Class CertificateValidationContext.Builder
java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder
com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>
com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.Builder
- All Implemented Interfaces:
com.google.protobuf.Message.Builder
,com.google.protobuf.MessageLite.Builder
,com.google.protobuf.MessageLiteOrBuilder
,com.google.protobuf.MessageOrBuilder
,CertificateValidationContextOrBuilder
,Cloneable
- Enclosing class:
CertificateValidationContext
public static final class CertificateValidationContext.Builder
extends com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
implements CertificateValidationContextOrBuilder
[#next-free-field: 18]Protobuf type
envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
-
Field Summary
FieldsModifier and TypeFieldDescriptionprivate boolean
private int
private com.google.protobuf.SingleFieldBuilder
<CertificateProviderPluginInstance, CertificateProviderPluginInstance.Builder, CertificateProviderPluginInstanceOrBuilder> private DataSource
private com.google.protobuf.SingleFieldBuilder
<DataSource, DataSource.Builder, DataSourceOrBuilder> private TypedExtensionConfig
private com.google.protobuf.SingleFieldBuilder
<TypedExtensionConfig, TypedExtensionConfig.Builder, TypedExtensionConfigOrBuilder> private List
<StringMatcher> private com.google.protobuf.RepeatedFieldBuilder
<StringMatcher, StringMatcher.Builder, StringMatcherOrBuilder> private List
<SubjectAltNameMatcher> private com.google.protobuf.RepeatedFieldBuilder
<SubjectAltNameMatcher, SubjectAltNameMatcher.Builder, SubjectAltNameMatcherOrBuilder> private com.google.protobuf.UInt32Value
private com.google.protobuf.SingleFieldBuilder
<com.google.protobuf.UInt32Value, com.google.protobuf.UInt32Value.Builder, com.google.protobuf.UInt32ValueOrBuilder> private boolean
private com.google.protobuf.BoolValue
private com.google.protobuf.SingleFieldBuilder
<com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder> private com.google.protobuf.SingleFieldBuilder
<CertificateValidationContext.SystemRootCerts, CertificateValidationContext.SystemRootCerts.Builder, CertificateValidationContext.SystemRootCertsOrBuilder> private int
private DataSource
private com.google.protobuf.SingleFieldBuilder
<DataSource, DataSource.Builder, DataSourceOrBuilder> private com.google.protobuf.LazyStringArrayList
private com.google.protobuf.LazyStringArrayList
private WatchedDirectory
private com.google.protobuf.SingleFieldBuilder
<WatchedDirectory, WatchedDirectory.Builder, WatchedDirectoryOrBuilder> -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionaddAllMatchSubjectAltNames
(Iterable<? extends StringMatcher> values) Deprecated.addAllMatchTypedSubjectAltNames
(Iterable<? extends SubjectAltNameMatcher> values) An optional list of Subject Alternative name matchers.addAllVerifyCertificateHash
(Iterable<String> values) An optional list of hex-encoded SHA-256 hashes.addAllVerifyCertificateSpki
(Iterable<String> values) An optional list of base64-encoded SHA-256 hashes.addMatchSubjectAltNames
(int index, StringMatcher value) Deprecated.addMatchSubjectAltNames
(int index, StringMatcher.Builder builderForValue) Deprecated.Deprecated.addMatchSubjectAltNames
(StringMatcher.Builder builderForValue) Deprecated.Deprecated.addMatchSubjectAltNamesBuilder
(int index) Deprecated.addMatchTypedSubjectAltNames
(int index, SubjectAltNameMatcher value) An optional list of Subject Alternative name matchers.addMatchTypedSubjectAltNames
(int index, SubjectAltNameMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers.An optional list of Subject Alternative name matchers.addMatchTypedSubjectAltNames
(SubjectAltNameMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers.An optional list of Subject Alternative name matchers.addMatchTypedSubjectAltNamesBuilder
(int index) An optional list of Subject Alternative name matchers.addVerifyCertificateHash
(String value) An optional list of hex-encoded SHA-256 hashes.addVerifyCertificateHashBytes
(com.google.protobuf.ByteString value) An optional list of hex-encoded SHA-256 hashes.addVerifyCertificateSpki
(String value) An optional list of base64-encoded SHA-256 hashes.addVerifyCertificateSpkiBytes
(com.google.protobuf.ByteString value) An optional list of base64-encoded SHA-256 hashes.build()
private void
private void
clear()
If specified, Envoy will not reject expired certificates.Certificate provider instance for fetching TLS certificates.clearCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).The configuration of an extension specific certificate validator.Deprecated.An optional list of Subject Alternative name matchers.Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.[#not-implemented-hide:] Must present signed certificate time-stamp.Use system root certs for validation.Certificate trust chain verification mode.TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.An optional list of hex-encoded SHA-256 hashes.An optional list of base64-encoded SHA-256 hashes.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.private void
private void
private void
private void
boolean
If specified, Envoy will not reject expired certificates.Certificate provider instance for fetching TLS certificates.Certificate provider instance for fetching TLS certificates.Certificate provider instance for fetching TLS certificates.getCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).The configuration of an extension specific certificate validator.The configuration of an extension specific certificate validator.The configuration of an extension specific certificate validator.static final com.google.protobuf.Descriptors.Descriptor
com.google.protobuf.Descriptors.Descriptor
getMatchSubjectAltNames
(int index) Deprecated.getMatchSubjectAltNamesBuilder
(int index) Deprecated.Deprecated.int
Deprecated.Deprecated.getMatchSubjectAltNamesOrBuilder
(int index) Deprecated.List
<? extends StringMatcherOrBuilder> Deprecated.getMatchTypedSubjectAltNames
(int index) An optional list of Subject Alternative name matchers.getMatchTypedSubjectAltNamesBuilder
(int index) An optional list of Subject Alternative name matchers.An optional list of Subject Alternative name matchers.int
An optional list of Subject Alternative name matchers.An optional list of Subject Alternative name matchers.getMatchTypedSubjectAltNamesOrBuilder
(int index) An optional list of Subject Alternative name matchers.List
<? extends SubjectAltNameMatcherOrBuilder> An optional list of Subject Alternative name matchers.com.google.protobuf.UInt32Value
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.com.google.protobuf.UInt32Value.Builder
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.com.google.protobuf.UInt32ValueOrBuilder
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.boolean
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.com.google.protobuf.BoolValue
[#not-implemented-hide:] Must present signed certificate time-stamp.com.google.protobuf.BoolValue.Builder
[#not-implemented-hide:] Must present signed certificate time-stamp.com.google.protobuf.BoolValueOrBuilder
[#not-implemented-hide:] Must present signed certificate time-stamp.Use system root certs for validation.Use system root certs for validation.Use system root certs for validation.Certificate trust chain verification mode.int
Certificate trust chain verification mode.TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.getVerifyCertificateHash
(int index) An optional list of hex-encoded SHA-256 hashes.com.google.protobuf.ByteString
getVerifyCertificateHashBytes
(int index) An optional list of hex-encoded SHA-256 hashes.int
An optional list of hex-encoded SHA-256 hashes.com.google.protobuf.ProtocolStringList
An optional list of hex-encoded SHA-256 hashes.getVerifyCertificateSpki
(int index) An optional list of base64-encoded SHA-256 hashes.com.google.protobuf.ByteString
getVerifyCertificateSpkiBytes
(int index) An optional list of base64-encoded SHA-256 hashes.int
An optional list of base64-encoded SHA-256 hashes.com.google.protobuf.ProtocolStringList
An optional list of base64-encoded SHA-256 hashes.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.boolean
Certificate provider instance for fetching TLS certificates.boolean
hasCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).boolean
The configuration of an extension specific certificate validator.boolean
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.boolean
[#not-implemented-hide:] Must present signed certificate time-stamp.boolean
Use system root certs for validation.boolean
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.boolean
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.private com.google.protobuf.SingleFieldBuilder
<CertificateProviderPluginInstance, CertificateProviderPluginInstance.Builder, CertificateProviderPluginInstanceOrBuilder> Certificate provider instance for fetching TLS certificates.private com.google.protobuf.SingleFieldBuilder
<DataSource, DataSource.Builder, DataSourceOrBuilder> An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).private com.google.protobuf.SingleFieldBuilder
<TypedExtensionConfig, TypedExtensionConfig.Builder, TypedExtensionConfigOrBuilder> The configuration of an extension specific certificate validator.protected com.google.protobuf.GeneratedMessage.FieldAccessorTable
private com.google.protobuf.RepeatedFieldBuilder
<StringMatcher, StringMatcher.Builder, StringMatcherOrBuilder> private com.google.protobuf.RepeatedFieldBuilder
<SubjectAltNameMatcher, SubjectAltNameMatcher.Builder, SubjectAltNameMatcherOrBuilder> private com.google.protobuf.SingleFieldBuilder
<com.google.protobuf.UInt32Value, com.google.protobuf.UInt32Value.Builder, com.google.protobuf.UInt32ValueOrBuilder> Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.private com.google.protobuf.SingleFieldBuilder
<com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder> [#not-implemented-hide:] Must present signed certificate time-stamp.private com.google.protobuf.SingleFieldBuilder
<CertificateValidationContext.SystemRootCerts, CertificateValidationContext.SystemRootCerts.Builder, CertificateValidationContext.SystemRootCertsOrBuilder> Use system root certs for validation.private com.google.protobuf.SingleFieldBuilder
<DataSource, DataSource.Builder, DataSourceOrBuilder> TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.private com.google.protobuf.SingleFieldBuilder
<WatchedDirectory, WatchedDirectory.Builder, WatchedDirectoryOrBuilder> If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.final boolean
private void
Certificate provider instance for fetching TLS certificates.mergeCrl
(DataSource value) An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).The configuration of an extension specific certificate validator.mergeFrom
(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) mergeFrom
(com.google.protobuf.Message other) mergeMaxVerifyDepth
(com.google.protobuf.UInt32Value value) Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.mergeRequireSignedCertificateTimestamp
(com.google.protobuf.BoolValue value) [#not-implemented-hide:] Must present signed certificate time-stamp.Use system root certs for validation.mergeTrustedCa
(DataSource value) TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.removeMatchSubjectAltNames
(int index) Deprecated.removeMatchTypedSubjectAltNames
(int index) An optional list of Subject Alternative name matchers.setAllowExpiredCertificate
(boolean value) If specified, Envoy will not reject expired certificates.Certificate provider instance for fetching TLS certificates.Certificate provider instance for fetching TLS certificates.setCrl
(DataSource value) An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).setCrl
(DataSource.Builder builderForValue) An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).The configuration of an extension specific certificate validator.setCustomValidatorConfig
(TypedExtensionConfig.Builder builderForValue) The configuration of an extension specific certificate validator.setMatchSubjectAltNames
(int index, StringMatcher value) Deprecated.setMatchSubjectAltNames
(int index, StringMatcher.Builder builderForValue) Deprecated.setMatchTypedSubjectAltNames
(int index, SubjectAltNameMatcher value) An optional list of Subject Alternative name matchers.setMatchTypedSubjectAltNames
(int index, SubjectAltNameMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers.setMaxVerifyDepth
(com.google.protobuf.UInt32Value value) Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.setMaxVerifyDepth
(com.google.protobuf.UInt32Value.Builder builderForValue) Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.setOnlyVerifyLeafCertCrl
(boolean value) If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.setRequireSignedCertificateTimestamp
(com.google.protobuf.BoolValue value) [#not-implemented-hide:] Must present signed certificate time-stamp.setRequireSignedCertificateTimestamp
(com.google.protobuf.BoolValue.Builder builderForValue) [#not-implemented-hide:] Must present signed certificate time-stamp.Use system root certs for validation.setSystemRootCerts
(CertificateValidationContext.SystemRootCerts.Builder builderForValue) Use system root certs for validation.Certificate trust chain verification mode.setTrustChainVerificationValue
(int value) Certificate trust chain verification mode.setTrustedCa
(DataSource value) TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.setTrustedCa
(DataSource.Builder builderForValue) TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.setVerifyCertificateHash
(int index, String value) An optional list of hex-encoded SHA-256 hashes.setVerifyCertificateSpki
(int index, String value) An optional list of base64-encoded SHA-256 hashes.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.setWatchedDirectory
(WatchedDirectory.Builder builderForValue) If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.Methods inherited from class com.google.protobuf.GeneratedMessage.Builder
addRepeatedField, clearField, clearOneof, clone, getAllFields, getField, getFieldBuilder, getOneofFieldDescriptor, getParentForChildren, getRepeatedField, getRepeatedFieldBuilder, getRepeatedFieldCount, getUnknownFields, getUnknownFieldSetBuilder, hasField, hasOneof, internalGetMapField, internalGetMapFieldReflection, internalGetMutableMapField, internalGetMutableMapFieldReflection, isClean, markClean, mergeUnknownFields, mergeUnknownLengthDelimitedField, mergeUnknownVarintField, newBuilderForField, onBuilt, onChanged, parseUnknownField, setField, setRepeatedField, setUnknownFields, setUnknownFieldSetBuilder, setUnknownFieldsProto3
Methods inherited from class com.google.protobuf.AbstractMessage.Builder
findInitializationErrors, getInitializationErrorString, internalMergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, newUninitializedMessageException, toString
Methods inherited from class com.google.protobuf.AbstractMessageLite.Builder
addAll, addAll, mergeDelimitedFrom, mergeDelimitedFrom, mergeFrom, newUninitializedMessageException
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface com.google.protobuf.Message.Builder
mergeDelimitedFrom, mergeDelimitedFrom
Methods inherited from interface com.google.protobuf.MessageLite.Builder
mergeFrom
Methods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
-
Field Details
-
bitField0_
private int bitField0_ -
trustedCa_
-
trustedCaBuilder_
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder, trustedCaBuilder_DataSourceOrBuilder> -
caCertificateProviderInstance_
-
caCertificateProviderInstanceBuilder_
private com.google.protobuf.SingleFieldBuilder<CertificateProviderPluginInstance,CertificateProviderPluginInstance.Builder, caCertificateProviderInstanceBuilder_CertificateProviderPluginInstanceOrBuilder> -
systemRootCerts_
-
systemRootCertsBuilder_
private com.google.protobuf.SingleFieldBuilder<CertificateValidationContext.SystemRootCerts,CertificateValidationContext.SystemRootCerts.Builder, systemRootCertsBuilder_CertificateValidationContext.SystemRootCertsOrBuilder> -
watchedDirectory_
-
watchedDirectoryBuilder_
private com.google.protobuf.SingleFieldBuilder<WatchedDirectory,WatchedDirectory.Builder, watchedDirectoryBuilder_WatchedDirectoryOrBuilder> -
verifyCertificateSpki_
private com.google.protobuf.LazyStringArrayList verifyCertificateSpki_ -
verifyCertificateHash_
private com.google.protobuf.LazyStringArrayList verifyCertificateHash_ -
matchTypedSubjectAltNames_
-
matchTypedSubjectAltNamesBuilder_
private com.google.protobuf.RepeatedFieldBuilder<SubjectAltNameMatcher,SubjectAltNameMatcher.Builder, matchTypedSubjectAltNamesBuilder_SubjectAltNameMatcherOrBuilder> -
matchSubjectAltNames_
-
matchSubjectAltNamesBuilder_
private com.google.protobuf.RepeatedFieldBuilder<StringMatcher,StringMatcher.Builder, matchSubjectAltNamesBuilder_StringMatcherOrBuilder> -
requireSignedCertificateTimestamp_
private com.google.protobuf.BoolValue requireSignedCertificateTimestamp_ -
requireSignedCertificateTimestampBuilder_
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.BoolValue,com.google.protobuf.BoolValue.Builder, requireSignedCertificateTimestampBuilder_com.google.protobuf.BoolValueOrBuilder> -
crl_
-
crlBuilder_
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder, crlBuilder_DataSourceOrBuilder> -
allowExpiredCertificate_
private boolean allowExpiredCertificate_ -
trustChainVerification_
private int trustChainVerification_ -
customValidatorConfig_
-
customValidatorConfigBuilder_
private com.google.protobuf.SingleFieldBuilder<TypedExtensionConfig,TypedExtensionConfig.Builder, customValidatorConfigBuilder_TypedExtensionConfigOrBuilder> -
onlyVerifyLeafCertCrl_
private boolean onlyVerifyLeafCertCrl_ -
maxVerifyDepth_
private com.google.protobuf.UInt32Value maxVerifyDepth_ -
maxVerifyDepthBuilder_
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.UInt32Value,com.google.protobuf.UInt32Value.Builder, maxVerifyDepthBuilder_com.google.protobuf.UInt32ValueOrBuilder>
-
-
Constructor Details
-
Builder
private Builder() -
Builder
private Builder(com.google.protobuf.AbstractMessage.BuilderParent parent)
-
-
Method Details
-
getDescriptor
public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() -
internalGetFieldAccessorTable
protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()- Specified by:
internalGetFieldAccessorTable
in classcom.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
-
maybeForceBuilderInitialization
private void maybeForceBuilderInitialization() -
clear
- Specified by:
clear
in interfacecom.google.protobuf.Message.Builder
- Specified by:
clear
in interfacecom.google.protobuf.MessageLite.Builder
- Overrides:
clear
in classcom.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
-
getDescriptorForType
public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()- Specified by:
getDescriptorForType
in interfacecom.google.protobuf.Message.Builder
- Specified by:
getDescriptorForType
in interfacecom.google.protobuf.MessageOrBuilder
- Overrides:
getDescriptorForType
in classcom.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
-
getDefaultInstanceForType
- Specified by:
getDefaultInstanceForType
in interfacecom.google.protobuf.MessageLiteOrBuilder
- Specified by:
getDefaultInstanceForType
in interfacecom.google.protobuf.MessageOrBuilder
-
build
- Specified by:
build
in interfacecom.google.protobuf.Message.Builder
- Specified by:
build
in interfacecom.google.protobuf.MessageLite.Builder
-
buildPartial
- Specified by:
buildPartial
in interfacecom.google.protobuf.Message.Builder
- Specified by:
buildPartial
in interfacecom.google.protobuf.MessageLite.Builder
-
buildPartialRepeatedFields
-
buildPartial0
-
mergeFrom
- Specified by:
mergeFrom
in interfacecom.google.protobuf.Message.Builder
- Overrides:
mergeFrom
in classcom.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>
-
mergeFrom
-
isInitialized
public final boolean isInitialized()- Specified by:
isInitialized
in interfacecom.google.protobuf.MessageLiteOrBuilder
- Overrides:
isInitialized
in classcom.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
-
mergeFrom
public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException - Specified by:
mergeFrom
in interfacecom.google.protobuf.Message.Builder
- Specified by:
mergeFrom
in interfacecom.google.protobuf.MessageLite.Builder
- Overrides:
mergeFrom
in classcom.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>
- Throws:
IOException
-
hasTrustedCa
public boolean hasTrustedCa()TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
hasTrustedCa
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the trustedCa field is set.
-
getTrustedCa
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getTrustedCa
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The trustedCa.
-
setTrustedCa
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
setTrustedCa
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
mergeTrustedCa
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
clearTrustedCa
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
getTrustedCaBuilder
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
getTrustedCaOrBuilder
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getTrustedCaOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
internalGetTrustedCaFieldBuilder
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder, internalGetTrustedCaFieldBuilder()DataSourceOrBuilder> TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
hasCaCertificateProviderInstance
public boolean hasCaCertificateProviderInstance()Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
hasCaCertificateProviderInstance
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the caCertificateProviderInstance field is set.
-
getCaCertificateProviderInstance
Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getCaCertificateProviderInstance
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The caCertificateProviderInstance.
-
setCaCertificateProviderInstance
public CertificateValidationContext.Builder setCaCertificateProviderInstance(CertificateProviderPluginInstance value) Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
setCaCertificateProviderInstance
public CertificateValidationContext.Builder setCaCertificateProviderInstance(CertificateProviderPluginInstance.Builder builderForValue) Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
mergeCaCertificateProviderInstance
public CertificateValidationContext.Builder mergeCaCertificateProviderInstance(CertificateProviderPluginInstance value) Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
clearCaCertificateProviderInstance
Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
getCaCertificateProviderInstanceBuilder
Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
getCaCertificateProviderInstanceOrBuilder
Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getCaCertificateProviderInstanceOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
internalGetCaCertificateProviderInstanceFieldBuilder
private com.google.protobuf.SingleFieldBuilder<CertificateProviderPluginInstance,CertificateProviderPluginInstance.Builder, internalGetCaCertificateProviderInstanceFieldBuilder()CertificateProviderPluginInstanceOrBuilder> Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
hasSystemRootCerts
public boolean hasSystemRootCerts()Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
hasSystemRootCerts
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the systemRootCerts field is set.
-
getSystemRootCerts
Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
getSystemRootCerts
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The systemRootCerts.
-
setSystemRootCerts
public CertificateValidationContext.Builder setSystemRootCerts(CertificateValidationContext.SystemRootCerts value) Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
setSystemRootCerts
public CertificateValidationContext.Builder setSystemRootCerts(CertificateValidationContext.SystemRootCerts.Builder builderForValue) Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
mergeSystemRootCerts
public CertificateValidationContext.Builder mergeSystemRootCerts(CertificateValidationContext.SystemRootCerts value) Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
clearSystemRootCerts
Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
getSystemRootCertsBuilder
Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
getSystemRootCertsOrBuilder
Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
getSystemRootCertsOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
internalGetSystemRootCertsFieldBuilder
private com.google.protobuf.SingleFieldBuilder<CertificateValidationContext.SystemRootCerts,CertificateValidationContext.SystemRootCerts.Builder, internalGetSystemRootCertsFieldBuilder()CertificateValidationContext.SystemRootCertsOrBuilder> Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
hasWatchedDirectory
public boolean hasWatchedDirectory()If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
hasWatchedDirectory
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the watchedDirectory field is set.
-
getWatchedDirectory
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
getWatchedDirectory
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The watchedDirectory.
-
setWatchedDirectory
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
setWatchedDirectory
public CertificateValidationContext.Builder setWatchedDirectory(WatchedDirectory.Builder builderForValue) If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
mergeWatchedDirectory
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
clearWatchedDirectory
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
getWatchedDirectoryBuilder
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
getWatchedDirectoryOrBuilder
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
getWatchedDirectoryOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
internalGetWatchedDirectoryFieldBuilder
private com.google.protobuf.SingleFieldBuilder<WatchedDirectory,WatchedDirectory.Builder, internalGetWatchedDirectoryFieldBuilder()WatchedDirectoryOrBuilder> If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
ensureVerifyCertificateSpkiIsMutable
private void ensureVerifyCertificateSpkiIsMutable() -
getVerifyCertificateSpkiList
public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiList
in interfaceCertificateValidationContextOrBuilder
- Returns:
- A list containing the verifyCertificateSpki.
-
getVerifyCertificateSpkiCount
public int getVerifyCertificateSpkiCount()An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiCount
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The count of verifyCertificateSpki.
-
getVerifyCertificateSpki
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpki
in interfaceCertificateValidationContextOrBuilder
- Parameters:
index
- The index of the element to return.- Returns:
- The verifyCertificateSpki at the given index.
-
getVerifyCertificateSpkiBytes
public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index) An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiBytes
in interfaceCertificateValidationContextOrBuilder
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the verifyCertificateSpki at the given index.
-
setVerifyCertificateSpki
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
index
- The index to set the value at.value
- The verifyCertificateSpki to set.- Returns:
- This builder for chaining.
-
addVerifyCertificateSpki
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
value
- The verifyCertificateSpki to add.- Returns:
- This builder for chaining.
-
addAllVerifyCertificateSpki
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
values
- The verifyCertificateSpki to add.- Returns:
- This builder for chaining.
-
clearVerifyCertificateSpki
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Returns:
- This builder for chaining.
-
addVerifyCertificateSpkiBytes
public CertificateValidationContext.Builder addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value) An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
value
- The bytes of the verifyCertificateSpki to add.- Returns:
- This builder for chaining.
-
ensureVerifyCertificateHashIsMutable
private void ensureVerifyCertificateHashIsMutable() -
getVerifyCertificateHashList
public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashList
in interfaceCertificateValidationContextOrBuilder
- Returns:
- A list containing the verifyCertificateHash.
-
getVerifyCertificateHashCount
public int getVerifyCertificateHashCount()An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashCount
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The count of verifyCertificateHash.
-
getVerifyCertificateHash
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHash
in interfaceCertificateValidationContextOrBuilder
- Parameters:
index
- The index of the element to return.- Returns:
- The verifyCertificateHash at the given index.
-
getVerifyCertificateHashBytes
public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index) An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashBytes
in interfaceCertificateValidationContextOrBuilder
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the verifyCertificateHash at the given index.
-
setVerifyCertificateHash
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
index
- The index to set the value at.value
- The verifyCertificateHash to set.- Returns:
- This builder for chaining.
-
addVerifyCertificateHash
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
value
- The verifyCertificateHash to add.- Returns:
- This builder for chaining.
-
addAllVerifyCertificateHash
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
values
- The verifyCertificateHash to add.- Returns:
- This builder for chaining.
-
clearVerifyCertificateHash
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Returns:
- This builder for chaining.
-
addVerifyCertificateHashBytes
public CertificateValidationContext.Builder addVerifyCertificateHashBytes(com.google.protobuf.ByteString value) An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
value
- The bytes of the verifyCertificateHash to add.- Returns:
- This builder for chaining.
-
ensureMatchTypedSubjectAltNamesIsMutable
private void ensureMatchTypedSubjectAltNamesIsMutable() -
getMatchTypedSubjectAltNamesList
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesList
in interfaceCertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNamesCount
public int getMatchTypedSubjectAltNamesCount()An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesCount
in interfaceCertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNames
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNames
in interfaceCertificateValidationContextOrBuilder
-
setMatchTypedSubjectAltNames
public CertificateValidationContext.Builder setMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher value) An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
setMatchTypedSubjectAltNames
public CertificateValidationContext.Builder setMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addMatchTypedSubjectAltNames(SubjectAltNameMatcher value) An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher value) An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addMatchTypedSubjectAltNames(SubjectAltNameMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addAllMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addAllMatchTypedSubjectAltNames(Iterable<? extends SubjectAltNameMatcher> values) An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
clearMatchTypedSubjectAltNames
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
removeMatchTypedSubjectAltNames
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesBuilder
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesOrBuilder
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNamesOrBuilderList
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesOrBuilderList
in interfaceCertificateValidationContextOrBuilder
-
addMatchTypedSubjectAltNamesBuilder
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNamesBuilder
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesBuilderList
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
internalGetMatchTypedSubjectAltNamesFieldBuilder
private com.google.protobuf.RepeatedFieldBuilder<SubjectAltNameMatcher,SubjectAltNameMatcher.Builder, internalGetMatchTypedSubjectAltNamesFieldBuilder()SubjectAltNameMatcherOrBuilder> -
ensureMatchSubjectAltNamesIsMutable
private void ensureMatchSubjectAltNamesIsMutable() -
getMatchSubjectAltNamesList
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesList
in interfaceCertificateValidationContextOrBuilder
-
getMatchSubjectAltNamesCount
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesCount
in interfaceCertificateValidationContextOrBuilder
-
getMatchSubjectAltNames
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNames
in interfaceCertificateValidationContextOrBuilder
-
setMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher value) Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
setMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue) Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher value) Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher value) Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher.Builder builderForValue) Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue) Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addAllMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addAllMatchSubjectAltNames(Iterable<? extends StringMatcher> values) Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
clearMatchSubjectAltNames
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
removeMatchSubjectAltNames
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesBuilder
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesOrBuilder
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
getMatchSubjectAltNamesOrBuilderList
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesOrBuilderList
in interfaceCertificateValidationContextOrBuilder
-
addMatchSubjectAltNamesBuilder
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNamesBuilder
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesBuilderList
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
internalGetMatchSubjectAltNamesFieldBuilder
private com.google.protobuf.RepeatedFieldBuilder<StringMatcher,StringMatcher.Builder, internalGetMatchSubjectAltNamesFieldBuilder()StringMatcherOrBuilder> -
hasRequireSignedCertificateTimestamp
public boolean hasRequireSignedCertificateTimestamp()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
hasRequireSignedCertificateTimestamp
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the requireSignedCertificateTimestamp field is set.
-
getRequireSignedCertificateTimestamp
public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
getRequireSignedCertificateTimestamp
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The requireSignedCertificateTimestamp.
-
setRequireSignedCertificateTimestamp
public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value) [#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
setRequireSignedCertificateTimestamp
public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue) [#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
mergeRequireSignedCertificateTimestamp
public CertificateValidationContext.Builder mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value) [#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
clearRequireSignedCertificateTimestamp
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
getRequireSignedCertificateTimestampBuilder
public com.google.protobuf.BoolValue.Builder getRequireSignedCertificateTimestampBuilder()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
getRequireSignedCertificateTimestampOrBuilder
public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
getRequireSignedCertificateTimestampOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
internalGetRequireSignedCertificateTimestampFieldBuilder
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.BoolValue,com.google.protobuf.BoolValue.Builder, internalGetRequireSignedCertificateTimestampFieldBuilder()com.google.protobuf.BoolValueOrBuilder> [#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
hasCrl
public boolean hasCrl()An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
hasCrl
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the crl field is set.
-
getCrl
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
getCrl
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The crl.
-
setCrl
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
setCrl
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
mergeCrl
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
clearCrl
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
getCrlBuilder
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
getCrlOrBuilder
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
getCrlOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
internalGetCrlFieldBuilder
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder, internalGetCrlFieldBuilder()DataSourceOrBuilder> An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
getAllowExpiredCertificate
public boolean getAllowExpiredCertificate()If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
- Specified by:
getAllowExpiredCertificate
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The allowExpiredCertificate.
-
setAllowExpiredCertificate
If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
- Parameters:
value
- The allowExpiredCertificate to set.- Returns:
- This builder for chaining.
-
clearAllowExpiredCertificate
If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
- Returns:
- This builder for chaining.
-
getTrustChainVerificationValue
public int getTrustChainVerificationValue()Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Specified by:
getTrustChainVerificationValue
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The enum numeric value on the wire for trustChainVerification.
-
setTrustChainVerificationValue
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Parameters:
value
- The enum numeric value on the wire for trustChainVerification to set.- Returns:
- This builder for chaining.
-
getTrustChainVerification
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Specified by:
getTrustChainVerification
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The trustChainVerification.
-
setTrustChainVerification
public CertificateValidationContext.Builder setTrustChainVerification(CertificateValidationContext.TrustChainVerification value) Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Parameters:
value
- The trustChainVerification to set.- Returns:
- This builder for chaining.
-
clearTrustChainVerification
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Returns:
- This builder for chaining.
-
hasCustomValidatorConfig
public boolean hasCustomValidatorConfig()The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
hasCustomValidatorConfig
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the customValidatorConfig field is set.
-
getCustomValidatorConfig
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
getCustomValidatorConfig
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The customValidatorConfig.
-
setCustomValidatorConfig
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
setCustomValidatorConfig
public CertificateValidationContext.Builder setCustomValidatorConfig(TypedExtensionConfig.Builder builderForValue) The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
mergeCustomValidatorConfig
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
clearCustomValidatorConfig
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
getCustomValidatorConfigBuilder
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
getCustomValidatorConfigOrBuilder
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
getCustomValidatorConfigOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
internalGetCustomValidatorConfigFieldBuilder
private com.google.protobuf.SingleFieldBuilder<TypedExtensionConfig,TypedExtensionConfig.Builder, internalGetCustomValidatorConfigFieldBuilder()TypedExtensionConfigOrBuilder> The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
getOnlyVerifyLeafCertCrl
public boolean getOnlyVerifyLeafCertCrl()If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
- Specified by:
getOnlyVerifyLeafCertCrl
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The onlyVerifyLeafCertCrl.
-
setOnlyVerifyLeafCertCrl
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
- Parameters:
value
- The onlyVerifyLeafCertCrl to set.- Returns:
- This builder for chaining.
-
clearOnlyVerifyLeafCertCrl
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
- Returns:
- This builder for chaining.
-
hasMaxVerifyDepth
public boolean hasMaxVerifyDepth()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
hasMaxVerifyDepth
in interfaceCertificateValidationContextOrBuilder
- Returns:
- Whether the maxVerifyDepth field is set.
-
getMaxVerifyDepth
public com.google.protobuf.UInt32Value getMaxVerifyDepth()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
getMaxVerifyDepth
in interfaceCertificateValidationContextOrBuilder
- Returns:
- The maxVerifyDepth.
-
setMaxVerifyDepth
public CertificateValidationContext.Builder setMaxVerifyDepth(com.google.protobuf.UInt32Value value) Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
setMaxVerifyDepth
public CertificateValidationContext.Builder setMaxVerifyDepth(com.google.protobuf.UInt32Value.Builder builderForValue) Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
mergeMaxVerifyDepth
public CertificateValidationContext.Builder mergeMaxVerifyDepth(com.google.protobuf.UInt32Value value) Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
clearMaxVerifyDepth
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
getMaxVerifyDepthBuilder
public com.google.protobuf.UInt32Value.Builder getMaxVerifyDepthBuilder()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
getMaxVerifyDepthOrBuilder
public com.google.protobuf.UInt32ValueOrBuilder getMaxVerifyDepthOrBuilder()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
getMaxVerifyDepthOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
internalGetMaxVerifyDepthFieldBuilder
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.UInt32Value,com.google.protobuf.UInt32Value.Builder, internalGetMaxVerifyDepthFieldBuilder()com.google.protobuf.UInt32ValueOrBuilder> Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-