io.envoyproxy.envoy.api.v2.auth

Class CertificateValidationContext

java.lang.Object

com.google.protobuf.AbstractMessageLite

com.google.protobuf.AbstractMessage

com.google.protobuf.GeneratedMessageV3

io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext

All Implemented Interfaces:

com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, CertificateValidationContextOrBuilder, Serializable

public final class CertificateValidationContext
extends com.google.protobuf.GeneratedMessageV3
implements CertificateValidationContextOrBuilder

Protobuf type envoy.api.v2.auth.CertificateValidationContext

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CertificateValidationContext.Builder Protobuf type envoy.api.v2.auth.CertificateValidationContext

Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageV3

com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage,BuilderType extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType,BuilderType>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable

Field Summary

Fields

Modifier and Type	Field and Description
static int	ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER
static int	CRL_FIELD_NUMBER
static int	REQUIRE_OCSP_STAPLE_FIELD_NUMBER
static int	REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER
static int	TRUSTED_CA_FIELD_NUMBER
static int	VERIFY_CERTIFICATE_HASH_FIELD_NUMBER
static int	VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER
static int	VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER

Fields inherited from class com.google.protobuf.GeneratedMessageV3

alwaysUseFieldBuilders, unknownFields

Fields inherited from class com.google.protobuf.AbstractMessage

memoizedSize

Fields inherited from class com.google.protobuf.AbstractMessageLite

memoizedHashCode

Method Summary

Modifier and Type	Method and Description
boolean	equals(Object obj)
boolean	getAllowExpiredCertificate() If specified, Envoy will not reject expired certificates.
DataSource	getCrl() An optional `certificate revocation list <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
DataSourceOrBuilder	getCrlOrBuilder() An optional `certificate revocation list <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
static CertificateValidationContext	getDefaultInstance()
CertificateValidationContext	getDefaultInstanceForType()
static com.google.protobuf.Descriptors.Descriptor	getDescriptor()
com.google.protobuf.Parser<CertificateValidationContext>	getParserForType()
com.google.protobuf.BoolValue	getRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
com.google.protobuf.BoolValueOrBuilder	getRequireOcspStapleOrBuilder() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
com.google.protobuf.BoolValue	getRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp.
com.google.protobuf.BoolValueOrBuilder	getRequireSignedCertificateTimestampOrBuilder() [#not-implemented-hide:] Must present signed certificate time-stamp.
int	getSerializedSize()
DataSource	getTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
DataSourceOrBuilder	getTrustedCaOrBuilder() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
com.google.protobuf.UnknownFieldSet	getUnknownFields()
String	getVerifyCertificateHash(int index) An optional list of hex-encoded SHA-256 hashes.
com.google.protobuf.ByteString	getVerifyCertificateHashBytes(int index) An optional list of hex-encoded SHA-256 hashes.
int	getVerifyCertificateHashCount() An optional list of hex-encoded SHA-256 hashes.
com.google.protobuf.ProtocolStringList	getVerifyCertificateHashList() An optional list of hex-encoded SHA-256 hashes.
String	getVerifyCertificateSpki(int index) An optional list of base64-encoded SHA-256 hashes.
com.google.protobuf.ByteString	getVerifyCertificateSpkiBytes(int index) An optional list of base64-encoded SHA-256 hashes.
int	getVerifyCertificateSpkiCount() An optional list of base64-encoded SHA-256 hashes.
com.google.protobuf.ProtocolStringList	getVerifyCertificateSpkiList() An optional list of base64-encoded SHA-256 hashes.
String	getVerifySubjectAltName(int index) An optional list of Subject Alternative Names.
com.google.protobuf.ByteString	getVerifySubjectAltNameBytes(int index) An optional list of Subject Alternative Names.
int	getVerifySubjectAltNameCount() An optional list of Subject Alternative Names.
com.google.protobuf.ProtocolStringList	getVerifySubjectAltNameList() An optional list of Subject Alternative Names.
boolean	hasCrl() An optional `certificate revocation list <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
int	hashCode()
boolean	hasRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
boolean	hasRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp.
boolean	hasTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable	internalGetFieldAccessorTable()
boolean	isInitialized()
static CertificateValidationContext.Builder	newBuilder()
static CertificateValidationContext.Builder	newBuilder(CertificateValidationContext prototype)
CertificateValidationContext.Builder	newBuilderForType()
protected CertificateValidationContext.Builder	newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
static CertificateValidationContext	parseDelimitedFrom(InputStream input)
static CertificateValidationContext	parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(byte[] data)
static CertificateValidationContext	parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(ByteBuffer data)
static CertificateValidationContext	parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(com.google.protobuf.ByteString data)
static CertificateValidationContext	parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(com.google.protobuf.CodedInputStream input)
static CertificateValidationContext	parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static CertificateValidationContext	parseFrom(InputStream input)
static CertificateValidationContext	parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
static com.google.protobuf.Parser<CertificateValidationContext>	parser()
CertificateValidationContext.Builder	toBuilder()
void	writeTo(com.google.protobuf.CodedOutputStream output)

Methods inherited from class com.google.protobuf.GeneratedMessageV3

canUseUnsafe, computeStringSize, computeStringSizeNoTag, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof, internalGetMapField, makeExtensionsImmutable, newBuilderForType, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag

Methods inherited from class com.google.protobuf.AbstractMessage

findInitializationErrors, getInitializationErrorString, hashBoolean, hashEnum, hashEnumList, hashFields, hashLong, toString

Methods inherited from class com.google.protobuf.AbstractMessageLite

addAll, addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface com.google.protobuf.MessageOrBuilder

findInitializationErrors, getAllFields, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof

Methods inherited from interface com.google.protobuf.MessageLite

toByteArray, toByteString, writeDelimitedTo, writeTo

Field Detail

TRUSTED_CA_FIELD_NUMBER

public static final int TRUSTED_CA_FIELD_NUMBER

See Also:

Constant Field Values

VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER

public static final int VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER

See Also:

Constant Field Values

VERIFY_CERTIFICATE_HASH_FIELD_NUMBER

public static final int VERIFY_CERTIFICATE_HASH_FIELD_NUMBER

See Also:

Constant Field Values

VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER

public static final int VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER

See Also:

Constant Field Values

REQUIRE_OCSP_STAPLE_FIELD_NUMBER

public static final int REQUIRE_OCSP_STAPLE_FIELD_NUMBER

See Also:

Constant Field Values

REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER

public static final int REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER

See Also:

Constant Field Values

CRL_FIELD_NUMBER

public static final int CRL_FIELD_NUMBER

See Also:

Constant Field Values

ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER

public static final int ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER

See Also:

Constant Field Values

Method Detail

getUnknownFields

public final com.google.protobuf.UnknownFieldSet getUnknownFields()

Specified by:

getUnknownFields in interface com.google.protobuf.MessageOrBuilder

Overrides:

getUnknownFields in class com.google.protobuf.GeneratedMessageV3

getDescriptor

public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

internalGetFieldAccessorTable

protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()

Specified by:

internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

hasTrustedCa

public boolean hasTrustedCa()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`verify_subject_alt_name
 <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

Specified by:

hasTrustedCa in interface CertificateValidationContextOrBuilder

getTrustedCa

public DataSource getTrustedCa()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`verify_subject_alt_name
 <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

Specified by:

getTrustedCa in interface CertificateValidationContextOrBuilder

getTrustedCaOrBuilder

public DataSourceOrBuilder getTrustedCaOrBuilder()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`verify_subject_alt_name
 <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
 specified.
 It can optionally contain certificate revocation lists, in which case Envoy will verify
 that the presented peer certificate has not been revoked by one of the included CRLs.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

Specified by:

getTrustedCaOrBuilder in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiList

public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey \
     | openssl pkey -pubin -outform DER \
     | openssl dgst -sha256 -binary \
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateSpkiList in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiCount

public int getVerifyCertificateSpkiCount()

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey \
     | openssl pkey -pubin -outform DER \
     | openssl dgst -sha256 -binary \
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateSpkiCount in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpki

public String getVerifyCertificateSpki(int index)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey \
     | openssl pkey -pubin -outform DER \
     | openssl dgst -sha256 -binary \
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateSpki in interface CertificateValidationContextOrBuilder

getVerifyCertificateSpkiBytes

public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)

 An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 matches one of the specified values.
 A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -pubkey \
     | openssl pkey -pubin -outform DER \
     | openssl dgst -sha256 -binary \
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
 This is the format used in HTTP Public Key Pinning.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 .. attention::
   This option is preferred over :ref:`verify_certificate_hash
   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
   because SPKI is tied to a private key, so it doesn't change when the certificate
   is renewed using the same private key.
 

repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateSpkiBytes in interface CertificateValidationContextOrBuilder

getVerifyCertificateHashList

public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateHashList in interface CertificateValidationContextOrBuilder

getVerifyCertificateHashCount

public int getVerifyCertificateHashCount()

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateHashCount in interface CertificateValidationContextOrBuilder

getVerifyCertificateHash

public String getVerifyCertificateHash(int index)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateHash in interface CertificateValidationContextOrBuilder

getVerifyCertificateHashBytes

public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)

 An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 A hex-encoded SHA-256 of the certificate can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
 can be generated with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 Both of those formats are acceptable.
 When both:
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 :ref:`verify_certificate_spki
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 a hash matching value from either of the lists will result in the certificate being accepted.
 

repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by:

getVerifyCertificateHashBytes in interface CertificateValidationContextOrBuilder

getVerifySubjectAltNameList

public com.google.protobuf.ProtocolStringList getVerifySubjectAltNameList()

 An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated string verify_subject_alt_name = 4;

Specified by:

getVerifySubjectAltNameList in interface CertificateValidationContextOrBuilder

getVerifySubjectAltNameCount

public int getVerifySubjectAltNameCount()

 An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated string verify_subject_alt_name = 4;

Specified by:

getVerifySubjectAltNameCount in interface CertificateValidationContextOrBuilder

getVerifySubjectAltName

public String getVerifySubjectAltName(int index)

 An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated string verify_subject_alt_name = 4;

Specified by:

getVerifySubjectAltName in interface CertificateValidationContextOrBuilder

getVerifySubjectAltNameBytes

public com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index)

 An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 Subject Alternative Name of the presented certificate matches one of the specified values.
 .. attention::
   Subject Alternative Names are easily spoofable and verifying only them is insecure,
   therefore this option must be used together with :ref:`trusted_ca
   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 

repeated string verify_subject_alt_name = 4;

Specified by:

getVerifySubjectAltNameBytes in interface CertificateValidationContextOrBuilder

hasRequireOcspStaple

public boolean hasRequireOcspStaple()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

Specified by:

hasRequireOcspStaple in interface CertificateValidationContextOrBuilder

getRequireOcspStaple

public com.google.protobuf.BoolValue getRequireOcspStaple()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

Specified by:

getRequireOcspStaple in interface CertificateValidationContextOrBuilder

getRequireOcspStapleOrBuilder

public com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

Specified by:

getRequireOcspStapleOrBuilder in interface CertificateValidationContextOrBuilder

hasRequireSignedCertificateTimestamp

public boolean hasRequireSignedCertificateTimestamp()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:

hasRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder

getRequireSignedCertificateTimestamp

public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:

getRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder

getRequireSignedCertificateTimestampOrBuilder

public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

Specified by:

getRequireSignedCertificateTimestampOrBuilder in interface CertificateValidationContextOrBuilder

hasCrl

public boolean hasCrl()

 An optional `certificate revocation list
 <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;

Specified by:

hasCrl in interface CertificateValidationContextOrBuilder

getCrl

public DataSource getCrl()

 An optional `certificate revocation list
 <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;

Specified by:

getCrl in interface CertificateValidationContextOrBuilder

getCrlOrBuilder

public DataSourceOrBuilder getCrlOrBuilder()

 An optional `certificate revocation list
 <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;

Specified by:

getCrlOrBuilder in interface CertificateValidationContextOrBuilder

getAllowExpiredCertificate

public boolean getAllowExpiredCertificate()

 If specified, Envoy will not reject expired certificates.
 

bool allow_expired_certificate = 8;

Specified by:

getAllowExpiredCertificate in interface CertificateValidationContextOrBuilder

isInitialized

public final boolean isInitialized()

Specified by:

isInitialized in interface com.google.protobuf.MessageLiteOrBuilder

Overrides:

isInitialized in class com.google.protobuf.GeneratedMessageV3

writeTo

public void writeTo(com.google.protobuf.CodedOutputStream output)
             throws IOException

Specified by:

writeTo in interface com.google.protobuf.MessageLite

Overrides:

writeTo in class com.google.protobuf.GeneratedMessageV3

Throws:

IOException

getSerializedSize

public int getSerializedSize()

Specified by:

getSerializedSize in interface com.google.protobuf.MessageLite

Overrides:

getSerializedSize in class com.google.protobuf.GeneratedMessageV3

equals

public boolean equals(Object obj)

Specified by:

equals in interface com.google.protobuf.Message

Overrides:

equals in class com.google.protobuf.AbstractMessage

hashCode

public int hashCode()

Specified by:

hashCode in interface com.google.protobuf.Message

Overrides:

hashCode in class com.google.protobuf.AbstractMessage

parseFrom

public static CertificateValidationContext parseFrom(ByteBuffer data)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(ByteBuffer data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(com.google.protobuf.ByteString data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(byte[] data)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(byte[] data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException

Throws:

com.google.protobuf.InvalidProtocolBufferException

parseFrom

public static CertificateValidationContext parseFrom(InputStream input)
                                              throws IOException

Throws:

IOException

parseFrom

public static CertificateValidationContext parseFrom(InputStream input,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws IOException

Throws:

IOException

parseDelimitedFrom

public static CertificateValidationContext parseDelimitedFrom(InputStream input)
                                                       throws IOException

Throws:

IOException

parseDelimitedFrom

public static CertificateValidationContext parseDelimitedFrom(InputStream input,
                                                              com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                                       throws IOException

Throws:

IOException

parseFrom

public static CertificateValidationContext parseFrom(com.google.protobuf.CodedInputStream input)
                                              throws IOException

Throws:

IOException

parseFrom

public static CertificateValidationContext parseFrom(com.google.protobuf.CodedInputStream input,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws IOException

Throws:

IOException

newBuilderForType

public CertificateValidationContext.Builder newBuilderForType()

Specified by:

newBuilderForType in interface com.google.protobuf.Message

Specified by:

newBuilderForType in interface com.google.protobuf.MessageLite

newBuilder

public static CertificateValidationContext.Builder newBuilder()

newBuilder

public static CertificateValidationContext.Builder newBuilder(CertificateValidationContext prototype)

toBuilder

public CertificateValidationContext.Builder toBuilder()

Specified by:

toBuilder in interface com.google.protobuf.Message

Specified by:

toBuilder in interface com.google.protobuf.MessageLite

newBuilderForType

protected CertificateValidationContext.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)

Specified by:

newBuilderForType in class com.google.protobuf.GeneratedMessageV3

getDefaultInstance

public static CertificateValidationContext getDefaultInstance()

parser

public static com.google.protobuf.Parser<CertificateValidationContext> parser()

getParserForType

public com.google.protobuf.Parser<CertificateValidationContext> getParserForType()

Specified by:

getParserForType in interface com.google.protobuf.Message

Specified by:

getParserForType in interface com.google.protobuf.MessageLite

Overrides:

getParserForType in class com.google.protobuf.GeneratedMessageV3

getDefaultInstanceForType

public CertificateValidationContext getDefaultInstanceForType()

Specified by:

getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder

Specified by:

getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder