io.envoyproxy.envoy.api.v2.auth

Interface CertificateValidationContextOrBuilder

All Superinterfaces:

com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder

All Known Implementing Classes:

CertificateValidationContext, CertificateValidationContext.Builder

public interface CertificateValidationContextOrBuilder
extends com.google.protobuf.MessageOrBuilder

Method Summary

Modifier and Type	Method and Description
boolean	getAllowExpiredCertificate() If specified, Envoy will not reject expired certificates.
DataSource	getCrl() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
DataSourceOrBuilder	getCrlOrBuilder() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
StringMatcher	getMatchSubjectAltNames(int index) An optional list of Subject Alternative name matchers.
int	getMatchSubjectAltNamesCount() An optional list of Subject Alternative name matchers.
List<StringMatcher>	getMatchSubjectAltNamesList() An optional list of Subject Alternative name matchers.
StringMatcherOrBuilder	getMatchSubjectAltNamesOrBuilder(int index) An optional list of Subject Alternative name matchers.
List<? extends StringMatcherOrBuilder>	getMatchSubjectAltNamesOrBuilderList() An optional list of Subject Alternative name matchers.
com.google.protobuf.BoolValue	getRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
com.google.protobuf.BoolValueOrBuilder	getRequireOcspStapleOrBuilder() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
com.google.protobuf.BoolValue	getRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp.
com.google.protobuf.BoolValueOrBuilder	getRequireSignedCertificateTimestampOrBuilder() [#not-implemented-hide:] Must present signed certificate time-stamp.
CertificateValidationContext.TrustChainVerification	getTrustChainVerification() Certificate trust chain verification mode.
int	getTrustChainVerificationValue() Certificate trust chain verification mode.
DataSource	getTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
DataSourceOrBuilder	getTrustedCaOrBuilder() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
String	getVerifyCertificateHash(int index) An optional list of hex-encoded SHA-256 hashes.
com.google.protobuf.ByteString	getVerifyCertificateHashBytes(int index) An optional list of hex-encoded SHA-256 hashes.
int	getVerifyCertificateHashCount() An optional list of hex-encoded SHA-256 hashes.
List<String>	getVerifyCertificateHashList() An optional list of hex-encoded SHA-256 hashes.
String	getVerifyCertificateSpki(int index) An optional list of base64-encoded SHA-256 hashes.
com.google.protobuf.ByteString	getVerifyCertificateSpkiBytes(int index) An optional list of base64-encoded SHA-256 hashes.
int	getVerifyCertificateSpkiCount() An optional list of base64-encoded SHA-256 hashes.
List<String>	getVerifyCertificateSpkiList() An optional list of base64-encoded SHA-256 hashes.
String	getVerifySubjectAltName(int index) Deprecated.
com.google.protobuf.ByteString	getVerifySubjectAltNameBytes(int index) Deprecated.
int	getVerifySubjectAltNameCount() Deprecated.
List<String>	getVerifySubjectAltNameList() Deprecated.
boolean	hasCrl() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
boolean	hasRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
boolean	hasRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp.
boolean	hasTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).

Methods inherited from interface com.google.protobuf.MessageOrBuilder

findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

isInitialized

Method Detail

hasTrustedCa

boolean hasTrustedCa()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

getTrustedCa

DataSource getTrustedCa()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

getTrustedCaOrBuilder

DataSourceOrBuilder getTrustedCaOrBuilder()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

getVerifyCertificateSpkiList

List<String> getVerifyCertificateSpkiList()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

getVerifyCertificateSpkiCount

int getVerifyCertificateSpkiCount()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

getVerifyCertificateSpki

String getVerifyCertificateSpki(int index)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

getVerifyCertificateSpkiBytes

com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

getVerifyCertificateHashList

List<String> getVerifyCertificateHashList()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

getVerifyCertificateHashCount

int getVerifyCertificateHashCount()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

getVerifyCertificateHash

String getVerifyCertificateHash(int index)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

getVerifyCertificateHashBytes

com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

getVerifySubjectAltNameList

@Deprecated
List<String> getVerifySubjectAltNameList()

Deprecated.

 An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated string verify_subject_alt_name = 4 [deprecated = true];

getVerifySubjectAltNameCount

@Deprecated
int getVerifySubjectAltNameCount()

Deprecated.

 An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated string verify_subject_alt_name = 4 [deprecated = true];

getVerifySubjectAltName

@Deprecated
String getVerifySubjectAltName(int index)

Deprecated.

 An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated string verify_subject_alt_name = 4 [deprecated = true];

getVerifySubjectAltNameBytes

@Deprecated
com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index)

Deprecated.

 An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated string verify_subject_alt_name = 4 [deprecated = true];

getMatchSubjectAltNamesList

List<StringMatcher> getMatchSubjectAltNamesList()

 An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

getMatchSubjectAltNames

StringMatcher getMatchSubjectAltNames(int index)

 An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

getMatchSubjectAltNamesCount

int getMatchSubjectAltNamesCount()

 An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

getMatchSubjectAltNamesOrBuilderList

List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()

 An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

getMatchSubjectAltNamesOrBuilder

StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(int index)

 An optional list of Subject Alternative name matchers. Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matches.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

hasRequireOcspStaple

boolean hasRequireOcspStaple()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

getRequireOcspStaple

com.google.protobuf.BoolValue getRequireOcspStaple()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

getRequireOcspStapleOrBuilder

com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

hasRequireSignedCertificateTimestamp

boolean hasRequireSignedCertificateTimestamp()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

getRequireSignedCertificateTimestamp

com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

getRequireSignedCertificateTimestampOrBuilder

com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

hasCrl

boolean hasCrl()

 An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;

getCrl

DataSource getCrl()

 An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;

getCrlOrBuilder

DataSourceOrBuilder getCrlOrBuilder()

 An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;

getAllowExpiredCertificate

boolean getAllowExpiredCertificate()

 If specified, Envoy will not reject expired certificates.
 

bool allow_expired_certificate = 8;

getTrustChainVerificationValue

int getTrustChainVerificationValue()

 Certificate trust chain verification mode.
 

.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }

getTrustChainVerification

CertificateValidationContext.TrustChainVerification getTrustChainVerification()

 Certificate trust chain verification mode.
 

.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }