io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha

Class CertificateValidationContext

java.lang.Object

com.google.protobuf.AbstractMessageLite

com.google.protobuf.AbstractMessage

com.google.protobuf.GeneratedMessageV3

io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha.CertificateValidationContext

All Implemented Interfaces:

com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, CertificateValidationContextOrBuilder, Serializable

public final class CertificateValidationContext
extends com.google.protobuf.GeneratedMessageV3
implements CertificateValidationContextOrBuilder

 [#next-free-field: 12]
 

Protobuf type envoy.extensions.transport_sockets.tls.v4alpha.CertificateValidationContext

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CertificateValidationContext.Builder [#next-free-field: 12] Protobuf type envoy.extensions.transport_sockets.tls.v4alpha.CertificateValidationContext
static class	CertificateValidationContext.TrustChainVerification Peer certificate verification mode.

Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageV3

com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage,BuilderType extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType,BuilderType>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable, com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter

Field Summary

Fields

Modifier and Type	Field and Description
static int	ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER
static int	CRL_FIELD_NUMBER
static int	MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER
static int	REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER
static int	TRUST_CHAIN_VERIFICATION_FIELD_NUMBER
static int	TRUSTED_CA_FIELD_NUMBER
static int	VERIFY_CERTIFICATE_HASH_FIELD_NUMBER
static int	VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER
static int	WATCHED_DIRECTORY_FIELD_NUMBER

Fields inherited from class com.google.protobuf.GeneratedMessageV3

alwaysUseFieldBuilders, unknownFields

Fields inherited from class com.google.protobuf.AbstractMessage

memoizedSize

Fields inherited from class com.google.protobuf.AbstractMessageLite

memoizedHashCode

Method Summary

Modifier and Type	Method and Description
boolean	equals(Object obj)
boolean	getAllowExpiredCertificate() If specified, Envoy will not reject expired certificates.
DataSource	getCrl() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
DataSourceOrBuilder	getCrlOrBuilder() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
static CertificateValidationContext	getDefaultInstance()
CertificateValidationContext	getDefaultInstanceForType()
static com.google.protobuf.Descriptors.Descriptor	getDescriptor()
StringMatcher	getMatchSubjectAltNames(int index) An optional list of Subject Alternative name matchers.
int	getMatchSubjectAltNamesCount() An optional list of Subject Alternative name matchers.
List<StringMatcher>	getMatchSubjectAltNamesList() An optional list of Subject Alternative name matchers.
StringMatcherOrBuilder	getMatchSubjectAltNamesOrBuilder(int index) An optional list of Subject Alternative name matchers.
List<? extends StringMatcherOrBuilder>	getMatchSubjectAltNamesOrBuilderList() An optional list of Subject Alternative name matchers.
com.google.protobuf.Parser<CertificateValidationContext>	getParserForType()
com.google.protobuf.BoolValue	getRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp.
com.google.protobuf.BoolValueOrBuilder	getRequireSignedCertificateTimestampOrBuilder() [#not-implemented-hide:] Must present signed certificate time-stamp.
int	getSerializedSize()
CertificateValidationContext.TrustChainVerification	getTrustChainVerification() Certificate trust chain verification mode.
int	getTrustChainVerificationValue() Certificate trust chain verification mode.
DataSource	getTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
DataSourceOrBuilder	getTrustedCaOrBuilder() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
com.google.protobuf.UnknownFieldSet	getUnknownFields()
String	getVerifyCertificateHash(int index) An optional list of hex-encoded SHA-256 hashes.
com.google.protobuf.ByteString	getVerifyCertificateHashBytes(int index) An optional list of hex-encoded SHA-256 hashes.
int	getVerifyCertificateHashCount() An optional list of hex-encoded SHA-256 hashes.
com.google.protobuf.ProtocolStringList	getVerifyCertificateHashList() An optional list of hex-encoded SHA-256 hashes.
String	getVerifyCertificateSpki(int index) An optional list of base64-encoded SHA-256 hashes.
com.google.protobuf.ByteString	getVerifyCertificateSpkiBytes(int index) An optional list of base64-encoded SHA-256 hashes.
int	getVerifyCertificateSpkiCount() An optional list of base64-encoded SHA-256 hashes.
com.google.protobuf.ProtocolStringList	getVerifyCertificateSpkiList() An optional list of base64-encoded SHA-256 hashes.
WatchedDirectory	getWatchedDirectory() If specified, updates of a file-based *trusted_ca* source will be triggered by this watch.
WatchedDirectoryOrBuilder	getWatchedDirectoryOrBuilder() If specified, updates of a file-based *trusted_ca* source will be triggered by this watch.
boolean	hasCrl() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
int	hashCode()
boolean	hasRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp.
boolean	hasTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
boolean	hasWatchedDirectory() If specified, updates of a file-based *trusted_ca* source will be triggered by this watch.
protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable	internalGetFieldAccessorTable()
boolean	isInitialized()
static CertificateValidationContext.Builder	newBuilder()
static CertificateValidationContext.Builder	newBuilder(CertificateValidationContext prototype)
CertificateValidationContext.Builder	newBuilderForType()
protected CertificateValidationContext.Builder	newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
protected Object	newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
static CertificateValidationContext	parseDelimitedFrom(InputStream input)
static CertificateValidationContext	parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(byte[] data)
static CertificateValidationContext	parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(ByteBuffer data)
static CertificateValidationContext	parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(com.google.protobuf.ByteString data)
static CertificateValidationContext	parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(com.google.protobuf.CodedInputStream input)
static CertificateValidationContext	parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(InputStream input)
static CertificateValidationContext	parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static com.google.protobuf.Parser<CertificateValidationContext>	parser()
CertificateValidationContext.Builder	toBuilder()
void	writeTo(com.google.protobuf.CodedOutputStream output)

Methods inherited from class com.google.protobuf.GeneratedMessageV3

canUseUnsafe, computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyLongList, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof, internalGetMapField, makeExtensionsImmutable, mergeFromAndMakeImmutableInternal, mutableCopy, mutableCopy, mutableCopy, mutableCopy, mutableCopy, newBooleanList, newBuilderForType, newDoubleList, newFloatList, newIntList, newLongList, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag

Methods inherited from class com.google.protobuf.AbstractMessage

findInitializationErrors, getInitializationErrorString, hashBoolean, hashEnum, hashEnumList, hashFields, hashLong, toString

Methods inherited from class com.google.protobuf.AbstractMessageLite

addAll, addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface com.google.protobuf.MessageOrBuilder

findInitializationErrors, getAllFields, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof

Methods inherited from interface com.google.protobuf.MessageLite

toByteArray, toByteString, writeDelimitedTo, writeTo

Field Detail

TRUSTED_CA_FIELD_NUMBER

public static final int TRUSTED_CA_FIELD_NUMBER

See Also:

Constant Field Values

WATCHED_DIRECTORY_FIELD_NUMBER

public static final int WATCHED_DIRECTORY_FIELD_NUMBER

See Also:

Constant Field Values

VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER

public static final int VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER

See Also:

Constant Field Values

VERIFY_CERTIFICATE_HASH_FIELD_NUMBER

public static final int VERIFY_CERTIFICATE_HASH_FIELD_NUMBER

See Also:

Constant Field Values

MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER

public static final int MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER

See Also:

Constant Field Values

REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER

public static final int REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER

See Also:

Constant Field Values

CRL_FIELD_NUMBER

public static final int CRL_FIELD_NUMBER

See Also:

Constant Field Values

ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER

public static final int ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER

See Also:

Constant Field Values

TRUST_CHAIN_VERIFICATION_FIELD_NUMBER

public static final int TRUST_CHAIN_VERIFICATION_FIELD_NUMBER

See Also:

Constant Field Values

Method Detail

newInstance

protected Object newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)

Overrides:

newInstance in class com.google.protobuf.GeneratedMessageV3

getUnknownFields

public final com.google.protobuf.UnknownFieldSet getUnknownFields()

Specified by:

getUnknownFields in interface com.google.protobuf.MessageOrBuilder

Overrides:

getUnknownFields in class com.google.protobuf.GeneratedMessageV3

getDescriptor

public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

internalGetFieldAccessorTable

protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()

Specified by:

internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

hasTrustedCa

public boolean hasTrustedCa()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs. Note
 that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
 provided for all certificate authorities in that chain. Failure to do so will result in
 verification failure for both revoked and unrevoked certificates from that chain.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 If *trusted_ca* is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the *CertificateValidationContext* is
 delivered via SDS.
 

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

Specified by:

hasTrustedCa in interface CertificateValidationContextOrBuilder

getTrustedCa

public DataSource getTrustedCa()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs. Note
 that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
 provided for all certificate authorities in that chain. Failure to do so will result in
 verification failure for both revoked and unrevoked certificates from that chain.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 If *trusted_ca* is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the *CertificateValidationContext* is
 delivered via SDS.
 

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

Specified by:

getTrustedCa in interface CertificateValidationContextOrBuilder

getTrustedCaOrBuilder

public DataSourceOrBuilder getTrustedCaOrBuilder()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_subject_alt_names
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.match_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs. Note
 that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
 provided for all certificate authorities in that chain. Failure to do so will result in
 verification failure for both revoked and unrevoked certificates from that chain.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 If *trusted_ca* is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the *CertificateValidationContext* is
 delivered via SDS.
 

.envoy.config.core.v4alpha.DataSource trusted_ca = 1;

Specified by:

getTrustedCaOrBuilder in interface CertificateValidationContextOrBuilder

hasWatchedDirectory

public boolean hasWatchedDirectory()

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.
 

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

Specified by:

hasWatchedDirectory in interface CertificateValidationContextOrBuilder

getWatchedDirectory

public WatchedDirectory getWatchedDirectory()

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.
 

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

Specified by:

getWatchedDirectory in interface CertificateValidationContextOrBuilder

getWatchedDirectoryOrBuilder

public WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()

 If specified, updates of a file-based *trusted_ca* source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in *trusted_ca* is
 watched if this field is not specified. This only applies when a
 *CertificateValidationContext* is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.
 

.envoy.config.core.v4alpha.WatchedDirectory watched_directory = 11;

Specified by:

getWatchedDirectoryOrBuilder in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiList

public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateSpkiList in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiCount

public int getVerifyCertificateSpkiCount()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateSpkiCount in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpki

public String getVerifyCertificateSpki(int index)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateSpki in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiBytes

public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateSpkiBytes in interface CertificateValidationContextOrBuilder

getVerifyCertificateHashList

public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateHashList in interface CertificateValidationContextOrBuilder

getVerifyCertificateHashCount

public int getVerifyCertificateHashCount()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateHashCount in interface CertificateValidationContextOrBuilder

getVerifyCertificateHash

public String getVerifyCertificateHash(int index)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateHash in interface CertificateValidationContextOrBuilder

getVerifyCertificateHashBytes

public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateHashBytes in interface CertificateValidationContextOrBuilder

getMatchSubjectAltNamesList

public List<StringMatcher> getMatchSubjectAltNamesList()

 An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v4alpha.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9;

Specified by:

getMatchSubjectAltNamesList in interface CertificateValidationContextOrBuilder

getMatchSubjectAltNamesOrBuilderList

public List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()

 An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v4alpha.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9;

Specified by:

getMatchSubjectAltNamesOrBuilderList in interface CertificateValidationContextOrBuilder

getMatchSubjectAltNamesCount

public int getMatchSubjectAltNamesCount()

 An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v4alpha.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9;

Specified by:

getMatchSubjectAltNamesCount in interface CertificateValidationContextOrBuilder

getMatchSubjectAltNames

public StringMatcher getMatchSubjectAltNames(int index)

 An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v4alpha.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9;

Specified by:

getMatchSubjectAltNames in interface CertificateValidationContextOrBuilder

getMatchSubjectAltNamesOrBuilder

public StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(int index)

 An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v4alpha.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_subject_alt_names:
    exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.trusted_ca>`.
 

repeated .envoy.type.matcher.v4alpha.StringMatcher match_subject_alt_names = 9;

Specified by:

getMatchSubjectAltNamesOrBuilder in interface CertificateValidationContextOrBuilder

hasRequireSignedCertificateTimestamp

public boolean hasRequireSignedCertificateTimestamp()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:

hasRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder

getRequireSignedCertificateTimestamp

public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:

getRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder

getRequireSignedCertificateTimestampOrBuilder

public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:

getRequireSignedCertificateTimestampOrBuilder in interface CertificateValidationContextOrBuilder

hasCrl

public boolean hasCrl()

 An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used. Note that if a CRL is provided
 for any certificate authority in a trust chain, a CRL must be provided
 for all certificate authorities in that chain. Failure to do so will
 result in verification failure for both revoked and unrevoked certificates
 from that chain.
 

.envoy.config.core.v4alpha.DataSource crl = 7;

Specified by:

hasCrl in interface CertificateValidationContextOrBuilder

getCrl

public DataSource getCrl()

 An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used. Note that if a CRL is provided
 for any certificate authority in a trust chain, a CRL must be provided
 for all certificate authorities in that chain. Failure to do so will
 result in verification failure for both revoked and unrevoked certificates
 from that chain.
 

.envoy.config.core.v4alpha.DataSource crl = 7;

Specified by:

getCrl in interface CertificateValidationContextOrBuilder

getCrlOrBuilder

public DataSourceOrBuilder getCrlOrBuilder()

 An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used. Note that if a CRL is provided
 for any certificate authority in a trust chain, a CRL must be provided
 for all certificate authorities in that chain. Failure to do so will
 result in verification failure for both revoked and unrevoked certificates
 from that chain.
 

.envoy.config.core.v4alpha.DataSource crl = 7;

Specified by:

getCrlOrBuilder in interface CertificateValidationContextOrBuilder

getAllowExpiredCertificate

public boolean getAllowExpiredCertificate()

 If specified, Envoy will not reject expired certificates.
 

bool allow_expired_certificate = 8;

Specified by:

getAllowExpiredCertificate in interface CertificateValidationContextOrBuilder

getTrustChainVerificationValue

public int getTrustChainVerificationValue()

 Certificate trust chain verification mode.
 

.envoy.extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }

Specified by:

getTrustChainVerificationValue in interface CertificateValidationContextOrBuilder

getTrustChainVerification

public CertificateValidationContext.TrustChainVerification getTrustChainVerification()

 Certificate trust chain verification mode.
 

.envoy.extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }

Specified by:

getTrustChainVerification in interface CertificateValidationContextOrBuilder

isInitialized

public final boolean isInitialized()

Specified by:

isInitialized in interface com.google.protobuf.MessageLiteOrBuilder

Overrides:

isInitialized in class com.google.protobuf.GeneratedMessageV3

writeTo

public void writeTo(com.google.protobuf.CodedOutputStream output)
             throws IOException

Specified by:

writeTo in interface com.google.protobuf.MessageLite

Overrides:

writeTo in class com.google.protobuf.GeneratedMessageV3

Throws:

IOException

getSerializedSize

public int getSerializedSize()

Specified by:

getSerializedSize in interface com.google.protobuf.MessageLite

Overrides:

getSerializedSize in class com.google.protobuf.GeneratedMessageV3

equals

public boolean equals(Object obj)

Specified by:

equals in interface com.google.protobuf.Message

Overrides:

equals in class com.google.protobuf.AbstractMessage

hashCode

public int hashCode()

Specified by:

hashCode in interface com.google.protobuf.Message

Overrides:

hashCode in class com.google.protobuf.AbstractMessage

parseFrom

public static CertificateValidationContext parseFrom(ByteBuffer data)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(ByteBuffer data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(byte[] data)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(byte[] data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(InputStream input)
                                              throws IOException

Throws:

IOException

parseFrom

public static CertificateValidationContext parseFrom(InputStream input,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws IOException

Throws:

IOException

parseDelimitedFrom

public static CertificateValidationContext parseDelimitedFrom(InputStream input)
                                                       throws IOException

Throws:

IOException

parseDelimitedFrom

public static CertificateValidationContext parseDelimitedFrom(InputStream input,
                                                              com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                                       throws IOException

Throws:

IOException

parseFrom

public static CertificateValidationContext parseFrom(com.google.protobuf.CodedInputStream input)
                                              throws IOException

Throws:

IOException

parseFrom

public static CertificateValidationContext parseFrom(com.google.protobuf.CodedInputStream input,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws IOException

Throws:

IOException

newBuilderForType

public CertificateValidationContext.Builder newBuilderForType()

Specified by:

newBuilderForType in interface com.google.protobuf.Message

Specified by:

newBuilderForType in interface com.google.protobuf.MessageLite

newBuilder

public static CertificateValidationContext.Builder newBuilder()

newBuilder

public static CertificateValidationContext.Builder newBuilder(CertificateValidationContext prototype)

toBuilder

public CertificateValidationContext.Builder toBuilder()

Specified by:

toBuilder in interface com.google.protobuf.Message

Specified by:

toBuilder in interface com.google.protobuf.MessageLite

newBuilderForType

protected CertificateValidationContext.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)

Specified by:

newBuilderForType in class com.google.protobuf.GeneratedMessageV3

getDefaultInstance

public static CertificateValidationContext getDefaultInstance()

parser

public static com.google.protobuf.Parser<CertificateValidationContext> parser()

getParserForType

public com.google.protobuf.Parser<CertificateValidationContext> getParserForType()

Specified by:

getParserForType in interface com.google.protobuf.Message

Specified by:

getParserForType in interface com.google.protobuf.MessageLite

Overrides:

getParserForType in class com.google.protobuf.GeneratedMessageV3

getDefaultInstanceForType

public CertificateValidationContext getDefaultInstanceForType()

Specified by:

getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder

Specified by:

getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder