Class CertificateValidationContext.Builder

java.lang.Object
  com.google.protobuf.AbstractMessageLite.Builder
    com.google.protobuf.AbstractMessage.Builder<BuilderT>
      com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>
        io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.Builder

All Implemented Interfaces:
  com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, CertificateValidationContextOrBuilder, java.lang.Cloneable

Enclosing class:
  CertificateValidationContext

public static final class CertificateValidationContext.Builder extends com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder> implements CertificateValidationContextOrBuilder

[#next-free-field: 18]
Protobuf type envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext

Field Summary
Method Summary
Modifier and Type, Method, and Description:

CertificateValidationContext.Builder addAllMatchSubjectAltNames(java.lang.Iterable<? extends StringMatcher> values)
    Deprecated.
CertificateValidationContext.Builder addAllMatchTypedSubjectAltNames(java.lang.Iterable<? extends SubjectAltNameMatcher> values)
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder addAllVerifyCertificateHash(java.lang.Iterable<java.lang.String> values)
    An optional list of hex-encoded SHA-256 hashes.
CertificateValidationContext.Builder addAllVerifyCertificateSpki(java.lang.Iterable<java.lang.String> values)
    An optional list of base64-encoded SHA-256 hashes.
CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher value)
    Deprecated.
CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)
    Deprecated.
CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher value)
    Deprecated.
CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher.Builder builderForValue)
    Deprecated.
StringMatcher.Builder addMatchSubjectAltNamesBuilder()
    Deprecated.
StringMatcher.Builder addMatchSubjectAltNamesBuilder(int index)
    Deprecated.
CertificateValidationContext.Builder addMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher value)
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder addMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher.Builder builderForValue)
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder addMatchTypedSubjectAltNames(SubjectAltNameMatcher value)
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder addMatchTypedSubjectAltNames(SubjectAltNameMatcher.Builder builderForValue)
    An optional list of Subject Alternative name matchers.
SubjectAltNameMatcher.Builder addMatchTypedSubjectAltNamesBuilder()
    An optional list of Subject Alternative name matchers.
SubjectAltNameMatcher.Builder addMatchTypedSubjectAltNamesBuilder(int index)
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder addVerifyCertificateHash(java.lang.String value)
    An optional list of hex-encoded SHA-256 hashes.
CertificateValidationContext.Builder addVerifyCertificateHashBytes(com.google.protobuf.ByteString value)
    An optional list of hex-encoded SHA-256 hashes.
CertificateValidationContext.Builder addVerifyCertificateSpki(java.lang.String value)
    An optional list of base64-encoded SHA-256 hashes.
CertificateValidationContext.Builder addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value)
    An optional list of base64-encoded SHA-256 hashes.
CertificateValidationContext build()
CertificateValidationContext buildPartial()
private void buildPartial0(CertificateValidationContext result)
private void buildPartialRepeatedFields(CertificateValidationContext result)
CertificateValidationContext.Builder clear()
CertificateValidationContext.Builder clearAllowExpiredCertificate()
    If specified, Envoy will not reject expired certificates.
CertificateValidationContext.Builder clearCaCertificateProviderInstance()
    Certificate provider instance for fetching TLS certificates.
CertificateValidationContext.Builder clearCrl()
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
CertificateValidationContext.Builder clearCustomValidatorConfig()
    The configuration of an extension specific certificate validator.
CertificateValidationContext.Builder clearMatchSubjectAltNames()
    Deprecated.
CertificateValidationContext.Builder clearMatchTypedSubjectAltNames()
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder clearMaxVerifyDepth()
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
CertificateValidationContext.Builder clearOnlyVerifyLeafCertCrl()
    If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
CertificateValidationContext.Builder clearRequireSignedCertificateTimestamp()
    [#not-implemented-hide:] Must present signed certificate time-stamp.
CertificateValidationContext.Builder clearSystemRootCerts()
    Use system root certs for validation.
CertificateValidationContext.Builder clearTrustChainVerification()
    Certificate trust chain verification mode.
CertificateValidationContext.Builder clearTrustedCa()
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
CertificateValidationContext.Builder clearVerifyCertificateHash()
    An optional list of hex-encoded SHA-256 hashes.
CertificateValidationContext.Builder clearVerifyCertificateSpki()
    An optional list of base64-encoded SHA-256 hashes.
CertificateValidationContext.Builder clearWatchedDirectory()
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.
private void ensureMatchSubjectAltNamesIsMutable()
private void ensureMatchTypedSubjectAltNamesIsMutable()
private void ensureVerifyCertificateHashIsMutable()
private void ensureVerifyCertificateSpkiIsMutable()
boolean getAllowExpiredCertificate()
    If specified, Envoy will not reject expired certificates.
CertificateProviderPluginInstance getCaCertificateProviderInstance()
    Certificate provider instance for fetching TLS certificates.
CertificateProviderPluginInstance.Builder getCaCertificateProviderInstanceBuilder()
    Certificate provider instance for fetching TLS certificates.
private com.google.protobuf.SingleFieldBuilder<CertificateProviderPluginInstance,CertificateProviderPluginInstance.Builder,CertificateProviderPluginInstanceOrBuilder> getCaCertificateProviderInstanceFieldBuilder()
    Certificate provider instance for fetching TLS certificates.
CertificateProviderPluginInstanceOrBuilder getCaCertificateProviderInstanceOrBuilder()
    Certificate provider instance for fetching TLS certificates.
DataSource getCrl()
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
DataSource.Builder getCrlBuilder()
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder,DataSourceOrBuilder> getCrlFieldBuilder()
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
DataSourceOrBuilder getCrlOrBuilder()
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
TypedExtensionConfig getCustomValidatorConfig()
    The configuration of an extension specific certificate validator.
TypedExtensionConfig.Builder getCustomValidatorConfigBuilder()
    The configuration of an extension specific certificate validator.
private com.google.protobuf.SingleFieldBuilder<TypedExtensionConfig,TypedExtensionConfig.Builder,TypedExtensionConfigOrBuilder> getCustomValidatorConfigFieldBuilder()
    The configuration of an extension specific certificate validator.
TypedExtensionConfigOrBuilder getCustomValidatorConfigOrBuilder()
    The configuration of an extension specific certificate validator.
CertificateValidationContext getDefaultInstanceForType()
static com.google.protobuf.Descriptors.Descriptor getDescriptor()
com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
StringMatcher getMatchSubjectAltNames(int index)
    Deprecated.
StringMatcher.Builder getMatchSubjectAltNamesBuilder(int index)
    Deprecated.
java.util.List<StringMatcher.Builder> getMatchSubjectAltNamesBuilderList()
    Deprecated.
int getMatchSubjectAltNamesCount()
    Deprecated.
private com.google.protobuf.RepeatedFieldBuilder<StringMatcher,StringMatcher.Builder,StringMatcherOrBuilder> getMatchSubjectAltNamesFieldBuilder()
java.util.List<StringMatcher> getMatchSubjectAltNamesList()
    Deprecated.
StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(int index)
    Deprecated.
java.util.List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
    Deprecated.
SubjectAltNameMatcher getMatchTypedSubjectAltNames(int index)
    An optional list of Subject Alternative name matchers.
SubjectAltNameMatcher.Builder getMatchTypedSubjectAltNamesBuilder(int index)
    An optional list of Subject Alternative name matchers.
java.util.List<SubjectAltNameMatcher.Builder> getMatchTypedSubjectAltNamesBuilderList()
    An optional list of Subject Alternative name matchers.
int getMatchTypedSubjectAltNamesCount()
    An optional list of Subject Alternative name matchers.
private com.google.protobuf.RepeatedFieldBuilder<SubjectAltNameMatcher,SubjectAltNameMatcher.Builder,SubjectAltNameMatcherOrBuilder> getMatchTypedSubjectAltNamesFieldBuilder()
java.util.List<SubjectAltNameMatcher> getMatchTypedSubjectAltNamesList()
    An optional list of Subject Alternative name matchers.
SubjectAltNameMatcherOrBuilder getMatchTypedSubjectAltNamesOrBuilder(int index)
    An optional list of Subject Alternative name matchers.
java.util.List<? extends SubjectAltNameMatcherOrBuilder> getMatchTypedSubjectAltNamesOrBuilderList()
    An optional list of Subject Alternative name matchers.
com.google.protobuf.UInt32Value getMaxVerifyDepth()
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
com.google.protobuf.UInt32Value.Builder getMaxVerifyDepthBuilder()
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.UInt32Value,com.google.protobuf.UInt32Value.Builder,com.google.protobuf.UInt32ValueOrBuilder> getMaxVerifyDepthFieldBuilder()
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
com.google.protobuf.UInt32ValueOrBuilder getMaxVerifyDepthOrBuilder()
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
boolean getOnlyVerifyLeafCertCrl()
    If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
    [#not-implemented-hide:] Must present signed certificate time-stamp.
com.google.protobuf.BoolValue.Builder getRequireSignedCertificateTimestampBuilder()
    [#not-implemented-hide:] Must present signed certificate time-stamp.
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.BoolValue,com.google.protobuf.BoolValue.Builder,com.google.protobuf.BoolValueOrBuilder> getRequireSignedCertificateTimestampFieldBuilder()
    [#not-implemented-hide:] Must present signed certificate time-stamp.
com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()
    [#not-implemented-hide:] Must present signed certificate time-stamp.
CertificateValidationContext.SystemRootCerts getSystemRootCerts()
    Use system root certs for validation.
CertificateValidationContext.SystemRootCerts.Builder getSystemRootCertsBuilder()
    Use system root certs for validation.
private com.google.protobuf.SingleFieldBuilder<CertificateValidationContext.SystemRootCerts,CertificateValidationContext.SystemRootCerts.Builder,CertificateValidationContext.SystemRootCertsOrBuilder> getSystemRootCertsFieldBuilder()
    Use system root certs for validation.
CertificateValidationContext.SystemRootCertsOrBuilder getSystemRootCertsOrBuilder()
    Use system root certs for validation.
CertificateValidationContext.TrustChainVerification getTrustChainVerification()
    Certificate trust chain verification mode.
int getTrustChainVerificationValue()
    Certificate trust chain verification mode.
DataSource getTrustedCa()
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
DataSource.Builder getTrustedCaBuilder()
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder,DataSourceOrBuilder> getTrustedCaFieldBuilder()
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
DataSourceOrBuilder getTrustedCaOrBuilder()
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
java.lang.String getVerifyCertificateHash(int index)
    An optional list of hex-encoded SHA-256 hashes.
com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)
    An optional list of hex-encoded SHA-256 hashes.
int getVerifyCertificateHashCount()
    An optional list of hex-encoded SHA-256 hashes.
com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()
    An optional list of hex-encoded SHA-256 hashes.
java.lang.String getVerifyCertificateSpki(int index)
    An optional list of base64-encoded SHA-256 hashes.
com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)
    An optional list of base64-encoded SHA-256 hashes.
int getVerifyCertificateSpkiCount()
    An optional list of base64-encoded SHA-256 hashes.
com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()
    An optional list of base64-encoded SHA-256 hashes.
WatchedDirectory getWatchedDirectory()
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.
WatchedDirectory.Builder getWatchedDirectoryBuilder()
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.
private com.google.protobuf.SingleFieldBuilder<WatchedDirectory,WatchedDirectory.Builder,WatchedDirectoryOrBuilder> getWatchedDirectoryFieldBuilder()
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.
WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.
boolean hasCaCertificateProviderInstance()
    Certificate provider instance for fetching TLS certificates.
boolean hasCrl()
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
boolean hasCustomValidatorConfig()
    The configuration of an extension specific certificate validator.
boolean hasMaxVerifyDepth()
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
boolean hasRequireSignedCertificateTimestamp()
    [#not-implemented-hide:] Must present signed certificate time-stamp.
boolean hasSystemRootCerts()
    Use system root certs for validation.
boolean hasTrustedCa()
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
boolean hasWatchedDirectory()
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.
protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
boolean isInitialized()
private void maybeForceBuilderInitialization()
CertificateValidationContext.Builder mergeCaCertificateProviderInstance(CertificateProviderPluginInstance value)
    Certificate provider instance for fetching TLS certificates.
CertificateValidationContext.Builder mergeCrl(DataSource value)
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
CertificateValidationContext.Builder mergeCustomValidatorConfig(TypedExtensionConfig value)
    The configuration of an extension specific certificate validator.
CertificateValidationContext.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
CertificateValidationContext.Builder mergeFrom(com.google.protobuf.Message other)
CertificateValidationContext.Builder mergeFrom(CertificateValidationContext other)
CertificateValidationContext.Builder mergeMaxVerifyDepth(com.google.protobuf.UInt32Value value)
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
CertificateValidationContext.Builder mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
    [#not-implemented-hide:] Must present signed certificate time-stamp.
CertificateValidationContext.Builder mergeSystemRootCerts(CertificateValidationContext.SystemRootCerts value)
    Use system root certs for validation.
CertificateValidationContext.Builder mergeTrustedCa(DataSource value)
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
CertificateValidationContext.Builder mergeWatchedDirectory(WatchedDirectory value)
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.
CertificateValidationContext.Builder removeMatchSubjectAltNames(int index)
    Deprecated.
CertificateValidationContext.Builder removeMatchTypedSubjectAltNames(int index)
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder setAllowExpiredCertificate(boolean value)
    If specified, Envoy will not reject expired certificates.
CertificateValidationContext.Builder setCaCertificateProviderInstance(CertificateProviderPluginInstance value)
    Certificate provider instance for fetching TLS certificates.
CertificateValidationContext.Builder setCaCertificateProviderInstance(CertificateProviderPluginInstance.Builder builderForValue)
    Certificate provider instance for fetching TLS certificates.
CertificateValidationContext.Builder setCrl(DataSource value)
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
CertificateValidationContext.Builder setCrl(DataSource.Builder builderForValue)
    An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
CertificateValidationContext.Builder setCustomValidatorConfig(TypedExtensionConfig value)
    The configuration of an extension specific certificate validator.
CertificateValidationContext.Builder setCustomValidatorConfig(TypedExtensionConfig.Builder builderForValue)
    The configuration of an extension specific certificate validator.
CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher value)
    Deprecated.
CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)
    Deprecated.
CertificateValidationContext.Builder setMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher value)
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder setMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher.Builder builderForValue)
    An optional list of Subject Alternative name matchers.
CertificateValidationContext.Builder setMaxVerifyDepth(com.google.protobuf.UInt32Value value)
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
CertificateValidationContext.Builder setMaxVerifyDepth(com.google.protobuf.UInt32Value.Builder builderForValue)
    Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
CertificateValidationContext.Builder setOnlyVerifyLeafCertCrl(boolean value)
    If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
    [#not-implemented-hide:] Must present signed certificate time-stamp.
CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue)
    [#not-implemented-hide:] Must present signed certificate time-stamp.
CertificateValidationContext.Builder setSystemRootCerts(CertificateValidationContext.SystemRootCerts value)
    Use system root certs for validation.
CertificateValidationContext.Builder setSystemRootCerts(CertificateValidationContext.SystemRootCerts.Builder builderForValue)
    Use system root certs for validation.
CertificateValidationContext.Builder setTrustChainVerification(CertificateValidationContext.TrustChainVerification value)
    Certificate trust chain verification mode.
CertificateValidationContext.Builder setTrustChainVerificationValue(int value)
    Certificate trust chain verification mode.
CertificateValidationContext.Builder setTrustedCa(DataSource value)
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
CertificateValidationContext.Builder setTrustedCa(DataSource.Builder builderForValue)
    TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
CertificateValidationContext.Builder setVerifyCertificateHash(int index, java.lang.String value)
    An optional list of hex-encoded SHA-256 hashes.
CertificateValidationContext.Builder setVerifyCertificateSpki(int index, java.lang.String value)
    An optional list of base64-encoded SHA-256 hashes.
CertificateValidationContext.Builder setWatchedDirectory(WatchedDirectory value)
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.
CertificateValidationContext.Builder setWatchedDirectory(WatchedDirectory.Builder builderForValue)
    If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch.

Methods inherited from class com.google.protobuf.GeneratedMessage.Builder
  addRepeatedField, clearField, clearOneof, clone, getAllFields, getField, getFieldBuilder, getOneofFieldDescriptor, getParentForChildren, getRepeatedField, getRepeatedFieldBuilder, getRepeatedFieldCount, getUnknownFields, getUnknownFieldSetBuilder, hasField, hasOneof, internalGetMapField, internalGetMapFieldReflection, internalGetMutableMapField, internalGetMutableMapFieldReflection, isClean, markClean, mergeUnknownFields, mergeUnknownLengthDelimitedField, mergeUnknownVarintField, newBuilderForField, onBuilt, onChanged, parseUnknownField, setField, setRepeatedField, setUnknownFields, setUnknownFieldSetBuilder, setUnknownFieldsProto3

Methods inherited from class com.google.protobuf.AbstractMessage.Builder
  findInitializationErrors, getInitializationErrorString, internalMergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, newUninitializedMessageException, toString

Methods inherited from class com.google.protobuf.AbstractMessageLite.Builder
  addAll, addAll, mergeDelimitedFrom, mergeDelimitedFrom, mergeFrom, newUninitializedMessageException

Methods inherited from class java.lang.Object
  equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

bitField0_
private int bitField0_

trustedCa_
private DataSource trustedCa_

trustedCaBuilder_
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder,DataSourceOrBuilder> trustedCaBuilder_

caCertificateProviderInstance_
private CertificateProviderPluginInstance caCertificateProviderInstance_

caCertificateProviderInstanceBuilder_
private com.google.protobuf.SingleFieldBuilder<CertificateProviderPluginInstance,CertificateProviderPluginInstance.Builder,CertificateProviderPluginInstanceOrBuilder> caCertificateProviderInstanceBuilder_

systemRootCerts_
private CertificateValidationContext.SystemRootCerts systemRootCerts_

systemRootCertsBuilder_
private com.google.protobuf.SingleFieldBuilder<CertificateValidationContext.SystemRootCerts,CertificateValidationContext.SystemRootCerts.Builder,CertificateValidationContext.SystemRootCertsOrBuilder> systemRootCertsBuilder_

watchedDirectory_
private WatchedDirectory watchedDirectory_

watchedDirectoryBuilder_
private com.google.protobuf.SingleFieldBuilder<WatchedDirectory,WatchedDirectory.Builder,WatchedDirectoryOrBuilder> watchedDirectoryBuilder_

verifyCertificateSpki_
private com.google.protobuf.LazyStringArrayList verifyCertificateSpki_

verifyCertificateHash_
private com.google.protobuf.LazyStringArrayList verifyCertificateHash_

matchTypedSubjectAltNames_
private java.util.List<SubjectAltNameMatcher> matchTypedSubjectAltNames_

matchTypedSubjectAltNamesBuilder_
private com.google.protobuf.RepeatedFieldBuilder<SubjectAltNameMatcher,SubjectAltNameMatcher.Builder,SubjectAltNameMatcherOrBuilder> matchTypedSubjectAltNamesBuilder_

matchSubjectAltNames_
private java.util.List<StringMatcher> matchSubjectAltNames_

matchSubjectAltNamesBuilder_
private com.google.protobuf.RepeatedFieldBuilder<StringMatcher,StringMatcher.Builder,StringMatcherOrBuilder> matchSubjectAltNamesBuilder_

requireSignedCertificateTimestamp_
private com.google.protobuf.BoolValue requireSignedCertificateTimestamp_

requireSignedCertificateTimestampBuilder_
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.BoolValue,com.google.protobuf.BoolValue.Builder,com.google.protobuf.BoolValueOrBuilder> requireSignedCertificateTimestampBuilder_

crl_
private DataSource crl_

crlBuilder_
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder,DataSourceOrBuilder> crlBuilder_

allowExpiredCertificate_
private boolean allowExpiredCertificate_

trustChainVerification_
private int trustChainVerification_

customValidatorConfig_
private TypedExtensionConfig customValidatorConfig_

customValidatorConfigBuilder_
private com.google.protobuf.SingleFieldBuilder<TypedExtensionConfig,TypedExtensionConfig.Builder,TypedExtensionConfigOrBuilder> customValidatorConfigBuilder_

onlyVerifyLeafCertCrl_
private boolean onlyVerifyLeafCertCrl_

maxVerifyDepth_
private com.google.protobuf.UInt32Value maxVerifyDepth_

maxVerifyDepthBuilder_
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.UInt32Value,com.google.protobuf.UInt32Value.Builder,com.google.protobuf.UInt32ValueOrBuilder> maxVerifyDepthBuilder_

Method Detail

getDescriptor
public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

internalGetFieldAccessorTable
protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
  Specified by: internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>

maybeForceBuilderInitialization
private void maybeForceBuilderInitialization()

clear
public CertificateValidationContext.Builder clear()
  Specified by: clear in interface com.google.protobuf.Message.Builder
  Specified by: clear in interface com.google.protobuf.MessageLite.Builder
  Overrides: clear in class com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>

getDescriptorForType
public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
  Specified by: getDescriptorForType in interface com.google.protobuf.Message.Builder
  Specified by: getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
  Overrides: getDescriptorForType in class com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>

getDefaultInstanceForType
public CertificateValidationContext getDefaultInstanceForType()
  Specified by: getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
  Specified by: getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

build
public CertificateValidationContext build()
  Specified by: build in interface com.google.protobuf.Message.Builder
  Specified by: build in interface com.google.protobuf.MessageLite.Builder

buildPartial
public CertificateValidationContext buildPartial()
  Specified by: buildPartial in interface com.google.protobuf.Message.Builder
  Specified by: buildPartial in interface com.google.protobuf.MessageLite.Builder

buildPartialRepeatedFields
private void buildPartialRepeatedFields(CertificateValidationContext result)

buildPartial0
private void buildPartial0(CertificateValidationContext result)

mergeFrom
public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.Message other)
  Specified by: mergeFrom in interface com.google.protobuf.Message.Builder
  Overrides: mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>

mergeFrom
public CertificateValidationContext.Builder mergeFrom(CertificateValidationContext other)

isInitialized
public final boolean isInitialized()
  Specified by: isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
  Overrides: isInitialized in class com.google.protobuf.GeneratedMessage.Builder<CertificateValidationContext.Builder>

mergeFrom
public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws java.io.IOException
  Specified by: mergeFrom in interface com.google.protobuf.Message.Builder
  Specified by: mergeFrom in interface com.google.protobuf.MessageLite.Builder
  Overrides: mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>
  Throws: java.io.IOException

hasTrustedCa
public boolean hasTrustedCa()
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
hasTrustedCa
in interface CertificateValidationContextOrBuilder
- Returns:
- Whether the trustedCa field is set.
-
getTrustedCa
public DataSource getTrustedCa()
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getTrustedCa
in interface CertificateValidationContextOrBuilder
- Returns:
- The trustedCa.
-
setTrustedCa
public CertificateValidationContext.Builder setTrustedCa(DataSource value)
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
setTrustedCa
public CertificateValidationContext.Builder setTrustedCa(DataSource.Builder builderForValue)
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
mergeTrustedCa
public CertificateValidationContext.Builder mergeTrustedCa(DataSource value)
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
clearTrustedCa
public CertificateValidationContext.Builder clearTrustedCa()
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
getTrustedCaBuilder
public DataSource.Builder getTrustedCaBuilder()
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
getTrustedCaOrBuilder
public DataSourceOrBuilder getTrustedCaOrBuilder()
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getTrustedCaOrBuilder
in interface CertificateValidationContextOrBuilder
-
getTrustedCaFieldBuilder
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder,DataSourceOrBuilder> getTrustedCaFieldBuilder()
TLS certificate data containing the certificate authority (CA) certificates used to verify a presented peer certificate (e.g. the server certificate for clusters or the client certificate for listeners). If not specified and a peer certificate is presented, that certificate will not be verified. By default, a client certificate is optional unless one of the additional options (:ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also specified. The data may also contain certificate revocation lists (CRLs), in which case Envoy verifies that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for every certificate authority in that chain; otherwise verification fails for both revoked and unrevoked certificates from that chain. This requirement can be relaxed by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true, in which case only the final (leaf) certificate in the chain undergoes CRL verification. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
If ``trusted_ca`` is a filesystem path, a watch is added to its parent directory for file moves so that the CA bundle can be rotated; this currently applies only to dynamic secrets, i.e. when the ``CertificateValidationContext`` is delivered via SDS. ``X509_V_FLAG_PARTIAL_CHAIN`` is set by default, so a non-root (intermediate) CA certificate in ``trusted_ca`` is treated as a trust anchor as well: verification succeeds when a valid partial chain can be built to it, without requiring a full chain up to a self-signed root. If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
.envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
-
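The following is an added example, not code from this page or from the Envoy project. It composes a validation context with the builder documented here and adds a pre-flight lint that mirrors the precedence the field docs state (``ca_certificate_provider_instance`` over ``trusted_ca`` over ``system_root_certs``) and flags a context that never verifies the peer. The file path, DNS name and provider instance name are assumptions; ``trust_chain_verification`` and the SPKI/hash pin lists are sibling fields of the same message that this section does not describe; and the provider-instance and system-root fields are marked not implemented on this page, so the lint reflects the documented precedence, not verified runtime behaviour.

```java
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;

/** Added example: build peer-validation contexts and lint them for the "peer is never verified" case. */
public final class ValidationContextLint {

  /** Where Envoy takes its trust anchors from, in the precedence order the field docs give. */
  enum TrustSource { CA_PROVIDER_INSTANCE, TRUSTED_CA, SYSTEM_ROOT_CERTS, NONE }

  static TrustSource trustSourceOf(CertificateValidationContext ctx) {
    if (ctx.hasCaCertificateProviderInstance()) {
      return TrustSource.CA_PROVIDER_INSTANCE;   // documented to take precedence over trusted_ca
    }
    if (ctx.hasTrustedCa()) {
      return TrustSource.TRUSTED_CA;
    }
    if (ctx.hasSystemRootCerts()) {
      return TrustSource.SYSTEM_ROOT_CERTS;      // consulted only when the two fields above are absent
    }
    return TrustSource.NONE;
  }

  /**
   * True only if a presented peer certificate will actually be checked against something.
   * With no trust anchor and no SPKI/hash pin the docs say the certificate "will not be verified".
   * SAN matchers are deliberately not counted: without a trust anchor no chain is ever validated,
   * so a matching SAN proves nothing about who holds the key.
   */
  static boolean verifiesPeer(CertificateValidationContext ctx) {
    boolean pinned = ctx.getVerifyCertificateSpkiCount() > 0 || ctx.getVerifyCertificateHashCount() > 0;
    boolean acceptsUntrusted =
        ctx.getTrustChainVerification() == TrustChainVerification.ACCEPT_UNTRUSTED;
    return !acceptsUntrusted && (trustSourceOf(ctx) != TrustSource.NONE || pinned);
  }

  /** Constructed example: an mTLS-client context for an upstream cluster behind a private CA. */
  static CertificateValidationContext hardenedUpstreamContext() {
    return CertificateValidationContext.newBuilder()
        // Private CA bundle (path is an assumption). The PEM may also carry CRLs; if it does, every CA
        // in the chain needs one unless only_verify_leaf_cert_crl restricts the check to the leaf.
        .setTrustedCa(DataSource.newBuilder().setFilename("/etc/envoy/certs/internal-ca.pem"))
        .setOnlyVerifyLeafCertCrl(true)
        // Bind the chain to one identity rather than "anything this CA ever signed".
        .addMatchTypedSubjectAltNames(SubjectAltNameMatcher.newBuilder()
            .setSanType(SubjectAltNameMatcher.SanType.DNS)
            .setMatcher(StringMatcher.newBuilder().setExact("payments.internal.example")))
        .build();
  }

  public static void main(String[] args) {
    CertificateValidationContext good = hardenedUpstreamContext();
    // An empty context is the common "TLS, but the peer is never verified" upstream configuration.
    CertificateValidationContext empty = CertificateValidationContext.getDefaultInstance();
    System.out.println("hardened: source=" + trustSourceOf(good) + " verifiesPeer=" + verifiesPeer(good));
    System.out.println("empty   : source=" + trustSourceOf(empty) + " verifiesPeer=" + verifiesPeer(empty));

    // Adding a provider instance (name is an assumption; the page marks the field not implemented)
    // changes the reported trust source even though trusted_ca is still set.
    CertificateValidationContext both = good.toBuilder()
        .setCaCertificateProviderInstance(CertificateProviderPluginInstance.newBuilder()
            .setInstanceName("mesh-ca-provider").setCertificateName("ROOTCA"))
        .build();
    System.out.println("both set: source=" + trustSourceOf(both));

    if (!verifiesPeer(empty)) {
      System.err.println("refusing to ship a CertificateValidationContext that never verifies the peer");
    }
  }
}
```

Run the lint on every ``CertificateValidationContext`` the control plane is about to push over SDS; a context that reports ``NONE`` with no pins should be treated as a plaintext-equivalent hop as far as peer identity goes, whatever the rest of the TLS settings say.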
hasCaCertificateProviderInstance
public boolean hasCaCertificateProviderInstance()
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
hasCaCertificateProviderInstance
in interface CertificateValidationContextOrBuilder
- Returns:
- Whether the caCertificateProviderInstance field is set.
-
getCaCertificateProviderInstance
public CertificateProviderPluginInstance getCaCertificateProviderInstance()
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getCaCertificateProviderInstance
in interface CertificateValidationContextOrBuilder
- Returns:
- The caCertificateProviderInstance.
-
setCaCertificateProviderInstance
public CertificateValidationContext.Builder setCaCertificateProviderInstance(CertificateProviderPluginInstance value)
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
setCaCertificateProviderInstance
public CertificateValidationContext.Builder setCaCertificateProviderInstance(CertificateProviderPluginInstance.Builder builderForValue)
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
mergeCaCertificateProviderInstance
public CertificateValidationContext.Builder mergeCaCertificateProviderInstance(CertificateProviderPluginInstance value)
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
clearCaCertificateProviderInstance
public CertificateValidationContext.Builder clearCaCertificateProviderInstance()
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
getCaCertificateProviderInstanceBuilder
public CertificateProviderPluginInstance.Builder getCaCertificateProviderInstanceBuilder()
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
getCaCertificateProviderInstanceOrBuilder
public CertificateProviderPluginInstanceOrBuilder getCaCertificateProviderInstanceOrBuilder()
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
- Specified by:
getCaCertificateProviderInstanceOrBuilder
in interface CertificateValidationContextOrBuilder
-
getCaCertificateProviderInstanceFieldBuilder
private com.google.protobuf.SingleFieldBuilder<CertificateProviderPluginInstance,CertificateProviderPluginInstance.Builder,CertificateProviderPluginInstanceOrBuilder> getCaCertificateProviderInstanceFieldBuilder()
Certificate provider instance for fetching the CA certificates used to verify the peer. If set, it takes precedence over ``trusted_ca``. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
-
hasSystemRootCerts
public boolean hasSystemRootCerts()
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
hasSystemRootCerts
in interface CertificateValidationContextOrBuilder
- Returns:
- Whether the systemRootCerts field is set.
-
getSystemRootCerts
public CertificateValidationContext.SystemRootCerts getSystemRootCerts()
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
getSystemRootCerts
in interface CertificateValidationContextOrBuilder
- Returns:
- The systemRootCerts.
-
setSystemRootCerts
public CertificateValidationContext.Builder setSystemRootCerts(CertificateValidationContext.SystemRootCerts value)
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
setSystemRootCerts
public CertificateValidationContext.Builder setSystemRootCerts(CertificateValidationContext.SystemRootCerts.Builder builderForValue)
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
mergeSystemRootCerts
public CertificateValidationContext.Builder mergeSystemRootCerts(CertificateValidationContext.SystemRootCerts value)
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
clearSystemRootCerts
public CertificateValidationContext.Builder clearSystemRootCerts()
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
getSystemRootCertsBuilder
public CertificateValidationContext.SystemRootCerts.Builder getSystemRootCertsBuilder()
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
getSystemRootCertsOrBuilder
public CertificateValidationContext.SystemRootCertsOrBuilder getSystemRootCertsOrBuilder()
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
- Specified by:
getSystemRootCertsOrBuilder
in interface CertificateValidationContextOrBuilder
-
getSystemRootCertsFieldBuilder
private com.google.protobuf.SingleFieldBuilder<CertificateValidationContext.SystemRootCerts,CertificateValidationContext.SystemRootCerts.Builder,CertificateValidationContext.SystemRootCertsOrBuilder> getSystemRootCertsFieldBuilder()
Use the system root certificates for validation. If present, they are consulted only when neither ``trusted_ca`` nor ``ca_certificate_provider_instance`` is set. The ``[#not-implemented-hide:]`` marker is Envoy's annotation for a field that is not yet implemented and is therefore hidden from the generated API reference.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts system_root_certs = 17;
-
hasWatchedDirectory
public boolean hasWatchedDirectory()
If specified, updates to a file-based ``trusted_ca`` source are triggered by this watch. This gives explicit control over the path watched; when the field is unset, the parent directory of the filesystem path in ``trusted_ca`` is watched instead. It only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
hasWatchedDirectory
in interface CertificateValidationContextOrBuilder
- Returns:
- Whether the watchedDirectory field is set.
-
getWatchedDirectory
public WatchedDirectory getWatchedDirectory()
If specified, updates to a file-based ``trusted_ca`` source are triggered by this watch. This gives explicit control over the path watched; when the field is unset, the parent directory of the filesystem path in ``trusted_ca`` is watched instead. It only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
getWatchedDirectory
in interface CertificateValidationContextOrBuilder
- Returns:
- The watchedDirectory.
-
setWatchedDirectory
public CertificateValidationContext.Builder setWatchedDirectory(WatchedDirectory value)
If specified, updates to a file-based ``trusted_ca`` source are triggered by this watch. This gives explicit control over the path watched; when the field is unset, the parent directory of the filesystem path in ``trusted_ca`` is watched instead. It only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
setWatchedDirectory
public CertificateValidationContext.Builder setWatchedDirectory(WatchedDirectory.Builder builderForValue)
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched; by default, if this field is not specified, the parent directory of the filesystem path in ``trusted_ca`` is watched. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
mergeWatchedDirectory
public CertificateValidationContext.Builder mergeWatchedDirectory(WatchedDirectory value)
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched; by default, if this field is not specified, the parent directory of the filesystem path in ``trusted_ca`` is watched. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
clearWatchedDirectory
public CertificateValidationContext.Builder clearWatchedDirectory()
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched; by default, if this field is not specified, the parent directory of the filesystem path in ``trusted_ca`` is watched. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
getWatchedDirectoryBuilder
public WatchedDirectory.Builder getWatchedDirectoryBuilder()
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched; by default, if this field is not specified, the parent directory of the filesystem path in ``trusted_ca`` is watched. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
getWatchedDirectoryOrBuilder
public WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched; by default, if this field is not specified, the parent directory of the filesystem path in ``trusted_ca`` is watched. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
- Specified by:
getWatchedDirectoryOrBuilder
in interface CertificateValidationContextOrBuilder
-
getWatchedDirectoryFieldBuilder
private com.google.protobuf.SingleFieldBuilder<WatchedDirectory,WatchedDirectory.Builder,WatchedDirectoryOrBuilder> getWatchedDirectoryFieldBuilder()
If specified, updates of a file-based ``trusted_ca`` source will be triggered by this watch. This allows explicit control over the path watched; by default, if this field is not specified, the parent directory of the filesystem path in ``trusted_ca`` is watched. This only applies when a ``CertificateValidationContext`` is delivered by SDS with references to filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` documentation for further details.
.envoy.config.core.v3.WatchedDirectory watched_directory = 11;
-
ensureVerifyCertificateSpkiIsMutable
private void ensureVerifyCertificateSpkiIsMutable()
-
getVerifyCertificateSpkiList
public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiList
in interface CertificateValidationContextOrBuilder
- Returns:
- A list containing the verifyCertificateSpki.
-
getVerifyCertificateSpkiCount
public int getVerifyCertificateSpkiCount()
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiCount
in interface CertificateValidationContextOrBuilder
- Returns:
- The count of verifyCertificateSpki.
-
getVerifyCertificateSpki
public java.lang.String getVerifyCertificateSpki(int index)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpki
in interface CertificateValidationContextOrBuilder
- Parameters:
index
- The index of the element to return.
- Returns:
- The verifyCertificateSpki at the given index.
-
getVerifyCertificateSpkiBytes
public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateSpkiBytes
in interface CertificateValidationContextOrBuilder
- Parameters:
index
- The index of the value to return.
- Returns:
- The bytes of the verifyCertificateSpki at the given index.
-
setVerifyCertificateSpki
public CertificateValidationContext.Builder setVerifyCertificateSpki(int index, java.lang.String value)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
index
- The index to set the value at.
value
- The verifyCertificateSpki to set.
- Returns:
- This builder for chaining.
-
addVerifyCertificateSpki
public CertificateValidationContext.Builder addVerifyCertificateSpki(java.lang.String value)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
value
- The verifyCertificateSpki to add.
- Returns:
- This builder for chaining.
-
addAllVerifyCertificateSpki
public CertificateValidationContext.Builder addAllVerifyCertificateSpki(java.lang.Iterable<java.lang.String> values)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
values
- The verifyCertificateSpki to add.
- Returns:
- This builder for chaining.
-
clearVerifyCertificateSpki
public CertificateValidationContext.Builder clearVerifyCertificateSpki()
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Returns:
- This builder for chaining.
-
addVerifyCertificateSpkiBytes
public CertificateValidationContext.Builder addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.

A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
  NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

This is the format used in HTTP Public Key Pinning.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.

.. attention::

  This option is preferred over :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, because SPKI is tied to a private key, so it doesn't change when the certificate is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
- Parameters:
value
- The bytes of the verifyCertificateSpki to add.
- Returns:
- This builder for chaining.
-
ensureVerifyCertificateHashIsMutable
private void ensureVerifyCertificateHashIsMutable()
-
getVerifyCertificateHashList
public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashList
in interface CertificateValidationContextOrBuilder
- Returns:
- A list containing the verifyCertificateHash.
-
getVerifyCertificateHashCount
public int getVerifyCertificateHashCount()
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashCount
in interface CertificateValidationContextOrBuilder
- Returns:
- The count of verifyCertificateHash.
-
getVerifyCertificateHash
public java.lang.String getVerifyCertificateHash(int index)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHash
in interface CertificateValidationContextOrBuilder
- Parameters:
index
- The index of the element to return.
- Returns:
- The verifyCertificateHash at the given index.
-
getVerifyCertificateHashBytes
public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Specified by:
getVerifyCertificateHashBytes
in interface CertificateValidationContextOrBuilder
- Parameters:
index
- The index of the value to return.
- Returns:
- The bytes of the verifyCertificateHash at the given index.
-
setVerifyCertificateHash
public CertificateValidationContext.Builder setVerifyCertificateHash(int index, java.lang.String value)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
index
- The index to set the value at.
value
- The verifyCertificateHash to set.
- Returns:
- This builder for chaining.
-
addVerifyCertificateHash
public CertificateValidationContext.Builder addVerifyCertificateHash(java.lang.String value)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
value
- The verifyCertificateHash to add.
- Returns:
- This builder for chaining.
-
addAllVerifyCertificateHash
public CertificateValidationContext.Builder addAllVerifyCertificateHash(java.lang.Iterable<java.lang.String> values)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
values
- The verifyCertificateHash to add.
- Returns:
- This builder for chaining.
-
clearVerifyCertificateHash
public CertificateValidationContext.Builder clearVerifyCertificateHash()
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Returns:
- This builder for chaining.
-
addVerifyCertificateHashBytes
public CertificateValidationContext.Builder addVerifyCertificateHashBytes(com.google.protobuf.ByteString value)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
  df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate can be generated with the following command:

.. code-block:: bash

  $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
  DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable. Because this hash covers the whole DER-encoded certificate, it changes on every renewal even when the private key is kept, which is why ``verify_certificate_spki`` is the preferred pin.

When both :ref:`verify_certificate_hash <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and :ref:`verify_certificate_spki <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, a hash matching a value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
- Parameters:
value
- The bytes of the verifyCertificateHash to add.
- Returns:
- This builder for chaining.
-
ensureMatchTypedSubjectAltNamesIsMutable
private void ensureMatchTypedSubjectAltNamesIsMutable()
-
getMatchTypedSubjectAltNamesList
public java.util.List<SubjectAltNameMatcher> getMatchTypedSubjectAltNamesList()
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesList
in interface CertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNamesCount
public int getMatchTypedSubjectAltNamesCount()
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesCount
in interface CertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNames
public SubjectAltNameMatcher getMatchTypedSubjectAltNames(int index)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNames
in interface CertificateValidationContextOrBuilder
-
setMatchTypedSubjectAltNames
public CertificateValidationContext.Builder setMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher value)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
setMatchTypedSubjectAltNames
public CertificateValidationContext.Builder setMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher.Builder builderForValue)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addMatchTypedSubjectAltNames(SubjectAltNameMatcher value)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher value)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addMatchTypedSubjectAltNames(SubjectAltNameMatcher.Builder builderForValue)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addMatchTypedSubjectAltNames(int index, SubjectAltNameMatcher.Builder builderForValue)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addAllMatchTypedSubjectAltNames
public CertificateValidationContext.Builder addAllMatchTypedSubjectAltNames(java.lang.Iterable<? extends SubjectAltNameMatcher> values)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
clearMatchTypedSubjectAltNames
public CertificateValidationContext.Builder clearMatchTypedSubjectAltNames()
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
removeMatchTypedSubjectAltNames
public CertificateValidationContext.Builder removeMatchTypedSubjectAltNames(int index)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesBuilder
public SubjectAltNameMatcher.Builder getMatchTypedSubjectAltNamesBuilder(int index)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesOrBuilder
public SubjectAltNameMatcherOrBuilder getMatchTypedSubjectAltNamesOrBuilder(int index)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesOrBuilder
in interface CertificateValidationContextOrBuilder
-
getMatchTypedSubjectAltNamesOrBuilderList
public java.util.List<? extends SubjectAltNameMatcherOrBuilder> getMatchTypedSubjectAltNamesOrBuilderList()
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
- Specified by:
getMatchTypedSubjectAltNamesOrBuilderList
in interface CertificateValidationContextOrBuilder
-
addMatchTypedSubjectAltNamesBuilder
public SubjectAltNameMatcher.Builder addMatchTypedSubjectAltNamesBuilder()
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
addMatchTypedSubjectAltNamesBuilder
public SubjectAltNameMatcher.Builder addMatchTypedSubjectAltNamesBuilder(int index)
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesBuilderList
public java.util.List<SubjectAltNameMatcher.Builder> getMatchTypedSubjectAltNamesBuilderList()
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is matched. When a certificate has wildcard DNS SAN entries, to match a specific client it should be configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. For example, if the certificate has "*.example.com" as DNS SAN entry, to allow only "api.example.com" it should be configured as shown below.

.. code-block:: yaml

   match_typed_subject_alt_names:
   - san_type: DNS
     matcher:
       exact: "api.example.com"

.. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;
-
getMatchTypedSubjectAltNamesFieldBuilder
private com.google.protobuf.RepeatedFieldBuilder<SubjectAltNameMatcher,SubjectAltNameMatcher.Builder,SubjectAltNameMatcherOrBuilder> getMatchTypedSubjectAltNamesFieldBuilder()
-
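As an added example (not code from this page or from the Envoy project), the following Java snippet uses this builder to construct a CertificateValidationContext that anchors trust in a CA bundle, restricts the DNS SAN to one exact name as the wildcard note above recommends, and pins the presented certificate by its SHA-256 hash. The DataSource import path, the SanType enum constant and the setTrustedCa/addVerifyCertificateHash setter names are assumed from the generated Envoy v3 API; the CA path and hash value are constructed placeholders.

```java
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;

/** Hypothetical helper, not part of Envoy; builds a strict client-cert validation context. */
public final class ClientCertValidationExample {

    /**
     * Builds a validation context that
     *  - chains the presented certificate to the CA bundle at caBundlePath (trusted_ca,
     *    required whenever SAN matching is used),
     *  - accepts only a DNS SAN exactly equal to allowedDnsSan (an exact matcher, so a
     *    wildcard certificate for *.example.com passes for that single name only), and
     *  - additionally pins the certificate by SHA-256 (verify_certificate_hash).
     * pinnedHashes may use either the plain hex form or the colon-separated fingerprint
     * form; a match on any listed value satisfies the hash check.
     */
    public static CertificateValidationContext build(String caBundlePath,
                                                     String allowedDnsSan,
                                                     String... pinnedHashes) {
        // Exact matcher: Envoy compares the SAN string literally, no wildcard expansion.
        StringMatcher exactDns = StringMatcher.newBuilder()
            .setExact(allowedDnsSan)
            .build();

        // Typed SAN matcher (field 15); san_type DNS limits the check to DNS entries.
        // SanType.DNS is assumed from the Envoy v3 SubjectAltNameMatcher enum.
        SubjectAltNameMatcher dnsSan = SubjectAltNameMatcher.newBuilder()
            .setSanType(SubjectAltNameMatcher.SanType.DNS)
            .setMatcher(exactDns)
            .build();

        CertificateValidationContext.Builder ctx = CertificateValidationContext.newBuilder()
            // trusted_ca is the actual trust anchor; SAN matching alone is insecure.
            .setTrustedCa(DataSource.newBuilder().setFilename(caBundlePath).build())
            .addMatchTypedSubjectAltNames(dnsSan);

        // Each hash is a hex SHA-256 of the DER certificate, in either accepted format.
        for (String hash : pinnedHashes) {
            ctx.addVerifyCertificateHash(hash);
        }
        return ctx.build();
    }

    public static void main(String[] args) {
        // Constructed placeholder values; the hash is the one shown in the field docs.
        CertificateValidationContext ctx = build(
            "/etc/envoy/certs/ca-bundle.pem",
            "api.example.com",
            "df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a");
        // Text-format dump of the proto, useful for eyeballing the resulting config.
        System.out.println(ctx);
    }
}
```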
ensureMatchSubjectAltNamesIsMutable
private void ensureMatchSubjectAltNamesIsMutable()
-
getMatchSubjectAltNamesList
@Deprecated public java.util.List<StringMatcher> getMatchSubjectAltNamesList()
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesList
in interface CertificateValidationContextOrBuilder
-
getMatchSubjectAltNamesCount
@Deprecated public int getMatchSubjectAltNamesCount()
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesCount
in interface CertificateValidationContextOrBuilder
-
getMatchSubjectAltNames
@Deprecated public StringMatcher getMatchSubjectAltNames(int index)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNames
in interface CertificateValidationContextOrBuilder
-
setMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher value)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
setMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher value)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher value)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher.Builder builderForValue)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addAllMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder addAllMatchSubjectAltNames(java.lang.Iterable<? extends StringMatcher> values)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
clearMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder clearMatchSubjectAltNames()
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
removeMatchSubjectAltNames
@Deprecated public CertificateValidationContext.Builder removeMatchSubjectAltNames(int index)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesBuilder
@Deprecated public StringMatcher.Builder getMatchSubjectAltNamesBuilder(int index)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesOrBuilder
@Deprecated public StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(int index)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesOrBuilder
in interface CertificateValidationContextOrBuilder
-
getMatchSubjectAltNamesOrBuilderList
@Deprecated public java.util.List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
- Specified by:
getMatchSubjectAltNamesOrBuilderList
in interface CertificateValidationContextOrBuilder
-
addMatchSubjectAltNamesBuilder
@Deprecated public StringMatcher.Builder addMatchSubjectAltNamesBuilder()
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
addMatchSubjectAltNamesBuilder
@Deprecated public StringMatcher.Builder addMatchSubjectAltNamesBuilder(int index)
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesBuilderList
@Deprecated public java.util.List<StringMatcher.Builder> getMatchSubjectAltNamesBuilderList()
Deprecated. This field is deprecated in favor of :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. Note that if both this field and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated field) is ignored.
repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];
-
getMatchSubjectAltNamesFieldBuilder
private com.google.protobuf.RepeatedFieldBuilder<StringMatcher,StringMatcher.Builder,StringMatcherOrBuilder> getMatchSubjectAltNamesFieldBuilder()
-
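The migration the deprecation note above asks for, as an added example that is not part of the Envoy Java bindings or of the Envoy project: the same name patterns expressed first with the deprecated untyped matchers and then with match_typed_subject_alt_names, where each pattern is bound to the SAN type it is meant for. The CA path, hostnames and SPIFFE prefix are assumed placeholders. A typed matcher is only compared against SANs of its declared type, so a pattern written for DNS names can no longer be satisfied by a URI or email SAN that happens to contain the same string; the deprecated form has no way to express that restriction. The fullyMigrated check also catches leftover entries in the deprecated field, which are silently ignored once typed matchers are present.

```java
// Added example, not code from the Envoy project or its Java bindings.
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher.SanType;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;

public final class SanMatcherMigration {

    /** The pre-3.0 shape: untyped matchers, compared against SANs regardless of their type. */
    @SuppressWarnings("deprecation")
    static CertificateValidationContext legacy(String caPath) { // caPath: assumed placeholder
        return CertificateValidationContext.newBuilder()
            .setTrustedCa(DataSource.newBuilder().setFilename(caPath))
            // Deprecated API, kept here only to show what is being replaced.
            .addMatchSubjectAltNames(StringMatcher.newBuilder().setExact("backend.internal.example"))
            .addMatchSubjectAltNames(StringMatcher.newBuilder().setSuffix(".svc.cluster.local"))
            .build();
    }

    /** One typed matcher per (SAN type, pattern) pair. */
    static SubjectAltNameMatcher san(SanType type, StringMatcher.Builder matcher) {
        return SubjectAltNameMatcher.newBuilder().setSanType(type).setMatcher(matcher).build();
    }

    /** Same intent as legacy(), but every pattern is bound to the SAN type it is written for. */
    static CertificateValidationContext typed(String caPath) {
        return CertificateValidationContext.newBuilder()
            .setTrustedCa(DataSource.newBuilder().setFilename(caPath))
            .addMatchTypedSubjectAltNames(san(SanType.DNS,
                StringMatcher.newBuilder().setExact("backend.internal.example")))
            .addMatchTypedSubjectAltNames(san(SanType.DNS,
                StringMatcher.newBuilder().setSuffix(".svc.cluster.local")))
            // A workload identity must arrive as a URI SAN; a DNS SAN with this text is not accepted.
            .addMatchTypedSubjectAltNames(san(SanType.URI,
                StringMatcher.newBuilder().setPrefix("spiffe://example.org/ns/prod/")))
            .build();
    }

    /**
     * True when the context relies on typed matchers only. Entries left in the deprecated
     * field alongside typed ones are ignored by Envoy, so they are a sign of an unfinished migration.
     */
    @SuppressWarnings("deprecation")
    static boolean fullyMigrated(CertificateValidationContext ctx) {
        return ctx.getMatchSubjectAltNamesCount() == 0
            && ctx.getMatchTypedSubjectAltNamesCount() > 0;
    }

    public static void main(String[] args) {
        String ca = "/etc/envoy/ca.pem"; // assumed placeholder path
        if (!fullyMigrated(typed(ca))) throw new AssertionError("typed context still uses deprecated field");
        if (fullyMigrated(legacy(ca))) throw new AssertionError("legacy context should not pass");
        System.out.println(typed(ca));
    }
}
```

Run fullyMigrated over every CertificateValidationContext your control plane emits before the deprecated field is removed; a context that still populates match_subject_alt_names next to typed matchers behaves as if the deprecated entries were absent.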
hasRequireSignedCertificateTimestamp
public boolean hasRequireSignedCertificateTimestamp()
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
hasRequireSignedCertificateTimestamp
in interface CertificateValidationContextOrBuilder
- Returns:
- Whether the requireSignedCertificateTimestamp field is set.
-
getRequireSignedCertificateTimestamp
public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
getRequireSignedCertificateTimestamp
in interface CertificateValidationContextOrBuilder
- Returns:
- The requireSignedCertificateTimestamp.
-
setRequireSignedCertificateTimestamp
public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
setRequireSignedCertificateTimestamp
public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue)
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
mergeRequireSignedCertificateTimestamp
public CertificateValidationContext.Builder mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
clearRequireSignedCertificateTimestamp
public CertificateValidationContext.Builder clearRequireSignedCertificateTimestamp()
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
getRequireSignedCertificateTimestampBuilder
public com.google.protobuf.BoolValue.Builder getRequireSignedCertificateTimestampBuilder()
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
getRequireSignedCertificateTimestampOrBuilder
public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
- Specified by:
getRequireSignedCertificateTimestampOrBuilder
in interface CertificateValidationContextOrBuilder
-
getRequireSignedCertificateTimestampFieldBuilder
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.BoolValue,com.google.protobuf.BoolValue.Builder,com.google.protobuf.BoolValueOrBuilder> getRequireSignedCertificateTimestampFieldBuilder()
[#not-implemented-hide:] The peer must present a signed certificate timestamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-
hasCrl
public boolean hasCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
hasCrl
in interface CertificateValidationContextOrBuilder
- Returns:
- Whether the crl field is set.
-
getCrl
public DataSource getCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
getCrl
in interface CertificateValidationContextOrBuilder
- Returns:
- The crl.
-
setCrl
public CertificateValidationContext.Builder setCrl(DataSource value)
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
setCrl
public CertificateValidationContext.Builder setCrl(DataSource.Builder builderForValue)
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
mergeCrl
public CertificateValidationContext.Builder mergeCrl(DataSource value)
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
clearCrl
public CertificateValidationContext.Builder clearCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
getCrlBuilder
public DataSource.Builder getCrlBuilder()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
getCrlOrBuilder
public DataSourceOrBuilder getCrlOrBuilder()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
- Specified by:
getCrlOrBuilder
in interface CertificateValidationContextOrBuilder
-
getCrlFieldBuilder
private com.google.protobuf.SingleFieldBuilder<DataSource,DataSource.Builder,DataSourceOrBuilder> getCrlFieldBuilder()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to true. If ``crl`` is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the ``CertificateValidationContext`` is delivered via SDS.
.envoy.config.core.v3.DataSource crl = 7;
-
getAllowExpiredCertificate
public boolean getAllowExpiredCertificate()
If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
- Specified by:
getAllowExpiredCertificate
in interface CertificateValidationContextOrBuilder
- Returns:
- The allowExpiredCertificate.
-
setAllowExpiredCertificate
public CertificateValidationContext.Builder setAllowExpiredCertificate(boolean value)
If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
- Parameters:
value
- The allowExpiredCertificate to set.
- Returns:
- This builder for chaining.
-
clearAllowExpiredCertificate
public CertificateValidationContext.Builder clearAllowExpiredCertificate()
If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
- Returns:
- This builder for chaining.
-
getTrustChainVerificationValue
public int getTrustChainVerificationValue()
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Specified by:
getTrustChainVerificationValue
in interface CertificateValidationContextOrBuilder
- Returns:
- The enum numeric value on the wire for trustChainVerification.
-
setTrustChainVerificationValue
public CertificateValidationContext.Builder setTrustChainVerificationValue(int value)
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Parameters:
value
- The enum numeric value on the wire for trustChainVerification to set.
- Returns:
- This builder for chaining.
-
getTrustChainVerification
public CertificateValidationContext.TrustChainVerification getTrustChainVerification()
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Specified by:
getTrustChainVerification
in interface CertificateValidationContextOrBuilder
- Returns:
- The trustChainVerification.
-
setTrustChainVerification
public CertificateValidationContext.Builder setTrustChainVerification(CertificateValidationContext.TrustChainVerification value)
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Parameters:
value
- The trustChainVerification to set.
- Returns:
- This builder for chaining.
-
clearTrustChainVerification
public CertificateValidationContext.Builder clearTrustChainVerification()
Certificate trust chain verification mode.
.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
- Returns:
- This builder for chaining.
-
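As an added example (not code from the Envoy project or its Java bindings), allow_expired_certificate and trust_chain_verification in their permissive and their hardened positions, plus a small audit that flags a context which, through ACCEPT_UNTRUSTED, allow_expired_certificate, or the absence of any trust anchor, does not actually authenticate the peer. The CA bundle path is an assumed placeholder; the audit inspects only the fields documented on this page together with trusted_ca and the SPKI/hash pins, not every trust source the full message offers.

```java
// Added example, not code from the Envoy project or its Java bindings.
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification;
import java.util.ArrayList;
import java.util.List;

public final class ValidationContextAudit {

    /** Weak: accepts untrusted chains and expired leaves, so the peer is not authenticated at all. */
    static CertificateValidationContext permissive() {
        return CertificateValidationContext.newBuilder()
            .setTrustChainVerification(TrustChainVerification.ACCEPT_UNTRUSTED)
            .setAllowExpiredCertificate(true)
            .build();
    }

    /** Hardened: both knobs at their defaults, trust anchored in an explicit CA bundle. */
    static CertificateValidationContext hardened(String caBundlePath) { // assumed placeholder path
        return CertificateValidationContext.newBuilder()
            .setTrustedCa(DataSource.newBuilder().setFilename(caBundlePath))
            .setTrustChainVerification(TrustChainVerification.VERIFY_TRUST_CHAIN) // the default, stated explicitly
            .build();
    }

    /** Findings for the permissive settings on this page; an empty list means none are in use. */
    static List<String> audit(CertificateValidationContext ctx) {
        List<String> findings = new ArrayList<>();
        if (ctx.getTrustChainVerification() == TrustChainVerification.ACCEPT_UNTRUSTED) {
            findings.add("trust_chain_verification=ACCEPT_UNTRUSTED: chain is not verified");
        }
        if (ctx.getAllowExpiredCertificate()) {
            findings.add("allow_expired_certificate=true: expired certificates are not rejected");
        }
        // Other trust sources defined on the full message are not inspected here.
        boolean anchored = ctx.hasTrustedCa()
            || ctx.getVerifyCertificateSpkiCount() > 0
            || ctx.getVerifyCertificateHashCount() > 0
            || ctx.hasCustomValidatorConfig();
        if (!anchored) {
            findings.add("no trusted_ca, SPKI pin, certificate hash or custom validator: nothing anchors trust");
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> weak = audit(permissive());
        if (weak.size() != 3) throw new AssertionError(weak);
        if (!audit(hardened("/etc/envoy/ca-bundle.pem")).isEmpty()) throw new AssertionError("hardened context flagged");
        weak.forEach(System.out::println);
    }
}
```

ACCEPT_UNTRUSTED and allow_expired_certificate are occasionally justified for a migration window; the audit makes such exceptions visible so they can be time-boxed rather than forgotten in a fleet of listener and cluster configurations.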
hasCustomValidatorConfig
public boolean hasCustomValidatorConfig()
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
hasCustomValidatorConfig
in interface CertificateValidationContextOrBuilder
- Returns:
- Whether the customValidatorConfig field is set.
-
getCustomValidatorConfig
public TypedExtensionConfig getCustomValidatorConfig()
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
getCustomValidatorConfig
in interface CertificateValidationContextOrBuilder
- Returns:
- The customValidatorConfig.
-
setCustomValidatorConfig
public CertificateValidationContext.Builder setCustomValidatorConfig(TypedExtensionConfig value)
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
setCustomValidatorConfig
public CertificateValidationContext.Builder setCustomValidatorConfig(TypedExtensionConfig.Builder builderForValue)
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
mergeCustomValidatorConfig
public CertificateValidationContext.Builder mergeCustomValidatorConfig(TypedExtensionConfig value)
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
clearCustomValidatorConfig
public CertificateValidationContext.Builder clearCustomValidatorConfig()
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
getCustomValidatorConfigBuilder
public TypedExtensionConfig.Builder getCustomValidatorConfigBuilder()
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
getCustomValidatorConfigOrBuilder
public TypedExtensionConfigOrBuilder getCustomValidatorConfigOrBuilder()
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
- Specified by:
getCustomValidatorConfigOrBuilder
in interface CertificateValidationContextOrBuilder
-
getCustomValidatorConfigFieldBuilder
private com.google.protobuf.SingleFieldBuilder<TypedExtensionConfig,TypedExtensionConfig.Builder,TypedExtensionConfigOrBuilder> getCustomValidatorConfigFieldBuilder()
The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. [#extension-category: envoy.tls.cert_validator]
.envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
-
getOnlyVerifyLeafCertCrl
public boolean getOnlyVerifyLeafCertCrl()
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
- Specified by:
getOnlyVerifyLeafCertCrl
in interface CertificateValidationContextOrBuilder
- Returns:
- The onlyVerifyLeafCertCrl.
-
setOnlyVerifyLeafCertCrl
public CertificateValidationContext.Builder setOnlyVerifyLeafCertCrl(boolean value)
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
- Parameters:
value
- The onlyVerifyLeafCertCrl to set.
- Returns:
- This builder for chaining.
-
clearOnlyVerifyLeafCertCrl
public CertificateValidationContext.Builder clearOnlyVerifyLeafCertCrl()
If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
- Returns:
- This builder for chaining.
-
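Added example, not from the Envoy project or its Java bindings, covering the crl and only_verify_leaf_cert_crl fields together: the failure mode the crl documentation describes (a CRL for one CA in a chain but not for the others makes every certificate from that chain fail verification) and the only_verify_leaf_cert_crl escape hatch, with a heuristic check to run before the context is deployed. The PEM bundles are constructed placeholders carrying only the BEGIN/END markers; the check counts markers and cannot tell which CA issued which CRL, so it is a necessary condition rather than proof that the configuration is right.

```java
// Added example, not code from the Envoy project or its Java bindings.
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;

public final class CrlCoverage {

    /** Counts PEM blocks with the given label, e.g. "CERTIFICATE" or "X509 CRL". */
    static int countPemBlocks(String pem, String label) {
        String header = "-----BEGIN " + label + "-----";
        int count = 0;
        for (int i = pem.indexOf(header); i >= 0; i = pem.indexOf(header, i + header.length())) {
            count++;
        }
        return count;
    }

    /**
     * Necessary (not sufficient) condition for the CRL settings to verify anything at all:
     * either only the leaf is CRL-checked, or the CRL bundle holds at least one CRL per CA
     * certificate in the trust bundle. It cannot match CRLs to issuers; it only catches the
     * common "one CRL for a two-level chain" mistake that fails every handshake.
     */
    static boolean crlCoverageLooksComplete(CertificateValidationContext ctx,
                                            String trustedCaPem, String crlPem) {
        if (!ctx.hasCrl()) return true; // revocation checking is off
        int crls = countPemBlocks(crlPem, "X509 CRL");
        if (ctx.getOnlyVerifyLeafCertCrl()) return crls >= 1;
        return crls >= countPemBlocks(trustedCaPem, "CERTIFICATE");
    }

    static CertificateValidationContext withCrl(String caPem, String crlPem, boolean leafOnly) {
        return CertificateValidationContext.newBuilder()
            .setTrustedCa(DataSource.newBuilder().setInlineString(caPem))
            .setCrl(DataSource.newBuilder().setInlineString(crlPem))
            .setOnlyVerifyLeafCertCrl(leafOnly)
            .build();
    }

    /** Constructed placeholder: a real bundle carries base64 bodies between the markers. */
    static String pem(String label) {
        return "-----BEGIN " + label + "-----\n...\n-----END " + label + "-----\n";
    }

    static final String ROOT_AND_INTERMEDIATE = pem("CERTIFICATE") + pem("CERTIFICATE");
    static final String INTERMEDIATE_CRL_ONLY = pem("X509 CRL");
    static final String BOTH_CRLS = pem("X509 CRL") + pem("X509 CRL");

    public static void main(String[] args) {
        // Two CAs in the chain, one CRL, full-chain CRL checking: every handshake from that chain fails.
        CertificateValidationContext broken = withCrl(ROOT_AND_INTERMEDIATE, INTERMEDIATE_CRL_ONLY, false);
        if (crlCoverageLooksComplete(broken, ROOT_AND_INTERMEDIATE, INTERMEDIATE_CRL_ONLY))
            throw new AssertionError("missing root CRL not detected");

        // Fix 1: ship a CRL for every CA in the chain.
        CertificateValidationContext complete = withCrl(ROOT_AND_INTERMEDIATE, BOTH_CRLS, false);
        if (!crlCoverageLooksComplete(complete, ROOT_AND_INTERMEDIATE, BOTH_CRLS))
            throw new AssertionError();

        // Fix 2: check only the leaf, accepting that a revoked intermediate is no longer noticed.
        CertificateValidationContext leafOnly = withCrl(ROOT_AND_INTERMEDIATE, INTERMEDIATE_CRL_ONLY, true);
        if (!crlCoverageLooksComplete(leafOnly, ROOT_AND_INTERMEDIATE, INTERMEDIATE_CRL_ONLY))
            throw new AssertionError();
        System.out.println("CRL coverage checks passed");
    }
}
```

When crl is a filename rather than an inline string, read the file and pass its contents to the check; remember that the rotation watch the documentation describes applies only to contexts delivered via SDS, so a statically configured CRL file that expires or is replaced in place will not be picked up without a reload.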
hasMaxVerifyDepth
public boolean hasMaxVerifyDepth()
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
hasMaxVerifyDepth
in interface CertificateValidationContextOrBuilder
- Returns:
- Whether the maxVerifyDepth field is set.
-
getMaxVerifyDepth
public com.google.protobuf.UInt32Value getMaxVerifyDepth()
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
getMaxVerifyDepth
in interface CertificateValidationContextOrBuilder
- Returns:
- The maxVerifyDepth.
-
setMaxVerifyDepth
public CertificateValidationContext.Builder setMaxVerifyDepth(com.google.protobuf.UInt32Value value)
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
setMaxVerifyDepth
public CertificateValidationContext.Builder setMaxVerifyDepth(com.google.protobuf.UInt32Value.Builder builderForValue)
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
mergeMaxVerifyDepth
public CertificateValidationContext.Builder mergeMaxVerifyDepth(com.google.protobuf.UInt32Value value)
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
clearMaxVerifyDepth
public CertificateValidationContext.Builder clearMaxVerifyDepth()
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
getMaxVerifyDepthBuilder
public com.google.protobuf.UInt32Value.Builder getMaxVerifyDepthBuilder()
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
getMaxVerifyDepthOrBuilder
public com.google.protobuf.UInt32ValueOrBuilder getMaxVerifyDepthOrBuilder()
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
- Specified by:
getMaxVerifyDepthOrBuilder
in interfaceCertificateValidationContextOrBuilder
-
getMaxVerifyDepthFieldBuilder
private com.google.protobuf.SingleFieldBuilder<com.google.protobuf.UInt32Value,com.google.protobuf.UInt32Value.Builder,com.google.protobuf.UInt32ValueOrBuilder> getMaxVerifyDepthFieldBuilder()
Defines the maximum depth of a certificate chain accepted in verification; the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but at a depth larger than configured, the certificate validation will fail. This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
.google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
-
-