVerifyCertificateSpkiCount()An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiCount
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The count of verifyCertificateSpki.
-
getVerifyCertificateSpki
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpki
in interfaceCertificateValidationContextOrBuilder
- Parameters:
index
- The index of the element to return.- Returns:
- The verifyCertificateSpki at the given index.
-
getVerifyCertificateSpkiBytes
public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index) An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiBytes
in interfaceCertificateValidationContextOrBuilder
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the verifyCertificateSpki at the given index.
-
getVerifyCertificateHashList
public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashList
in interfaceCertificateValidationContextOrBuilder
- Returns:
- A list containing the verifyCertificateHash.
-
getVerifyCertificateHashCount
public int getVerifyCertificateHashCount()An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashCount
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The count of verifyCertificateHash.
-
getVerifyCertificateHash
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHash
in interfaceCertificateValidationContextOrBuilder
- Parameters:
index
- The index of the element to return.- Returns:
- The verifyCertificateHash at the given index.
-
getVerifyCertificateHashBytes
public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index) An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashBytes
in interfaceCertificateValidationContextOrBuilder
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the verifyCertificateHash at the given index.
-
getMatchTypedSubjectAltNamesList
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesList
in interfaceCertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNamesOrBuilderList
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesOrBuilderList
in interfaceCertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNamesCount
public int getMatchTypedSubjectAltNamesCount()An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesCount
in interfaceCertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNames
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNames
in interfaceCertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNamesOrBuilder
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
getMatchSubjectAltNamesList
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesList
in interfaceCertificateValidationContextOrBuilder
-
getMatchSubjectAltNamesOrBuilderList
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesOrBuilderList
in interfaceCertificateValidationContextOrBuilder
-
getMatchSubjectAltNamesCount
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesCount
in interfaceCertificateValidationContextOrBuilder
-
getMatchSubjectAltNames
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNames
in interfaceCertificateValidationContextOrBuilder
-
getMatchSubjectAltNamesOrBuilder
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
hasRequireSignedCertificateTimestamp
public boolean hasRequireSignedCertificateTimestamp()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
hasRequireSignedCertificateTimestamp
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the requireSignedCertificateTimestamp field is set.
-
getRequireSignedCertificateTimestamp
public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
getRequireSignedCertificateTimestamp
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The requireSignedCertificateTimestamp.
-
getRequireSignedCertificateTimestampOrBuilder
public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
getRequireSignedCertificateTimestampOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
hasCrl
public boolean hasCrl()An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
hasCrl
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the crl field is set.
-
getCrl
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
getCrl
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The crl.
-
getCrlOrBuilder
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
getCrlOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
getAllowExpiredCertificate
public boolean getAllowExpiredCertificate()If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
- Specified by:
getAllowExpiredCertificate
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The allowExpiredCertificate.
-
getTrustChainVerificationValue
public int getTrustChainVerificationValue()Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Specified by:
getTrustChainVerificationValue
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The enum numeric value on the wire for trustChainVerification.
-
getTrustChainVerification
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Specified by:
getTrustChainVerification
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The trustChainVerification.
-
hasCustomValidatorConfig
public boolean hasCustomValidatorConfig()The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
hasCustomValidatorConfig
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the customValidatorConfig field is set.
-
getCustomValidatorConfig
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
getCustomValidatorConfig
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The customValidatorConfig.
-
getCustomValidatorConfigOrBuilder
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
getCustomValidatorConfigOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
getOnlyVerifyLeafCertCrl
public boolean getOnlyVerifyLeafCertCrl()If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
- Specified by:
getOnlyVerifyLeafCertCrl
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The onlyVerifyLeafCertCrl.
-
hasMaxVerifyDepth
public boolean hasMaxVerifyDepth()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
hasMaxVerifyDepth
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the maxVerifyDepth field is set.
-
getMaxVerifyDepth
public com.google.protobuf.UInt32Value getMaxVerifyDepth()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
getMaxVerifyDepth
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The maxVerifyDepth.
-
getMaxVerifyDepthOrBuilder
public com.google.protobuf.UInt32ValueOrBuilder getMaxVerifyDepthOrBuilder()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
getMaxVerifyDepthOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
isInitialized
public final boolean isInitialized()- Specified by:
isInitialized
in interfacecom.google.protobuf.MessageLiteOrBuilder
- Overrides:
isInitialized
in classcom.google.protobuf.GeneratedMessage
-
writeTo
- Specified by:
writeTo
in interfacecom.google.protobuf.MessageLite
- Overrides:
writeTo
in classcom.google.protobuf.GeneratedMessage
- Throws:
IOException
-
getSerializedSize
public int getSerializedSize()- Specified by:
getSerializedSize
in interfacecom.google.protobuf.MessageLite
- Overrides:
getSerializedSize
in classcom.google.protobuf.GeneratedMessage
-
equals
- Specified by:
equals
in interfacecom.google.protobuf.Message
- Overrides:
equals
in classcom.google.protobuf.AbstractMessage
-
hashCode
public int hashCode()- Specified by:
hashCode
in interfacecom.google.protobuf.Message
- Overrides:
hashCode
in classcom.google.protobuf.AbstractMessage
-
parseFrom
public static CertificateValidationContext parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException - Throws:
com.google.protobuf.InvalidProtocolBufferException
-
parseFrom
public static CertificateValidationContext parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException - Throws:
com.google.protobuf.InvalidProtocolBufferException
-
parseFrom
public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException - Throws:
com.google.protobuf.InvalidProtocolBufferException
-
parseFrom
public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException - Throws:
com.google.protobuf.InvalidProtocolBufferException
-
parseFrom
public static CertificateValidationContext parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException - Throws:
com.google.protobuf.InvalidProtocolBufferException
-
parseFrom
public static CertificateValidationContext parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException - Throws:
com.google.protobuf.InvalidProtocolBufferException
-
parseFrom
- Throws:
IOException
-
parseFrom
public static CertificateValidationContext parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException - Throws:
IOException
-
parseDelimitedFrom
- Throws:
IOException
-
parseDelimitedFrom
public static CertificateValidationContext parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException - Throws:
IOException
-
parseFrom
public static CertificateValidationContext parseFrom(com.google.protobuf.CodedInputStream input) throws IOException - Throws:
IOException
-
parseFrom
public static CertificateValidationContext parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException - Throws:
IOException
-
newBuilderForType
- Specified by:
newBuilderForType
in interfacecom.google.protobuf.Message
- Specified by:
newBuilderForType
in interfacecom.google.protobuf.MessageLite
-
newBuilder
-
newBuilder
public static CertificateValidationContext.Builder newBuilder(CertificateValidationContext prototype) -
toBuilder
- Specified by:
toBuilder
in interfacecom.google.protobuf.Message
- Specified by:
toBuilder
in interfacecom.google.protobuf.MessageLite
-
newBuilderForType
protected CertificateValidationContext.Builder newBuilderForType(com.google.protobuf.AbstractMessage.BuilderParent parent) - Overrides:
newBuilderForType
in classcom.google.protobuf.AbstractMessage
-
getDefaultInstance
-
parser
-
getParserForType
- Specified by:
getParserForType
in interfacecom.google.protobuf.Message
- Specified by:
getParserForType
in interfacecom.google.protobuf.MessageLite
- Overrides:
getParserForType
in classcom.google.protobuf.GeneratedMessage
-
getDefaultInstanceForType
- Specified by:
getDefaultInstanceForType
in interfacecom.google.protobuf.MessageLiteOrBuilder
- Specified by:
getDefaultInstanceForType
in interfacecom.google.protobuf.MessageOrBuilder
-