Interface CertificateValidationContextOrBuilder
- All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder
,com.google.protobuf.MessageOrBuilder
- All Known Implementing Classes:
CertificateValidationContext
,CertificateValidationContext.Builder
public interface CertificateValidationContextOrBuilder
extends com.google.protobuf.MessageOrBuilder
-
Method Summary
Modifier and TypeMethodDescriptionboolean
If specified, Envoy will not reject expired certificates.Certificate provider instance for fetching TLS certificates.Certificate provider instance for fetching TLS certificates.getCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).The configuration of an extension specific certificate validator.The configuration of an extension specific certificate validator.getMatchSubjectAltNames
(int index) Deprecated.int
Deprecated.Deprecated.getMatchSubjectAltNamesOrBuilder
(int index) Deprecated.List
<? extends StringMatcherOrBuilder> Deprecated.getMatchTypedSubjectAltNames
(int index) An optional list of Subject Alternative name matchers.int
An optional list of Subject Alternative name matchers.An optional list of Subject Alternative name matchers.getMatchTypedSubjectAltNamesOrBuilder
(int index) An optional list of Subject Alternative name matchers.List
<? extends SubjectAltNameMatcherOrBuilder> An optional list of Subject Alternative name matchers.com.google.protobuf.UInt32Value
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.com.google.protobuf.UInt32ValueOrBuilder
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.boolean
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.com.google.protobuf.BoolValue
[#not-implemented-hide:] Must present signed certificate time-stamp.com.google.protobuf.BoolValueOrBuilder
[#not-implemented-hide:] Must present signed certificate time-stamp.Use system root certs for validation.Use system root certs for validation.Certificate trust chain verification mode.int
Certificate trust chain verification mode.TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.getVerifyCertificateHash
(int index) An optional list of hex-encoded SHA-256 hashes.com.google.protobuf.ByteString
getVerifyCertificateHashBytes
(int index) An optional list of hex-encoded SHA-256 hashes.int
An optional list of hex-encoded SHA-256 hashes.An optional list of hex-encoded SHA-256 hashes.getVerifyCertificateSpki
(int index) An optional list of base64-encoded SHA-256 hashes.com.google.protobuf.ByteString
getVerifyCertificateSpkiBytes
(int index) An optional list of base64-encoded SHA-256 hashes.int
An optional list of base64-encoded SHA-256 hashes.An optional list of base64-encoded SHA-256 hashes.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.boolean
Certificate provider instance for fetching TLS certificates.boolean
hasCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).boolean
The configuration of an extension specific certificate validator.boolean
Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.boolean
[#not-implemented-hide:] Must present signed certificate time-stamp.boolean
Use system root certs for validation.boolean
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g.boolean
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder
isInitialized
Methods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
-
Method Details
-
hasTrustedCa
boolean hasTrustedCa()TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Returns:
- Whether the trustedCa field is set.
-
getTrustedCa
DataSource getTrustedCa()TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Returns:
- The trustedCa.
-
getTrustedCaOrBuilder
DataSourceOrBuilder getTrustedCaOrBuilder()TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` true. If set to true, only the final certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations. If ``trusted_ca`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS. X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
hasCaCertificateProviderInstance
boolean hasCaCertificateProviderInstance()Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Returns:
- Whether the caCertificateProviderInstance field is set.
-
getCaCertificateProviderInstance
CertificateProviderPluginInstance getCaCertificateProviderInstance()Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Returns:
- The caCertificateProviderInstance.
-
getCaCertificateProviderInstanceOrBuilder
CertificateProviderPluginInstanceOrBuilder getCaCertificateProviderInstanceOrBuilder()Certificate provider instance for fetching TLS certificates. If set, takes precedence over ``trusted_ca``. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
hasSystemRootCerts
boolean hasSystemRootCerts()Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Returns:
- Whether the systemRootCerts field is set.
-
getSystemRootCerts
CertificateValidationContext.SystemRootCerts getSystemRootCerts()Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Returns:
- The systemRootCerts.
-
getSystemRootCertsOrBuilder
CertificateValidationContext.SystemRootCertsOrBuilder getSystemRootCertsOrBuilder()Use system root certs for validation. If present, system root certs are used only if neither of the ``trusted_ca`` or ``ca_certificate_provider_instance`` fields are set. [#not-implemented-hide:]
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
hasWatchedDirectory
boolean hasWatchedDirectory()If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Returns:
- Whether the watchedDirectory field is set.
-
getWatchedDirectory
WatchedDirectory getWatchedDirectory()If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Returns:
- The watchedDirectory.
-
getWatchedDirectoryOrBuilder
WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path in ``trusted_ca`` is watched if this field is not specified. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
getVerifyCertificateSpkiList
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Returns:
- A list containing the verifyCertificateSpki.
-
getVerifyCertificateSpkiCount
int getVerifyCertificateSpkiCount()An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Returns:
- The count of verifyCertificateSpki.
-
getVerifyCertificateSpki
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
index
- The index of the element to return.- Returns:
- The verifyCertificateSpki at the given index.
-
getVerifyCertificateSpkiBytes
com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index) An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= This is the format used in HTTP Public Key Pinning. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted. .. attention:: This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the verifyCertificateSpki at the given index.
-
getVerifyCertificateHashList
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Returns:
- A list containing the verifyCertificateHash.
-
getVerifyCertificateHashCount
int getVerifyCertificateHashCount()An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Returns:
- The count of verifyCertificateHash.
-
getVerifyCertificateHash
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
index
- The index of the element to return.- Returns:
- The verifyCertificateHash at the given index.
-
getVerifyCertificateHashBytes
com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index) An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. A hex-encoded SHA-256 of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command: .. code-block:: bash $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A Both of those formats are acceptable. When both: :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the verifyCertificateHash at the given index.
-
getMatchTypedSubjectAltNamesList
List<SubjectAltNameMatcher> getMatchTypedSubjectAltNamesList()An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNames
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesCount
int getMatchTypedSubjectAltNamesCount()An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesOrBuilderList
List<? extends SubjectAltNameMatcherOrBuilder> getMatchTypedSubjectAltNamesOrBuilderList()An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesOrBuilder
An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", it should be configured as shown below. .. code-block:: yaml match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com" .. attention:: Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchSubjectAltNamesList
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNames
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesCount
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesOrBuilderList
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesOrBuilder
Deprecated.This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
hasRequireSignedCertificateTimestamp
boolean hasRequireSignedCertificateTimestamp()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Returns:
- Whether the requireSignedCertificateTimestamp field is set.
-
getRequireSignedCertificateTimestamp
com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Returns:
- The requireSignedCertificateTimestamp.
-
getRequireSignedCertificateTimestampOrBuilder
com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
hasCrl
boolean hasCrl()An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Returns:
- Whether the crl field is set.
-
getCrl
DataSource getCrl()An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Returns:
- The crl.
-
getCrlOrBuilder
DataSourceOrBuilder getCrlOrBuilder()An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
getAllowExpiredCertificate
boolean getAllowExpiredCertificate()If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
- Returns:
- The allowExpiredCertificate.
-
getTrustChainVerificationValue
int getTrustChainVerificationValue()Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Returns:
- The enum numeric value on the wire for trustChainVerification.
-
getTrustChainVerification
CertificateValidationContext.TrustChainVerification getTrustChainVerification()Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Returns:
- The trustChainVerification.
-
hasCustomValidatorConfig
boolean hasCustomValidatorConfig()The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Returns:
- Whether the customValidatorConfig field is set.
-
getCustomValidatorConfig
TypedExtensionConfig getCustomValidatorConfig()The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Returns:
- The customValidatorConfig.
-
getCustomValidatorConfigOrBuilder
TypedExtensionConfigOrBuilder getCustomValidatorConfigOrBuilder()The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
getOnlyVerifyLeafCertCrl
boolean getOnlyVerifyLeafCertCrl()If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
- Returns:
- The onlyVerifyLeafCertCrl.
-
hasMaxVerifyDepth
boolean hasMaxVerifyDepth()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Returns:
- Whether the maxVerifyDepth field is set.
-
getMaxVerifyDepth
com.google.protobuf.UInt32Value getMaxVerifyDepth()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Returns:
- The maxVerifyDepth.
-
getMaxVerifyDepthOrBuilder
com.google.protobuf.UInt32ValueOrBuilder getMaxVerifyDepthOrBuilder()Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-