* Connections where the certificate fails verification will be permitted.
* For HTTP connections, the result of certificate verification can be used in route matching. (
* see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>` ).
*
* Perform default certificate verification (e.g., against CA / verification lists)
*
*
* VERIFY_TRUST_CHAIN = 0;
*/
public static final int VERIFY_TRUST_CHAIN_VALUE = 0; // wire number of VERIFY_TRUST_CHAIN (default certificate verification)
/**
 * Wire number of {@code ACCEPT_UNTRUSTED}.
 *
 * Connections where the certificate fails verification will be permitted.
 * For HTTP connections, the result of certificate verification can be used in route matching. (
 * see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>` ).
 *
 * With this mode selected a peer whose certificate fails verification is still
 * allowed to connect; the verification outcome is only made available for
 * route matching rather than enforced.
 *
 * ACCEPT_UNTRUSTED = 1;
 */
public static final int ACCEPT_UNTRUSTED_VALUE = 1;
/**
 * Returns the numeric wire value of this enum entry.
 *
 * @return the protobuf wire number of this entry
 * @throws java.lang.IllegalArgumentException if this is {@code UNRECOGNIZED},
 *     which carries no wire number
 */
public final int getNumber() {
  if (this != UNRECOGNIZED) {
    return value;
  }
  throw new java.lang.IllegalArgumentException(
      "Can't get the number of an unknown enum value.");
}
/**
 * Looks up the enum entry for a wire value.
 *
 * @param value The numeric wire value of the corresponding enum entry.
 * @return The enum associated with the given numeric wire value, or {@code null}
 *     when the value is not known to this enum.
 * @deprecated Use {@link #forNumber(int)} instead.
 */
@java.lang.Deprecated
public static TrustChainVerification valueOf(int value) {
  TrustChainVerification entry = forNumber(value);
  return entry;
}
/**
 * Resolves a wire value to its enum entry.
 *
 * @param value The numeric wire value of the corresponding enum entry.
 * @return The enum associated with the given numeric wire value; {@code null}
 *     for any value other than 0 or 1, which the caller should map to
 *     {@code UNRECOGNIZED}.
 */
public static TrustChainVerification forNumber(int value) {
  if (value == VERIFY_TRUST_CHAIN_VALUE) {
    return VERIFY_TRUST_CHAIN;
  }
  if (value == ACCEPT_UNTRUSTED_VALUE) {
    return ACCEPT_UNTRUSTED;
  }
  return null;
}
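/**
 * Returns the lookup map the protobuf runtime uses to resolve wire numbers to
 * entries of this enum.
 *
 * The return type is parameterized to match the declared type of the backing
 * field, so callers no longer need an unchecked conversion.
 *
 * @return the shared {@code EnumLiteMap} for {@code TrustChainVerification}
 */
public static com.google.protobuf.Internal.EnumLiteMap<TrustChainVerification>
    internalGetValueMap() {
  return internalValueMap;
}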
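// Wire-number lookup handed to the protobuf runtime; delegates to forNumber(int),
// so unknown numbers resolve to null. The anonymous class is parameterized to
// avoid an unchecked raw-type assignment to the typed field.
private static final com.google.protobuf.Internal.EnumLiteMap<
    TrustChainVerification> internalValueMap =
        new com.google.protobuf.Internal.EnumLiteMap<TrustChainVerification>() {
          @java.lang.Override
          public TrustChainVerification findValueByNumber(int number) {
            return TrustChainVerification.forNumber(number);
          }
        };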
/**
 * Returns the descriptor of this enum value.
 *
 * @return the {@code EnumValueDescriptor} at this entry's ordinal position in the enum descriptor
 * @throws java.lang.IllegalStateException if this is {@code UNRECOGNIZED}, which has no descriptor
 */
public final com.google.protobuf.Descriptors.EnumValueDescriptor
    getValueDescriptor() {
  if (this != UNRECOGNIZED) {
    return getDescriptor().getValues().get(ordinal());
  }
  throw new java.lang.IllegalStateException(
      "Can't get the descriptor of an unrecognized enum value.");
}
/**
 * Returns the descriptor of the enum type this value belongs to.
 *
 * @return the same descriptor as {@link #getDescriptor()}
 */
public final com.google.protobuf.Descriptors.EnumDescriptor
    getDescriptorForType() {
  return TrustChainVerification.getDescriptor();
}
/**
 * Returns the descriptor of the {@code TrustChainVerification} enum.
 *
 * @return the first enum type declared on the enclosing
 *     {@code CertificateValidationContext} message descriptor
 */
public static final com.google.protobuf.Descriptors.EnumDescriptor
    getDescriptor() {
  com.google.protobuf.Descriptors.Descriptor parent =
      io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.getDescriptor();
  return parent.getEnumTypes().get(0);
}
private static final TrustChainVerification[] VALUES = values(); // cached once; indexed by descriptor index in valueOf(EnumValueDescriptor)
/**
 * Resolves an {@code EnumValueDescriptor} to the matching enum entry.
 *
 * @param desc descriptor of a value of this enum type
 * @return the entry at the descriptor's index, or {@code UNRECOGNIZED} when the index is -1
 * @throws java.lang.IllegalArgumentException if {@code desc} belongs to a different enum type
 */
public static TrustChainVerification valueOf(
    com.google.protobuf.Descriptors.EnumValueDescriptor desc) {
  if (desc.getType() != getDescriptor()) {
    throw new java.lang.IllegalArgumentException(
        "EnumValueDescriptor is not for this type.");
  }
  int index = desc.getIndex();
  return index == -1 ? UNRECOGNIZED : VALUES[index];
}
// Wire number of this entry; see getNumber(), which refuses to expose it for UNRECOGNIZED.
private final int value;
// Constructor used by the generated constants; value is the proto-declared number.
private TrustChainVerification(int value) {
  this.value = value;
}
// @@protoc_insertion_point(enum_scope:envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification)
}
public static final int TRUSTED_CA_FIELD_NUMBER = 1;
// Backing field for trusted_ca; null until set (hasTrustedCa() tests for null).
private io.envoyproxy.envoy.api.v2.core.DataSource trustedCa_;
/**
 * Whether the {@code trusted_ca} field is set.
 *
 * TLS certificate data containing certificate authority certificates to use in verifying
 * a presented peer certificate (e.g. server certificate for clusters or client certificate
 * for listeners). If not specified and a peer certificate is presented it will not be
 * verified. By default, a client certificate is optional, unless one of the additional
 * options (:ref:`require_client_certificate
 * <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 * :ref:`verify_certificate_spki
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 * :ref:`verify_certificate_hash
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 * :ref:`match_subject_alt_names
 * <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 * specified.
 * It can optionally contain certificate revocation lists, in which case Envoy will verify
 * that the presented peer certificate has not been revoked by one of the included CRLs.
 * See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 * system CA locations.
 *
 * .envoy.api.v2.core.DataSource trusted_ca = 1;
 * @return Whether the trustedCa field is set.
 */
@java.lang.Override
public boolean hasTrustedCa() {
  boolean present = trustedCa_ != null;
  return present;
}
/**
 * Returns the {@code trusted_ca} field as a read-only {@code DataSourceOrBuilder}.
 *
 * TLS certificate data containing certificate authority certificates to use in verifying
 * a presented peer certificate (e.g. server certificate for clusters or client certificate
 * for listeners). If not specified and a peer certificate is presented it will not be
 * verified. By default, a client certificate is optional, unless one of the additional
 * options (:ref:`require_client_certificate
 * <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
 * :ref:`verify_certificate_spki
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
 * :ref:`verify_certificate_hash
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
 * :ref:`match_subject_alt_names
 * <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
 * specified.
 * It can optionally contain certificate revocation lists, in which case Envoy will verify
 * that the presented peer certificate has not been revoked by one of the included CRLs.
 * See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
 * system CA locations.
 *
 * .envoy.api.v2.core.DataSource trusted_ca = 1;
 * @return the value returned by {@code getTrustedCa()}, viewed through the OrBuilder interface
 */
@java.lang.Override
public io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder getTrustedCaOrBuilder() {
  io.envoyproxy.envoy.api.v2.core.DataSource trustedCa = getTrustedCa();
  return trustedCa;
}
public static final int VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER = 3;
// Backing list for verify_certificate_spki: base64-encoded SHA-256 digests of DER SPKI.
private com.google.protobuf.LazyStringList verifyCertificateSpki_;
/**
 * Returns the {@code verify_certificate_spki} list.
 *
 * An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
 * SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
 * matches one of the specified values. This is the format used in HTTP Public Key Pinning.
 * When both :ref:`verify_certificate_hash
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 * :ref:`verify_certificate_spki
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 * a hash matching value from either of the lists will result in the certificate being accepted.
 * .. attention::
 * This option is preferred over :ref:`verify_certificate_hash
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
 * because SPKI is tied to a private key, so it doesn't change when the certificate
 * is renewed using the same private key.
 *
 * repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
 * @return A list containing the verifyCertificateSpki.
 */
public com.google.protobuf.ProtocolStringList
    getVerifyCertificateSpkiList() {
  com.google.protobuf.ProtocolStringList spkiHashes = verifyCertificateSpki_;
  return spkiHashes;
}
/**
 * Returns the number of entries in {@code verify_certificate_spki}.
 *
 * An optional list of base64-encoded SHA-256 hashes of the DER-encoded Subject Public Key
 * Information (SPKI) of the presented certificate. When both this list and
 * :ref:`verify_certificate_hash
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` are specified,
 * a hash matching value from either of the lists will result in the certificate being accepted.
 *
 * repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
 * @return The count of verifyCertificateSpki.
 */
public int getVerifyCertificateSpkiCount() {
  int count = verifyCertificateSpki_.size();
  return count;
}
/**
 * Returns one entry of {@code verify_certificate_spki}.
 *
 * Each entry is a base64-encoded SHA-256 of the DER-encoded Subject Public Key
 * Information (SPKI) of an accepted peer certificate; this is the format used in
 * HTTP Public Key Pinning. This option is preferred over :ref:`verify_certificate_hash
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
 * because SPKI is tied to a private key, so it doesn't change when the certificate
 * is renewed using the same private key.
 *
 * repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
 * @param index The index of the element to return.
 * @return The verifyCertificateSpki at the given index.
 */
public java.lang.String getVerifyCertificateSpki(int index) {
  java.lang.String spkiHash = verifyCertificateSpki_.get(index);
  return spkiHash;
}
/**
 * Returns one entry of {@code verify_certificate_spki} as raw bytes.
 *
 * Each entry is a base64-encoded SHA-256 of the DER-encoded Subject Public Key
 * Information (SPKI) of an accepted peer certificate. When both this list and
 * :ref:`verify_certificate_hash
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` are specified,
 * a hash matching value from either of the lists will result in the certificate being accepted.
 *
 * repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
 * @param index The index of the value to return.
 * @return The bytes of the verifyCertificateSpki at the given index.
 */
public com.google.protobuf.ByteString
    getVerifyCertificateSpkiBytes(int index) {
  com.google.protobuf.ByteString raw = verifyCertificateSpki_.getByteString(index);
  return raw;
}
public static final int VERIFY_CERTIFICATE_HASH_FIELD_NUMBER = 2;
// Backing list for verify_certificate_hash: hex (plain or colon-separated) SHA-256 of DER certificates.
private com.google.protobuf.LazyStringList verifyCertificateHash_;
/**
 * Returns the {@code verify_certificate_hash} list.
 *
 * An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
 * the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
 * Both the plain hex form and the colon-separated "fingerprint" form are acceptable.
 * When both :ref:`verify_certificate_hash
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
 * :ref:`verify_certificate_spki
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 * a hash matching value from either of the lists will result in the certificate being accepted.
 *
 * repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
 * @return A list containing the verifyCertificateHash.
 */
public com.google.protobuf.ProtocolStringList
    getVerifyCertificateHashList() {
  com.google.protobuf.ProtocolStringList certHashes = verifyCertificateHash_;
  return certHashes;
}
/**
 * Returns the number of entries in {@code verify_certificate_hash}.
 *
 * Each entry is a hex-encoded SHA-256 of a DER-encoded certificate that Envoy
 * will accept; plain hex and colon-separated fingerprint forms are both acceptable.
 * When both this list and :ref:`verify_certificate_spki
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 * a hash matching value from either of the lists will result in the certificate being accepted.
 *
 * repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
 * @return The count of verifyCertificateHash.
 */
public int getVerifyCertificateHashCount() {
  int count = verifyCertificateHash_.size();
  return count;
}
/**
 * Returns one entry of {@code verify_certificate_hash}.
 *
 * Each entry is a hex-encoded SHA-256 of a DER-encoded certificate that Envoy
 * will accept; plain hex and colon-separated fingerprint forms are both acceptable.
 * Note that, unlike an SPKI pin, a certificate hash changes whenever the
 * certificate is reissued, even with the same key.
 *
 * repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
 * @param index The index of the element to return.
 * @return The verifyCertificateHash at the given index.
 */
public java.lang.String getVerifyCertificateHash(int index) {
  java.lang.String certHash = verifyCertificateHash_.get(index);
  return certHash;
}
/**
 * Returns one entry of {@code verify_certificate_hash} as raw bytes.
 *
 * Each entry is a hex-encoded SHA-256 of a DER-encoded certificate that Envoy
 * will accept; plain hex and colon-separated fingerprint forms are both acceptable.
 * When both this list and :ref:`verify_certificate_spki
 * <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
 * a hash matching value from either of the lists will result in the certificate being accepted.
 *
 * repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
 * @param index The index of the value to return.
 * @return The bytes of the verifyCertificateHash at the given index.
 */
public com.google.protobuf.ByteString
    getVerifyCertificateHashBytes(int index) {
  com.google.protobuf.ByteString raw = verifyCertificateHash_.getByteString(index);
  return raw;
}
public static final int VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER = 4;
// Backing list for the deprecated verify_subject_alt_name field (exact SAN strings).
private com.google.protobuf.LazyStringList verifySubjectAltName_;
/**
 * Returns the deprecated {@code verify_subject_alt_name} list.
 *
 * An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 * Subject Alternative Name of the presented certificate matches one of the specified values.
 * .. attention::
 * Subject Alternative Names are easily spoofable and verifying only them is insecure,
 * therefore this option must be used together with :ref:`trusted_ca
 * <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 *
 * repeated string verify_subject_alt_name = 4 [deprecated = true];
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 * See envoy/api/v2/auth/common.proto;l=285
 * @return A list containing the verifySubjectAltName.
 */
@java.lang.Deprecated
public com.google.protobuf.ProtocolStringList
    getVerifySubjectAltNameList() {
  com.google.protobuf.ProtocolStringList sans = verifySubjectAltName_;
  return sans;
}
/**
 * Returns the number of entries in the deprecated {@code verify_subject_alt_name} list.
 *
 * .. attention::
 * Subject Alternative Names are easily spoofable and verifying only them is insecure,
 * therefore this option must be used together with :ref:`trusted_ca
 * <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 *
 * repeated string verify_subject_alt_name = 4 [deprecated = true];
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 * See envoy/api/v2/auth/common.proto;l=285
 * @return The count of verifySubjectAltName.
 */
@java.lang.Deprecated
public int getVerifySubjectAltNameCount() {
  int count = verifySubjectAltName_.size();
  return count;
}
/**
 * Returns one entry of the deprecated {@code verify_subject_alt_name} list.
 *
 * An optional list of Subject Alternative Names. If specified, Envoy will verify that the
 * Subject Alternative Name of the presented certificate matches one of the specified values.
 * .. attention::
 * Subject Alternative Names are easily spoofable and verifying only them is insecure,
 * therefore this option must be used together with :ref:`trusted_ca
 * <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 *
 * repeated string verify_subject_alt_name = 4 [deprecated = true];
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 * See envoy/api/v2/auth/common.proto;l=285
 * @param index The index of the element to return.
 * @return The verifySubjectAltName at the given index.
 */
@java.lang.Deprecated
public java.lang.String getVerifySubjectAltName(int index) {
  java.lang.String san = verifySubjectAltName_.get(index);
  return san;
}
/**
 * Returns one entry of the deprecated {@code verify_subject_alt_name} list as raw bytes.
 *
 * .. attention::
 * Subject Alternative Names are easily spoofable and verifying only them is insecure,
 * therefore this option must be used together with :ref:`trusted_ca
 * <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 *
 * repeated string verify_subject_alt_name = 4 [deprecated = true];
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 * See envoy/api/v2/auth/common.proto;l=285
 * @param index The index of the value to return.
 * @return The bytes of the verifySubjectAltName at the given index.
 */
@java.lang.Deprecated
public com.google.protobuf.ByteString
    getVerifySubjectAltNameBytes(int index) {
  com.google.protobuf.ByteString raw = verifySubjectAltName_.getByteString(index);
  return raw;
}
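public static final int MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER = 9;
// Backing list for match_subject_alt_names. Declared with its element type so that
// getMatchSubjectAltNamesOrBuilder(int), which returns list elements without a
// cast, type-checks without a raw-type conversion.
private java.util.List<io.envoyproxy.envoy.type.matcher.StringMatcher> matchSubjectAltNames_;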
/**
 * Returns the number of entries in {@code match_subject_alt_names}.
 *
 * An optional list of Subject Alternative name matchers. Envoy will verify that the
 * Subject Alternative Name of the presented certificate matches one of the specified matches.
 * When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 * configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 * For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 * it should be configured as shown below.
 * .. code-block:: yaml
 * match_subject_alt_names:
 * exact: "api.example.com"
 * .. attention::
 * Subject Alternative Names are easily spoofable and verifying only them is insecure,
 * therefore this option must be used together with :ref:`trusted_ca
 * <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 *
 * repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
 * @return the number of configured SAN matchers
 */
@java.lang.Override
public int getMatchSubjectAltNamesCount() {
  int count = matchSubjectAltNames_.size();
  return count;
}
/**
 * Returns one {@code match_subject_alt_names} matcher as a read-only {@code StringMatcherOrBuilder}.
 *
 * An optional list of Subject Alternative name matchers. Envoy will verify that the
 * Subject Alternative Name of the presented certificate matches one of the specified matches.
 * When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 * configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 * .. attention::
 * Subject Alternative Names are easily spoofable and verifying only them is insecure,
 * therefore this option must be used together with :ref:`trusted_ca
 * <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 *
 * repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
 * @param index position of the matcher in the list
 * @return the matcher at {@code index}
 */
@java.lang.Override
public io.envoyproxy.envoy.type.matcher.StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(
    int index) {
  io.envoyproxy.envoy.type.matcher.StringMatcherOrBuilder matcher = matchSubjectAltNames_.get(index);
  return matcher;
}
public static final int REQUIRE_OCSP_STAPLE_FIELD_NUMBER = 5;
// Backing field for require_ocsp_staple; null until set. Marked [#not-implemented-hide:] in the proto.
private com.google.protobuf.BoolValue requireOcspStaple_;
/**
 * Whether the {@code require_ocsp_staple} field is set.
 *
 * [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
 *
 * .google.protobuf.BoolValue require_ocsp_staple = 5;
 * @return Whether the requireOcspStaple field is set.
 */
@java.lang.Override
public boolean hasRequireOcspStaple() {
  boolean present = requireOcspStaple_ != null;
  return present;
}
/**
 * Returns the {@code require_signed_certificate_timestamp} field as a read-only
 * {@code BoolValueOrBuilder}.
 *
 * [#not-implemented-hide:] Must present signed certificate time-stamp.
 *
 * .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
 * @return the value returned by {@code getRequireSignedCertificateTimestamp()}
 */
@java.lang.Override
public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder() {
  com.google.protobuf.BoolValue sct = getRequireSignedCertificateTimestamp();
  return sct;
}
public static final int CRL_FIELD_NUMBER = 7;
// Backing field for crl (PEM certificate revocation list(s)); null until set.
private io.envoyproxy.envoy.api.v2.core.DataSource crl_;
/**
 * Whether the {@code crl} field is set.
 *
 * An optional `certificate revocation list
 * <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 * (in PEM format). If specified, Envoy will verify that the presented peer
 * certificate has not been revoked by this CRL. If this DataSource contains
 * multiple CRLs, all of them will be used.
 *
 * .envoy.api.v2.core.DataSource crl = 7;
 * @return Whether the crl field is set.
 */
@java.lang.Override
public boolean hasCrl() {
  boolean present = crl_ != null;
  return present;
}
/**
 * Returns the {@code crl} field as a read-only {@code DataSourceOrBuilder}.
 *
 * An optional `certificate revocation list
 * <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 * (in PEM format). If specified, Envoy will verify that the presented peer
 * certificate has not been revoked by this CRL. If this DataSource contains
 * multiple CRLs, all of them will be used.
 *
 * .envoy.api.v2.core.DataSource crl = 7;
 * @return the value returned by {@code getCrl()}, viewed through the OrBuilder interface
 */
@java.lang.Override
public io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder getCrlOrBuilder() {
  io.envoyproxy.envoy.api.v2.core.DataSource crl = getCrl();
  return crl;
}
public static final int ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER = 8;
// Backing field for allow_expired_certificate; false (the strict behaviour) unless set.
private boolean allowExpiredCertificate_;
/**
 * Returns {@code allow_expired_certificate}.
 *
 * If specified, Envoy will not reject expired certificates. A {@code true}
 * value therefore removes the validity-period check from peer certificate
 * verification; the default {@code false} keeps it.
 *
 * bool allow_expired_certificate = 8;
 * @return The allowExpiredCertificate.
 */
@java.lang.Override
public boolean getAllowExpiredCertificate() {
  boolean allowExpired = allowExpiredCertificate_;
  return allowExpired;
}
public static final int TRUST_CHAIN_VERIFICATION_FIELD_NUMBER = 10;
// Raw wire number of trust_chain_verification; 0 == VERIFY_TRUST_CHAIN, 1 == ACCEPT_UNTRUSTED,
// anything else is reported as UNRECOGNIZED by getTrustChainVerification().
private int trustChainVerification_;
/**
 * Returns the raw wire number of {@code trust_chain_verification}.
 *
 * Certificate trust chain verification mode. Unlike
 * {@code getTrustChainVerification()}, this returns the number as received even
 * when it does not correspond to a known enum entry.
 *
 * .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
 * @return The enum numeric value on the wire for trustChainVerification.
 */
@java.lang.Override
public int getTrustChainVerificationValue() {
  int wireValue = trustChainVerification_;
  return wireValue;
}
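/**
 * Returns {@code trust_chain_verification} as an enum entry.
 *
 * Certificate trust chain verification mode. {@code VERIFY_TRUST_CHAIN} (0) is the
 * default and performs normal certificate verification; {@code ACCEPT_UNTRUSTED} (1)
 * permits connections whose certificate fails verification. A wire number that
 * is neither is reported as {@code UNRECOGNIZED}.
 *
 * Uses {@code forNumber(int)} directly instead of the deprecated
 * {@code valueOf(int)} (which only delegates to it), so no deprecation
 * suppression is needed.
 *
 * .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
 * @return The trustChainVerification, or {@code UNRECOGNIZED} for an unknown wire number.
 */
@java.lang.Override
public io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification getTrustChainVerification() {
  io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification result =
      io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification.forNumber(trustChainVerification_);
  return result == null
      ? io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification.UNRECOGNIZED
      : result;
}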
private byte memoizedIsInitialized = -1; // -1 = not yet computed, 0 = false, 1 = true (see isInitialized())
/**
 * Reports whether this message is initialized, caching the answer in
 * {@code memoizedIsInitialized}.
 *
 * This message declares no required fields, so the first call records and
 * returns {@code true}; later calls return the cached byte.
 *
 * @return {@code true} unless a previous call cached {@code 0}
 */
@java.lang.Override
public final boolean isInitialized() {
  switch (memoizedIsInitialized) {
    case 1:
      return true;
    case 0:
      return false;
    default:
      memoizedIsInitialized = 1;
      return true;
  }
}
/**
 * Serializes this message to {@code output} in field-number order.
 *
 * Message fields are written only when set (non-null); repeated string fields
 * are written element by element from their raw backing objects; the scalar
 * fields are skipped when they hold the proto3 default. In particular,
 * {@code trust_chain_verification} is omitted when it equals
 * {@code VERIFY_TRUST_CHAIN}, so its absence on the wire means the default
 * (verifying) mode, and {@code allow_expired_certificate} is omitted when false.
 * Unknown fields carried by this instance are appended last.
 *
 * @param output destination stream
 * @throws java.io.IOException propagated from the stream
 */
@java.lang.Override
public void writeTo(com.google.protobuf.CodedOutputStream output)
    throws java.io.IOException {
  if (trustedCa_ != null) {
    output.writeMessage(1, getTrustedCa());
  }
  // getRaw(i) hands the stored object (String or ByteString) to the runtime untouched.
  for (int i = 0; i < verifyCertificateHash_.size(); i++) {
    com.google.protobuf.GeneratedMessageV3.writeString(output, 2, verifyCertificateHash_.getRaw(i));
  }
  for (int i = 0; i < verifyCertificateSpki_.size(); i++) {
    com.google.protobuf.GeneratedMessageV3.writeString(output, 3, verifyCertificateSpki_.getRaw(i));
  }
  // Deprecated field is still emitted so existing configurations round-trip.
  for (int i = 0; i < verifySubjectAltName_.size(); i++) {
    com.google.protobuf.GeneratedMessageV3.writeString(output, 4, verifySubjectAltName_.getRaw(i));
  }
  if (requireOcspStaple_ != null) {
    output.writeMessage(5, getRequireOcspStaple());
  }
  if (requireSignedCertificateTimestamp_ != null) {
    output.writeMessage(6, getRequireSignedCertificateTimestamp());
  }
  if (crl_ != null) {
    output.writeMessage(7, getCrl());
  }
  // proto3 scalar: the default (false) is never written.
  if (allowExpiredCertificate_ != false) {
    output.writeBool(8, allowExpiredCertificate_);
  }
  for (int i = 0; i < matchSubjectAltNames_.size(); i++) {
    output.writeMessage(9, matchSubjectAltNames_.get(i));
  }
  // Only non-default modes (ACCEPT_UNTRUSTED, or an unknown number) appear on the wire.
  if (trustChainVerification_ != io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification.VERIFY_TRUST_CHAIN.getNumber()) {
    output.writeEnum(10, trustChainVerification_);
  }
  unknownFields.writeTo(output);
}
/**
 * Computes, and caches in {@code memoizedSize}, the encoded length of this message. The
 * accounting mirrors {@link #writeTo} field by field, so default-valued scalars (field 8
 * false, field 10 VERIFY_TRUST_CHAIN) contribute nothing.
 *
 * @return the number of bytes {@link #writeTo} will emit
 */
@java.lang.Override
public int getSerializedSize() {
  final int cached = memoizedSize;
  if (cached != -1) {
    return cached;
  }
  int total = 0;
  if (trustedCa_ != null) {
    total += com.google.protobuf.CodedOutputStream.computeMessageSize(1, getTrustedCa());
  }
  // Fields 2-4 carry one-byte tags, hence "+ element count" on top of the payload bytes.
  int hashBytes = 0;
  for (int idx = 0; idx < verifyCertificateHash_.size(); idx++) {
    hashBytes += computeStringSizeNoTag(verifyCertificateHash_.getRaw(idx));
  }
  total += hashBytes + verifyCertificateHash_.size();
  int spkiBytes = 0;
  for (int idx = 0; idx < verifyCertificateSpki_.size(); idx++) {
    spkiBytes += computeStringSizeNoTag(verifyCertificateSpki_.getRaw(idx));
  }
  total += spkiBytes + verifyCertificateSpki_.size();
  int sanBytes = 0;
  for (int idx = 0; idx < verifySubjectAltName_.size(); idx++) {
    sanBytes += computeStringSizeNoTag(verifySubjectAltName_.getRaw(idx));
  }
  total += sanBytes + verifySubjectAltName_.size();
  if (requireOcspStaple_ != null) {
    total += com.google.protobuf.CodedOutputStream.computeMessageSize(5, getRequireOcspStaple());
  }
  if (requireSignedCertificateTimestamp_ != null) {
    total += com.google.protobuf.CodedOutputStream.computeMessageSize(6, getRequireSignedCertificateTimestamp());
  }
  if (crl_ != null) {
    total += com.google.protobuf.CodedOutputStream.computeMessageSize(7, getCrl());
  }
  if (allowExpiredCertificate_) {
    total += com.google.protobuf.CodedOutputStream.computeBoolSize(8, allowExpiredCertificate_);
  }
  for (com.google.protobuf.MessageLite matcher : matchSubjectAltNames_) {
    total += com.google.protobuf.CodedOutputStream.computeMessageSize(9, matcher);
  }
  if (trustChainVerification_
      != io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification.VERIFY_TRUST_CHAIN_VALUE) {
    total += com.google.protobuf.CodedOutputStream.computeEnumSize(10, trustChainVerification_);
  }
  total += unknownFields.getSerializedSize();
  memoizedSize = total;
  return total;
}
/**
 * Structural equality over every field — including the raw {@code trust_chain_verification}
 * value, {@code allow_expired_certificate} and the unknown-field set — so two contexts that
 * differ only in how strictly they validate peers are never equal. Relevant if instances are
 * used as cache or map keys.
 *
 * @param obj candidate to compare with
 * @return {@code true} when {@code obj} is a CertificateValidationContext with identical content
 */
@java.lang.Override
public boolean equals(final java.lang.Object obj) {
  if (obj == this) {
    return true;
  }
  if (!(obj instanceof io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext)) {
    return super.equals(obj);
  }
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext that =
      (io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext) obj;
  // Message-typed fields: presence must agree, and when present the values must agree.
  final boolean sameTrustedCa = hasTrustedCa() == that.hasTrustedCa()
      && (!hasTrustedCa() || getTrustedCa().equals(that.getTrustedCa()));
  final boolean sameOcsp = hasRequireOcspStaple() == that.hasRequireOcspStaple()
      && (!hasRequireOcspStaple() || getRequireOcspStaple().equals(that.getRequireOcspStaple()));
  final boolean sameSct =
      hasRequireSignedCertificateTimestamp() == that.hasRequireSignedCertificateTimestamp()
      && (!hasRequireSignedCertificateTimestamp()
          || getRequireSignedCertificateTimestamp().equals(that.getRequireSignedCertificateTimestamp()));
  final boolean sameCrl = hasCrl() == that.hasCrl()
      && (!hasCrl() || getCrl().equals(that.getCrl()));
  return sameTrustedCa
      && getVerifyCertificateSpkiList().equals(that.getVerifyCertificateSpkiList())
      && getVerifyCertificateHashList().equals(that.getVerifyCertificateHashList())
      && getVerifySubjectAltNameList().equals(that.getVerifySubjectAltNameList())
      && getMatchSubjectAltNamesList().equals(that.getMatchSubjectAltNamesList())
      && sameOcsp
      && sameSct
      && sameCrl
      && getAllowExpiredCertificate() == that.getAllowExpiredCertificate()
      && trustChainVerification_ == that.trustChainVerification_
      && unknownFields.equals(that.unknownFields);
}
/**
 * Hash consistent with {@link #equals}: every field that equals() compares is folded in as
 * {@code h = 53 * (37 * h + fieldNumber) + valueHash}, with the unknown fields mixed in last.
 * The result is cached in {@code memoizedHashCode}; a computed value of 0 is simply
 * recomputed on the next call.
 *
 * @return the hash code
 */
@java.lang.Override
public int hashCode() {
  final int cached = memoizedHashCode;
  if (cached != 0) {
    return cached;
  }
  int h = (19 * 41) + getDescriptor().hashCode();
  if (hasTrustedCa()) {
    h = foldField(h, TRUSTED_CA_FIELD_NUMBER, getTrustedCa().hashCode());
  }
  if (getVerifyCertificateSpkiCount() > 0) {
    h = foldField(h, VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER, getVerifyCertificateSpkiList().hashCode());
  }
  if (getVerifyCertificateHashCount() > 0) {
    h = foldField(h, VERIFY_CERTIFICATE_HASH_FIELD_NUMBER, getVerifyCertificateHashList().hashCode());
  }
  if (getVerifySubjectAltNameCount() > 0) {
    h = foldField(h, VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER, getVerifySubjectAltNameList().hashCode());
  }
  if (getMatchSubjectAltNamesCount() > 0) {
    h = foldField(h, MATCH_SUBJECT_ALT_NAMES_FIELD_NUMBER, getMatchSubjectAltNamesList().hashCode());
  }
  if (hasRequireOcspStaple()) {
    h = foldField(h, REQUIRE_OCSP_STAPLE_FIELD_NUMBER, getRequireOcspStaple().hashCode());
  }
  if (hasRequireSignedCertificateTimestamp()) {
    h = foldField(h, REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER,
        getRequireSignedCertificateTimestamp().hashCode());
  }
  if (hasCrl()) {
    h = foldField(h, CRL_FIELD_NUMBER, getCrl().hashCode());
  }
  // The two scalar validation knobs are always mixed in, even at their defaults.
  h = foldField(h, ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER,
      com.google.protobuf.Internal.hashBoolean(getAllowExpiredCertificate()));
  h = foldField(h, TRUST_CHAIN_VERIFICATION_FIELD_NUMBER, trustChainVerification_);
  h = (29 * h) + unknownFields.hashCode();
  memoizedHashCode = h;
  return h;
}

/** One step of the generated hash recipe: mix in a field number, then that field's hash. */
private static int foldField(int h, int fieldNumber, int valueHash) {
  return (53 * ((37 * h) + fieldNumber)) + valueHash;
}
/**
 * Parses a message from the bytes in {@code data}. The input is treated as untrusted:
 * malformed input raises InvalidProtocolBufferException. Note that the
 * {@code (.validate.rules)} constraints quoted in the field comments are not enforced by
 * parsing — presumably a separate validator applies them; confirm before relying on that.
 *
 * @param data serialized message
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException on malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    java.nio.ByteBuffer data)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed = PARSER.parseFrom(data);
  return parsed;
}
/**
 * Parses a message from {@code data}, resolving extensions through {@code extensionRegistry}.
 *
 * @param data serialized message
 * @param extensionRegistry registry used for extension fields
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException on malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    java.nio.ByteBuffer data,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data, extensionRegistry);
  return parsed;
}
/**
 * Parses a message from a ByteString. Malformed input raises InvalidProtocolBufferException;
 * the PGV {@code (.validate.rules)} constraints are not checked here.
 *
 * @param data serialized message
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException on malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    com.google.protobuf.ByteString data)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed = PARSER.parseFrom(data);
  return parsed;
}
/**
 * Parses a message from a ByteString with an explicit extension registry.
 *
 * @param data serialized message
 * @param extensionRegistry registry used for extension fields
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException on malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    com.google.protobuf.ByteString data,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data, extensionRegistry);
  return parsed;
}
/**
 * Parses a message from a byte array. Malformed input raises InvalidProtocolBufferException.
 *
 * @param data serialized message
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException on malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(byte[] data)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed = PARSER.parseFrom(data);
  return parsed;
}
/**
 * Parses a message from a byte array with an explicit extension registry.
 *
 * @param data serialized message
 * @param extensionRegistry registry used for extension fields
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException on malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    byte[] data,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data, extensionRegistry);
  return parsed;
}
/**
 * Parses a message from an InputStream via {@code GeneratedMessageV3.parseWithIOException}.
 * No size limit is imposed here; when the stream comes from the network, bound it before
 * calling (limits live on the stream/parser, not in this wrapper).
 *
 * @param input stream positioned at the start of the message
 * @return the parsed message
 * @throws java.io.IOException on read failure or malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(java.io.InputStream input)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
  return parsed;
}
/**
 * Parses a message from an InputStream with an explicit extension registry.
 *
 * @param input stream positioned at the start of the message
 * @param extensionRegistry registry used for extension fields
 * @return the parsed message
 * @throws java.io.IOException on read failure or malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    java.io.InputStream input,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input, extensionRegistry);
  return parsed;
}
/**
 * Parses one length-delimited message from {@code input} (the delimited framing is handled by
 * {@code GeneratedMessageV3.parseDelimitedWithIOException}).
 *
 * @param input stream positioned at a length prefix
 * @return the parsed message
 * @throws java.io.IOException on read failure or malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseDelimitedFrom(java.io.InputStream input)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input);
  return parsed;
}
/**
 * Parses one length-delimited message from {@code input} with an explicit extension registry.
 *
 * @param input stream positioned at a length prefix
 * @param extensionRegistry registry used for extension fields
 * @return the parsed message
 * @throws java.io.IOException on read failure or malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseDelimitedFrom(
    java.io.InputStream input,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input, extensionRegistry);
  return parsed;
}
/**
 * Parses a message from a CodedInputStream. Any size or recursion limits configured on the
 * stream by the caller apply; this wrapper adds none.
 *
 * @param input coded stream positioned at the start of the message
 * @return the parsed message
 * @throws java.io.IOException on read failure or malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    com.google.protobuf.CodedInputStream input)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
  return parsed;
}
/**
 * Parses a message from a CodedInputStream with an explicit extension registry.
 *
 * @param input coded stream positioned at the start of the message
 * @param extensionRegistry registry used for extension fields
 * @return the parsed message
 * @throws java.io.IOException on read failure or malformed input
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    com.google.protobuf.CodedInputStream input,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input, extensionRegistry);
  return parsed;
}
/** Returns a fresh, empty builder; this instance's contents are not copied. */
@java.lang.Override
public Builder newBuilderForType() {
  final Builder fresh = newBuilder();
  return fresh;
}
/**
 * Creates a builder seeded from the default instance, i.e. every field at its proto
 * default. Note that this leaves {@code trusted_ca} unset, which the field comment says
 * means a presented peer certificate is not verified — set it (or a pin list) explicitly.
 *
 * @return an empty builder
 */
public static Builder newBuilder() {
  final Builder fresh = DEFAULT_INSTANCE.toBuilder();
  return fresh;
}
/**
 * Creates a builder pre-populated with the fields of {@code prototype}.
 *
 * @param prototype message whose fields are merged into the new builder
 * @return a builder carrying a copy of {@code prototype}'s fields
 */
public static Builder newBuilder(io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext prototype) {
  final Builder seeded = DEFAULT_INSTANCE.toBuilder();
  seeded.mergeFrom(prototype);
  return seeded;
}
/**
 * Converts this message into a builder. The shared default instance yields an empty builder;
 * any other instance has its fields merged into a new one.
 *
 * @return a builder reflecting this message
 */
@java.lang.Override
public Builder toBuilder() {
  if (this == DEFAULT_INSTANCE) {
    return new Builder();
  }
  final Builder copy = new Builder();
  copy.mergeFrom(this);
  return copy;
}
/**
 * Creates a builder attached to {@code parent}; used by the protobuf runtime when this
 * message is built as a nested field of another message.
 *
 * @param parent the enclosing builder
 * @return a builder bound to {@code parent}
 */
@java.lang.Override
protected Builder newBuilderForType(
    com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
  return new Builder(parent);
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented, that certificate is
* not verified against any CA at all — no trust-chain validation takes place.
* By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
* @return Whether the trustedCa field is set.
*/
public boolean hasTrustedCa() {
  // The CA bundle counts as set whether it was supplied as a message or is being edited
  // through a nested builder. Per the field comment, false here means a presented peer
  // certificate will not be verified.
  final boolean viaBuilder = trustedCaBuilder_ != null;
  final boolean viaValue = trustedCa_ != null;
  return viaBuilder || viaValue;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public Builder setTrustedCa(io.envoyproxy.envoy.api.v2.core.DataSource value) {
  if (trustedCaBuilder_ != null) {
    // A nested builder is live; route the update through it.
    trustedCaBuilder_.setMessage(value);
    return this;
  }
  // No nested builder: store the message directly. A null CA source is rejected rather than
  // silently clearing the field (which would disable peer verification).
  if (value == null) {
    throw new NullPointerException();
  }
  trustedCa_ = value;
  onChanged();
  return this;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`match_subject_alt_names
* <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey
* | openssl pkey -pubin -outform DER
* | openssl dgst -sha256 -binary
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a certificate is accepted when its hash matches any value in either list — the two lists are
* OR-ed together, not both required.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
* @return A list containing the verifyCertificateSpki.
*/
public com.google.protobuf.ProtocolStringList
    getVerifyCertificateSpkiList() {
  // Read-only view over the builder's pin list; use the set/add methods to change it.
  final com.google.protobuf.ProtocolStringList pins = verifyCertificateSpki_.getUnmodifiableView();
  return pins;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey
* | openssl pkey -pubin -outform DER
* | openssl dgst -sha256 -binary
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
* @return The count of verifyCertificateSpki.
*/
public int getVerifyCertificateSpkiCount() {
  // Number of SPKI pins currently configured (0 means SPKI pinning is not applied).
  final int pinCount = verifyCertificateSpki_.size();
  return pinCount;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey
* | openssl pkey -pubin -outform DER
* | openssl dgst -sha256 -binary
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
* @param index The index of the element to return.
* @return The verifyCertificateSpki at the given index.
*/
public java.lang.String getVerifyCertificateSpki(int index) {
  // Pin at `index`; an out-of-range index is reported by the underlying list.
  final java.lang.String pin = verifyCertificateSpki_.get(index);
  return pin;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey
* | openssl pkey -pubin -outform DER
* | openssl dgst -sha256 -binary
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
* @param index The index of the value to return.
* @return The bytes of the verifyCertificateSpki at the given index.
*/
public com.google.protobuf.ByteString
    getVerifyCertificateSpkiBytes(int index) {
  // Same pin as getVerifyCertificateSpki(index), as a ByteString.
  final com.google.protobuf.ByteString raw = verifyCertificateSpki_.getByteString(index);
  return raw;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey
* | openssl pkey -pubin -outform DER
* | openssl dgst -sha256 -binary
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
* @param index The index to set the value at.
* @param value The verifyCertificateSpki to set.
* @return This builder for chaining.
*/
public Builder setVerifyCertificateSpki(
    int index, java.lang.String value) {
  // Null pins are rejected with the same NullPointerException the generated code throws.
  // No format check happens here: the `(.validate.rules)` constraint quoted in the field
  // comment is not applied by this setter.
  java.util.Objects.requireNonNull(value);
  ensureVerifyCertificateSpkiIsMutable();
  verifyCertificateSpki_.set(index, value);
  onChanged();
  return this;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey
* | openssl pkey -pubin -outform DER
* | openssl dgst -sha256 -binary
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
* @param value The verifyCertificateSpki to add.
* @return This builder for chaining.
*/
public Builder addVerifyCertificateSpki(
    java.lang.String value) {
  // Appends one base64 SHA-256 SPKI pin. Null is rejected; the pin's format is not checked
  // here (the `(.validate.rules)` constraint is not enforced by this builder).
  java.util.Objects.requireNonNull(value);
  ensureVerifyCertificateSpkiIsMutable();
  verifyCertificateSpki_.add(value);
  onChanged();
  return this;
}
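/**
 * Appends every element of {@code values} to {@code verify_certificate_spki}.
 *
 * <p>Each entry is a base64-encoded SHA-256 of the DER-encoded Subject Public Key
 * Information (SPKI) of a peer certificate (the format used by HTTP Public Key
 * Pinning). When the list is non-empty, Envoy accepts a presented certificate only
 * if its SPKI hash matches one of these values — or, when
 * {@code verify_certificate_hash} is also configured, one of those values; a match
 * in either list is sufficient. Pinning the SPKI is preferred over pinning the whole
 * certificate because the pin survives renewal with the same private key.
 *
 * <p>A value can be produced with:
 * <pre>
 * openssl x509 -in path/to/client.crt -noout -pubkey
 *   | openssl pkey -pubin -outform DER
 *   | openssl dgst -sha256 -binary
 *   | openssl enc -base64
 * </pre>
 *
 * <p>Fix: the parameter was declared as a raw {@code java.lang.Iterable}; it is now
 * {@code Iterable<java.lang.String>} so non-string elements are rejected at compile
 * time instead of surfacing later in the string list. No format validation happens
 * here; the field's validate rules (elided as {@code [(.validate.rules) = { ... }]})
 * are presumably enforced elsewhere — confirm before relying on it.
 *
 * <p>{@code repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }]}
 *
 * @param values the verifyCertificateSpki entries to add
 * @return this builder for chaining
 */
public Builder addAllVerifyCertificateSpki(
    java.lang.Iterable<java.lang.String> values) {
  // Detach from the shared default list before the first mutation.
  ensureVerifyCertificateSpkiIsMutable();
  com.google.protobuf.AbstractMessageLite.Builder.addAll(
      values, verifyCertificateSpki_);
  onChanged();
  return this;
}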
/**
 * Appends one {@code verify_certificate_spki} entry supplied as raw UTF-8 bytes.
 *
 * <p>The entry is a base64-encoded SHA-256 of the DER-encoded Subject Public Key
 * Information (SPKI) of a peer certificate, as used in HTTP Public Key Pinning.
 * When configured, Envoy accepts a presented certificate only if its SPKI hash is in
 * this list (or, when {@code verify_certificate_hash} is also set, in that list —
 * either match suffices). SPKI pinning is preferred over whole-certificate hashing
 * because the pin does not change when the certificate is renewed with the same
 * private key. See {@link #addAllVerifyCertificateSpki(java.lang.Iterable)} for the
 * openssl pipeline that produces a value.
 *
 * <p>{@code repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }]}
 *
 * @param value the bytes of the verifyCertificateSpki to add; must be valid UTF-8
 * @return this builder for chaining
 * @throws NullPointerException if {@code value} is null
 */
public Builder addVerifyCertificateSpkiBytes(
    com.google.protobuf.ByteString value) {
  java.util.Objects.requireNonNull(value);
  // The list is a string list: reject byte strings that are not valid UTF-8.
  checkByteStringIsUtf8(value);
  ensureVerifyCertificateSpkiIsMutable();
  verifyCertificateSpki_.add(value);
  onChanged();
  return this;
}
// Backing list for verify_certificate_hash (field 2). Starts as the shared
// immutable EMPTY instance; bit 0x2 of bitField0_ records that it has been
// replaced by a private mutable copy.
private com.google.protobuf.LazyStringList verifyCertificateHash_ = com.google.protobuf.LazyStringArrayList.EMPTY;
// Swaps the shared default list for a private mutable copy on first write.
private void ensureVerifyCertificateHashIsMutable() {
  final boolean alreadyMutable = (bitField0_ & 0x00000002) != 0;
  if (alreadyMutable) {
    return;
  }
  verifyCertificateHash_ = new com.google.protobuf.LazyStringArrayList(verifyCertificateHash_);
  bitField0_ |= 0x00000002;
}
/**
 * Returns a read-only view of {@code verify_certificate_hash}.
 *
 * <p>Each entry is a hex-encoded SHA-256 of the DER-encoded peer certificate. When
 * the list is non-empty, Envoy accepts a presented certificate only if its hash
 * matches one of the entries (or one of the {@code verify_certificate_spki} entries
 * when both lists are configured; a match in either list is sufficient). Two
 * spellings are accepted:
 * <pre>
 * openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
 *   -&gt; df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
 * openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
 *   -&gt; DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
 * </pre>
 *
 * <p>{@code repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }]}
 *
 * @return an unmodifiable list of the verifyCertificateHash entries
 */
public com.google.protobuf.ProtocolStringList
    getVerifyCertificateHashList() {
  final com.google.protobuf.LazyStringList hashes = verifyCertificateHash_;
  return hashes.getUnmodifiableView();
}
/**
 * Returns the number of {@code verify_certificate_hash} entries.
 *
 * <p>The entries are hex-encoded SHA-256 hashes of DER-encoded peer certificates
 * (plain or colon-separated "fingerprint" form); see
 * {@link #getVerifyCertificateHashList()} for how they are produced and matched.
 *
 * <p>{@code repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }]}
 *
 * @return the count of verifyCertificateHash entries
 */
public int getVerifyCertificateHashCount() {
  final com.google.protobuf.LazyStringList hashes = verifyCertificateHash_;
  return hashes.size();
}
/**
 * Returns the {@code verify_certificate_hash} entry at {@code index}.
 *
 * <p>Entries are hex-encoded SHA-256 hashes of DER-encoded peer certificates; see
 * {@link #getVerifyCertificateHashList()} for the accepted spellings and the
 * matching rule shared with {@code verify_certificate_spki}.
 *
 * <p>{@code repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }]}
 *
 * @param index the index of the element to return
 * @return the verifyCertificateHash at the given index
 */
public java.lang.String getVerifyCertificateHash(int index) {
  final com.google.protobuf.LazyStringList hashes = verifyCertificateHash_;
  return hashes.get(index);
}
/**
 * Returns the {@code verify_certificate_hash} entry at {@code index} as raw bytes.
 *
 * <p>Entries are hex-encoded SHA-256 hashes of DER-encoded peer certificates; see
 * {@link #getVerifyCertificateHashList()} for the accepted spellings and the
 * matching rule shared with {@code verify_certificate_spki}.
 *
 * <p>{@code repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }]}
 *
 * @param index the index of the value to return
 * @return the bytes of the verifyCertificateHash at the given index
 */
public com.google.protobuf.ByteString
    getVerifyCertificateHashBytes(int index) {
  final com.google.protobuf.LazyStringList hashes = verifyCertificateHash_;
  return hashes.getByteString(index);
}
/**
 * Replaces the {@code verify_certificate_hash} entry at {@code index}.
 *
 * <p>The value is a hex-encoded SHA-256 of a DER-encoded peer certificate, in plain
 * or colon-separated "fingerprint" form; see {@link #getVerifyCertificateHashList()}
 * for how values are produced and how they combine with
 * {@code verify_certificate_spki}. No format check is done here; the field's
 * validate rules (elided as {@code [(.validate.rules) = { ... }]}) are presumably
 * enforced elsewhere — confirm.
 *
 * <p>{@code repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }]}
 *
 * @param index the index to set the value at
 * @param value the verifyCertificateHash to set
 * @return this builder for chaining
 * @throws NullPointerException if {@code value} is null
 */
public Builder setVerifyCertificateHash(
    int index, java.lang.String value) {
  java.util.Objects.requireNonNull(value);
  // Detach from the shared default list before the first mutation.
  ensureVerifyCertificateHashIsMutable();
  verifyCertificateHash_.set(index, value);
  onChanged();
  return this;
}
/**
 * Appends one {@code verify_certificate_hash} entry.
 *
 * <p>The value is a hex-encoded SHA-256 of a DER-encoded peer certificate, in plain
 * or colon-separated "fingerprint" form; see {@link #getVerifyCertificateHashList()}
 * for how values are produced and how they combine with
 * {@code verify_certificate_spki}. No format check is done here; the field's
 * validate rules (elided as {@code [(.validate.rules) = { ... }]}) are presumably
 * enforced elsewhere — confirm.
 *
 * <p>{@code repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }]}
 *
 * @param value the verifyCertificateHash to add
 * @return this builder for chaining
 * @throws NullPointerException if {@code value} is null
 */
public Builder addVerifyCertificateHash(
    java.lang.String value) {
  java.util.Objects.requireNonNull(value);
  // Detach from the shared default list before the first mutation.
  ensureVerifyCertificateHashIsMutable();
  verifyCertificateHash_.add(value);
  onChanged();
  return this;
}
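/**
 * Appends every element of {@code values} to {@code verify_certificate_hash}.
 *
 * <p>Each entry is a hex-encoded SHA-256 of a DER-encoded peer certificate, in plain
 * or colon-separated "fingerprint" form; see {@link #getVerifyCertificateHashList()}
 * for the openssl commands that produce them and for how the list combines with
 * {@code verify_certificate_spki} (a match in either list accepts the certificate).
 *
 * <p>Fix: the parameter was declared as a raw {@code java.lang.Iterable}; it is now
 * {@code Iterable<java.lang.String>} so non-string elements are rejected at compile
 * time. No format validation happens here; the field's validate rules (elided as
 * {@code [(.validate.rules) = { ... }]}) are presumably enforced elsewhere — confirm.
 *
 * <p>{@code repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }]}
 *
 * @param values the verifyCertificateHash entries to add
 * @return this builder for chaining
 */
public Builder addAllVerifyCertificateHash(
    java.lang.Iterable<java.lang.String> values) {
  // Detach from the shared default list before the first mutation.
  ensureVerifyCertificateHashIsMutable();
  com.google.protobuf.AbstractMessageLite.Builder.addAll(
      values, verifyCertificateHash_);
  onChanged();
  return this;
}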
/**
 * Appends one {@code verify_certificate_hash} entry supplied as raw UTF-8 bytes.
 *
 * <p>The value is a hex-encoded SHA-256 of a DER-encoded peer certificate, in plain
 * or colon-separated "fingerprint" form; see {@link #getVerifyCertificateHashList()}
 * for how values are produced and how they combine with
 * {@code verify_certificate_spki}.
 *
 * <p>{@code repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }]}
 *
 * @param value the bytes of the verifyCertificateHash to add; must be valid UTF-8
 * @return this builder for chaining
 * @throws NullPointerException if {@code value} is null
 */
public Builder addVerifyCertificateHashBytes(
    com.google.protobuf.ByteString value) {
  java.util.Objects.requireNonNull(value);
  // The list is a string list: reject byte strings that are not valid UTF-8.
  checkByteStringIsUtf8(value);
  ensureVerifyCertificateHashIsMutable();
  verifyCertificateHash_.add(value);
  onChanged();
  return this;
}
// Backing list for the deprecated verify_subject_alt_name (field 4). Starts as
// the shared immutable EMPTY instance; bit 0x4 of bitField0_ records that it
// has been replaced by a private mutable copy.
private com.google.protobuf.LazyStringList verifySubjectAltName_ = com.google.protobuf.LazyStringArrayList.EMPTY;
// Swaps the shared default list for a private mutable copy on first write.
private void ensureVerifySubjectAltNameIsMutable() {
  final boolean alreadyMutable = (bitField0_ & 0x00000004) != 0;
  if (alreadyMutable) {
    return;
  }
  verifySubjectAltName_ = new com.google.protobuf.LazyStringArrayList(verifySubjectAltName_);
  bitField0_ |= 0x00000004;
}
/**
 * Returns a read-only view of {@code verify_subject_alt_name}.
 *
 * <p>When non-empty, Envoy verifies that the Subject Alternative Name of the
 * presented certificate matches one of the listed values. SANs are easily spoofable
 * and verifying only them is insecure, so this option must be used together with
 * {@code trusted_ca}. The field is deprecated; {@code match_subject_alt_names}
 * (field 9) is the replacement.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @return an unmodifiable list of the verifySubjectAltName entries
 */
@java.lang.Deprecated public com.google.protobuf.ProtocolStringList
    getVerifySubjectAltNameList() {
  final com.google.protobuf.LazyStringList sans = verifySubjectAltName_;
  return sans.getUnmodifiableView();
}
/**
 * Returns the number of {@code verify_subject_alt_name} entries.
 *
 * <p>SANs are easily spoofable and verifying only them is insecure, so this option
 * must be used together with {@code trusted_ca}. The field is deprecated;
 * {@code match_subject_alt_names} (field 9) is the replacement.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @return the count of verifySubjectAltName entries
 */
@java.lang.Deprecated public int getVerifySubjectAltNameCount() {
  final com.google.protobuf.LazyStringList sans = verifySubjectAltName_;
  return sans.size();
}
/**
 * Returns the {@code verify_subject_alt_name} entry at {@code index}.
 *
 * <p>SANs are easily spoofable and verifying only them is insecure, so this option
 * must be used together with {@code trusted_ca}. The field is deprecated;
 * {@code match_subject_alt_names} (field 9) is the replacement.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @param index the index of the element to return
 * @return the verifySubjectAltName at the given index
 */
@java.lang.Deprecated public java.lang.String getVerifySubjectAltName(int index) {
  final com.google.protobuf.LazyStringList sans = verifySubjectAltName_;
  return sans.get(index);
}
/**
 * Returns the {@code verify_subject_alt_name} entry at {@code index} as raw bytes.
 *
 * <p>SANs are easily spoofable and verifying only them is insecure, so this option
 * must be used together with {@code trusted_ca}. The field is deprecated;
 * {@code match_subject_alt_names} (field 9) is the replacement.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @param index the index of the value to return
 * @return the bytes of the verifySubjectAltName at the given index
 */
@java.lang.Deprecated public com.google.protobuf.ByteString
    getVerifySubjectAltNameBytes(int index) {
  final com.google.protobuf.LazyStringList sans = verifySubjectAltName_;
  return sans.getByteString(index);
}
/**
 * Replaces the {@code verify_subject_alt_name} entry at {@code index}.
 *
 * <p>SANs are easily spoofable and verifying only them is insecure, so this option
 * must be used together with {@code trusted_ca}. The field is deprecated;
 * {@code match_subject_alt_names} (field 9) is the replacement.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @param index the index to set the value at
 * @param value the verifySubjectAltName to set
 * @return this builder for chaining
 * @throws NullPointerException if {@code value} is null
 */
@java.lang.Deprecated public Builder setVerifySubjectAltName(
    int index, java.lang.String value) {
  java.util.Objects.requireNonNull(value);
  // Detach from the shared default list before the first mutation.
  ensureVerifySubjectAltNameIsMutable();
  verifySubjectAltName_.set(index, value);
  onChanged();
  return this;
}
/**
 * Appends one {@code verify_subject_alt_name} entry.
 *
 * <p>SANs are easily spoofable and verifying only them is insecure, so this option
 * must be used together with {@code trusted_ca}. The field is deprecated;
 * {@code match_subject_alt_names} (field 9) is the replacement.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @param value the verifySubjectAltName to add
 * @return this builder for chaining
 * @throws NullPointerException if {@code value} is null
 */
@java.lang.Deprecated public Builder addVerifySubjectAltName(
    java.lang.String value) {
  java.util.Objects.requireNonNull(value);
  // Detach from the shared default list before the first mutation.
  ensureVerifySubjectAltNameIsMutable();
  verifySubjectAltName_.add(value);
  onChanged();
  return this;
}
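/**
 * Appends every element of {@code values} to {@code verify_subject_alt_name}.
 *
 * <p>SANs are easily spoofable and verifying only them is insecure, so this option
 * must be used together with {@code trusted_ca}. The field is deprecated;
 * {@code match_subject_alt_names} (field 9) is the replacement.
 *
 * <p>Fix: the parameter was declared as a raw {@code java.lang.Iterable}; it is now
 * {@code Iterable<java.lang.String>} so non-string elements are rejected at compile
 * time.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @param values the verifySubjectAltName entries to add
 * @return this builder for chaining
 */
@java.lang.Deprecated public Builder addAllVerifySubjectAltName(
    java.lang.Iterable<java.lang.String> values) {
  // Detach from the shared default list before the first mutation.
  ensureVerifySubjectAltNameIsMutable();
  com.google.protobuf.AbstractMessageLite.Builder.addAll(
      values, verifySubjectAltName_);
  onChanged();
  return this;
}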
/**
 * Removes every {@code verify_subject_alt_name} entry and drops the mutable copy,
 * reverting the field to the shared empty default.
 *
 * <p>The field is deprecated; {@code match_subject_alt_names} (field 9) is the
 * replacement. SAN-only verification is insecure and must be paired with
 * {@code trusted_ca}.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @return this builder for chaining
 */
@java.lang.Deprecated public Builder clearVerifySubjectAltName() {
  verifySubjectAltName_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  // Clear the "has private copy" bit so the next write re-copies from EMPTY.
  bitField0_ &= ~0x00000004;
  onChanged();
  return this;
}
/**
 * Appends one {@code verify_subject_alt_name} entry supplied as raw UTF-8 bytes.
 *
 * <p>SANs are easily spoofable and verifying only them is insecure, so this option
 * must be used together with {@code trusted_ca}. The field is deprecated;
 * {@code match_subject_alt_names} (field 9) is the replacement.
 *
 * <p>{@code repeated string verify_subject_alt_name = 4 [deprecated = true];}
 *
 * @deprecated envoy.api.v2.auth.CertificateValidationContext.verify_subject_alt_name is deprecated.
 *     See envoy/api/v2/auth/common.proto;l=285
 * @param value the bytes of the verifySubjectAltName to add; must be valid UTF-8
 * @return this builder for chaining
 * @throws NullPointerException if {@code value} is null
 */
@java.lang.Deprecated public Builder addVerifySubjectAltNameBytes(
    com.google.protobuf.ByteString value) {
  java.util.Objects.requireNonNull(value);
  // The list is a string list: reject byte strings that are not valid UTF-8.
  checkByteStringIsUtf8(value);
  ensureVerifySubjectAltNameIsMutable();
  verifySubjectAltName_.add(value);
  onChanged();
  return this;
}
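// Backing list for match_subject_alt_names (field 9), used until a nested
// RepeatedFieldBuilderV3 takes over. Fix: the list and its mutable copy were
// declared with raw types; they are now parameterized on StringMatcher so that
// only matchers can be stored. Bit 0x8 of bitField0_ records that the shared
// empty default has been replaced by a private mutable copy.
private java.util.List<io.envoyproxy.envoy.type.matcher.StringMatcher> matchSubjectAltNames_ =
    java.util.Collections.emptyList();
// Swaps the shared empty default for a private mutable copy on first write.
private void ensureMatchSubjectAltNamesIsMutable() {
  if ((bitField0_ & 0x00000008) == 0) {
    matchSubjectAltNames_ =
        new java.util.ArrayList<io.envoyproxy.envoy.type.matcher.StringMatcher>(matchSubjectAltNames_);
    bitField0_ |= 0x00000008;
  }
}
// Once non-null, all repeated-field access goes through this builder instead of
// matchSubjectAltNames_ (see the null checks in the accessors below).
private com.google.protobuf.RepeatedFieldBuilderV3<
    io.envoyproxy.envoy.type.matcher.StringMatcher, io.envoyproxy.envoy.type.matcher.StringMatcher.Builder, io.envoyproxy.envoy.type.matcher.StringMatcherOrBuilder> matchSubjectAltNamesBuilder_;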
/**
 * Returns the number of {@code match_subject_alt_names} matchers.
 *
 * <p>Envoy verifies that the Subject Alternative Name of the presented certificate
 * matches one of the configured {@code envoy.type.matcher.StringMatcher}s. To pin a
 * specific client whose certificate carries a wildcard DNS SAN (e.g.
 * {@code *.example.com}), use an {@code exact} matcher such as
 * {@code exact: "api.example.com"}. SANs are easily spoofable and verifying only
 * them is insecure, so this option must be used together with {@code trusted_ca}.
 *
 * <p>Reads from the nested field builder when one has been created, otherwise
 * from the plain backing list.
 *
 * <p>{@code repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;}
 *
 * @return the count of matchSubjectAltNames entries
 */
public int getMatchSubjectAltNamesCount() {
  final boolean usingBuilder = matchSubjectAltNamesBuilder_ != null;
  return usingBuilder
      ? matchSubjectAltNamesBuilder_.getCount()
      : matchSubjectAltNames_.size();
}
/**
 * Replaces the {@code match_subject_alt_names} matcher at {@code index}.
 *
 * <p>Envoy verifies that the Subject Alternative Name of the presented certificate
 * matches one of the configured {@code envoy.type.matcher.StringMatcher}s; use an
 * {@code exact} matcher (e.g. {@code exact: "api.example.com"}) to pin one client
 * when its certificate carries a wildcard DNS SAN. SANs are easily spoofable and
 * verifying only them is insecure, so this option must be used together with
 * {@code trusted_ca}.
 *
 * <p>Delegates to the nested field builder when one has been created; otherwise
 * writes to the plain backing list and notifies the parent builder.
 *
 * <p>{@code repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;}
 *
 * @param index the index to set the value at
 * @param value the matcher to store
 * @return this builder for chaining
 * @throws NullPointerException if {@code value} is null and no field builder is in use
 */
public Builder setMatchSubjectAltNames(
    int index, io.envoyproxy.envoy.type.matcher.StringMatcher value) {
  if (matchSubjectAltNamesBuilder_ != null) {
    matchSubjectAltNamesBuilder_.setMessage(index, value);
    return this;
  }
  java.util.Objects.requireNonNull(value);
  ensureMatchSubjectAltNamesIsMutable();
  matchSubjectAltNames_.set(index, value);
  onChanged();
  return this;
}
/**
*
* An optional list of Subject Alternative name matchers. Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified matches.
* When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
* configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
* For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
* it should be configured as shown below.
* .. code-block:: yaml
* match_subject_alt_names:
* exact: "api.example.com"
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
* An optional list of Subject Alternative name matchers. Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified matches.
* When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
* configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
* For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
* it should be configured as shown below.
* .. code-block:: yaml
* match_subject_alt_names:
* exact: "api.example.com"
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
*/
public Builder addMatchSubjectAltNames(io.envoyproxy.envoy.type.matcher.StringMatcher value) {
  // Appends one SAN matcher. Per the field doc a matcher only narrows which peer
  // names are accepted; it is not a substitute for trusted_ca chain validation.
  if (matchSubjectAltNamesBuilder_ != null) {
    // Field builder owns the list once it exists; hand the value straight to it.
    matchSubjectAltNamesBuilder_.addMessage(value);
    return this;
  }
  if (value == null) {
    throw new NullPointerException();
  }
  ensureMatchSubjectAltNamesIsMutable();
  matchSubjectAltNames_.add(value);
  onChanged();
  return this;
}
/**
*
* An optional list of Subject Alternative name matchers. Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified matches.
* When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
* configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
* For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
* it should be configured as shown below.
* .. code-block:: yaml
* match_subject_alt_names:
* exact: "api.example.com"
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
*/
public Builder addMatchSubjectAltNames(
    int index, io.envoyproxy.envoy.type.matcher.StringMatcher value) {
  // Inserts a SAN matcher at `index`; index bounds are left to the underlying
  // list / field builder, they are not checked here.
  if (matchSubjectAltNamesBuilder_ != null) {
    matchSubjectAltNamesBuilder_.addMessage(index, value);
    return this;
  }
  if (value == null) {
    throw new NullPointerException();
  }
  ensureMatchSubjectAltNamesIsMutable();
  matchSubjectAltNames_.add(index, value);
  onChanged();
  return this;
}
/**
 *
 * An optional list of Subject Alternative name matchers. Envoy will verify that the
 * Subject Alternative Name of the presented certificate matches one of the specified matches.
 * When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
 * configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
 * For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
 * it should be configured as shown below.
 * .. code-block:: yaml
 *   match_subject_alt_names:
 *     exact: "api.example.com"
 * .. attention::
 *   Subject Alternative Names are easily spoofable and verifying only them is insecure,
 *   therefore this option must be used together with :ref:`trusted_ca
 *   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
 *
 *
 * repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
 */
public io.envoyproxy.envoy.type.matcher.StringMatcher.Builder getMatchSubjectAltNamesBuilder(
int index) {
// Delegates to the repeated-field builder (getMatchSubjectAltNamesFieldBuilder()
// is defined outside this view); `index` bounds are not checked at this level.
return getMatchSubjectAltNamesFieldBuilder().getBuilder(index);
}
/**
*
* An optional list of Subject Alternative name matchers. Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified matches.
* When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
* configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
* For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
* it should be configured as shown below.
* .. code-block:: yaml
* match_subject_alt_names:
* exact: "api.example.com"
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
*/
public io.envoyproxy.envoy.type.matcher.StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(
    int index) {
  // Read-only view of the matcher at `index`, from whichever side currently
  // holds the data (field builder if one exists, otherwise the plain list).
  if (matchSubjectAltNamesBuilder_ != null) {
    return matchSubjectAltNamesBuilder_.getMessageOrBuilder(index);
  }
  return matchSubjectAltNames_.get(index);
}
/**
 *
 * An optional `certificate revocation list
 * <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 * (in PEM format). If specified, Envoy will verify that the presented peer
 * certificate has not been revoked by this CRL. If this DataSource contains
 * multiple CRLs, all of them will be used.
 * If no CRL is supplied, nothing in this validation context checks revocation,
 * so a compromised but otherwise valid certificate is still accepted; operators
 * who rely on revocation must also keep the supplied list current.
 *
 *
 * .envoy.api.v2.core.DataSource crl = 7;
 * @return Whether the crl field is set.
 */
public boolean hasCrl() {
  // "Set" means either the plain message or its builder is present. A false
  // result means no CRL is configured, i.e. no revocation check will be applied.
  return crl_ != null || crlBuilder_ != null;
}
/**
 *
 * An optional `certificate revocation list
 * <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
 * (in PEM format). If specified, Envoy will verify that the presented peer
 * certificate has not been revoked by this CRL. If this DataSource contains
 * multiple CRLs, all of them will be used.
 *
 *
 * .envoy.api.v2.core.DataSource crl = 7;
 */
public Builder setCrl(io.envoyproxy.envoy.api.v2.core.DataSource value) {
  // Replaces the CRL DataSource. The content is not parsed here; PEM validity
  // and the revocation check itself happen when Envoy consumes the config.
  if (crlBuilder_ != null) {
    crlBuilder_.setMessage(value);
    return this;
  }
  if (value == null) {
    throw new NullPointerException();
  }
  crl_ = value;
  onChanged();
  return this;
}
/**
 *
 * If specified, Envoy will not reject expired certificates.
 * .. attention::
 *   Enabling this removes the time bound on a certificate's validity, so a
 *   certificate that should have aged out (for example one whose key has been
 *   retired) remains acceptable. Leave it unset unless the operational need is
 *   explicit, and pair it with a CRL so revoked certificates can still be refused.
 *
 *
 * bool allow_expired_certificate = 8;
 * @param value The allowExpiredCertificate to set.
 * @return This builder for chaining.
 */
public Builder setAllowExpiredCertificate(boolean value) {
  // SECURITY: `true` tells Envoy to accept certificates past their expiry
  // (see the field doc). Keep this false unless the relaxation is deliberate.
  this.allowExpiredCertificate_ = value;
  this.onChanged();
  return this;
}
/**
*
* If specified, Envoy will not reject expired certificates.
*
*
* bool allow_expired_certificate = 8;
* @return This builder for chaining.
*/
public Builder clearAllowExpiredCertificate() {
  // Back to the proto default (false): expired certificates are rejected again.
  this.allowExpiredCertificate_ = false;
  this.onChanged();
  return this;
}
private int trustChainVerification_ = 0; // 0 == VERIFY_TRUST_CHAIN: a fresh builder verifies the chain
/**
*
* Certificate trust chain verification mode.
*
*
* .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
* @return The enum numeric value on the wire for trustChainVerification.
*/
@java.lang.Override public int getTrustChainVerificationValue() {
// Raw wire value. Unlike getTrustChainVerification(), numbers outside the enum
// are returned as-is rather than mapped to UNRECOGNIZED.
return trustChainVerification_;
}
/**
 *
 * Certificate trust chain verification mode.
 * The wire value is stored without validation: 0 (VERIFY_TRUST_CHAIN) keeps
 * default verification, 1 (ACCEPT_UNTRUSTED) permits connections whose
 * certificate fails verification, and any other number reads back as
 * UNRECOGNIZED. Treat the source of this value as security-relevant.
 *
 *
 * .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
 * @param value The enum numeric value on the wire for trustChainVerification to set.
 * @return This builder for chaining.
 */
public Builder setTrustChainVerificationValue(int value) {
  // No range check: any int is stored and values outside the enum read back as
  // UNRECOGNIZED. SECURITY: 1 (ACCEPT_UNTRUSTED) lets connections whose
  // certificate fails verification through, so do not feed this from untrusted input.
  this.trustChainVerification_ = value;
  this.onChanged();
  return this;
}
/**
*
* Certificate trust chain verification mode.
*
*
* .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
* @return The trustChainVerification.
*/
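@java.lang.Override
public io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification getTrustChainVerification() {
  // Use the non-deprecated forNumber() lookup (valueOf(int) merely delegates to it).
  // It returns null for wire values outside the enum; those are surfaced as
  // UNRECOGNIZED rather than thrown, so callers must handle that member.
  io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification result =
      io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification.forNumber(trustChainVerification_);
  return result == null
      ? io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification.UNRECOGNIZED
      : result;
}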
/**
*
* Certificate trust chain verification mode.
*
*
* .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
* @param value The trustChainVerification to set.
* @return This builder for chaining.
*/
public Builder setTrustChainVerification(io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification value) {
  if (value == null) {
    throw new NullPointerException();
  }
  // getNumber() throws IllegalArgumentException for UNRECOGNIZED, so only real
  // enum members can be stored through this typed path (the int setter has no such guard).
  final int wireValue = value.getNumber();
  this.trustChainVerification_ = wireValue;
  this.onChanged();
  return this;
}
/**
*
* Certificate trust chain verification mode.
*
*
* .envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
* @return This builder for chaining.
*/
public Builder clearTrustChainVerification() {
  // Reset to the proto default 0 == VERIFY_TRUST_CHAIN, i.e. back to verifying.
  this.trustChainVerification_ = 0;
  this.onChanged();
  return this;
}
@java.lang.Override
public final Builder setUnknownFields(
final com.google.protobuf.UnknownFieldSet unknownFields) {
// Pure delegation to the generated base builder; nothing message-specific here.
return super.setUnknownFields(unknownFields);
}
@java.lang.Override
public final Builder mergeUnknownFields(
final com.google.protobuf.UnknownFieldSet unknownFields) {
// Pure delegation to the generated base builder; nothing message-specific here.
return super.mergeUnknownFields(unknownFields);
}
// @@protoc_insertion_point(builder_scope:envoy.api.v2.auth.CertificateValidationContext)
}
// @@protoc_insertion_point(class_scope:envoy.api.v2.auth.CertificateValidationContext)
// Single shared default instance. An inline initializer is equivalent to the
// separate static block: it runs at the same point of class initialization.
private static final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext DEFAULT_INSTANCE =
    new io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext();
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext getDefaultInstance() {
// Shared immutable default; callers must not expect a fresh object per call.
return DEFAULT_INSTANCE;
}
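/**
 * Parser for this message type, exposed through {@code parser()} and
 * {@code getParserForType()}. Typed with the message class instead of the
 * raw {@code Parser}/{@code AbstractParser} so callers get a checked result.
 */
private static final com.google.protobuf.Parser<CertificateValidationContext>
    PARSER = new com.google.protobuf.AbstractParser<CertificateValidationContext>() {
  @java.lang.Override
  public CertificateValidationContext parsePartialFrom(
      com.google.protobuf.CodedInputStream input,
      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
      throws com.google.protobuf.InvalidProtocolBufferException {
    // Delegates to the parsing constructor; malformed input is reported as
    // InvalidProtocolBufferException.
    return new CertificateValidationContext(input, extensionRegistry);
  }
};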
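/**
 * Returns the shared parser for this message type.
 *
 * @return the parser, typed with the message class rather than as a raw {@code Parser}
 */
public static com.google.protobuf.Parser<CertificateValidationContext> parser() {
  return PARSER;
}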
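/**
 * Instance-side accessor for the same shared parser as {@code parser()}.
 *
 * @return the parser, typed with the message class rather than as a raw {@code Parser}
 */
@java.lang.Override
public com.google.protobuf.Parser<CertificateValidationContext> getParserForType() {
  return PARSER;
}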
@java.lang.Override
public io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext getDefaultInstanceForType() {
// Instance-side accessor for the same shared default as getDefaultInstance().
return DEFAULT_INSTANCE;
}
}