Class CertificateValidationContext

    • Field Detail

      • TRUSTED_CA_FIELD_NUMBER

        public static final int TRUSTED_CA_FIELD_NUMBER
        See Also:
        Constant Field Values
      • VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER

        public static final int VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER
        See Also:
        Constant Field Values
      • VERIFY_CERTIFICATE_HASH_FIELD_NUMBER

        public static final int VERIFY_CERTIFICATE_HASH_FIELD_NUMBER
        See Also:
        Constant Field Values
      • VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER

        public static final int VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER
        See Also:
        Constant Field Values
      • MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER

        public static final int MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER
        See Also:
        Constant Field Values
      • REQUIRE_OCSP_STAPLE_FIELD_NUMBER

        public static final int REQUIRE_OCSP_STAPLE_FIELD_NUMBER
        See Also:
        Constant Field Values
      • REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER

        public static final int REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER
        See Also:
        Constant Field Values
      • ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER

        public static final int ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER
        See Also:
        Constant Field Values
      • TRUST_CHAIN_VERIFICATION_FIELD_NUMBER

        public static final int TRUST_CHAIN_VERIFICATION_FIELD_NUMBER
        See Also:
        Constant Field Values
    • Method Detail

      • newInstance

        protected Object newInstance​(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
        Overrides:
        newInstance in class com.google.protobuf.GeneratedMessageV3
      • getUnknownFields

        public final com.google.protobuf.UnknownFieldSet getUnknownFields()
        Specified by:
        getUnknownFields in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getUnknownFields in class com.google.protobuf.GeneratedMessageV3
      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3
      • hasTrustedCa

        public boolean hasTrustedCa()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_subject_alt_names
         <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
         specified.
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs.
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
         
        .envoy.api.v2.core.DataSource trusted_ca = 1;
        Specified by:
        hasTrustedCa in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the trustedCa field is set.
      • getTrustedCa

        public DataSource getTrustedCa()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_subject_alt_names
         <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
         specified.
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs.
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
         
        .envoy.api.v2.core.DataSource trusted_ca = 1;
        Specified by:
        getTrustedCa in interface CertificateValidationContextOrBuilder
        Returns:
        The trustedCa.
      • getTrustedCaOrBuilder

        public DataSourceOrBuilder getTrustedCaOrBuilder()
         TLS certificate data containing certificate authority certificates to use in verifying
         a presented peer certificate (e.g. server certificate for clusters or client certificate
         for listeners). If not specified and a peer certificate is presented it will not be
         verified. By default, a client certificate is optional, unless one of the additional
         options (:ref:`require_client_certificate
         <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
         :ref:`match_subject_alt_names
         <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
         specified.
         It can optionally contain certificate revocation lists, in which case Envoy will verify
         that the presented peer certificate has not been revoked by one of the included CRLs.
         See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
         system CA locations.
         
        .envoy.api.v2.core.DataSource trusted_ca = 1;
        Specified by:
        getTrustedCaOrBuilder in interface CertificateValidationContextOrBuilder
      • getVerifyCertificateSpkiList

        public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -noout -pubkey
             | openssl pkey -pubin -outform DER
             | openssl dgst -sha256 -binary
             | openssl enc -base64
           NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
         This is the format used in HTTP Public Key Pinning.
         When both:
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         .. attention::
           This option is preferred over :ref:`verify_certificate_hash
           <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
           because SPKI is tied to a private key, so it doesn't change when the certificate
           is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateSpkiList in interface CertificateValidationContextOrBuilder
        Returns:
        A list containing the verifyCertificateSpki.
      • getVerifyCertificateSpkiCount

        public int getVerifyCertificateSpkiCount()
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -noout -pubkey
             | openssl pkey -pubin -outform DER
             | openssl dgst -sha256 -binary
             | openssl enc -base64
           NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
         This is the format used in HTTP Public Key Pinning.
         When both:
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         .. attention::
           This option is preferred over :ref:`verify_certificate_hash
           <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
           because SPKI is tied to a private key, so it doesn't change when the certificate
           is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateSpkiCount in interface CertificateValidationContextOrBuilder
        Returns:
        The count of verifyCertificateSpki.
      • getVerifyCertificateSpki

        public String getVerifyCertificateSpki​(int index)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -noout -pubkey
             | openssl pkey -pubin -outform DER
             | openssl dgst -sha256 -binary
             | openssl enc -base64
           NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
         This is the format used in HTTP Public Key Pinning.
         When both:
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         .. attention::
           This option is preferred over :ref:`verify_certificate_hash
           <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
           because SPKI is tied to a private key, so it doesn't change when the certificate
           is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateSpki in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The verifyCertificateSpki at the given index.
      • getVerifyCertificateSpkiBytes

        public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes​(int index)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
         SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
         matches one of the specified values.
         A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
         can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -noout -pubkey
             | openssl pkey -pubin -outform DER
             | openssl dgst -sha256 -binary
             | openssl enc -base64
           NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
         This is the format used in HTTP Public Key Pinning.
         When both:
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         .. attention::
           This option is preferred over :ref:`verify_certificate_hash
           <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
           because SPKI is tied to a private key, so it doesn't change when the certificate
           is renewed using the same private key.
         
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateSpkiBytes in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the verifyCertificateSpki at the given index.
      • getVerifyCertificateHashList

        public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
           df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
           DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
         Both of those formats are acceptable.
         When both:
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateHashList in interface CertificateValidationContextOrBuilder
        Returns:
        A list containing the verifyCertificateHash.
      • getVerifyCertificateHashCount

        public int getVerifyCertificateHashCount()
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
           df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
           DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
         Both of those formats are acceptable.
         When both:
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateHashCount in interface CertificateValidationContextOrBuilder
        Returns:
        The count of verifyCertificateHash.
      • getVerifyCertificateHash

        public String getVerifyCertificateHash​(int index)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
           df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
           DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
         Both of those formats are acceptable.
         When both:
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateHash in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The verifyCertificateHash at the given index.
      • getVerifyCertificateHashBytes

        public com.google.protobuf.ByteString getVerifyCertificateHashBytes​(int index)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
         the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
         A hex-encoded SHA-256 of the certificate can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
           df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
         A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
         can be generated with the following command:
         .. code-block:: bash
           $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
           DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
         Both of those formats are acceptable.
         When both:
         :ref:`verify_certificate_hash
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
         :ref:`verify_certificate_spki
         <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
         a hash matching value from either of the lists will result in the certificate being accepted.
         
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Specified by:
        getVerifyCertificateHashBytes in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the verifyCertificateHash at the given index.
      • getVerifySubjectAltNameList

        @Deprecated
        public com.google.protobuf.ProtocolStringList getVerifySubjectAltNameList()
        Deprecated.
        envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
         An optional list of Subject Alternative Names. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified values.
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated string verify_subject_alt_name = 4 [deprecated = true];
        Specified by:
        getVerifySubjectAltNameList in interface CertificateValidationContextOrBuilder
        Returns:
        A list containing the verifySubjectAltName.
      • getVerifySubjectAltNameCount

        @Deprecated
        public int getVerifySubjectAltNameCount()
        Deprecated.
        envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
         An optional list of Subject Alternative Names. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified values.
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated string verify_subject_alt_name = 4 [deprecated = true];
        Specified by:
        getVerifySubjectAltNameCount in interface CertificateValidationContextOrBuilder
        Returns:
        The count of verifySubjectAltName.
      • getVerifySubjectAltName

        @Deprecated
        public String getVerifySubjectAltName​(int index)
        Deprecated.
        envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
         An optional list of Subject Alternative Names. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified values.
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated string verify_subject_alt_name = 4 [deprecated = true];
        Specified by:
        getVerifySubjectAltName in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The verifySubjectAltName at the given index.
      • getVerifySubjectAltNameBytes

        @Deprecated
        public com.google.protobuf.ByteString getVerifySubjectAltNameBytes​(int index)
        Deprecated.
        envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated. See envoy/api/v2/auth/common.proto;l=285
         An optional list of Subject Alternative Names. If specified, Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified values.
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated string verify_subject_alt_name = 4 [deprecated = true];
        Specified by:
        getVerifySubjectAltNameBytes in interface CertificateValidationContextOrBuilder
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the verifySubjectAltName at the given index.
      • getMatchSubjectAltNamesList

        public List<StringMatcher> getMatchSubjectAltNamesList()
         An optional list of Subject Alternative name matchers. Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matches.
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
         .. code-block:: yaml
          match_subject_alt_names:
            exact: "api.example.com"
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
        Specified by:
        getMatchSubjectAltNamesList in interface CertificateValidationContextOrBuilder
      • getMatchSubjectAltNamesOrBuilderList

        public List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
         An optional list of Subject Alternative name matchers. Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matches.
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
         .. code-block:: yaml
          match_subject_alt_names:
            exact: "api.example.com"
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
        Specified by:
        getMatchSubjectAltNamesOrBuilderList in interface CertificateValidationContextOrBuilder
      • getMatchSubjectAltNamesCount

        public int getMatchSubjectAltNamesCount()
         An optional list of Subject Alternative name matchers. Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matches.
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
         .. code-block:: yaml
          match_subject_alt_names:
            exact: "api.example.com"
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
        Specified by:
        getMatchSubjectAltNamesCount in interface CertificateValidationContextOrBuilder
      • getMatchSubjectAltNames

        public StringMatcher getMatchSubjectAltNames​(int index)
         An optional list of Subject Alternative name matchers. Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matches.
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
         .. code-block:: yaml
          match_subject_alt_names:
            exact: "api.example.com"
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
        Specified by:
        getMatchSubjectAltNames in interface CertificateValidationContextOrBuilder
      • getMatchSubjectAltNamesOrBuilder

        public StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder​(int index)
         An optional list of Subject Alternative name matchers. Envoy will verify that the
         Subject Alternative Name of the presented certificate matches one of the specified matches.
         When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
         configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
         For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
         it should be configured as shown below.
         .. code-block:: yaml
          match_subject_alt_names:
            exact: "api.example.com"
         .. attention::
           Subject Alternative Names are easily spoofable and verifying only them is insecure,
           therefore this option must be used together with :ref:`trusted_ca
           <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
         
        repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
        Specified by:
        getMatchSubjectAltNamesOrBuilder in interface CertificateValidationContextOrBuilder
      • hasRequireOcspStaple

        public boolean hasRequireOcspStaple()
         [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
         
        .google.protobuf.BoolValue require_ocsp_staple = 5;
        Specified by:
        hasRequireOcspStaple in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the requireOcspStaple field is set.
      • getRequireOcspStaple

        public com.google.protobuf.BoolValue getRequireOcspStaple()
         Not implemented: this field is hidden from the rendered Envoy API docs and is not enforced.
         Intended meaning: the peer must present a signed, time-stamped OCSP response.
         
        .google.protobuf.BoolValue require_ocsp_staple = 5;
        Specified by:
        getRequireOcspStaple in interface CertificateValidationContextOrBuilder
        Returns:
        The requireOcspStaple.
      • getRequireOcspStapleOrBuilder

        public com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder()
         Not implemented: this field is hidden from the rendered Envoy API docs and is not enforced.
         Intended meaning: the peer must present a signed, time-stamped OCSP response.
         
        .google.protobuf.BoolValue require_ocsp_staple = 5;
        Specified by:
        getRequireOcspStapleOrBuilder in interface CertificateValidationContextOrBuilder
      • hasRequireSignedCertificateTimestamp

        public boolean hasRequireSignedCertificateTimestamp()
         Not implemented: this field is hidden from the rendered Envoy API docs and is not enforced.
         Intended meaning: the peer must present a signed certificate timestamp (SCT).
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
        Specified by:
        hasRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the requireSignedCertificateTimestamp field is set.
      • getRequireSignedCertificateTimestamp

        public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
         Not implemented: this field is hidden from the rendered Envoy API docs and is not enforced.
         Intended meaning: the peer must present a signed certificate timestamp (SCT).
         
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
        Specified by:
        getRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder
        Returns:
        The requireSignedCertificateTimestamp.
      • hasCrl

        public boolean hasCrl()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used.
         
        .envoy.api.v2.core.DataSource crl = 7;
        Specified by:
        hasCrl in interface CertificateValidationContextOrBuilder
        Returns:
        Whether the crl field is set.
      • getCrl

        public DataSource getCrl()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used.
         
        .envoy.api.v2.core.DataSource crl = 7;
        Specified by:
        getCrl in interface CertificateValidationContextOrBuilder
        Returns:
        The crl.
      • getCrlOrBuilder

        public DataSourceOrBuilder getCrlOrBuilder()
         An optional `certificate revocation list
         <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
         (in PEM format). If specified, Envoy will verify that the presented peer
         certificate has not been revoked by this CRL. If this DataSource contains
         multiple CRLs, all of them will be used.
         
        .envoy.api.v2.core.DataSource crl = 7;
        Specified by:
        getCrlOrBuilder in interface CertificateValidationContextOrBuilder
      • getTrustChainVerificationValue

        public int getTrustChainVerificationValue()
         Certificate trust chain verification mode.
         
        .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
        Specified by:
        getTrustChainVerificationValue in interface CertificateValidationContextOrBuilder
        Returns:
        The enum numeric value on the wire for trustChainVerification.
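The match_subject_alt_names, crl and trust_chain_verification fields documented above, wired together through the generated builder that pairs with these getters, and round-tripped through the parseFrom overload documented further down. This is an added example, not code from Envoy or the java-control-plane project. It assumes the v2 API artifact's package names (io.envoyproxy.envoy.api.v2.auth, io.envoyproxy.envoy.api.v2.core, io.envoyproxy.envoy.type.matcher); the file paths and the hostname are placeholders; isSafe is a local helper that encodes the attention note on match_subject_alt_names (SAN matchers only mean something next to trusted_ca or an SPKI/hash pin), not an Envoy API.

```java
// Added example (not Envoy or java-control-plane code). Package names below are
// assumed from the v2 API artifact; paths and hostnames are placeholders.
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification;
import io.envoyproxy.envoy.api.v2.core.DataSource;
import io.envoyproxy.envoy.type.matcher.StringMatcher;

import com.google.protobuf.InvalidProtocolBufferException;

public final class ValidationContextExample {

    /** Builds a context anchored on one CA, restricted to one exact SAN, checked against a CRL. */
    static CertificateValidationContext build(String caPath, String crlPath, String allowedSan) {
        return CertificateValidationContext.newBuilder()
            // trusted_ca is the anchor: without it any issuer can mint a certificate
            // carrying the SAN below, which is why SAN matching alone is insecure.
            .setTrustedCa(DataSource.newBuilder().setFilename(caPath))
            // match_subject_alt_names is a repeated field; an exact matcher limits the
            // configured allow-list to one name even when the peer holds a wildcard cert.
            .addMatchSubjectAltNames(StringMatcher.newBuilder().setExact(allowedSan))
            // crl is a PEM DataSource; if the file holds several CRLs, all are consulted.
            .setCrl(DataSource.newBuilder().setFilename(crlPath))
            // Explicitly verify the chain (the default); ACCEPT_UNTRUSTED would let
            // connections through even when the chain does not validate.
            .setTrustChainVerification(TrustChainVerification.VERIFY_TRUST_CHAIN)
            .build();
    }

    /** Hypothetical local check: rejects SAN-only and untrusted-chain contexts. */
    static boolean isSafe(CertificateValidationContext ctx) {
        boolean hasAnchor = ctx.hasTrustedCa()
            || ctx.getVerifyCertificateSpkiCount() > 0
            || ctx.getVerifyCertificateHashCount() > 0;
        boolean untrusted =
            ctx.getTrustChainVerification() == TrustChainVerification.ACCEPT_UNTRUSTED;
        return hasAnchor && !untrusted;
    }

    public static void main(String[] args) throws InvalidProtocolBufferException {
        CertificateValidationContext ctx =
            build("/etc/envoy/ca.pem", "/etc/envoy/crl.pem", "api.example.com");

        // Wire round trip through parseFrom(byte[]); equals() is the generated
        // field-by-field comparison, so a mismatch here means the message was altered.
        byte[] wire = ctx.toByteArray();
        CertificateValidationContext parsed = CertificateValidationContext.parseFrom(wire);
        if (!parsed.equals(ctx)) {
            throw new IllegalStateException("round trip changed the message");
        }
        System.out.println("pinned context safe=" + isSafe(parsed));

        // The configuration the attention note warns about: SAN matcher, no trusted_ca.
        CertificateValidationContext sanOnly = CertificateValidationContext.newBuilder()
            .addMatchSubjectAltNames(StringMatcher.newBuilder().setExact("api.example.com"))
            .build();
        System.out.println("SAN-only context safe=" + isSafe(sanOnly));
    }
}
```

The builder accepts either a built message or its Builder for message-typed fields (setTrustedCa, setCrl, addMatchSubjectAltNames), which is why the nested newBuilder() calls are passed without build(). isSafe deliberately counts an SPKI or certificate-hash pin as an anchor, because those pins bind the peer key directly and do not depend on a CA.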
      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3
      • writeTo

        public void writeTo(com.google.protobuf.CodedOutputStream output)
                     throws IOException
        Specified by:
        writeTo in interface com.google.protobuf.MessageLite
        Overrides:
        writeTo in class com.google.protobuf.GeneratedMessageV3
        Throws:
        IOException
      • getSerializedSize

        public int getSerializedSize()
        Specified by:
        getSerializedSize in interface com.google.protobuf.MessageLite
        Overrides:
        getSerializedSize in class com.google.protobuf.GeneratedMessageV3
      • equals

        public boolean equals(Object obj)
        Specified by:
        equals in interface com.google.protobuf.Message
        Overrides:
        equals in class com.google.protobuf.AbstractMessage
      • hashCode

        public int hashCode()
        Specified by:
        hashCode in interface com.google.protobuf.Message
        Overrides:
        hashCode in class com.google.protobuf.AbstractMessage
      • parseFrom

        public static CertificateValidationContext parseFrom(ByteBuffer data)
                                                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static CertificateValidationContext parseFrom(ByteBuffer data,
                                                             com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data)
                                                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data,
                                                             com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static CertificateValidationContext parseFrom(byte[] data)
                                                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static CertificateValidationContext parseFrom(byte[] data,
                                                             com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • newBuilderForType

        public CertificateValidationContext.Builder newBuilderForType()
        Specified by:
        newBuilderForType in interface com.google.protobuf.Message
        Specified by:
        newBuilderForType in interface com.google.protobuf.MessageLite
      • toBuilder

        public CertificateValidationContext.Builder toBuilder()
        Specified by:
        toBuilder in interface com.google.protobuf.Message
        Specified by:
        toBuilder in interface com.google.protobuf.MessageLite
      • newBuilderForType

        protected CertificateValidationContext.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
        Specified by:
        newBuilderForType in class com.google.protobuf.GeneratedMessageV3
      • getParserForType

        public com.google.protobuf.Parser<CertificateValidationContext> getParserForType()
        Specified by:
        getParserForType in interface com.google.protobuf.Message
        Specified by:
        getParserForType in interface com.google.protobuf.MessageLite
        Overrides:
        getParserForType in class com.google.protobuf.GeneratedMessageV3
      • getDefaultInstanceForType

        public CertificateValidationContext getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder