Package io.envoyproxy.envoy.api.v2.auth

Class CertificateValidationContext.Builder

java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder
com.google.protobuf.AbstractMessage.Builder<BuilderT>
com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>
io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.Builder
All Implemented Interfaces:
com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, CertificateValidationContextOrBuilder, Cloneable
Enclosing class:
CertificateValidationContext
public static final class CertificateValidationContext.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder> implements CertificateValidationContextOrBuilder
 [#next-free-field: 11]
Protobuf type envoy.api.v2.auth.CertificateValidationContext

  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • clear

      public CertificateValidationContext.Builder clear()
      Specified by:
      clear in interface com.google.protobuf.Message.Builder
      Specified by:
      clear in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clear in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • getDescriptorForType

      public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
      Specified by:
      getDescriptorForType in interface com.google.protobuf.Message.Builder
      Specified by:
      getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
      Overrides:
      getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • getDefaultInstanceForType

      public CertificateValidationContext getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

    • build

      public CertificateValidationContext build()
      Specified by:
      build in interface com.google.protobuf.Message.Builder
      Specified by:
      build in interface com.google.protobuf.MessageLite.Builder

    • buildPartial

      public CertificateValidationContext buildPartial()
      Specified by:
      buildPartial in interface com.google.protobuf.Message.Builder
      Specified by:
      buildPartial in interface com.google.protobuf.MessageLite.Builder

    • clone

      public CertificateValidationContext.Builder clone()
      Specified by:
      clone in interface com.google.protobuf.Message.Builder
      Specified by:
      clone in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clone in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • setField

      public CertificateValidationContext.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      setField in interface com.google.protobuf.Message.Builder
      Overrides:
      setField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • clearField

      public CertificateValidationContext.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
      Specified by:
      clearField in interface com.google.protobuf.Message.Builder
      Overrides:
      clearField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • clearOneof

      public CertificateValidationContext.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
      Specified by:
      clearOneof in interface com.google.protobuf.Message.Builder
      Overrides:
      clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • setRepeatedField

      public CertificateValidationContext.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
      Specified by:
      setRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • addRepeatedField

      public CertificateValidationContext.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      addRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • mergeFrom

      public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.Message other)
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>

    • mergeFrom

      public CertificateValidationContext.Builder mergeFrom(CertificateValidationContext other)

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • mergeFrom

      public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Specified by:
      mergeFrom in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>
      Throws:
      IOException

    • hasTrustedCa

      public boolean hasTrustedCa()
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;
      Specified by:
      hasTrustedCa in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the trustedCa field is set.

    • getTrustedCa

      public DataSource getTrustedCa()
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;
      Specified by:
      getTrustedCa in interface CertificateValidationContextOrBuilder
      Returns:
      The trustedCa.

    • setTrustedCa

      public CertificateValidationContext.Builder setTrustedCa(DataSource value)
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;

    • setTrustedCa

      public CertificateValidationContext.Builder setTrustedCa(DataSource.Builder builderForValue)
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;

    • mergeTrustedCa

      public CertificateValidationContext.Builder mergeTrustedCa(DataSource value)
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;

    • clearTrustedCa

      public CertificateValidationContext.Builder clearTrustedCa()
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;

    • getTrustedCaBuilder

      public DataSource.Builder getTrustedCaBuilder()
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;

    • getTrustedCaOrBuilder

      public DataSourceOrBuilder getTrustedCaOrBuilder()
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;
      Specified by:
      getTrustedCaOrBuilder in interface CertificateValidationContextOrBuilder

    • getVerifyCertificateSpkiList

      public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateSpkiList in interface CertificateValidationContextOrBuilder
      Returns:
      A list containing the verifyCertificateSpki.

    • getVerifyCertificateSpkiCount

      public int getVerifyCertificateSpkiCount()
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateSpkiCount in interface CertificateValidationContextOrBuilder
      Returns:
      The count of verifyCertificateSpki.

    • getVerifyCertificateSpki

      public String getVerifyCertificateSpki(int index)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateSpki in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The verifyCertificateSpki at the given index.

    • getVerifyCertificateSpkiBytes

      public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateSpkiBytes in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the verifyCertificateSpki at the given index.

    • setVerifyCertificateSpki

      public CertificateValidationContext.Builder setVerifyCertificateSpki(int index, String value)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Parameters:
      index - The index to set the value at.
      value - The verifyCertificateSpki to set.
      Returns:
      This builder for chaining.

    • addVerifyCertificateSpki

      public CertificateValidationContext.Builder addVerifyCertificateSpki(String value)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Parameters:
      value - The verifyCertificateSpki to add.
      Returns:
      This builder for chaining.

    • addAllVerifyCertificateSpki

      public CertificateValidationContext.Builder addAllVerifyCertificateSpki(Iterable<String> values)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Parameters:
      values - The verifyCertificateSpki to add.
      Returns:
      This builder for chaining.

    • clearVerifyCertificateSpki

      public CertificateValidationContext.Builder clearVerifyCertificateSpki()
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • addVerifyCertificateSpkiBytes

      public CertificateValidationContext.Builder addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Parameters:
      value - The bytes of the verifyCertificateSpki to add.
      Returns:
      This builder for chaining.

    • getVerifyCertificateHashList

      public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateHashList in interface CertificateValidationContextOrBuilder
      Returns:
      A list containing the verifyCertificateHash.

    • getVerifyCertificateHashCount

      public int getVerifyCertificateHashCount()
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateHashCount in interface CertificateValidationContextOrBuilder
      Returns:
      The count of verifyCertificateHash.

    • getVerifyCertificateHash

      public String getVerifyCertificateHash(int index)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateHash in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The verifyCertificateHash at the given index.

    • getVerifyCertificateHashBytes

      public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Specified by:
      getVerifyCertificateHashBytes in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the verifyCertificateHash at the given index.

    • setVerifyCertificateHash

      public CertificateValidationContext.Builder setVerifyCertificateHash(int index, String value)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Parameters:
      index - The index to set the value at.
      value - The verifyCertificateHash to set.
      Returns:
      This builder for chaining.

    • addVerifyCertificateHash

      public CertificateValidationContext.Builder addVerifyCertificateHash(String value)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Parameters:
      value - The verifyCertificateHash to add.
      Returns:
      This builder for chaining.

    • addAllVerifyCertificateHash

      public CertificateValidationContext.Builder addAllVerifyCertificateHash(Iterable<String> values)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Parameters:
      values - The verifyCertificateHash to add.
      Returns:
      This builder for chaining.

    • clearVerifyCertificateHash

      public CertificateValidationContext.Builder clearVerifyCertificateHash()
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • addVerifyCertificateHashBytes

      public CertificateValidationContext.Builder addVerifyCertificateHashBytes(com.google.protobuf.ByteString value)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Parameters:
      value - The bytes of the verifyCertificateHash to add.
      Returns:
      This builder for chaining.

    • getVerifySubjectAltNameList

      @Deprecated public com.google.protobuf.ProtocolStringList getVerifySubjectAltNameList()
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Specified by:
      getVerifySubjectAltNameList in interface CertificateValidationContextOrBuilder
      Returns:
      A list containing the verifySubjectAltName.

    • getVerifySubjectAltNameCount

      @Deprecated public int getVerifySubjectAltNameCount()
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Specified by:
      getVerifySubjectAltNameCount in interface CertificateValidationContextOrBuilder
      Returns:
      The count of verifySubjectAltName.

    • getVerifySubjectAltName

      @Deprecated public String getVerifySubjectAltName(int index)
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Specified by:
      getVerifySubjectAltName in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The verifySubjectAltName at the given index.

    • getVerifySubjectAltNameBytes

      @Deprecated public com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index)
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Specified by:
      getVerifySubjectAltNameBytes in interface CertificateValidationContextOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the verifySubjectAltName at the given index.

    • setVerifySubjectAltName

      @Deprecated public CertificateValidationContext.Builder setVerifySubjectAltName(int index, String value)
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Parameters:
      index - The index to set the value at.
      value - The verifySubjectAltName to set.
      Returns:
      This builder for chaining.

    • addVerifySubjectAltName

      @Deprecated public CertificateValidationContext.Builder addVerifySubjectAltName(String value)
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Parameters:
      value - The verifySubjectAltName to add.
      Returns:
      This builder for chaining.

    • addAllVerifySubjectAltName

      @Deprecated public CertificateValidationContext.Builder addAllVerifySubjectAltName(Iterable<String> values)
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Parameters:
      values - The verifySubjectAltName to add.
      Returns:
      This builder for chaining.

    • clearVerifySubjectAltName

      @Deprecated public CertificateValidationContext.Builder clearVerifySubjectAltName()
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Returns:
      This builder for chaining.

    • addVerifySubjectAltNameBytes

      @Deprecated public CertificateValidationContext.Builder addVerifySubjectAltNameBytes(com.google.protobuf.ByteString value)
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Parameters:
      value - The bytes of the verifySubjectAltName to add.
      Returns:
      This builder for chaining.

    • getMatchSubjectAltNamesList

      public List<StringMatcher> getMatchSubjectAltNamesList()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
      Specified by:
      getMatchSubjectAltNamesList in interface CertificateValidationContextOrBuilder

    • getMatchSubjectAltNamesCount

      public int getMatchSubjectAltNamesCount()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
      Specified by:
      getMatchSubjectAltNamesCount in interface CertificateValidationContextOrBuilder

    • getMatchSubjectAltNames

      public StringMatcher getMatchSubjectAltNames(int index)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
      Specified by:
      getMatchSubjectAltNames in interface CertificateValidationContextOrBuilder

    • setMatchSubjectAltNames

      public CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher value)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • setMatchSubjectAltNames

      public CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • addMatchSubjectAltNames

      public CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher value)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • addMatchSubjectAltNames

      public CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher value)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • addMatchSubjectAltNames

      public CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher.Builder builderForValue)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • addMatchSubjectAltNames

      public CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • addAllMatchSubjectAltNames

      public CertificateValidationContext.Builder addAllMatchSubjectAltNames(Iterable<? extends StringMatcher> values)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • clearMatchSubjectAltNames

      public CertificateValidationContext.Builder clearMatchSubjectAltNames()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • removeMatchSubjectAltNames

      public CertificateValidationContext.Builder removeMatchSubjectAltNames(int index)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • getMatchSubjectAltNamesBuilder

      public StringMatcher.Builder getMatchSubjectAltNamesBuilder(int index)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • getMatchSubjectAltNamesOrBuilder

      public StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(int index)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
      Specified by:
      getMatchSubjectAltNamesOrBuilder in interface CertificateValidationContextOrBuilder

    • getMatchSubjectAltNamesOrBuilderList

      public List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
      Specified by:
      getMatchSubjectAltNamesOrBuilderList in interface CertificateValidationContextOrBuilder

    • addMatchSubjectAltNamesBuilder

      public StringMatcher.Builder addMatchSubjectAltNamesBuilder()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • addMatchSubjectAltNamesBuilder

      public StringMatcher.Builder addMatchSubjectAltNamesBuilder(int index)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • getMatchSubjectAltNamesBuilderList

      public List<StringMatcher.Builder> getMatchSubjectAltNamesBuilderList()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • hasRequireOcspStaple

      public boolean hasRequireOcspStaple()
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;
      Specified by:
      hasRequireOcspStaple in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the requireOcspStaple field is set.

    • getRequireOcspStaple

      public com.google.protobuf.BoolValue getRequireOcspStaple()
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;
      Specified by:
      getRequireOcspStaple in interface CertificateValidationContextOrBuilder
      Returns:
      The requireOcspStaple.

    • setRequireOcspStaple

      public CertificateValidationContext.Builder setRequireOcspStaple(com.google.protobuf.BoolValue value)
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;

    • setRequireOcspStaple

      public CertificateValidationContext.Builder setRequireOcspStaple(com.google.protobuf.BoolValue.Builder builderForValue)
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;

    • mergeRequireOcspStaple

      public CertificateValidationContext.Builder mergeRequireOcspStaple(com.google.protobuf.BoolValue value)
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;

    • clearRequireOcspStaple

      public CertificateValidationContext.Builder clearRequireOcspStaple()
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;

    • getRequireOcspStapleBuilder

      public com.google.protobuf.BoolValue.Builder getRequireOcspStapleBuilder()
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;

    • getRequireOcspStapleOrBuilder

      public com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder()
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;
      Specified by:
      getRequireOcspStapleOrBuilder in interface CertificateValidationContextOrBuilder

    • hasRequireSignedCertificateTimestamp

      public boolean hasRequireSignedCertificateTimestamp()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      Specified by:
      hasRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the requireSignedCertificateTimestamp field is set.

    • getRequireSignedCertificateTimestamp

      public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      Specified by:
      getRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder
      Returns:
      The requireSignedCertificateTimestamp.

    • setRequireSignedCertificateTimestamp

      public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

    • setRequireSignedCertificateTimestamp

      public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue)
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

    • mergeRequireSignedCertificateTimestamp

      public CertificateValidationContext.Builder mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

    • clearRequireSignedCertificateTimestamp

      public CertificateValidationContext.Builder clearRequireSignedCertificateTimestamp()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

    • getRequireSignedCertificateTimestampBuilder

      public com.google.protobuf.BoolValue.Builder getRequireSignedCertificateTimestampBuilder()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

    • getRequireSignedCertificateTimestampOrBuilder

      public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      Specified by:
      getRequireSignedCertificateTimestampOrBuilder in interface CertificateValidationContextOrBuilder

    • hasCrl

      public boolean hasCrl()
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;
      Specified by:
      hasCrl in interface CertificateValidationContextOrBuilder
      Returns:
      Whether the crl field is set.

    • getCrl

      public DataSource getCrl()
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;
      Specified by:
      getCrl in interface CertificateValidationContextOrBuilder
      Returns:
      The crl.

    • setCrl

      public CertificateValidationContext.Builder setCrl(DataSource value)
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;

    • setCrl

      public CertificateValidationContext.Builder setCrl(DataSource.Builder builderForValue)
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;

    • mergeCrl

      public CertificateValidationContext.Builder mergeCrl(DataSource value)
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;

    • clearCrl

      public CertificateValidationContext.Builder clearCrl()
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;

    • getCrlBuilder

      public DataSource.Builder getCrlBuilder()
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;

    • getCrlOrBuilder

      public DataSourceOrBuilder getCrlOrBuilder()
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;
      Specified by:
      getCrlOrBuilder in interface CertificateValidationContextOrBuilder

    • getAllowExpiredCertificate

      public boolean getAllowExpiredCertificate()
       If specified, Envoy will not reject expired certificates.
      bool allow_expired_certificate = 8;
      Specified by:
      getAllowExpiredCertificate in interface CertificateValidationContextOrBuilder
      Returns:
      The allowExpiredCertificate.

    • setAllowExpiredCertificate

      public CertificateValidationContext.Builder setAllowExpiredCertificate(boolean value)
       If specified, Envoy will not reject expired certificates.
      bool allow_expired_certificate = 8;
      Parameters:
      value - The allowExpiredCertificate to set.
      Returns:
      This builder for chaining.

    • clearAllowExpiredCertificate

      public CertificateValidationContext.Builder clearAllowExpiredCertificate()
       If specified, Envoy will not reject expired certificates.
      bool allow_expired_certificate = 8;
      Returns:
      This builder for chaining.

    • getTrustChainVerificationValue

      public int getTrustChainVerificationValue()
       Certificate trust chain verification mode.
      .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Specified by:
      getTrustChainVerificationValue in interface CertificateValidationContextOrBuilder
      Returns:
      The enum numeric value on the wire for trustChainVerification.

    • setTrustChainVerificationValue

      public CertificateValidationContext.Builder setTrustChainVerificationValue(int value)
       Certificate trust chain verification mode.
      .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Parameters:
      value - The enum numeric value on the wire for trustChainVerification to set.
      Returns:
      This builder for chaining.

    • getTrustChainVerification

      public CertificateValidationContext.TrustChainVerification getTrustChainVerification()
       Certificate trust chain verification mode.
      .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Specified by:
      getTrustChainVerification in interface CertificateValidationContextOrBuilder
      Returns:
      The trustChainVerification.

    • setTrustChainVerification

      public CertificateValidationContext.Builder setTrustChainVerification(CertificateValidationContext.TrustChainVerification value)
       Certificate trust chain verification mode.
      .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Parameters:
      value - The trustChainVerification to set.
      Returns:
      This builder for chaining.

    • clearTrustChainVerification

      public CertificateValidationContext.Builder clearTrustChainVerification()
       Certificate trust chain verification mode.
      .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • setUnknownFields

      public final CertificateValidationContext.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      setUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

    • mergeUnknownFields

      public final CertificateValidationContext.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      mergeUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>