Package io.envoyproxy.envoy.extensions.transport_sockets.tls.v3

Class SPIFFECertValidatorConfig

  • All Implemented Interfaces:
    com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, SPIFFECertValidatorConfigOrBuilder, Serializable
    public final class SPIFFECertValidatorConfig
extends com.google.protobuf.GeneratedMessageV3
implements SPIFFECertValidatorConfigOrBuilder
     Configuration specific to the `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
 Example:
 .. validated-code-block:: yaml
   :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
   custom_validator_config:
     name: envoy.tls.cert_validator.spiffe
     typed_config:
       "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
       trust_domains:
       - name: foo.com
         trust_bundle:
           filename: "foo.pem"
       - name: envoy.com
         trust_bundle:
           filename: "envoy.pem"
 In this example, a presented peer certificate whose SAN matches ``spiffe//foo.com/**`` is validated against
 the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 a SVID belonging to another trust domain. That means, in this example, a SVID signed by ``envoy.com``'s CA with ``spiffe//foo.com/**``
 SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.
 - :ref:`allow_expired_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.allow_expired_certificate>` to allow expired certificates.
 - :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` to match **URI** SAN of certificates. Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
    Protobuf type envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
    See Also:
    Serialized Form

    • Field Detail

      • TRUST_DOMAINS_FIELD_NUMBER

        public static final int TRUST_DOMAINS_FIELD_NUMBER
        See Also:
        Constant Field Values

    • Method Detail

      • newInstance

        protected Object newInstance​(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
        Overrides:
        newInstance in class com.google.protobuf.GeneratedMessageV3

      • getUnknownFields

        public final com.google.protobuf.UnknownFieldSet getUnknownFields()
        Specified by:
        getUnknownFields in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getUnknownFields in class com.google.protobuf.GeneratedMessageV3

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

      • getTrustDomainsCount

        public int getTrustDomainsCount()
         This field specifies trust domains used for validating incoming X.509-SVID(s).
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
        Specified by:
        getTrustDomainsCount in interface SPIFFECertValidatorConfigOrBuilder

      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3

      • writeTo

        public void writeTo​(com.google.protobuf.CodedOutputStream output)
             throws IOException
        Specified by:
        writeTo in interface com.google.protobuf.MessageLite
        Overrides:
        writeTo in class com.google.protobuf.GeneratedMessageV3
        Throws:
        IOException

      • getSerializedSize

        public int getSerializedSize()
        Specified by:
        getSerializedSize in interface com.google.protobuf.MessageLite
        Overrides:
        getSerializedSize in class com.google.protobuf.GeneratedMessageV3

      • equals

        public boolean equals​(Object obj)
        Specified by:
        equals in interface com.google.protobuf.Message
        Overrides:
        equals in class com.google.protobuf.AbstractMessage

      • hashCode

        public int hashCode()
        Specified by:
        hashCode in interface com.google.protobuf.Message
        Overrides:
        hashCode in class com.google.protobuf.AbstractMessage

      • parseFrom

        public static SPIFFECertValidatorConfig parseFrom​(ByteBuffer data)
                                           throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static SPIFFECertValidatorConfig parseFrom​(ByteBuffer data,
                                                  com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                           throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static SPIFFECertValidatorConfig parseFrom​(com.google.protobuf.ByteString data)
                                           throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static SPIFFECertValidatorConfig parseFrom​(com.google.protobuf.ByteString data,
                                                  com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                           throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static SPIFFECertValidatorConfig parseFrom​(byte[] data)
                                           throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static SPIFFECertValidatorConfig parseFrom​(byte[] data,
                                                  com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                           throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • newBuilderForType

        public SPIFFECertValidatorConfig.Builder newBuilderForType()
        Specified by:
        newBuilderForType in interface com.google.protobuf.Message
        Specified by:
        newBuilderForType in interface com.google.protobuf.MessageLite

      • toBuilder

        public SPIFFECertValidatorConfig.Builder toBuilder()
        Specified by:
        toBuilder in interface com.google.protobuf.Message
        Specified by:
        toBuilder in interface com.google.protobuf.MessageLite

      • newBuilderForType

        protected SPIFFECertValidatorConfig.Builder newBuilderForType​(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
        Specified by:
        newBuilderForType in class com.google.protobuf.GeneratedMessageV3

      • getParserForType

        public com.google.protobuf.Parser<SPIFFECertValidatorConfig> getParserForType()
        Specified by:
        getParserForType in interface com.google.protobuf.Message
        Specified by:
        getParserForType in interface com.google.protobuf.MessageLite
        Overrides:
        getParserForType in class com.google.protobuf.GeneratedMessageV3

      • getDefaultInstanceForType

        public SPIFFECertValidatorConfig getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder