envoy.api.v2.auth

Interface Cert.CertificateValidationContextOrBuilder

All Superinterfaces:

com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder

All Known Implementing Classes:

Cert.CertificateValidationContext, Cert.CertificateValidationContext.Builder

Enclosing class:

Cert

public static interface Cert.CertificateValidationContextOrBuilder
extends com.google.protobuf.MessageOrBuilder

Method Summary

Modifier and Type	Method and Description
Base.DataSource	getCrl() An optional `certificate revocation list <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
Base.DataSourceOrBuilder	getCrlOrBuilder() An optional `certificate revocation list <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
com.google.protobuf.BoolValue	getRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
com.google.protobuf.BoolValueOrBuilder	getRequireOcspStapleOrBuilder() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
com.google.protobuf.BoolValue	getRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp.
com.google.protobuf.BoolValueOrBuilder	getRequireSignedCertificateTimestampOrBuilder() [#not-implemented-hide:] Must present signed certificate time-stamp.
Base.DataSource	getTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
Base.DataSourceOrBuilder	getTrustedCaOrBuilder() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).
String	getVerifyCertificateHash(int index) If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of the presented certificate.
com.google.protobuf.ByteString	getVerifyCertificateHashBytes(int index) If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of the presented certificate.
int	getVerifyCertificateHashCount() If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of the presented certificate.
List<String>	getVerifyCertificateHashList() If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of the presented certificate.
String	getVerifySpkiSha256(int index) If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of the Subject Public Key Information (SPKI) of the presented certificate.
com.google.protobuf.ByteString	getVerifySpkiSha256Bytes(int index) If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of the Subject Public Key Information (SPKI) of the presented certificate.
int	getVerifySpkiSha256Count() If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of the Subject Public Key Information (SPKI) of the presented certificate.
List<String>	getVerifySpkiSha256List() If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of the Subject Public Key Information (SPKI) of the presented certificate.
String	getVerifySubjectAltName(int index) An optional list of subject alternative names.
com.google.protobuf.ByteString	getVerifySubjectAltNameBytes(int index) An optional list of subject alternative names.
int	getVerifySubjectAltNameCount() An optional list of subject alternative names.
List<String>	getVerifySubjectAltNameList() An optional list of subject alternative names.
boolean	hasCrl() An optional `certificate revocation list <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format).
boolean	hasRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
boolean	hasRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp.
boolean	hasTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners).

Methods inherited from interface com.google.protobuf.MessageOrBuilder

findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

isInitialized

Method Detail

hasTrustedCa

boolean hasTrustedCa()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`verify_subject_alt_name
 <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
 specified.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

getTrustedCa

Base.DataSource getTrustedCa()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`verify_subject_alt_name
 <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
 specified.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

getTrustedCaOrBuilder

Base.DataSourceOrBuilder getTrustedCaOrBuilder()

 TLS certificate data containing certificate authority certificates to use in verifying
 a presented peer certificate (e.g. server certificate for clusters or client certificate
 for listeners). If not specified and a peer certificate is presented it will not be
 verified. By default, a client certificate is optional, unless one of the additional
 options (:ref:`require_client_certificate
 <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 :ref:`verify_certificate_hash
 <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 :ref:`verify_subject_alt_name
 <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
 specified.
 See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 system CA locations.
 

.envoy.api.v2.core.DataSource trusted_ca = 1;

getVerifyCertificateHashList

List<String> getVerifyCertificateHashList()

 If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of
 the presented certificate.
 For example, ``openssl`` can produce a SHA-256 fingerprint of an x509 certificate
 with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256
 

repeated string verify_certificate_hash = 2;

getVerifyCertificateHashCount

int getVerifyCertificateHashCount()

 If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of
 the presented certificate.
 For example, ``openssl`` can produce a SHA-256 fingerprint of an x509 certificate
 with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256
 

repeated string verify_certificate_hash = 2;

getVerifyCertificateHash

String getVerifyCertificateHash(int index)

 If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of
 the presented certificate.
 For example, ``openssl`` can produce a SHA-256 fingerprint of an x509 certificate
 with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256
 

repeated string verify_certificate_hash = 2;

getVerifyCertificateHashBytes

com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)

 If specified, Envoy will verify (pin) the hex-encoded SHA-256 fingerprint of
 the presented certificate.
 For example, ``openssl`` can produce a SHA-256 fingerprint of an x509 certificate
 with the following command:
 .. code-block:: bash
   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256
 

repeated string verify_certificate_hash = 2;

getVerifySpkiSha256List

List<String> getVerifySpkiSha256List()

 If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
 the Subject Public Key Information (SPKI) of the presented certificate.
 This is the same format as used in HTTP Public Key Pinning.
 [#not-implemented-hide:]
 

repeated string verify_spki_sha256 = 3;

getVerifySpkiSha256Count

int getVerifySpkiSha256Count()

 If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
 the Subject Public Key Information (SPKI) of the presented certificate.
 This is the same format as used in HTTP Public Key Pinning.
 [#not-implemented-hide:]
 

repeated string verify_spki_sha256 = 3;

getVerifySpkiSha256

String getVerifySpkiSha256(int index)

 If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
 the Subject Public Key Information (SPKI) of the presented certificate.
 This is the same format as used in HTTP Public Key Pinning.
 [#not-implemented-hide:]
 

repeated string verify_spki_sha256 = 3;

getVerifySpkiSha256Bytes

com.google.protobuf.ByteString getVerifySpkiSha256Bytes(int index)

 If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
 the Subject Public Key Information (SPKI) of the presented certificate.
 This is the same format as used in HTTP Public Key Pinning.
 [#not-implemented-hide:]
 

repeated string verify_spki_sha256 = 3;

getVerifySubjectAltNameList

List<String> getVerifySubjectAltNameList()

 An optional list of subject alternative names. If specified, Envoy will verify that
 the certificate’s subject alternative name matches one of the specified values.
 

repeated string verify_subject_alt_name = 4;

getVerifySubjectAltNameCount

int getVerifySubjectAltNameCount()

 An optional list of subject alternative names. If specified, Envoy will verify that
 the certificate’s subject alternative name matches one of the specified values.
 

repeated string verify_subject_alt_name = 4;

getVerifySubjectAltName

String getVerifySubjectAltName(int index)

 An optional list of subject alternative names. If specified, Envoy will verify that
 the certificate’s subject alternative name matches one of the specified values.
 

repeated string verify_subject_alt_name = 4;

getVerifySubjectAltNameBytes

com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index)

 An optional list of subject alternative names. If specified, Envoy will verify that
 the certificate’s subject alternative name matches one of the specified values.
 

repeated string verify_subject_alt_name = 4;

hasRequireOcspStaple

boolean hasRequireOcspStaple()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

getRequireOcspStaple

com.google.protobuf.BoolValue getRequireOcspStaple()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

getRequireOcspStapleOrBuilder

com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder()

 [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 

.google.protobuf.BoolValue require_ocsp_staple = 5;

hasRequireSignedCertificateTimestamp

boolean hasRequireSignedCertificateTimestamp()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

getRequireSignedCertificateTimestamp

com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

getRequireSignedCertificateTimestampOrBuilder

com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()

 [#not-implemented-hide:] Must present signed certificate time-stamp.
 

.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

hasCrl

boolean hasCrl()

 An optional `certificate revocation list
 <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;

getCrl

Base.DataSource getCrl()

 An optional `certificate revocation list
 <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;

getCrlOrBuilder

Base.DataSourceOrBuilder getCrlOrBuilder()

 An optional `certificate revocation list
 <http://https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 (in PEM format). If specified, Envoy will verify that the presented peer
 certificate has not been revoked by this CRL. If this DataSource contains
 multiple CRLs, all of them will be used.
 

.envoy.api.v2.core.DataSource crl = 7;