public static final class Cert.CertificateValidationContext.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder> implements Cert.CertificateValidationContextOrBuilder
envoy.api.v2.auth.CertificateValidationContext

| Modifier and Type | Method and Description |
|---|---|
| Cert.CertificateValidationContext.Builder | `addAllVerifyCertificateHash(Iterable<String> values)` An optional list of hex-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `addAllVerifyCertificateSpki(Iterable<String> values)` An optional list of base64-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `addAllVerifySubjectAltName(Iterable<String> values)` An optional list of Subject Alternative Names. |
| Cert.CertificateValidationContext.Builder | `addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)` |
| Cert.CertificateValidationContext.Builder | `addVerifyCertificateHash(String value)` An optional list of hex-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `addVerifyCertificateHashBytes(com.google.protobuf.ByteString value)` An optional list of hex-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `addVerifyCertificateSpki(String value)` An optional list of base64-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value)` An optional list of base64-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `addVerifySubjectAltName(String value)` An optional list of Subject Alternative Names. |
| Cert.CertificateValidationContext.Builder | `addVerifySubjectAltNameBytes(com.google.protobuf.ByteString value)` An optional list of Subject Alternative Names. |
| Cert.CertificateValidationContext | `build()` |
| Cert.CertificateValidationContext | `buildPartial()` |
| Cert.CertificateValidationContext.Builder | `clear()` |
| Cert.CertificateValidationContext.Builder | `clearAllowExpiredCertificate()` If specified, Envoy will not reject expired certificates. |
| Cert.CertificateValidationContext.Builder | `clearCrl()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| Cert.CertificateValidationContext.Builder | `clearField(com.google.protobuf.Descriptors.FieldDescriptor field)` |
| Cert.CertificateValidationContext.Builder | `clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)` |
| Cert.CertificateValidationContext.Builder | `clearRequireOcspStaple()` [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| Cert.CertificateValidationContext.Builder | `clearRequireSignedCertificateTimestamp()` [#not-implemented-hide:] Must present signed certificate time-stamp. |
| Cert.CertificateValidationContext.Builder | `clearTrustedCa()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| Cert.CertificateValidationContext.Builder | `clearVerifyCertificateHash()` An optional list of hex-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `clearVerifyCertificateSpki()` An optional list of base64-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `clearVerifySubjectAltName()` An optional list of Subject Alternative Names. |
| Cert.CertificateValidationContext.Builder | `clone()` |
| boolean | `getAllowExpiredCertificate()` If specified, Envoy will not reject expired certificates. |
| Base.DataSource | `getCrl()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| Base.DataSource.Builder | `getCrlBuilder()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| Base.DataSourceOrBuilder | `getCrlOrBuilder()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| Cert.CertificateValidationContext | `getDefaultInstanceForType()` |
| static com.google.protobuf.Descriptors.Descriptor | `getDescriptor()` |
| com.google.protobuf.Descriptors.Descriptor | `getDescriptorForType()` |
| com.google.protobuf.BoolValue | `getRequireOcspStaple()` [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| com.google.protobuf.BoolValue.Builder | `getRequireOcspStapleBuilder()` [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| com.google.protobuf.BoolValueOrBuilder | `getRequireOcspStapleOrBuilder()` [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| com.google.protobuf.BoolValue | `getRequireSignedCertificateTimestamp()` [#not-implemented-hide:] Must present signed certificate time-stamp. |
| com.google.protobuf.BoolValue.Builder | `getRequireSignedCertificateTimestampBuilder()` [#not-implemented-hide:] Must present signed certificate time-stamp. |
| com.google.protobuf.BoolValueOrBuilder | `getRequireSignedCertificateTimestampOrBuilder()` [#not-implemented-hide:] Must present signed certificate time-stamp. |
| Base.DataSource | `getTrustedCa()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| Base.DataSource.Builder | `getTrustedCaBuilder()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| Base.DataSourceOrBuilder | `getTrustedCaOrBuilder()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| String | `getVerifyCertificateHash(int index)` An optional list of hex-encoded SHA-256 hashes. |
| com.google.protobuf.ByteString | `getVerifyCertificateHashBytes(int index)` An optional list of hex-encoded SHA-256 hashes. |
| int | `getVerifyCertificateHashCount()` An optional list of hex-encoded SHA-256 hashes. |
| com.google.protobuf.ProtocolStringList | `getVerifyCertificateHashList()` An optional list of hex-encoded SHA-256 hashes. |
| String | `getVerifyCertificateSpki(int index)` An optional list of base64-encoded SHA-256 hashes. |
| com.google.protobuf.ByteString | `getVerifyCertificateSpkiBytes(int index)` An optional list of base64-encoded SHA-256 hashes. |
| int | `getVerifyCertificateSpkiCount()` An optional list of base64-encoded SHA-256 hashes. |
| com.google.protobuf.ProtocolStringList | `getVerifyCertificateSpkiList()` An optional list of base64-encoded SHA-256 hashes. |
| String | `getVerifySubjectAltName(int index)` An optional list of Subject Alternative Names. |
| com.google.protobuf.ByteString | `getVerifySubjectAltNameBytes(int index)` An optional list of Subject Alternative Names. |
| int | `getVerifySubjectAltNameCount()` An optional list of Subject Alternative Names. |
| com.google.protobuf.ProtocolStringList | `getVerifySubjectAltNameList()` An optional list of Subject Alternative Names. |
| boolean | `hasCrl()` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| boolean | `hasRequireOcspStaple()` [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| boolean | `hasRequireSignedCertificateTimestamp()` [#not-implemented-hide:] Must present signed certificate time-stamp. |
| boolean | `hasTrustedCa()` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable | `internalGetFieldAccessorTable()` |
| boolean | `isInitialized()` |
| Cert.CertificateValidationContext.Builder | `mergeCrl(Base.DataSource value)` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| Cert.CertificateValidationContext.Builder | `mergeFrom(Cert.CertificateValidationContext other)` |
| Cert.CertificateValidationContext.Builder | `mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)` |
| Cert.CertificateValidationContext.Builder | `mergeFrom(com.google.protobuf.Message other)` |
| Cert.CertificateValidationContext.Builder | `mergeRequireOcspStaple(com.google.protobuf.BoolValue value)` [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| Cert.CertificateValidationContext.Builder | `mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)` [#not-implemented-hide:] Must present signed certificate time-stamp. |
| Cert.CertificateValidationContext.Builder | `mergeTrustedCa(Base.DataSource value)` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| Cert.CertificateValidationContext.Builder | `mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)` |
| Cert.CertificateValidationContext.Builder | `setAllowExpiredCertificate(boolean value)` If specified, Envoy will not reject expired certificates. |
| Cert.CertificateValidationContext.Builder | `setCrl(Base.DataSource.Builder builderForValue)` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| Cert.CertificateValidationContext.Builder | `setCrl(Base.DataSource value)` An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| Cert.CertificateValidationContext.Builder | `setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)` |
| Cert.CertificateValidationContext.Builder | `setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)` |
| Cert.CertificateValidationContext.Builder | `setRequireOcspStaple(com.google.protobuf.BoolValue.Builder builderForValue)` [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| Cert.CertificateValidationContext.Builder | `setRequireOcspStaple(com.google.protobuf.BoolValue value)` [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| Cert.CertificateValidationContext.Builder | `setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue)` [#not-implemented-hide:] Must present signed certificate time-stamp. |
| Cert.CertificateValidationContext.Builder | `setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)` [#not-implemented-hide:] Must present signed certificate time-stamp. |
| Cert.CertificateValidationContext.Builder | `setTrustedCa(Base.DataSource.Builder builderForValue)` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| Cert.CertificateValidationContext.Builder | `setTrustedCa(Base.DataSource value)` TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| Cert.CertificateValidationContext.Builder | `setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)` |
| Cert.CertificateValidationContext.Builder | `setVerifyCertificateHash(int index, String value)` An optional list of hex-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `setVerifyCertificateSpki(int index, String value)` An optional list of base64-encoded SHA-256 hashes. |
| Cert.CertificateValidationContext.Builder | `setVerifySubjectAltName(int index, String value)` An optional list of Subject Alternative Names. |
Methods inherited from class com.google.protobuf.GeneratedMessageV3.Builder:
getAllFields, getField, getFieldBuilder, getOneofFieldDescriptor, getParentForChildren, getRepeatedField, getRepeatedFieldBuilder, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof, internalGetMapField, internalGetMutableMapField, isClean, markClean, newBuilderForField, onBuilt, onChanged, setUnknownFieldsProto3

Methods inherited from class com.google.protobuf.AbstractMessage.Builder:
findInitializationErrors, getInitializationErrorString, internalMergeFrom, mergeDelimitedFrom, mergeDelimitedFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, newUninitializedMessageException, toString

Methods inherited from class com.google.protobuf.AbstractMessageLite.Builder:
addAll, addAll, mergeFrom, newUninitializedMessageException

Methods inherited from class java.lang.Object:
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Overrides: internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder clear()
Specified by: clear in interface com.google.protobuf.Message.Builder
Specified by: clear in interface com.google.protobuf.MessageLite.Builder
Overrides: clear in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
Specified by: getDescriptorForType in interface com.google.protobuf.Message.Builder
Specified by: getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
Overrides: getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext getDefaultInstanceForType()
Specified by: getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
Specified by: getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

public Cert.CertificateValidationContext build()
Specified by: build in interface com.google.protobuf.Message.Builder
Specified by: build in interface com.google.protobuf.MessageLite.Builder

public Cert.CertificateValidationContext buildPartial()
Specified by: buildPartial in interface com.google.protobuf.Message.Builder
Specified by: buildPartial in interface com.google.protobuf.MessageLite.Builder

public Cert.CertificateValidationContext.Builder clone()
Specified by: clone in interface com.google.protobuf.Message.Builder
Specified by: clone in interface com.google.protobuf.MessageLite.Builder
Overrides: clone in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
Specified by: setField in interface com.google.protobuf.Message.Builder
Overrides: setField in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
Specified by: clearField in interface com.google.protobuf.Message.Builder
Overrides: clearField in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
Specified by: clearOneof in interface com.google.protobuf.Message.Builder
Overrides: clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
Specified by: setRepeatedField in interface com.google.protobuf.Message.Builder
Overrides: setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
Specified by: addRepeatedField in interface com.google.protobuf.Message.Builder
Overrides: addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder mergeFrom(com.google.protobuf.Message other)
Specified by: mergeFrom in interface com.google.protobuf.Message.Builder
Overrides: mergeFrom in class com.google.protobuf.AbstractMessage.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder mergeFrom(Cert.CertificateValidationContext other)

public final boolean isInitialized()
Specified by: isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
Overrides: isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public Cert.CertificateValidationContext.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
Specified by: mergeFrom in interface com.google.protobuf.Message.Builder
Specified by: mergeFrom in interface com.google.protobuf.MessageLite.Builder
Overrides: mergeFrom in class com.google.protobuf.AbstractMessage.Builder<Cert.CertificateValidationContext.Builder>
Throws: IOException

public boolean hasTrustedCa()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`verify_subject_alt_name <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also specified. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;
Specified by: hasTrustedCa in interface Cert.CertificateValidationContextOrBuilder

public Base.DataSource getTrustedCa()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`verify_subject_alt_name <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also specified. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;
Specified by: getTrustedCa in interface Cert.CertificateValidationContextOrBuilder

public Cert.CertificateValidationContext.Builder setTrustedCa(Base.DataSource value)
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`verify_subject_alt_name <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also specified. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public Cert.CertificateValidationContext.Builder setTrustedCa(Base.DataSource.Builder builderForValue)
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`verify_subject_alt_name <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also specified. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public Cert.CertificateValidationContext.Builder mergeTrustedCa(Base.DataSource value)
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`verify_subject_alt_name <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also specified. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public Cert.CertificateValidationContext.Builder clearTrustedCa()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`verify_subject_alt_name <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also specified. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public Base.DataSource.Builder getTrustedCaBuilder()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`verify_subject_alt_name <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also specified. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public Base.DataSourceOrBuilder getTrustedCaOrBuilder()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`verify_subject_alt_name <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also specified. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;
Specified by: getTrustedCaOrBuilder in interface Cert.CertificateValidationContextOrBuilder

public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
can be generated with the following command:
.. code-block:: bash
$ openssl x509 -in path/to/client.crt -noout -pubkey \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 -binary \
| openssl enc -base64
NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
.. attention::
This option is preferred over :ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
because SPKI is tied to a private key, so it doesn't change when the certificate
is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
Specified by: getVerifyCertificateSpkiList in interface Cert.CertificateValidationContextOrBuilder

public int getVerifyCertificateSpkiCount()
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
can be generated with the following command:
.. code-block:: bash
$ openssl x509 -in path/to/client.crt -noout -pubkey \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 -binary \
| openssl enc -base64
NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
.. attention::
This option is preferred over :ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
because SPKI is tied to a private key, so it doesn't change when the certificate
is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
Specified by: getVerifyCertificateSpkiCount in interface Cert.CertificateValidationContextOrBuilder

public String getVerifyCertificateSpki(int index)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
can be generated with the following command:
.. code-block:: bash
$ openssl x509 -in path/to/client.crt -noout -pubkey \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 -binary \
| openssl enc -base64
NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
.. attention::
This option is preferred over :ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
because SPKI is tied to a private key, so it doesn't change when the certificate
is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
Specified by: getVerifyCertificateSpki in interface Cert.CertificateValidationContextOrBuilder

public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
can be generated with the following command:
.. code-block:: bash
$ openssl x509 -in path/to/client.crt -noout -pubkey \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 -binary \
| openssl enc -base64
NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
.. attention::
This option is preferred over :ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
because SPKI is tied to a private key, so it doesn't change when the certificate
is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
Specified by: getVerifyCertificateSpkiBytes in interface Cert.CertificateValidationContextOrBuilder

public Cert.CertificateValidationContext.Builder setVerifyCertificateSpki(int index, String value)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
can be generated with the following command:
.. code-block:: bash
$ openssl x509 -in path/to/client.crt -noout -pubkey \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 -binary \
| openssl enc -base64
NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
.. attention::
This option is preferred over :ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
because SPKI is tied to a private key, so it doesn't change when the certificate
is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public Cert.CertificateValidationContext.Builder addVerifyCertificateSpki(String value)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public Cert.CertificateValidationContext.Builder addAllVerifyCertificateSpki(Iterable<String> values)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public Cert.CertificateValidationContext.Builder clearVerifyCertificateSpki()
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public Cert.CertificateValidationContext.Builder addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded presented certificate matches one of the specified values.
A hex-encoded SHA-256 of the certificate can be generated with the following command:
.. code-block:: bash
$ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
can be generated with the following command:
.. code-block:: bash
$ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
Both of those formats are acceptable.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
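The following Python is an added example, not part of this Javadoc or of the Envoy code base. It computes both pin formats the two fields above expect, the base64 SPKI digest for verify_certificate_spki and the hex certificate digest (bare or colon-separated) for verify_certificate_hash, directly from a DER certificate, and models the "either list matches" acceptance rule. All function and constant names are this example's own. The certificates at the bottom are constructed DER skeletons with empty names and a dummy signature so the code runs offline; they have the structure the parser needs but are not real certificates. The renewal case (CERT_A1 vs. CERT_A2, same key, new serial) is what the attention note above is about: the SPKI pin survives, the certificate hash does not.

```python
"""Envoy CertificateValidationContext pins (SPKI and certificate hash) from DER,
plus the either-list accept rule. Added example; not Envoy code. Sample
certificates are constructed skeletons, not real certificates."""
import base64
import hashlib
import re


def _read_tlv(buf, pos):
    """Parse one DER TLV header at pos -> (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:                      # long form: low 7 bits = number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value;
    the header is kept so a child can be re-serialized byte-for-byte."""
    pos = start
    while pos < end:
        tag, _, nxt = _read_tlv(buf, pos)
        yield tag, pos, nxt
        pos = nxt


def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, vs, ve = _read_tlv(cert_der, 0)
    if tag != 0x30 or ve != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, tbs_start, _ = next(_children(cert_der, vs, ve))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tbs_vs, tbs_ve = _read_tlv(cert_der, tbs_start)
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:   # explicit [0] version; absent in v1 certificates
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    _, start, end = fields[5]
    return cert_der[start:end]


def spki_pin(cert_der):
    """verify_certificate_spki format (the HPKP form): base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def cert_hash(cert_der):
    """verify_certificate_hash format as `openssl dgst` prints it: bare lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def fingerprint(cert_der):
    """The same digest as `openssl x509 -fingerprint -sha256` prints it."""
    h = cert_hash(cert_der).upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def normalize_hash(value):
    """Canonicalize either accepted spelling to bare lowercase hex; anything that
    is not 32 bytes of hex is a configuration error, not merely a non-match."""
    canon = value.replace(":", "").strip().lower()
    if not _SHA256_HEX.match(canon):
        raise ValueError(f"not a SHA-256 hash: {value!r}")
    return canon


def pins_accept(cert_der, verify_certificate_hash=(), verify_certificate_spki=()):
    """Either-list rule from the field docs: with both lists set, a match in either
    accepts the certificate. Only the pin checks are modelled here; chain validation
    against trusted_ca and SAN checks are separate steps."""
    if not verify_certificate_hash and not verify_certificate_spki:
        return True                       # no pins configured: nothing to check at this stage
    if cert_hash(cert_der) in {normalize_hash(v) for v in verify_certificate_hash}:
        return True
    return spki_pin(cert_der) in set(verify_certificate_spki)


# --- constructed sample certificates (structure only; not real certificates) ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _seq(*parts):
    return _tlv(0x30, b"".join(parts))


def make_spki(public_key_bytes):
    """SubjectPublicKeyInfo { AlgorithmIdentifier(rsaEncryption), BIT STRING }."""
    alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), _tlv(0x05, b""))
    return _seq(alg, _tlv(0x03, b"\x00" + public_key_bytes))


def make_cert(serial, spki_der):
    """v3 certificate skeleton: given serial and key, empty names, dummy signature."""
    sig_alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))
    tbs = _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                  # [0] version = v3
        _tlv(0x02, bytes([serial])),                                      # serialNumber (1..127)
        sig_alg, _seq(),                                                  # signature, issuer
        _seq(_tlv(0x17, b"180101000000Z"), _tlv(0x17, b"190101000000Z")),  # validity
        _seq(), spki_der)                                                 # subject, SPKI
    return _seq(tbs, sig_alg, _tlv(0x03, b"\x00" + bytes(32)))           # dummy signatureValue


KEY_A = make_spki(bytes(range(1, 40)))    # constructed key material, not a real key
KEY_B = make_spki(bytes(range(40, 80)))
CERT_A1 = make_cert(1, KEY_A)             # original certificate for key A
CERT_A2 = make_cert(2, KEY_A)             # "renewed" certificate: same key, new serial
CERT_B = make_cert(3, KEY_B)              # unrelated key
```

Pinning CERT_A1 by SPKI keeps accepting CERT_A2 after renewal with the same key, while a hash-only pin on CERT_A1 rejects it; a pin list that holds both formats the docs show is normalized before comparison, so the colon-separated fingerprint and the bare hex digest of the same certificate behave identically.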
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:
getVerifyCertificateHashList in interface Cert.CertificateValidationContextOrBuilder

public int getVerifyCertificateHashCount()
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:
getVerifyCertificateHashCount in interface Cert.CertificateValidationContextOrBuilder

public String getVerifyCertificateHash(int index)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:
getVerifyCertificateHash in interface Cert.CertificateValidationContextOrBuilder

public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:
getVerifyCertificateHashBytes in interface Cert.CertificateValidationContextOrBuilder

public Cert.CertificateValidationContext.Builder setVerifyCertificateHash(int index, String value)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public Cert.CertificateValidationContext.Builder addVerifyCertificateHash(String value)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public Cert.CertificateValidationContext.Builder addAllVerifyCertificateHash(Iterable<String> values)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public Cert.CertificateValidationContext.Builder clearVerifyCertificateHash()
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public Cert.CertificateValidationContext.Builder addVerifyCertificateHashBytes(com.google.protobuf.ByteString value)
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public com.google.protobuf.ProtocolStringList getVerifySubjectAltNameList()
An optional list of Subject Alternative Names. If specified, Envoy will verify that the
Subject Alternative Name of the presented certificate matches one of the specified values.
.. attention::
Subject Alternative Names are easily spoofable and verifying only them is insecure,
therefore this option must be used together with :ref:`trusted_ca
<envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated string verify_subject_alt_name = 4;

Specified by:
getVerifySubjectAltNameList in interface Cert.CertificateValidationContextOrBuilder

public int getVerifySubjectAltNameCount()
An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
repeated string verify_subject_alt_name = 4;

Specified by:
getVerifySubjectAltNameCount in interface Cert.CertificateValidationContextOrBuilder

public String getVerifySubjectAltName(int index)
An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
repeated string verify_subject_alt_name = 4;

Specified by:
getVerifySubjectAltName in interface Cert.CertificateValidationContextOrBuilder

public com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index)
An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
repeated string verify_subject_alt_name = 4;

Specified by:
getVerifySubjectAltNameBytes in interface Cert.CertificateValidationContextOrBuilder

public Cert.CertificateValidationContext.Builder setVerifySubjectAltName(int index, String value)
An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
repeated string verify_subject_alt_name = 4;

public Cert.CertificateValidationContext.Builder addVerifySubjectAltName(String value)
An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
repeated string verify_subject_alt_name = 4;

public Cert.CertificateValidationContext.Builder addAllVerifySubjectAltName(Iterable<String> values)
An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
repeated string verify_subject_alt_name = 4;

public Cert.CertificateValidationContext.Builder clearVerifySubjectAltName()
An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
repeated string verify_subject_alt_name = 4;

public Cert.CertificateValidationContext.Builder addVerifySubjectAltNameBytes(com.google.protobuf.ByteString value)
An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
repeated string verify_subject_alt_name = 4;

public boolean hasRequireOcspStaple()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

Specified by:
hasRequireOcspStaple in interface Cert.CertificateValidationContextOrBuilder

public com.google.protobuf.BoolValue getRequireOcspStaple()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

Specified by:
getRequireOcspStaple in interface Cert.CertificateValidationContextOrBuilder

public Cert.CertificateValidationContext.Builder setRequireOcspStaple(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public Cert.CertificateValidationContext.Builder setRequireOcspStaple(com.google.protobuf.BoolValue.Builder builderForValue)
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public Cert.CertificateValidationContext.Builder mergeRequireOcspStaple(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public Cert.CertificateValidationContext.Builder clearRequireOcspStaple()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public com.google.protobuf.BoolValue.Builder getRequireOcspStapleBuilder()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

Specified by:
getRequireOcspStapleOrBuilder in interface Cert.CertificateValidationContextOrBuilder

public boolean hasRequireSignedCertificateTimestamp()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:
hasRequireSignedCertificateTimestamp in interface Cert.CertificateValidationContextOrBuilder

public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:
getRequireSignedCertificateTimestamp in interface Cert.CertificateValidationContextOrBuilder

public Cert.CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public Cert.CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue)
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public Cert.CertificateValidationContext.Builder mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public Cert.CertificateValidationContext.Builder clearRequireSignedCertificateTimestamp()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public com.google.protobuf.BoolValue.Builder getRequireSignedCertificateTimestampBuilder()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:
getRequireSignedCertificateTimestampOrBuilder in interface Cert.CertificateValidationContextOrBuilder

public boolean hasCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL.
If this DataSource contains multiple CRLs, all of them will be used.
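Because the crl DataSource may carry several CRLs in one PEM file, a file that is silently wrong (a CERTIFICATE block pasted into it, or a block truncated by a copy-paste) is easy to ship. The following Python is an added example, not Envoy's code: a pre-flight check that splits a PEM bundle, insists every block is labelled X509 CRL, and verifies that each block's outer DER length matches its byte count. All names are this example's own; the sample bundles are constructed DER skeletons wrapped in PEM armour, not real CRLs, so the check runs offline.

```python
"""Pre-flight check for a PEM `crl` DataSource that may hold several CRLs.
Added example, not Envoy code. Sample bundles are constructed DER skeletons
in PEM armour, not real CRLs."""
import base64
import re

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes)] for every PEM block, in file order.
    Whitespace inside the body is dropped before strict base64 decoding."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def der_total_length(der):
    """Bytes the outer DER SEQUENCE header claims, header included.
    Catches truncation, and two CRLs pasted into a single PEM block."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, hdr = der[1], 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        hdr += n
    return hdr + length


def load_crl_bundle(text):
    """Return the DER CRLs in a PEM bundle, failing loudly on anything that is
    not a self-consistent X509 CRL block so the problem is seen before deploy."""
    crls = []
    for i, (label, der) in enumerate(split_pem(text)):
        if label != "X509 CRL":
            raise ValueError(f"block {i}: expected 'X509 CRL', found {label!r}")
        claimed = der_total_length(der)
        if claimed != len(der):
            raise ValueError(f"block {i}: DER claims {claimed} bytes, block has {len(der)}")
        crls.append(der)
    if not crls:
        raise ValueError("no X509 CRL blocks in bundle")
    return crls


# --- constructed sample bundles (structure only; not real CRLs) ---------------

def _seq(payload):
    n = len(payload)
    return (bytes([0x30, n]) if n < 0x80 else bytes([0x30, 0x81, n])) + payload


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


CRL_SMALL = _seq(b"\x02\x01\x01")                  # short-form length
CRL_LARGE = _seq(bytes(200))                       # long-form length (0x81 0xC8)
GOOD_BUNDLE = _pem("X509 CRL", CRL_SMALL) + _pem("X509 CRL", CRL_LARGE)
MIXED_BUNDLE = GOOD_BUNDLE + _pem("CERTIFICATE", _seq(b"\x05\x00"))   # cert in the CRL file
TRUNCATED_BUNDLE = _pem("X509 CRL", CRL_LARGE[:-7])                   # cut part-way through
```

The length check is deliberately structural only: it does not validate the CRL's issuer signature or freshness, which the TLS library does at load time; it just turns the two most common packaging mistakes into an error with a block index instead of a vague load failure.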
.envoy.api.v2.core.DataSource crl = 7;

Specified by:
hasCrl in interface Cert.CertificateValidationContextOrBuilder

public Base.DataSource getCrl()
An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL.
.envoy.api.v2.core.DataSource crl = 7;

Specified by:
getCrl in interface Cert.CertificateValidationContextOrBuilder

public Cert.CertificateValidationContext.Builder setCrl(Base.DataSource value)
An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL.
.envoy.api.v2.core.DataSource crl = 7;

public Cert.CertificateValidationContext.Builder setCrl(Base.DataSource.Builder builderForValue)
An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL.
.envoy.api.v2.core.DataSource crl = 7;

public Cert.CertificateValidationContext.Builder mergeCrl(Base.DataSource value)
An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL.
.envoy.api.v2.core.DataSource crl = 7;

public Cert.CertificateValidationContext.Builder clearCrl()
An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL.
.envoy.api.v2.core.DataSource crl = 7;

public Base.DataSource.Builder getCrlBuilder()
An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL.
.envoy.api.v2.core.DataSource crl = 7;

public Base.DataSourceOrBuilder getCrlOrBuilder()
An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL.
.envoy.api.v2.core.DataSource crl = 7;

Specified by:
getCrlOrBuilder in interface Cert.CertificateValidationContextOrBuilder

public boolean getAllowExpiredCertificate()
If set to true, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;

Specified by:
getAllowExpiredCertificate in interface Cert.CertificateValidationContextOrBuilder

public Cert.CertificateValidationContext.Builder setAllowExpiredCertificate(boolean value)
If set to true, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;

public Cert.CertificateValidationContext.Builder clearAllowExpiredCertificate()
If set to true, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;

public final Cert.CertificateValidationContext.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)

Specified by:
setUnknownFields in interface com.google.protobuf.Message.Builder
Overrides:
setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

public final Cert.CertificateValidationContext.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)

Specified by:
mergeUnknownFields in interface com.google.protobuf.Message.Builder
Overrides:
mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<Cert.CertificateValidationContext.Builder>

Copyright © 2018 The Envoy Project. All rights reserved.