Package io.envoyproxy.envoy.extensions.transport_sockets.tls.v3

Interface CertificateValidationContextOrBuilder

    • Method Detail

      • hasTrustedCa

        boolean hasTrustedCa()
         TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs. Note
 that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
 provided for all certificate authorities in that chain. Failure to do so will result in
 verification failure for both revoked and unrevoked certificates from that chain.
 The behavior of requiring all certificates to contain CRLs if any do can be altered by
 setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
 true. If set to true, only the final certificate in the chain undergoes CRL verification.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the ``CertificateValidationContext`` is
 delivered via SDS.
 Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
 [#next-major-version: This field and watched_directory below should ideally be moved into a
 separate sub-message, since there's no point in specifying the latter field without this one.]
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
        Returns:
        Whether the trustedCa field is set.

      • getTrustedCa

        DataSource getTrustedCa()
         TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs. Note
 that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
 provided for all certificate authorities in that chain. Failure to do so will result in
 verification failure for both revoked and unrevoked certificates from that chain.
 The behavior of requiring all certificates to contain CRLs if any do can be altered by
 setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
 true. If set to true, only the final certificate in the chain undergoes CRL verification.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the ``CertificateValidationContext`` is
 delivered via SDS.
 Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
 [#next-major-version: This field and watched_directory below should ideally be moved into a
 separate sub-message, since there's no point in specifying the latter field without this one.]
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }
        Returns:
        The trustedCa.

      • getTrustedCaOrBuilder

        DataSourceOrBuilder getTrustedCaOrBuilder()
         TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs. Note
 that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
 provided for all certificate authorities in that chain. Failure to do so will result in
 verification failure for both revoked and unrevoked certificates from that chain.
 The behavior of requiring all certificates to contain CRLs if any do can be altered by
 setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
 true. If set to true, only the final certificate in the chain undergoes CRL verification.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the ``CertificateValidationContext`` is
 delivered via SDS.
 Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
 [#next-major-version: This field and watched_directory below should ideally be moved into a
 separate sub-message, since there's no point in specifying the latter field without this one.]
        .envoy.config.core.v3.DataSource trusted_ca = 1 [(.udpa.annotations.field_migrate) = { ... }

      • hasCaCertificateProviderInstance

        boolean hasCaCertificateProviderInstance()
         Certificate provider instance for fetching TLS certificates.
 Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
 [#not-implemented-hide:]
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
        Returns:
        Whether the caCertificateProviderInstance field is set.

      • getCaCertificateProviderInstance

        CertificateProviderPluginInstance getCaCertificateProviderInstance()
         Certificate provider instance for fetching TLS certificates.
 Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
 [#not-implemented-hide:]
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }
        Returns:
        The caCertificateProviderInstance.

      • getCaCertificateProviderInstanceOrBuilder

        CertificateProviderPluginInstanceOrBuilder getCaCertificateProviderInstanceOrBuilder()
         Certificate provider instance for fetching TLS certificates.
 Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
 [#not-implemented-hide:]
        .envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance ca_certificate_provider_instance = 13 [(.udpa.annotations.field_migrate) = { ... }

      • hasWatchedDirectory

        boolean hasWatchedDirectory()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in ``trusted_ca`` is
 watched if this field is not specified. This only applies when a
 ``CertificateValidationContext`` is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
        Returns:
        Whether the watchedDirectory field is set.

      • getWatchedDirectory

        WatchedDirectory getWatchedDirectory()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in ``trusted_ca`` is
 watched if this field is not specified. This only applies when a
 ``CertificateValidationContext`` is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;
        Returns:
        The watchedDirectory.

      • getWatchedDirectoryOrBuilder

        WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()
         If specified, updates of a file-based ``trusted_ca`` source will be triggered
 by this watch. This allows explicit control over the path watched, by
 default the parent directory of the filesystem path in ``trusted_ca`` is
 watched if this field is not specified. This only applies when a
 ``CertificateValidationContext`` is delivered by SDS with references to
 filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
 documentation for further details.
        .envoy.config.core.v3.WatchedDirectory watched_directory = 11;

      • getVerifyCertificateSpkiList

        List<String> getVerifyCertificateSpkiList()
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Returns:
        A list containing the verifyCertificateSpki.

      • getVerifyCertificateSpkiCount

        int getVerifyCertificateSpkiCount()
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Returns:
        The count of verifyCertificateSpki.

      • getVerifyCertificateSpki

        String getVerifyCertificateSpki​(int index)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Parameters:
        index - The index of the element to return.
        Returns:
        The verifyCertificateSpki at the given index.

      • getVerifyCertificateSpkiBytes

        com.google.protobuf.ByteString getVerifyCertificateSpkiBytes​(int index)
         An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey
     | openssl pkey -pubin -outform DER
     | openssl dgst -sha256 -binary
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
        repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the verifyCertificateSpki at the given index.

      • getVerifyCertificateHashList

        List<String> getVerifyCertificateHashList()
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Returns:
        A list containing the verifyCertificateHash.

      • getVerifyCertificateHashCount

        int getVerifyCertificateHashCount()
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Returns:
        The count of verifyCertificateHash.

      • getVerifyCertificateHash

        String getVerifyCertificateHash​(int index)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Parameters:
        index - The index of the element to return.
        Returns:
        The verifyCertificateHash at the given index.

      • getVerifyCertificateHashBytes

        com.google.protobuf.ByteString getVerifyCertificateHashBytes​(int index)
         An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
        repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the verifyCertificateHash at the given index.

      • getMatchTypedSubjectAltNamesList

        List<SubjectAltNameMatcher> getMatchTypedSubjectAltNamesList()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
 matched.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_typed_subject_alt_names:
  - san_type: DNS
    matcher:
      exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;

      • getMatchTypedSubjectAltNames

        SubjectAltNameMatcher getMatchTypedSubjectAltNames​(int index)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
 matched.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_typed_subject_alt_names:
  - san_type: DNS
    matcher:
      exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;

      • getMatchTypedSubjectAltNamesCount

        int getMatchTypedSubjectAltNamesCount()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
 matched.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_typed_subject_alt_names:
  - san_type: DNS
    matcher:
      exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;

      • getMatchTypedSubjectAltNamesOrBuilderList

        List<? extends SubjectAltNameMatcherOrBuilder> getMatchTypedSubjectAltNamesOrBuilderList()
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
 matched.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_typed_subject_alt_names:
  - san_type: DNS
    matcher:
      exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;

      • getMatchTypedSubjectAltNamesOrBuilder

        SubjectAltNameMatcherOrBuilder getMatchTypedSubjectAltNamesOrBuilder​(int index)
         An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified matchers.
 The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
 matched.
 When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
 For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 it should be configured as shown below.
 .. code-block:: yaml
  match_typed_subject_alt_names:
  - san_type: DNS
    matcher:
      exact: "api.example.com"
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
        repeated .envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher match_typed_subject_alt_names = 15;

      • getMatchSubjectAltNamesList

        @Deprecated
List<StringMatcher> getMatchSubjectAltNamesList()
        Deprecated.
         This field is deprecated in favor of
 :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
 Note that if both this field and :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
 are specified, the former (deprecated field) is ignored.
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];

      • getMatchSubjectAltNames

        @Deprecated
StringMatcher getMatchSubjectAltNames​(int index)
        Deprecated.
         This field is deprecated in favor of
 :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
 Note that if both this field and :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
 are specified, the former (deprecated field) is ignored.
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];

      • getMatchSubjectAltNamesCount

        @Deprecated
int getMatchSubjectAltNamesCount()
        Deprecated.
         This field is deprecated in favor of
 :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
 Note that if both this field and :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
 are specified, the former (deprecated field) is ignored.
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];

      • getMatchSubjectAltNamesOrBuilderList

        @Deprecated
List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
        Deprecated.
         This field is deprecated in favor of
 :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
 Note that if both this field and :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
 are specified, the former (deprecated field) is ignored.
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];

      • getMatchSubjectAltNamesOrBuilder

        @Deprecated
StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder​(int index)
        Deprecated.
         This field is deprecated in favor of
 :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
 Note that if both this field and :ref:`match_typed_subject_alt_names
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
 are specified, the former (deprecated field) is ignored.
        repeated .envoy.type.matcher.v3.StringMatcher match_subject_alt_names = 9 [deprecated = true, (.envoy.annotations.deprecated_at_minor_version) = "3.0"];

      • hasRequireSignedCertificateTimestamp

        boolean hasRequireSignedCertificateTimestamp()
         [#not-implemented-hide:] Must present signed certificate time-stamp.
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
        Returns:
        Whether the requireSignedCertificateTimestamp field is set.

      • getRequireSignedCertificateTimestamp

        com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
         [#not-implemented-hide:] Must present signed certificate time-stamp.
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
        Returns:
        The requireSignedCertificateTimestamp.

      • getRequireSignedCertificateTimestampOrBuilder

        com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()
         [#not-implemented-hide:] Must present signed certificate time-stamp.
        .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

      • hasCrl

        boolean hasCrl()
         An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used. Note that if a CRL is provided
 for any certificate authority in a trust chain, a CRL must be provided
 for all certificate authorities in that chain. Failure to do so will
 result in verification failure for both revoked and unrevoked certificates
 from that chain. This default behavior can be altered by setting
 :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
 true.
        .envoy.config.core.v3.DataSource crl = 7;
        Returns:
        Whether the crl field is set.

      • getCrl

        DataSource getCrl()
         An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used. Note that if a CRL is provided
 for any certificate authority in a trust chain, a CRL must be provided
 for all certificate authorities in that chain. Failure to do so will
 result in verification failure for both revoked and unrevoked certificates
 from that chain. This default behavior can be altered by setting
 :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
 true.
        .envoy.config.core.v3.DataSource crl = 7;
        Returns:
        The crl.

      • getCrlOrBuilder

        DataSourceOrBuilder getCrlOrBuilder()
         An optional `certificate revocation list
 <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used. Note that if a CRL is provided
 for any certificate authority in a trust chain, a CRL must be provided
 for all certificate authorities in that chain. Failure to do so will
 result in verification failure for both revoked and unrevoked certificates
 from that chain. This default behavior can be altered by setting
 :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
 true.
        .envoy.config.core.v3.DataSource crl = 7;

      • getAllowExpiredCertificate

        boolean getAllowExpiredCertificate()
         If specified, Envoy will not reject expired certificates.
        bool allow_expired_certificate = 8;
        Returns:
        The allowExpiredCertificate.

      • getTrustChainVerificationValue

        int getTrustChainVerificationValue()
         Certificate trust chain verification mode.
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
        Returns:
        The enum numeric value on the wire for trustChainVerification.

      • getTrustChainVerification

        CertificateValidationContext.TrustChainVerification getTrustChainVerification()
         Certificate trust chain verification mode.
        .envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
        Returns:
        The trustChainVerification.

      • hasCustomValidatorConfig

        boolean hasCustomValidatorConfig()
         The configuration of an extension specific certificate validator.
 If specified, all validation is done by the specified validator,
 and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
 Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
 [#extension-category: envoy.tls.cert_validator]
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
        Returns:
        Whether the customValidatorConfig field is set.

      • getCustomValidatorConfig

        TypedExtensionConfig getCustomValidatorConfig()
         The configuration of an extension specific certificate validator.
 If specified, all validation is done by the specified validator,
 and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
 Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
 [#extension-category: envoy.tls.cert_validator]
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;
        Returns:
        The customValidatorConfig.

      • getCustomValidatorConfigOrBuilder

        TypedExtensionConfigOrBuilder getCustomValidatorConfigOrBuilder()
         The configuration of an extension specific certificate validator.
 If specified, all validation is done by the specified validator,
 and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
 Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
 [#extension-category: envoy.tls.cert_validator]
        .envoy.config.core.v3.TypedExtensionConfig custom_validator_config = 12;

      • getOnlyVerifyLeafCertCrl

        boolean getOnlyVerifyLeafCertCrl()
         If this option is set to true, only the certificate at the end of the
 certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
        bool only_verify_leaf_cert_crl = 14;
        Returns:
        The onlyVerifyLeafCertCrl.

      • hasMaxVerifyDepth

        boolean hasMaxVerifyDepth()
         Config for the max number of intermediate certificates in chain that are parsed during verification.
 This does not include the leaf certificate. If configured, and the certificate chain is longer than allowed, the certificates
 above the limit are ignored, and certificate validation will fail. The default limit is 100,
 though this can be system-dependent.
 https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
        Returns:
        Whether the maxVerifyDepth field is set.

      • getMaxVerifyDepth

        com.google.protobuf.UInt32Value getMaxVerifyDepth()
         Config for the max number of intermediate certificates in chain that are parsed during verification.
 This does not include the leaf certificate. If configured, and the certificate chain is longer than allowed, the certificates
 above the limit are ignored, and certificate validation will fail. The default limit is 100,
 though this can be system-dependent.
 https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }
        Returns:
        The maxVerifyDepth.

      • getMaxVerifyDepthOrBuilder

        com.google.protobuf.UInt32ValueOrBuilder getMaxVerifyDepthOrBuilder()
         Config for the max number of intermediate certificates in chain that are parsed during verification.
 This does not include the leaf certificate. If configured, and the certificate chain is longer than allowed, the certificates
 above the limit are ignored, and certificate validation will fail. The default limit is 100,
 though this can be system-dependent.
 https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html
        .google.protobuf.UInt32Value max_verify_depth = 16 [(.validate.rules) = { ... }