Package io.envoyproxy.envoy.api.v2.auth

Interface CertificateValidationContextOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
CertificateValidationContext, CertificateValidationContext.Builder
public interface CertificateValidationContextOrBuilder extends com.google.protobuf.MessageOrBuilder

  • Method Details

    • hasTrustedCa

      boolean hasTrustedCa()
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;
      Returns:
      Whether the trustedCa field is set.

    • getTrustedCa

      DataSource getTrustedCa()
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;
      Returns:
      The trustedCa.

    • getTrustedCaOrBuilder

      DataSourceOrBuilder getTrustedCaOrBuilder()
       TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.

 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.

 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
      .envoy.api.v2.core.DataSource trusted_ca = 1;

    • getVerifyCertificateSpkiList

      List<String> getVerifyCertificateSpkiList()
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Returns:
      A list containing the verifyCertificateSpki.

    • getVerifyCertificateSpkiCount

      int getVerifyCertificateSpkiCount()
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Returns:
      The count of verifyCertificateSpki.

    • getVerifyCertificateSpki

      String getVerifyCertificateSpki(int index)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Parameters:
      index - The index of the element to return.
      Returns:
      The verifyCertificateSpki at the given index.

    • getVerifyCertificateSpkiBytes

      com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)
       An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.

 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=

 This is the format used in HTTP Public Key Pinning.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.

 .. attention::

   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
      repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the verifyCertificateSpki at the given index.

    • getVerifyCertificateHashList

      List<String> getVerifyCertificateHashList()
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Returns:
      A list containing the verifyCertificateHash.

    • getVerifyCertificateHashCount

      int getVerifyCertificateHashCount()
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Returns:
      The count of verifyCertificateHash.

    • getVerifyCertificateHash

      String getVerifyCertificateHash(int index)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Parameters:
      index - The index of the element to return.
      Returns:
      The verifyCertificateHash at the given index.

    • getVerifyCertificateHashBytes

      com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)
       An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.

 A hex-encoded SHA-256 of the certificate can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:

 .. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

 Both of those formats are acceptable.

 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
      repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the verifyCertificateHash at the given index.

    • getVerifySubjectAltNameList

      @Deprecated List<String> getVerifySubjectAltNameList()
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Returns:
      A list containing the verifySubjectAltName.

    • getVerifySubjectAltNameCount

      @Deprecated int getVerifySubjectAltNameCount()
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Returns:
      The count of verifySubjectAltName.

    • getVerifySubjectAltName

      @Deprecated String getVerifySubjectAltName(int index)
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Parameters:
      index - The index of the element to return.
      Returns:
      The verifySubjectAltName at the given index.

    • getVerifySubjectAltNameBytes

      @Deprecated com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index)
      Deprecated.
      envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
       An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated string verify_subject_alt_name = 4 [deprecated = true];
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the verifySubjectAltName at the given index.

    • getMatchSubjectAltNamesList

      List<StringMatcher> getMatchSubjectAltNamesList()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • getMatchSubjectAltNames

      StringMatcher getMatchSubjectAltNames(int index)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • getMatchSubjectAltNamesCount

      int getMatchSubjectAltNamesCount()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • getMatchSubjectAltNamesOrBuilderList

      List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • getMatchSubjectAltNamesOrBuilder

      StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(int index)
       An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.

 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.

 .. code-block:: yaml

  match_subject_alt_names:
    exact: "api.example.com"

 .. attention::

   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
      repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

    • hasRequireOcspStaple

      boolean hasRequireOcspStaple()
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;
      Returns:
      Whether the requireOcspStaple field is set.

    • getRequireOcspStaple

      com.google.protobuf.BoolValue getRequireOcspStaple()
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;
      Returns:
      The requireOcspStaple.

    • getRequireOcspStapleOrBuilder

      com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder()
       [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
      .google.protobuf.BoolValue require_ocsp_staple = 5;

    • hasRequireSignedCertificateTimestamp

      boolean hasRequireSignedCertificateTimestamp()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      Returns:
      Whether the requireSignedCertificateTimestamp field is set.

    • getRequireSignedCertificateTimestamp

      com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
      Returns:
      The requireSignedCertificateTimestamp.

    • getRequireSignedCertificateTimestampOrBuilder

      com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()
       [#not-implemented-hide:] Must present signed certificate time-stamp.
      .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

    • hasCrl

      boolean hasCrl()
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;
      Returns:
      Whether the crl field is set.

    • getCrl

      DataSource getCrl()
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;
      Returns:
      The crl.

    • getCrlOrBuilder

      DataSourceOrBuilder getCrlOrBuilder()
       An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
      .envoy.api.v2.core.DataSource crl = 7;

    • getAllowExpiredCertificate

      boolean getAllowExpiredCertificate()
       If specified, Envoy will not reject expired certificates.
      bool allow_expired_certificate = 8;
      Returns:
      The allowExpiredCertificate.

    • getTrustChainVerificationValue

      int getTrustChainVerificationValue()
       Certificate trust chain verification mode.
      .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Returns:
      The enum numeric value on the wire for trustChainVerification.

    • getTrustChainVerification

      CertificateValidationContext.TrustChainVerification getTrustChainVerification()
       Certificate trust chain verification mode.
      .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
      Returns:
      The trustChainVerification.