
// Generated by the protocol buffer compiler. DO NOT EDIT!
// source: envoy/api/v2/auth/cert.proto
package io.envoyproxy.envoy.api.v2.auth;
/**
* Protobuf type {@code envoy.api.v2.auth.CertificateValidationContext}
*/
public final class CertificateValidationContext extends
com.google.protobuf.GeneratedMessageV3 implements
// @@protoc_insertion_point(message_implements:envoy.api.v2.auth.CertificateValidationContext)
CertificateValidationContextOrBuilder {
private static final long serialVersionUID = 0L;
// Use CertificateValidationContext.newBuilder() to construct.
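private CertificateValidationContext(com.google.protobuf.GeneratedMessageV3.Builder<?> builder) {
  // Builder<?> is the parameter type of the GeneratedMessageV3 constructor; the bare
  // "Builder>" form is not valid Java. Field values are assigned by the builder, not here.
  super(builder);
}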
private CertificateValidationContext() {
  // false: per the field documentation, expired certificates are rejected unless this is set.
  allowExpiredCertificate_ = false;
  // All three repeated string fields start out as the shared empty list.
  verifyCertificateHash_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  verifyCertificateSpki_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  verifySubjectAltName_ = com.google.protobuf.LazyStringArrayList.EMPTY;
}
@java.lang.Override
public final com.google.protobuf.UnknownFieldSet getUnknownFields() {
  // Fields that were present on the wire but matched no case in the parsing constructor.
  return unknownFields;
}
// Parsing constructor: reads one CertificateValidationContext from the wire format.
// Each case label is a protobuf tag, i.e. (field_number << 3) | wire_type.
// Values are stored as read: apart from the UTF-8 requirement on strings, nothing in
// this constructor checks that hashes, SPKI pins or SANs are well-formed.
private CertificateValidationContext(
com.google.protobuf.CodedInputStream input,
com.google.protobuf.ExtensionRegistryLite extensionRegistry)
throws com.google.protobuf.InvalidProtocolBufferException {
// Start from the defaults (empty lists, allowExpiredCertificate_ = false).
this();
if (extensionRegistry == null) {
throw new java.lang.NullPointerException();
}
// Tracks which repeated fields got a fresh mutable list during this parse.
int mutable_bitField0_ = 0;
com.google.protobuf.UnknownFieldSet.Builder unknownFields =
com.google.protobuf.UnknownFieldSet.newBuilder();
try {
boolean done = false;
while (!done) {
int tag = input.readTag();
switch (tag) {
// Tag 0: end of input.
case 0:
done = true;
break;
// Any tag not listed below is kept in unknownFields rather than dropped.
default: {
if (!parseUnknownFieldProto3(
input, unknownFields, extensionRegistry, tag)) {
done = true;
}
break;
}
// Field 1, trusted_ca (embedded DataSource message).
case 10: {
io.envoyproxy.envoy.api.v2.core.DataSource.Builder subBuilder = null;
// Non-null only if the field already appeared earlier in this stream;
// the later occurrence is then merged into the earlier one.
if (trustedCa_ != null) {
subBuilder = trustedCa_.toBuilder();
}
trustedCa_ = input.readMessage(io.envoyproxy.envoy.api.v2.core.DataSource.parser(), extensionRegistry);
if (subBuilder != null) {
subBuilder.mergeFrom(trustedCa_);
trustedCa_ = subBuilder.buildPartial();
}
break;
}
// Field 2, verify_certificate_hash (repeated string).
case 18: {
java.lang.String s = input.readStringRequireUtf8();
// First element seen: swap the shared empty list for a mutable one.
if (!((mutable_bitField0_ & 0x00000004) == 0x00000004)) {
verifyCertificateHash_ = new com.google.protobuf.LazyStringArrayList();
mutable_bitField0_ |= 0x00000004;
}
verifyCertificateHash_.add(s);
break;
}
// Field 3, verify_certificate_spki (repeated string).
case 26: {
java.lang.String s = input.readStringRequireUtf8();
if (!((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
verifyCertificateSpki_ = new com.google.protobuf.LazyStringArrayList();
mutable_bitField0_ |= 0x00000002;
}
verifyCertificateSpki_.add(s);
break;
}
// Field 4, verify_subject_alt_name (repeated string).
case 34: {
java.lang.String s = input.readStringRequireUtf8();
if (!((mutable_bitField0_ & 0x00000008) == 0x00000008)) {
verifySubjectAltName_ = new com.google.protobuf.LazyStringArrayList();
mutable_bitField0_ |= 0x00000008;
}
verifySubjectAltName_.add(s);
break;
}
// Field 5, require_ocsp_staple (BoolValue wrapper message); same merge pattern as field 1.
case 42: {
com.google.protobuf.BoolValue.Builder subBuilder = null;
if (requireOcspStaple_ != null) {
subBuilder = requireOcspStaple_.toBuilder();
}
requireOcspStaple_ = input.readMessage(com.google.protobuf.BoolValue.parser(), extensionRegistry);
if (subBuilder != null) {
subBuilder.mergeFrom(requireOcspStaple_);
requireOcspStaple_ = subBuilder.buildPartial();
}
break;
}
// Field 6, require_signed_certificate_timestamp (BoolValue wrapper message).
case 50: {
com.google.protobuf.BoolValue.Builder subBuilder = null;
if (requireSignedCertificateTimestamp_ != null) {
subBuilder = requireSignedCertificateTimestamp_.toBuilder();
}
requireSignedCertificateTimestamp_ = input.readMessage(com.google.protobuf.BoolValue.parser(), extensionRegistry);
if (subBuilder != null) {
subBuilder.mergeFrom(requireSignedCertificateTimestamp_);
requireSignedCertificateTimestamp_ = subBuilder.buildPartial();
}
break;
}
// Field 7, crl (embedded DataSource message).
case 58: {
io.envoyproxy.envoy.api.v2.core.DataSource.Builder subBuilder = null;
if (crl_ != null) {
subBuilder = crl_.toBuilder();
}
crl_ = input.readMessage(io.envoyproxy.envoy.api.v2.core.DataSource.parser(), extensionRegistry);
if (subBuilder != null) {
subBuilder.mergeFrom(crl_);
crl_ = subBuilder.buildPartial();
}
break;
}
// Field 8, allow_expired_certificate (varint bool); a repeated occurrence overwrites.
case 64: {
allowExpiredCertificate_ = input.readBool();
break;
}
}
}
} catch (com.google.protobuf.InvalidProtocolBufferException e) {
// Attach the partially parsed message to the exception before rethrowing.
throw e.setUnfinishedMessage(this);
} catch (java.io.IOException e) {
throw new com.google.protobuf.InvalidProtocolBufferException(
e).setUnfinishedMessage(this);
} finally {
// Runs on success and on failure: lists allocated above are replaced by
// unmodifiable views and the collected unknown fields are stored.
if (((mutable_bitField0_ & 0x00000004) == 0x00000004)) {
verifyCertificateHash_ = verifyCertificateHash_.getUnmodifiableView();
}
if (((mutable_bitField0_ & 0x00000002) == 0x00000002)) {
verifyCertificateSpki_ = verifyCertificateSpki_.getUnmodifiableView();
}
if (((mutable_bitField0_ & 0x00000008) == 0x00000008)) {
verifySubjectAltName_ = verifySubjectAltName_.getUnmodifiableView();
}
this.unknownFields = unknownFields.build();
makeExtensionsImmutable();
}
}
public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
  // The descriptor instance lives on the generated CertProto class.
  final com.google.protobuf.Descriptors.Descriptor descriptor =
      io.envoyproxy.envoy.api.v2.auth.CertProto.internal_static_envoy_api_v2_auth_CertificateValidationContext_descriptor;
  return descriptor;
}
protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable() {
  // Table held by CertProto, bound here to this message class and its Builder.
  final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable table =
      io.envoyproxy.envoy.api.v2.auth.CertProto.internal_static_envoy_api_v2_auth_CertificateValidationContext_fieldAccessorTable;
  return table.ensureFieldAccessorsInitialized(
      io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.class,
      io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.Builder.class);
}
private int bitField0_;
public static final int TRUSTED_CA_FIELD_NUMBER = 1;
private io.envoyproxy.envoy.api.v2.core.DataSource trustedCa_;
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public boolean hasTrustedCa() {
  // Presence is tracked by nullness. Per the field documentation, without trusted_ca a
  // presented peer certificate is not verified, so a config audit should treat false
  // here as "no chain validation configured".
  return null != trustedCa_;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public io.envoyproxy.envoy.api.v2.core.DataSource getTrustedCa() {
  // Never null: an unset field yields the default DataSource instance, so only
  // hasTrustedCa() distinguishes "unset" from "set".
  if (trustedCa_ != null) {
    return trustedCa_;
  }
  return io.envoyproxy.envoy.api.v2.core.DataSource.getDefaultInstance();
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder getTrustedCaOrBuilder() {
  // On the built message this is the same value as getTrustedCa(), typed as the
  // read-only OrBuilder interface.
  final io.envoyproxy.envoy.api.v2.core.DataSource trustedCa = getTrustedCa();
  return trustedCa;
}
public static final int VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER = 3;
private com.google.protobuf.LazyStringList verifyCertificateSpki_;
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList() {
  // Returns the stored list directly, without copying. Entries are handed back as
  // stored; this accessor does not check that they are base64 SHA-256 values.
  return this.verifyCertificateSpki_;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public int getVerifyCertificateSpkiCount() {
  // Number of configured SPKI pins; 0 when the field was never set.
  final int pinCount = verifyCertificateSpki_.size();
  return pinCount;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public java.lang.String getVerifyCertificateSpki(int index) {
  // Index bounds are left to the underlying list.
  final com.google.protobuf.LazyStringList pins = verifyCertificateSpki_;
  return pins.get(index);
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index) {
  // Same element as getVerifyCertificateSpki(index), as a ByteString.
  final com.google.protobuf.LazyStringList pins = verifyCertificateSpki_;
  return pins.getByteString(index);
}
public static final int VERIFY_CERTIFICATE_HASH_FIELD_NUMBER = 2;
private com.google.protobuf.LazyStringList verifyCertificateHash_;
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList() {
  // Returns the stored list directly, without copying. Entries are handed back as
  // stored; this accessor does not check that they are hex SHA-256 values.
  return this.verifyCertificateHash_;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public int getVerifyCertificateHashCount() {
  // Number of configured certificate hashes; 0 when the field was never set.
  final int hashCount = verifyCertificateHash_.size();
  return hashCount;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public java.lang.String getVerifyCertificateHash(int index) {
  // Index bounds are left to the underlying list.
  final com.google.protobuf.LazyStringList hashes = verifyCertificateHash_;
  return hashes.get(index);
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index) {
  // Same element as getVerifyCertificateHash(index), as a ByteString.
  final com.google.protobuf.LazyStringList hashes = verifyCertificateHash_;
  return hashes.getByteString(index);
}
public static final int VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER = 4;
private com.google.protobuf.LazyStringList verifySubjectAltName_;
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public com.google.protobuf.ProtocolStringList getVerifySubjectAltNameList() {
  // Returns the stored list directly, without copying. The field documentation requires
  // SAN matching to be combined with trusted_ca; this accessor does not check that
  // pairing, so a reviewer of a config should check hasTrustedCa() alongside it.
  return this.verifySubjectAltName_;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public int getVerifySubjectAltNameCount() {
  // Number of configured SAN values; 0 when the field was never set.
  final int sanCount = verifySubjectAltName_.size();
  return sanCount;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public java.lang.String getVerifySubjectAltName(int index) {
  // Index bounds are left to the underlying list.
  final com.google.protobuf.LazyStringList names = verifySubjectAltName_;
  return names.get(index);
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index) {
  // Same element as getVerifySubjectAltName(index), as a ByteString.
  final com.google.protobuf.LazyStringList names = verifySubjectAltName_;
  return names.getByteString(index);
}
public static final int REQUIRE_OCSP_STAPLE_FIELD_NUMBER = 5;
private com.google.protobuf.BoolValue requireOcspStaple_;
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public boolean hasRequireOcspStaple() {
  // Presence only. The field is documented as not implemented, so a true result
  // should not be read as "OCSP stapling is enforced".
  return null != requireOcspStaple_;
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public com.google.protobuf.BoolValue getRequireOcspStaple() {
  // Never null: an unset field yields the default BoolValue instance.
  if (requireOcspStaple_ != null) {
    return requireOcspStaple_;
  }
  return com.google.protobuf.BoolValue.getDefaultInstance();
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder() {
  // Same value as getRequireOcspStaple(), typed as the read-only OrBuilder interface.
  final com.google.protobuf.BoolValue staple = getRequireOcspStaple();
  return staple;
}
public static final int REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER = 6;
private com.google.protobuf.BoolValue requireSignedCertificateTimestamp_;
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public boolean hasRequireSignedCertificateTimestamp() {
  // Presence only. The field is documented as not implemented, so a true result
  // should not be read as "SCTs are enforced".
  return null != requireSignedCertificateTimestamp_;
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp() {
  // Never null: an unset field yields the default BoolValue instance.
  if (requireSignedCertificateTimestamp_ != null) {
    return requireSignedCertificateTimestamp_;
  }
  return com.google.protobuf.BoolValue.getDefaultInstance();
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder() {
  // Same value as getRequireSignedCertificateTimestamp(), typed as the read-only
  // OrBuilder interface.
  final com.google.protobuf.BoolValue sct = getRequireSignedCertificateTimestamp();
  return sct;
}
public static final int CRL_FIELD_NUMBER = 7;
private io.envoyproxy.envoy.api.v2.core.DataSource crl_;
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public boolean hasCrl() {
  // Presence is tracked by nullness; false means no CRL source was configured
  // in this message.
  return null != crl_;
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public io.envoyproxy.envoy.api.v2.core.DataSource getCrl() {
  // Never null: an unset field yields the default DataSource instance, so only
  // hasCrl() distinguishes "unset" from "set".
  if (crl_ != null) {
    return crl_;
  }
  return io.envoyproxy.envoy.api.v2.core.DataSource.getDefaultInstance();
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder getCrlOrBuilder() {
  // Same value as getCrl(), typed as the read-only OrBuilder interface.
  final io.envoyproxy.envoy.api.v2.core.DataSource crl = getCrl();
  return crl;
}
public static final int ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER = 8;
private boolean allowExpiredCertificate_;
/**
*
* If specified, Envoy will not reject expired certificates.
*
*
* bool allow_expired_certificate = 8;
*/
public boolean getAllowExpiredCertificate() {
  // true relaxes validation: per the field documentation Envoy then does not reject
  // expired certificates. The no-arg constructor initialises this to false.
  return this.allowExpiredCertificate_;
}
private byte memoizedIsInitialized = -1;
public final boolean isInitialized() {
  // Memo values: -1 not computed yet, 0 false, 1 true.
  // The uncomputed path stores 1 unconditionally, so this reports protobuf-level
  // initialisation only; it is not a consistency check of the TLS validation settings.
  switch (memoizedIsInitialized) {
    case 1:
      return true;
    case 0:
      return false;
    default:
      memoizedIsInitialized = 1;
      return true;
  }
}
public void writeTo(com.google.protobuf.CodedOutputStream output)
    throws java.io.IOException {
  // Fields are written in ascending field-number order (1..8), unknown fields last.
  // Unset message fields, empty lists and a false flag are omitted from the output.
  if (hasTrustedCa()) {
    output.writeMessage(1, getTrustedCa());
  }
  final int hashCount = verifyCertificateHash_.size();
  for (int idx = 0; idx < hashCount; idx++) {
    com.google.protobuf.GeneratedMessageV3.writeString(
        output, 2, verifyCertificateHash_.getRaw(idx));
  }
  final int spkiCount = verifyCertificateSpki_.size();
  for (int idx = 0; idx < spkiCount; idx++) {
    com.google.protobuf.GeneratedMessageV3.writeString(
        output, 3, verifyCertificateSpki_.getRaw(idx));
  }
  final int sanCount = verifySubjectAltName_.size();
  for (int idx = 0; idx < sanCount; idx++) {
    com.google.protobuf.GeneratedMessageV3.writeString(
        output, 4, verifySubjectAltName_.getRaw(idx));
  }
  if (hasRequireOcspStaple()) {
    output.writeMessage(5, getRequireOcspStaple());
  }
  if (hasRequireSignedCertificateTimestamp()) {
    output.writeMessage(6, getRequireSignedCertificateTimestamp());
  }
  if (hasCrl()) {
    output.writeMessage(7, getCrl());
  }
  if (allowExpiredCertificate_) {
    output.writeBool(8, allowExpiredCertificate_);
  }
  unknownFields.writeTo(output);
}
public int getSerializedSize() {
  // -1 marks "not computed yet"; any other value is the cached result.
  final int cached = memoizedSize;
  if (cached != -1) {
    return cached;
  }
  int total = 0;
  if (hasTrustedCa()) {
    total += com.google.protobuf.CodedOutputStream.computeMessageSize(1, getTrustedCa());
  }
  // Repeated strings: payload bytes plus one tag byte per element.
  int hashBytes = 0;
  for (int idx = 0; idx < verifyCertificateHash_.size(); idx++) {
    hashBytes += computeStringSizeNoTag(verifyCertificateHash_.getRaw(idx));
  }
  total += hashBytes + getVerifyCertificateHashList().size();
  int spkiBytes = 0;
  for (int idx = 0; idx < verifyCertificateSpki_.size(); idx++) {
    spkiBytes += computeStringSizeNoTag(verifyCertificateSpki_.getRaw(idx));
  }
  total += spkiBytes + getVerifyCertificateSpkiList().size();
  int sanBytes = 0;
  for (int idx = 0; idx < verifySubjectAltName_.size(); idx++) {
    sanBytes += computeStringSizeNoTag(verifySubjectAltName_.getRaw(idx));
  }
  total += sanBytes + getVerifySubjectAltNameList().size();
  if (hasRequireOcspStaple()) {
    total += com.google.protobuf.CodedOutputStream.computeMessageSize(5, getRequireOcspStaple());
  }
  if (hasRequireSignedCertificateTimestamp()) {
    total += com.google.protobuf.CodedOutputStream
        .computeMessageSize(6, getRequireSignedCertificateTimestamp());
  }
  if (hasCrl()) {
    total += com.google.protobuf.CodedOutputStream.computeMessageSize(7, getCrl());
  }
  if (allowExpiredCertificate_) {
    total += com.google.protobuf.CodedOutputStream.computeBoolSize(8, allowExpiredCertificate_);
  }
  total += unknownFields.getSerializedSize();
  memoizedSize = total;
  return total;
}
@java.lang.Override
public boolean equals(final java.lang.Object obj) {
  if (this == obj) {
    return true;
  }
  if (!(obj instanceof io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext)) {
    return super.equals(obj);
  }
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext that =
      (io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext) obj;
  // Message fields: presence must agree first, then the values when present.
  if (hasTrustedCa() != that.hasTrustedCa()) {
    return false;
  }
  if (hasTrustedCa() && !getTrustedCa().equals(that.getTrustedCa())) {
    return false;
  }
  // Repeated fields compare as lists, so element order matters.
  if (!getVerifyCertificateSpkiList().equals(that.getVerifyCertificateSpkiList())) {
    return false;
  }
  if (!getVerifyCertificateHashList().equals(that.getVerifyCertificateHashList())) {
    return false;
  }
  if (!getVerifySubjectAltNameList().equals(that.getVerifySubjectAltNameList())) {
    return false;
  }
  if (hasRequireOcspStaple() != that.hasRequireOcspStaple()) {
    return false;
  }
  if (hasRequireOcspStaple() && !getRequireOcspStaple().equals(that.getRequireOcspStaple())) {
    return false;
  }
  if (hasRequireSignedCertificateTimestamp() != that.hasRequireSignedCertificateTimestamp()) {
    return false;
  }
  if (hasRequireSignedCertificateTimestamp()
      && !getRequireSignedCertificateTimestamp()
          .equals(that.getRequireSignedCertificateTimestamp())) {
    return false;
  }
  if (hasCrl() != that.hasCrl()) {
    return false;
  }
  if (hasCrl() && !getCrl().equals(that.getCrl())) {
    return false;
  }
  if (getAllowExpiredCertificate() != that.getAllowExpiredCertificate()) {
    return false;
  }
  // Unknown fields take part in equality as well.
  return unknownFields.equals(that.unknownFields);
}
@java.lang.Override
public int hashCode() {
  // 0 doubles as the "not computed yet" marker for the memo.
  if (memoizedHashCode == 0) {
    int h = 41;
    h = (19 * h) + getDescriptor().hashCode();
    // Each set field mixes in its field number, then its value, in this fixed order.
    if (hasTrustedCa()) {
      h = (37 * h) + TRUSTED_CA_FIELD_NUMBER;
      h = (53 * h) + getTrustedCa().hashCode();
    }
    if (getVerifyCertificateSpkiCount() > 0) {
      h = (37 * h) + VERIFY_CERTIFICATE_SPKI_FIELD_NUMBER;
      h = (53 * h) + getVerifyCertificateSpkiList().hashCode();
    }
    if (getVerifyCertificateHashCount() > 0) {
      h = (37 * h) + VERIFY_CERTIFICATE_HASH_FIELD_NUMBER;
      h = (53 * h) + getVerifyCertificateHashList().hashCode();
    }
    if (getVerifySubjectAltNameCount() > 0) {
      h = (37 * h) + VERIFY_SUBJECT_ALT_NAME_FIELD_NUMBER;
      h = (53 * h) + getVerifySubjectAltNameList().hashCode();
    }
    if (hasRequireOcspStaple()) {
      h = (37 * h) + REQUIRE_OCSP_STAPLE_FIELD_NUMBER;
      h = (53 * h) + getRequireOcspStaple().hashCode();
    }
    if (hasRequireSignedCertificateTimestamp()) {
      h = (37 * h) + REQUIRE_SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER;
      h = (53 * h) + getRequireSignedCertificateTimestamp().hashCode();
    }
    if (hasCrl()) {
      h = (37 * h) + CRL_FIELD_NUMBER;
      h = (53 * h) + getCrl().hashCode();
    }
    // The boolean flag is always mixed in, whether true or false.
    h = (37 * h) + ALLOW_EXPIRED_CERTIFICATE_FIELD_NUMBER;
    h = (53 * h) + com.google.protobuf.Internal.hashBoolean(getAllowExpiredCertificate());
    h = (29 * h) + unknownFields.hashCode();
    memoizedHashCode = h;
    return h;
  }
  return memoizedHashCode;
}
/**
 * Parses a {@code CertificateValidationContext} from a {@code ByteBuffer} via {@code PARSER}.
 *
 * <p>NOTE(review): only the parser is invoked here; the {@code (.validate.rules)} constraints
 * mentioned in this file's field docs do not appear to be applied by this call. Confirm they
 * are enforced elsewhere before a message parsed from an untrusted source is used.
 *
 * @param data serialized message
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException if the parser rejects the data
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    java.nio.ByteBuffer data)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from a {@code ByteBuffer} via {@code PARSER},
 * passing the given extension registry through.
 *
 * @param data serialized message
 * @param extensionRegistry registry handed to the parser
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException if the parser rejects the data
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    java.nio.ByteBuffer data,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data, extensionRegistry);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from a {@code ByteString} via {@code PARSER}.
 *
 * @param data serialized message
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException if the parser rejects the data
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    com.google.protobuf.ByteString data)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from a {@code ByteString} via {@code PARSER},
 * passing the given extension registry through.
 *
 * @param data serialized message
 * @param extensionRegistry registry handed to the parser
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException if the parser rejects the data
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    com.google.protobuf.ByteString data,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data, extensionRegistry);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from a byte array via {@code PARSER}.
 *
 * <p>NOTE(review): no field-level validation is visible on this path; confirm the
 * {@code (.validate.rules)} constraints are checked before the result is trusted.
 *
 * @param data serialized message
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException if the parser rejects the data
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    byte[] data)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from a byte array via {@code PARSER},
 * passing the given extension registry through.
 *
 * @param data serialized message
 * @param extensionRegistry registry handed to the parser
 * @return the parsed message
 * @throws com.google.protobuf.InvalidProtocolBufferException if the parser rejects the data
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    byte[] data,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws com.google.protobuf.InvalidProtocolBufferException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      PARSER.parseFrom(data, extensionRegistry);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from an input stream using
 * {@code GeneratedMessageV3.parseWithIOException} and {@code PARSER}.
 *
 * <p>NOTE(review): no size limit or field-level validation is visible on this path; confirm
 * both are handled by the caller when the stream comes from an untrusted peer.
 *
 * @param input stream to read from
 * @return the parsed message
 * @throws java.io.IOException if reading or parsing fails
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    java.io.InputStream input)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from an input stream using
 * {@code GeneratedMessageV3.parseWithIOException}, {@code PARSER} and the given registry.
 *
 * @param input stream to read from
 * @param extensionRegistry registry handed to the parser
 * @return the parsed message
 * @throws java.io.IOException if reading or parsing fails
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    java.io.InputStream input,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseWithIOException(
          PARSER, input, extensionRegistry);
  return parsed;
}
/**
 * Parses one delimited {@code CertificateValidationContext} from an input stream using
 * {@code GeneratedMessageV3.parseDelimitedWithIOException} and {@code PARSER}.
 *
 * @param input stream to read from
 * @return the parsed message
 * @throws java.io.IOException if reading or parsing fails
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseDelimitedFrom(
    java.io.InputStream input)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(PARSER, input);
  return parsed;
}
/**
 * Parses one delimited {@code CertificateValidationContext} from an input stream using
 * {@code GeneratedMessageV3.parseDelimitedWithIOException}, {@code PARSER} and the given
 * registry.
 *
 * @param input stream to read from
 * @param extensionRegistry registry handed to the parser
 * @return the parsed message
 * @throws java.io.IOException if reading or parsing fails
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseDelimitedFrom(
    java.io.InputStream input,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseDelimitedWithIOException(
          PARSER, input, extensionRegistry);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from a {@code CodedInputStream} using
 * {@code GeneratedMessageV3.parseWithIOException} and {@code PARSER}.
 *
 * @param input coded stream to read from
 * @return the parsed message
 * @throws java.io.IOException if reading or parsing fails
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    com.google.protobuf.CodedInputStream input)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseWithIOException(PARSER, input);
  return parsed;
}
/**
 * Parses a {@code CertificateValidationContext} from a {@code CodedInputStream} using
 * {@code GeneratedMessageV3.parseWithIOException}, {@code PARSER} and the given registry.
 *
 * @param input coded stream to read from
 * @param extensionRegistry registry handed to the parser
 * @return the parsed message
 * @throws java.io.IOException if reading or parsing fails
 */
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parseFrom(
    com.google.protobuf.CodedInputStream input,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws java.io.IOException {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext parsed =
      com.google.protobuf.GeneratedMessageV3.parseWithIOException(
          PARSER, input, extensionRegistry);
  return parsed;
}
/**
 * Returns a fresh builder for this message type; identical to {@link #newBuilder()}.
 *
 * @return a new builder
 */
public Builder newBuilderForType() {
  final Builder fresh = newBuilder();
  return fresh;
}
/**
 * Creates a builder derived from {@code DEFAULT_INSTANCE}.
 *
 * @return a new builder
 */
public static Builder newBuilder() {
  final Builder fresh = DEFAULT_INSTANCE.toBuilder();
  return fresh;
}
/**
 * Creates a builder from {@code DEFAULT_INSTANCE} and merges {@code prototype} into it.
 *
 * @param prototype message whose settings are merged into the new builder
 * @return a new builder carrying the prototype's settings
 */
public static Builder newBuilder(
    io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext prototype) {
  final Builder seeded = DEFAULT_INSTANCE.toBuilder();
  return seeded.mergeFrom(prototype);
}
/**
 * Returns a builder holding this message's settings.
 *
 * <p>For {@code DEFAULT_INSTANCE} an empty builder is returned without a merge step.
 *
 * @return a new builder
 */
public Builder toBuilder() {
  if (this == DEFAULT_INSTANCE) {
    return new Builder();
  }
  return new Builder().mergeFrom(this);
}
/**
 * Creates a builder attached to the given parent.
 *
 * @param parent builder parent passed to the {@code Builder} constructor
 * @return a new builder
 */
@java.lang.Override
protected Builder newBuilderForType(
    com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
  return new Builder(parent);
}
/**
* Protobuf type {@code envoy.api.v2.auth.CertificateValidationContext}
*/
public static final class Builder extends
com.google.protobuf.GeneratedMessageV3.Builder implements
// @@protoc_insertion_point(builder_implements:envoy.api.v2.auth.CertificateValidationContext)
io.envoyproxy.envoy.api.v2.auth.CertificateValidationContextOrBuilder {
/**
 * Returns the descriptor that {@code CertProto} holds for
 * {@code CertificateValidationContext}.
 *
 * @return the message descriptor
 */
public static final com.google.protobuf.Descriptors.Descriptor getDescriptor() {
  final com.google.protobuf.Descriptors.Descriptor descriptor =
      io.envoyproxy.envoy.api.v2.auth.CertProto
          .internal_static_envoy_api_v2_auth_CertificateValidationContext_descriptor;
  return descriptor;
}
/**
 * Returns the field accessor table from {@code CertProto}, after ensuring it is initialized
 * for the message class and this builder class.
 *
 * @return the initialized field accessor table
 */
protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
    internalGetFieldAccessorTable() {
  final com.google.protobuf.GeneratedMessageV3.FieldAccessorTable table =
      io.envoyproxy.envoy.api.v2.auth.CertProto
          .internal_static_envoy_api_v2_auth_CertificateValidationContext_fieldAccessorTable;
  return table.ensureFieldAccessorsInitialized(
      io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.class,
      io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.Builder.class);
}
// Construct using io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.newBuilder()
// Creates an empty builder; every field keeps the default given at its declaration.
private Builder() {
maybeForceBuilderInitialization();
}
// Creates an empty builder and hands the given parent to the superclass constructor.
private Builder(
com.google.protobuf.GeneratedMessageV3.BuilderParent parent) {
super(parent);
maybeForceBuilderInitialization();
}
// Hook called by both constructors. The branch is empty for this message, so the call has
// no effect beyond reading GeneratedMessageV3.alwaysUseFieldBuilders.
private void maybeForceBuilderInitialization() {
if (com.google.protobuf.GeneratedMessageV3
.alwaysUseFieldBuilders) {
}
}
/**
 * Resets every field of this builder to its default and returns the builder.
 *
 * <p>Afterwards no trusted CA, OCSP/SCT requirement or CRL is set, the three string lists are
 * the shared {@code EMPTY} list, and {@code allowExpiredCertificate_} is {@code false}.
 * Per the {@code trusted_ca} field documentation in this file, a context without a trusted
 * CA does not verify a presented peer certificate, so a cleared builder carries no
 * CA-based verification until it is populated again.
 *
 * @return this builder
 */
public Builder clear() {
  super.clear();

  // Value and nested field builder are both dropped for each message-typed field.
  trustedCa_ = null;
  trustedCaBuilder_ = null;

  // Repeated fields go back to the shared empty list and lose their "mutable copy" bit.
  verifyCertificateSpki_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  bitField0_ &= ~0x00000002;
  verifyCertificateHash_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  bitField0_ &= ~0x00000004;
  verifySubjectAltName_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  bitField0_ &= ~0x00000008;

  requireOcspStaple_ = null;
  requireOcspStapleBuilder_ = null;

  requireSignedCertificateTimestamp_ = null;
  requireSignedCertificateTimestampBuilder_ = null;

  crl_ = null;
  crlBuilder_ = null;

  allowExpiredCertificate_ = false;
  return this;
}
/**
 * Returns the descriptor that {@code CertProto} holds for
 * {@code CertificateValidationContext}.
 *
 * @return the message descriptor
 */
public com.google.protobuf.Descriptors.Descriptor getDescriptorForType() {
  final com.google.protobuf.Descriptors.Descriptor descriptor =
      io.envoyproxy.envoy.api.v2.auth.CertProto
          .internal_static_envoy_api_v2_auth_CertificateValidationContext_descriptor;
  return descriptor;
}
/**
 * Returns the default instance of {@code CertificateValidationContext}.
 *
 * @return the default instance
 */
public io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext
    getDefaultInstanceForType() {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext defaults =
      io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.getDefaultInstance();
  return defaults;
}
/**
 * Builds the message and rejects it if it reports itself as uninitialized.
 *
 * <p>NOTE(review): the only check here is {@code isInitialized()}; nothing in this method
 * inspects whether a trusted CA or any pin is configured, so a context that verifies nothing
 * builds successfully. Confirm that semantic checks happen in the consumer.
 *
 * @return the built message
 */
public io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext build() {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext built = buildPartial();
  if (built.isInitialized()) {
    return built;
  }
  throw newUninitializedMessageException(built);
}
/**
 * Copies the builder state into a new message without any initialization check.
 *
 * <p>Message-typed fields come from the nested field builder when one exists, otherwise from
 * the plain field. Each string list that is currently a private mutable copy is swapped for
 * its unmodifiable view (and its bit cleared) before being shared with the message, so the
 * built message cannot be altered through this builder's list afterwards.
 *
 * @return the built message
 */
public io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext buildPartial() {
  final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext message =
      new io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext(this);

  message.trustedCa_ = (trustedCaBuilder_ == null) ? trustedCa_ : trustedCaBuilder_.build();

  if ((bitField0_ & 0x00000002) != 0) {
    verifyCertificateSpki_ = verifyCertificateSpki_.getUnmodifiableView();
    bitField0_ &= ~0x00000002;
  }
  message.verifyCertificateSpki_ = verifyCertificateSpki_;

  if ((bitField0_ & 0x00000004) != 0) {
    verifyCertificateHash_ = verifyCertificateHash_.getUnmodifiableView();
    bitField0_ &= ~0x00000004;
  }
  message.verifyCertificateHash_ = verifyCertificateHash_;

  if ((bitField0_ & 0x00000008) != 0) {
    verifySubjectAltName_ = verifySubjectAltName_.getUnmodifiableView();
    bitField0_ &= ~0x00000008;
  }
  message.verifySubjectAltName_ = verifySubjectAltName_;

  message.requireOcspStaple_ =
      (requireOcspStapleBuilder_ == null)
          ? requireOcspStaple_
          : requireOcspStapleBuilder_.build();
  message.requireSignedCertificateTimestamp_ =
      (requireSignedCertificateTimestampBuilder_ == null)
          ? requireSignedCertificateTimestamp_
          : requireSignedCertificateTimestampBuilder_.build();
  message.crl_ = (crlBuilder_ == null) ? crl_ : crlBuilder_.build();

  message.allowExpiredCertificate_ = allowExpiredCertificate_;
  // The message-side bit field is always written as zero.
  message.bitField0_ = 0;
  onBuilt();
  return message;
}
/**
 * Returns the result of {@code super.clone()} narrowed to this builder type.
 *
 * @return the cloned builder
 */
public Builder clone() {
  final Builder copy = (Builder) super.clone();
  return copy;
}
/**
 * Sets a field by descriptor through the superclass and narrows the result to this type.
 *
 * @param field descriptor of the field to set
 * @param value new value for the field
 * @return the builder returned by the superclass call
 */
public Builder setField(
    com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
  final Builder self = (Builder) super.setField(field, value);
  return self;
}
/**
 * Clears a field by descriptor through the superclass and narrows the result to this type.
 *
 * @param field descriptor of the field to clear
 * @return the builder returned by the superclass call
 */
public Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field) {
  final Builder self = (Builder) super.clearField(field);
  return self;
}
/**
 * Clears a oneof by descriptor through the superclass and narrows the result to this type.
 *
 * @param oneof descriptor of the oneof to clear
 * @return the builder returned by the superclass call
 */
public Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof) {
  final Builder self = (Builder) super.clearOneof(oneof);
  return self;
}
/**
 * Replaces one element of a repeated field by descriptor through the superclass.
 *
 * @param field descriptor of the repeated field
 * @param index position of the element to replace
 * @param value new element value
 * @return the builder returned by the superclass call
 */
public Builder setRepeatedField(
    com.google.protobuf.Descriptors.FieldDescriptor field, int index, java.lang.Object value) {
  final Builder self = (Builder) super.setRepeatedField(field, index, value);
  return self;
}
/**
 * Appends an element to a repeated field by descriptor through the superclass.
 *
 * @param field descriptor of the repeated field
 * @param value element to append
 * @return the builder returned by the superclass call
 */
public Builder addRepeatedField(
    com.google.protobuf.Descriptors.FieldDescriptor field, java.lang.Object value) {
  final Builder self = (Builder) super.addRepeatedField(field, value);
  return self;
}
/**
 * Merges another message into this builder.
 *
 * <p>A {@code CertificateValidationContext} is routed to the typed overload; any other
 * message goes to the superclass implementation.
 *
 * @param other message to merge
 * @return this builder
 */
public Builder mergeFrom(com.google.protobuf.Message other) {
  final boolean sameType =
      other instanceof io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
  if (!sameType) {
    super.mergeFrom(other);
    return this;
  }
  return mergeFrom((io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext) other);
}
/**
 * Merges the settings of {@code other} into this builder.
 *
 * <p>Merging is additive, which matters when layering TLS validation settings:
 * <ul>
 *   <li>The SPKI, hash and subject-alt-name lists of {@code other} are appended to the
 *       existing entries, never substituted for them, so the merged lists accept everything
 *       either side listed.</li>
 *   <li>{@code allow_expired_certificate} is copied only when it is {@code true} in
 *       {@code other}; a {@code false} there leaves an existing {@code true} in place.</li>
 *   <li>Message-typed fields are merged only when set in {@code other}.</li>
 * </ul>
 * The default instance is a no-op.
 *
 * @param other message whose settings are merged in
 * @return this builder
 */
public Builder mergeFrom(io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext other) {
  if (other
      == io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext.getDefaultInstance()) {
    return this;
  }
  if (other.hasTrustedCa()) {
    mergeTrustedCa(other.getTrustedCa());
  }

  if (!other.verifyCertificateSpki_.isEmpty()) {
    if (!verifyCertificateSpki_.isEmpty()) {
      ensureVerifyCertificateSpkiIsMutable();
      verifyCertificateSpki_.addAll(other.verifyCertificateSpki_);
    } else {
      // Nothing local yet: share the other message's list and mark it as not owned.
      verifyCertificateSpki_ = other.verifyCertificateSpki_;
      bitField0_ &= ~0x00000002;
    }
    onChanged();
  }

  if (!other.verifyCertificateHash_.isEmpty()) {
    if (!verifyCertificateHash_.isEmpty()) {
      ensureVerifyCertificateHashIsMutable();
      verifyCertificateHash_.addAll(other.verifyCertificateHash_);
    } else {
      verifyCertificateHash_ = other.verifyCertificateHash_;
      bitField0_ &= ~0x00000004;
    }
    onChanged();
  }

  if (!other.verifySubjectAltName_.isEmpty()) {
    if (!verifySubjectAltName_.isEmpty()) {
      ensureVerifySubjectAltNameIsMutable();
      verifySubjectAltName_.addAll(other.verifySubjectAltName_);
    } else {
      verifySubjectAltName_ = other.verifySubjectAltName_;
      bitField0_ &= ~0x00000008;
    }
    onChanged();
  }

  if (other.hasRequireOcspStaple()) {
    mergeRequireOcspStaple(other.getRequireOcspStaple());
  }
  if (other.hasRequireSignedCertificateTimestamp()) {
    mergeRequireSignedCertificateTimestamp(other.getRequireSignedCertificateTimestamp());
  }
  if (other.hasCrl()) {
    mergeCrl(other.getCrl());
  }

  // Only a true value propagates; merging can switch expiry tolerance on but not off.
  if (other.getAllowExpiredCertificate()) {
    setAllowExpiredCertificate(other.getAllowExpiredCertificate());
  }

  this.mergeUnknownFields(other.unknownFields);
  onChanged();
  return this;
}
// Always true: this builder reports itself as initialized whatever its contents, so this
// check says nothing about whether a trusted CA or any pin has been configured.
public final boolean isInitialized() {
return true;
}
/**
 * Parses a message from {@code input} and merges it into this builder.
 *
 * <p>On a parse failure the partially parsed message attached to the exception is still
 * merged (in the {@code finally} block) before the exception propagates. A caller that
 * catches the {@code IOException} and keeps using this builder is therefore working with
 * partially applied settings.
 *
 * @param input coded stream to read from
 * @param extensionRegistry registry handed to the parser
 * @return this builder
 * @throws java.io.IOException if parsing fails
 */
public Builder mergeFrom(
    com.google.protobuf.CodedInputStream input,
    com.google.protobuf.ExtensionRegistryLite extensionRegistry)
    throws java.io.IOException {
  io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext partial = null;
  try {
    partial = PARSER.parsePartialFrom(input, extensionRegistry);
  } catch (com.google.protobuf.InvalidProtocolBufferException parseFailure) {
    // Keep whatever was read before the failure so the finally block can merge it.
    partial =
        (io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext)
            parseFailure.getUnfinishedMessage();
    throw parseFailure.unwrapIOException();
  } finally {
    if (partial != null) {
      mergeFrom(partial);
    }
  }
  return this;
}
// Bits 0x2, 0x4 and 0x8 mark the SPKI, hash and subject-alt-name lists as private mutable
// copies owned by this builder; they are set on first mutation and cleared on build/clear.
private int bitField0_;
// trusted_ca value while no nested field builder exists; null means the field is unset.
private io.envoyproxy.envoy.api.v2.core.DataSource trustedCa_ = null;
// Nested builder for trusted_ca, created on demand; once it exists it holds the value and
// trustedCa_ is reset to null.
private com.google.protobuf.SingleFieldBuilderV3<
io.envoyproxy.envoy.api.v2.core.DataSource, io.envoyproxy.envoy.api.v2.core.DataSource.Builder, io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder> trustedCaBuilder_;
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public boolean hasTrustedCa() {
  // Set when either the nested field builder or the plain value is present.
  final boolean absent = trustedCaBuilder_ == null && trustedCa_ == null;
  return !absent;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public io.envoyproxy.envoy.api.v2.core.DataSource getTrustedCa() {
  // A nested field builder, once created, is the source of truth.
  if (trustedCaBuilder_ != null) {
    return trustedCaBuilder_.getMessage();
  }
  // An unset field yields the DataSource default instance, never null; use hasTrustedCa()
  // to tell "unset" apart from an explicitly configured value.
  if (trustedCa_ == null) {
    return io.envoyproxy.envoy.api.v2.core.DataSource.getDefaultInstance();
  }
  return trustedCa_;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public Builder setTrustedCa(io.envoyproxy.envoy.api.v2.core.DataSource value) {
  if (trustedCaBuilder_ != null) {
    // With a nested field builder the value is handed over to it as-is.
    trustedCaBuilder_.setMessage(value);
    return this;
  }
  // Without a field builder a null value is rejected here.
  if (value == null) {
    throw new NullPointerException();
  }
  trustedCa_ = value;
  onChanged();
  return this;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public Builder setTrustedCa(
    io.envoyproxy.envoy.api.v2.core.DataSource.Builder builderForValue) {
  // The supplied builder is built once; the result replaces any previous trusted_ca.
  final io.envoyproxy.envoy.api.v2.core.DataSource built = builderForValue.build();
  if (trustedCaBuilder_ != null) {
    trustedCaBuilder_.setMessage(built);
    return this;
  }
  trustedCa_ = built;
  onChanged();
  return this;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public Builder mergeTrustedCa(io.envoyproxy.envoy.api.v2.core.DataSource value) {
  if (trustedCaBuilder_ != null) {
    trustedCaBuilder_.mergeFrom(value);
    return this;
  }
  // An existing value is merged with the new one; otherwise the new value is stored as-is.
  // There is no null check on this path.
  trustedCa_ =
      (trustedCa_ == null)
          ? value
          : io.envoyproxy.envoy.api.v2.core.DataSource.newBuilder(trustedCa_)
              .mergeFrom(value)
              .buildPartial();
  onChanged();
  return this;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public Builder clearTrustedCa() {
  // Removes the trusted CA entirely. Per the field documentation, a context without
  // trusted_ca does not verify a presented peer certificate.
  final boolean hadFieldBuilder = trustedCaBuilder_ != null;
  trustedCa_ = null;
  trustedCaBuilder_ = null;
  // onChanged() is only raised on the path that had no nested field builder.
  if (!hadFieldBuilder) {
    onChanged();
  }
  return this;
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public io.envoyproxy.envoy.api.v2.core.DataSource.Builder getTrustedCaBuilder() {
  // Asking for the nested builder counts as a change, and creates the field builder if it
  // does not exist yet.
  onChanged();
  final com.google.protobuf.SingleFieldBuilderV3<
          io.envoyproxy.envoy.api.v2.core.DataSource,
          io.envoyproxy.envoy.api.v2.core.DataSource.Builder,
          io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder>
      fieldBuilder = getTrustedCaFieldBuilder();
  return fieldBuilder.getBuilder();
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
public io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder getTrustedCaOrBuilder() {
  if (trustedCaBuilder_ == null) {
    // No nested builder: return the stored value, or the default instance when unset.
    if (trustedCa_ == null) {
      return io.envoyproxy.envoy.api.v2.core.DataSource.getDefaultInstance();
    }
    return trustedCa_;
  }
  return trustedCaBuilder_.getMessageOrBuilder();
}
/**
*
* TLS certificate data containing certificate authority certificates to use in verifying
* a presented peer certificate (e.g. server certificate for clusters or client certificate
* for listeners). If not specified and a peer certificate is presented it will not be
* verified. By default, a client certificate is optional, unless one of the additional
* options (:ref:`require_client_certificate
* <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
* :ref:`verify_subject_alt_name
* <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
* specified.
* It can optionally contain certificate revocation lists, in which case Envoy will verify
* that the presented peer certificate has not been revoked by one of the included CRLs.
* See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
* system CA locations.
*
*
* .envoy.api.v2.core.DataSource trusted_ca = 1;
*/
private com.google.protobuf.SingleFieldBuilderV3<
        io.envoyproxy.envoy.api.v2.core.DataSource,
        io.envoyproxy.envoy.api.v2.core.DataSource.Builder,
        io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder>
    getTrustedCaFieldBuilder() {
  if (trustedCaBuilder_ != null) {
    return trustedCaBuilder_;
  }
  // First use: seed the field builder with the current value, then hand ownership over by
  // clearing the plain field.
  trustedCaBuilder_ =
      new com.google.protobuf.SingleFieldBuilderV3<
          io.envoyproxy.envoy.api.v2.core.DataSource,
          io.envoyproxy.envoy.api.v2.core.DataSource.Builder,
          io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder>(
          getTrustedCa(), getParentForChildren(), isClean());
  trustedCa_ = null;
  return trustedCaBuilder_;
}
// SPKI pin list; starts as the LazyStringArrayList.EMPTY constant and is replaced by a
// private copy (bit 0x2 of bitField0_) the first time it is mutated.
private com.google.protobuf.LazyStringList verifyCertificateSpki_ = com.google.protobuf.LazyStringArrayList.EMPTY;
/**
 * Makes sure {@code verifyCertificateSpki_} is a private copy before it is modified.
 *
 * <p>Bit {@code 0x2} of {@code bitField0_} records that the copy has been made, so a list
 * shared with another message or the {@code EMPTY} constant is never mutated in place.
 */
private void ensureVerifyCertificateSpkiIsMutable() {
  if ((bitField0_ & 0x00000002) == 0x00000002) {
    return;
  }
  verifyCertificateSpki_ =
      new com.google.protobuf.LazyStringArrayList(verifyCertificateSpki_);
  bitField0_ |= 0x00000002;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList() {
  // Callers get a read-only view; pins can only be changed through the builder's setters.
  final com.google.protobuf.ProtocolStringList readOnly =
      verifyCertificateSpki_.getUnmodifiableView();
  return readOnly;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public int getVerifyCertificateSpkiCount() {
  // Number of SPKI pins currently held by this builder.
  final int pinCount = verifyCertificateSpki_.size();
  return pinCount;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public java.lang.String getVerifyCertificateSpki(int index) {
  // Returns the pin at the given position exactly as it was stored.
  final java.lang.String pin = verifyCertificateSpki_.get(index);
  return pin;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index) {
  // Same list entry that getVerifyCertificateSpki(index) reads, exposed as a ByteString.
  final com.google.protobuf.ByteString rawPin = verifyCertificateSpki_.getByteString(index);
  return rawPin;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public Builder setVerifyCertificateSpki(int index, java.lang.String value) {
  // Only null is rejected in this method; the string is not checked to be a
  // base64-encoded SHA-256 digest before it replaces the entry at index.
  java.util.Objects.requireNonNull(value);
  ensureVerifyCertificateSpkiIsMutable();
  verifyCertificateSpki_.set(index, value);
  onChanged();
  return this;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public Builder addVerifyCertificateSpki(java.lang.String value) {
  // Only null is rejected in this method; the pin is appended exactly as given.
  // Per the field's Javadoc a match on any listed value is enough for acceptance,
  // so every appended entry widens the set of accepted keys.
  java.util.Objects.requireNonNull(value);
  ensureVerifyCertificateSpkiIsMutable();
  verifyCertificateSpki_.add(value);
  onChanged();
  return this;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
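public Builder addAllVerifyCertificateSpki(java.lang.Iterable<java.lang.String> values) {
  // values: SPKI pin strings to append to the list. The parameter is typed
  // Iterable<String>; a raw Iterable would let non-String elements reach the
  // pin list with nothing more than an unchecked warning at compile time.
  // Entries are not validated as base64 SHA-256 digests in this method.
  // Returns this builder for chaining.
  ensureVerifyCertificateSpkiIsMutable();
  com.google.protobuf.AbstractMessageLite.Builder.addAll(values, verifyCertificateSpki_);
  onChanged();
  return this;
}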
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public Builder clearVerifyCertificateSpki() {
  // Drops every SPKI pin from the message being built. The field's Javadoc says the
  // SPKI check applies "if specified", so an emptied list means no SPKI pinning.
  verifyCertificateSpki_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  bitField0_ &= ~0x00000002; // clear this field's bit in bitField0_
  onChanged();
  return this;
}
/**
*
* An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
* SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
* matches one of the specified values.
* A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -pubkey \
* | openssl pkey -pubin -outform DER \
* | openssl dgst -sha256 -binary \
* | openssl enc -base64
* NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
* This is the format used in HTTP Public Key Pinning.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
* .. attention::
* This option is preferred over :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
* because SPKI is tied to a private key, so it doesn't change when the certificate
* is renewed using the same private key.
*
*
* repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
*/
public Builder addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value) {
  java.util.Objects.requireNonNull(value);
  // UTF-8 well-formedness is the only content check applied before the bytes are stored;
  // nothing here verifies that they form a base64-encoded SHA-256 digest.
  checkByteStringIsUtf8(value);
  ensureVerifyCertificateSpkiIsMutable();
  verifyCertificateSpki_.add(value);
  onChanged();
  return this;
}
// Backing list for verify_certificate_hash; starts as the shared EMPTY instance.
private com.google.protobuf.LazyStringList verifyCertificateHash_ = com.google.protobuf.LazyStringArrayList.EMPTY;
// Replaces the list with a fresh LazyStringArrayList copy before its first modification;
// bit 0x00000004 of bitField0_ records that the copy has already been made.
private void ensureVerifyCertificateHashIsMutable() {
  final boolean alreadyCopied = (bitField0_ & 0x00000004) == 0x00000004;
  if (alreadyCopied) {
    return;
  }
  verifyCertificateHash_ = new com.google.protobuf.LazyStringArrayList(verifyCertificateHash_);
  bitField0_ |= 0x00000004;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList() {
  // Hands out an unmodifiable view, so the configured fingerprints cannot be
  // altered through the returned list.
  final com.google.protobuf.ProtocolStringList readOnlyHashes =
      verifyCertificateHash_.getUnmodifiableView();
  return readOnlyHashes;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public int getVerifyCertificateHashCount() {
  // Number of certificate fingerprints currently in the list.
  final int hashCount = verifyCertificateHash_.size();
  return hashCount;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public java.lang.String getVerifyCertificateHash(int index) {
  // Returns the fingerprint string exactly as it was stored (plain hex or colon-separated).
  final java.lang.String fingerprint = verifyCertificateHash_.get(index);
  return fingerprint;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index) {
  // Same list entry that getVerifyCertificateHash(index) reads, exposed as a ByteString.
  final com.google.protobuf.ByteString rawFingerprint = verifyCertificateHash_.getByteString(index);
  return rawFingerprint;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public Builder setVerifyCertificateHash(int index, java.lang.String value) {
  // Only null is rejected in this method. The plain-hex and colon-separated forms
  // described in the Javadoc are neither validated nor normalised here.
  java.util.Objects.requireNonNull(value);
  ensureVerifyCertificateHashIsMutable();
  verifyCertificateHash_.set(index, value);
  onChanged();
  return this;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public Builder addVerifyCertificateHash(java.lang.String value) {
  // Only null is rejected in this method; the fingerprint is appended as given.
  // A whole-certificate hash changes on every renewal, which is why the SPKI
  // field's Javadoc calls verify_certificate_spki the preferred option.
  java.util.Objects.requireNonNull(value);
  ensureVerifyCertificateHashIsMutable();
  verifyCertificateHash_.add(value);
  onChanged();
  return this;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
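public Builder addAllVerifyCertificateHash(java.lang.Iterable<java.lang.String> values) {
  // values: certificate fingerprint strings to append to the list. The parameter is
  // typed Iterable<String>; a raw Iterable would let non-String elements reach the
  // fingerprint list with nothing more than an unchecked warning at compile time.
  // Entries are not validated as hex SHA-256 digests in this method.
  // Returns this builder for chaining.
  ensureVerifyCertificateHashIsMutable();
  com.google.protobuf.AbstractMessageLite.Builder.addAll(values, verifyCertificateHash_);
  onChanged();
  return this;
}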
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public Builder clearVerifyCertificateHash() {
  // Drops every certificate fingerprint from the message being built. The field's Javadoc
  // says the hash check applies "if specified", so an emptied list means no hash pinning.
  verifyCertificateHash_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  bitField0_ &= ~0x00000004; // the next write copies the list again (see ensureVerifyCertificateHashIsMutable)
  onChanged();
  return this;
}
/**
*
* An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
* the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
* A hex-encoded SHA-256 of the certificate can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
* df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
* A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
* can be generated with the following command:
* .. code-block:: bash
* $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
* DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
* Both of those formats are acceptable.
* When both:
* :ref:`verify_certificate_hash
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
* :ref:`verify_certificate_spki
* <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
* a hash matching value from either of the lists will result in the certificate being accepted.
*
*
* repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }
*/
public Builder addVerifyCertificateHashBytes(com.google.protobuf.ByteString value) {
  java.util.Objects.requireNonNull(value);
  // UTF-8 well-formedness is the only content check applied before the bytes are stored;
  // nothing here verifies that they form a hex-encoded SHA-256 digest.
  checkByteStringIsUtf8(value);
  ensureVerifyCertificateHashIsMutable();
  verifyCertificateHash_.add(value);
  onChanged();
  return this;
}
// Backing list for verify_subject_alt_name; starts as the shared EMPTY instance.
private com.google.protobuf.LazyStringList verifySubjectAltName_ = com.google.protobuf.LazyStringArrayList.EMPTY;
// Replaces the list with a fresh LazyStringArrayList copy before its first modification;
// bit 0x00000008 of bitField0_ records that the copy has already been made.
private void ensureVerifySubjectAltNameIsMutable() {
  final boolean alreadyCopied = (bitField0_ & 0x00000008) == 0x00000008;
  if (alreadyCopied) {
    return;
  }
  verifySubjectAltName_ = new com.google.protobuf.LazyStringArrayList(verifySubjectAltName_);
  bitField0_ |= 0x00000008;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public com.google.protobuf.ProtocolStringList getVerifySubjectAltNameList() {
  // Hands out an unmodifiable view, so the configured SAN list cannot be
  // altered through the returned list.
  final com.google.protobuf.ProtocolStringList readOnlyNames =
      verifySubjectAltName_.getUnmodifiableView();
  return readOnlyNames;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public int getVerifySubjectAltNameCount() {
  // Number of Subject Alternative Names currently in the list.
  final int nameCount = verifySubjectAltName_.size();
  return nameCount;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public java.lang.String getVerifySubjectAltName(int index) {
  // Returns the stored SAN string as-is; matching against a certificate does not happen here.
  final java.lang.String altName = verifySubjectAltName_.get(index);
  return altName;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index) {
  // Same list entry that getVerifySubjectAltName(index) reads, exposed as a ByteString.
  final com.google.protobuf.ByteString rawAltName = verifySubjectAltName_.getByteString(index);
  return rawAltName;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public Builder setVerifySubjectAltName(int index, java.lang.String value) {
  // Only null is rejected in this method. The field's Javadoc requires SAN matching to be
  // combined with trusted_ca; this method does not check that trusted_ca is set.
  java.util.Objects.requireNonNull(value);
  ensureVerifySubjectAltNameIsMutable();
  verifySubjectAltName_.set(index, value);
  onChanged();
  return this;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public Builder addVerifySubjectAltName(java.lang.String value) {
  // Only null is rejected in this method. The field's Javadoc requires SAN matching to be
  // combined with trusted_ca; this method does not check that trusted_ca is set, so that
  // pairing has to be verified wherever the finished message is reviewed or loaded.
  java.util.Objects.requireNonNull(value);
  ensureVerifySubjectAltNameIsMutable();
  verifySubjectAltName_.add(value);
  onChanged();
  return this;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
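public Builder addAllVerifySubjectAltName(java.lang.Iterable<java.lang.String> values) {
  // values: Subject Alternative Name strings to append to the list. The parameter is
  // typed Iterable<String>; a raw Iterable would let non-String elements reach the
  // SAN list with nothing more than an unchecked warning at compile time.
  // This method does not check that trusted_ca is set, which the field's Javadoc requires.
  // Returns this builder for chaining.
  ensureVerifySubjectAltNameIsMutable();
  com.google.protobuf.AbstractMessageLite.Builder.addAll(values, verifySubjectAltName_);
  onChanged();
  return this;
}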
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public Builder clearVerifySubjectAltName() {
  // Drops every SAN entry from the message being built. The field's Javadoc says the
  // SAN check applies "if specified", so an emptied list means no SAN matching.
  verifySubjectAltName_ = com.google.protobuf.LazyStringArrayList.EMPTY;
  bitField0_ &= ~0x00000008; // the next write copies the list again (see ensureVerifySubjectAltNameIsMutable)
  onChanged();
  return this;
}
/**
*
* An optional list of Subject Alternative Names. If specified, Envoy will verify that the
* Subject Alternative Name of the presented certificate matches one of the specified values.
* .. attention::
* Subject Alternative Names are easily spoofable and verifying only them is insecure,
* therefore this option must be used together with :ref:`trusted_ca
* <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
*
*
* repeated string verify_subject_alt_name = 4;
*/
public Builder addVerifySubjectAltNameBytes(com.google.protobuf.ByteString value) {
  java.util.Objects.requireNonNull(value);
  // UTF-8 well-formedness is the only content check applied before the bytes are stored.
  checkByteStringIsUtf8(value);
  ensureVerifySubjectAltNameIsMutable();
  verifySubjectAltName_.add(value);
  onChanged();
  return this;
}
// Value of require_ocsp_staple while no nested builder exists; hasRequireOcspStaple()
// treats the field as unset when both this and requireOcspStapleBuilder_ are null.
private com.google.protobuf.BoolValue requireOcspStaple_ = null;
// Nested builder, created on the first call to getRequireOcspStapleFieldBuilder(), which
// also nulls requireOcspStaple_; once it exists the accessors below delegate to it.
private com.google.protobuf.SingleFieldBuilderV3<
com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder> requireOcspStapleBuilder_;
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public boolean hasRequireOcspStaple() {
  // Present if either representation exists: the nested builder or the plain message.
  if (requireOcspStapleBuilder_ != null) {
    return true;
  }
  return requireOcspStaple_ != null;
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public com.google.protobuf.BoolValue getRequireOcspStaple() {
  if (requireOcspStapleBuilder_ != null) {
    return requireOcspStapleBuilder_.getMessage();
  }
  // An unset field reads as BoolValue's default instance rather than null;
  // hasRequireOcspStaple() is what distinguishes "unset" from an explicit value.
  if (requireOcspStaple_ == null) {
    return com.google.protobuf.BoolValue.getDefaultInstance();
  }
  return requireOcspStaple_;
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public Builder setRequireOcspStaple(com.google.protobuf.BoolValue value) {
  // NOTE(review): the field's Javadoc carries [#not-implemented-hide:], so setting it
  // presumably does not make Envoy enforce OCSP stapling in this API version -- confirm
  // before relying on it as a control.
  if (requireOcspStapleBuilder_ != null) {
    requireOcspStapleBuilder_.setMessage(value);
    return this;
  }
  java.util.Objects.requireNonNull(value);
  requireOcspStaple_ = value;
  onChanged();
  return this;
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public Builder setRequireOcspStaple(com.google.protobuf.BoolValue.Builder builderForValue) {
  // Builds the message once, then stores it in whichever representation is active.
  final com.google.protobuf.BoolValue built = builderForValue.build();
  if (requireOcspStapleBuilder_ != null) {
    requireOcspStapleBuilder_.setMessage(built);
  } else {
    requireOcspStaple_ = built;
    onChanged();
  }
  return this;
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public Builder mergeRequireOcspStaple(com.google.protobuf.BoolValue value) {
  if (requireOcspStapleBuilder_ != null) {
    requireOcspStapleBuilder_.mergeFrom(value);
    return this;
  }
  // With no existing value the argument is adopted directly; otherwise it is merged
  // into a copy of the current value. Unlike the setter, there is no null check here.
  requireOcspStaple_ = (requireOcspStaple_ == null)
      ? value
      : com.google.protobuf.BoolValue.newBuilder(requireOcspStaple_).mergeFrom(value).buildPartial();
  onChanged();
  return this;
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public Builder clearRequireOcspStaple() {
  // The plain value is dropped in both cases; onChanged() is only called when no
  // nested builder existed, and an existing nested builder is discarded instead.
  final boolean hadNestedBuilder = requireOcspStapleBuilder_ != null;
  requireOcspStaple_ = null;
  if (hadNestedBuilder) {
    requireOcspStapleBuilder_ = null;
  } else {
    onChanged();
  }
  return this;
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public com.google.protobuf.BoolValue.Builder getRequireOcspStapleBuilder() {
  // onChanged() runs before the builder is handed out -- presumably because the caller
  // can mutate the field through the returned builder.
  onChanged();
  final com.google.protobuf.SingleFieldBuilderV3<
      com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder>
      fieldBuilder = getRequireOcspStapleFieldBuilder();
  return fieldBuilder.getBuilder();
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
public com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder() {
  // Falls back to the plain message (or BoolValue's default instance when unset)
  // when no nested builder has been created.
  if (requireOcspStapleBuilder_ == null) {
    if (requireOcspStaple_ == null) {
      return com.google.protobuf.BoolValue.getDefaultInstance();
    }
    return requireOcspStaple_;
  }
  return requireOcspStapleBuilder_.getMessageOrBuilder();
}
/**
*
* [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
*
*
* .google.protobuf.BoolValue require_ocsp_staple = 5;
*/
private com.google.protobuf.SingleFieldBuilderV3<
    com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder>
    getRequireOcspStapleFieldBuilder() {
  if (requireOcspStapleBuilder_ != null) {
    return requireOcspStapleBuilder_;
  }
  // First use: seed the nested builder with the current value, then null the plain
  // field so the builder becomes the single holder of the value.
  requireOcspStapleBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
      com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder>(
          getRequireOcspStaple(),
          getParentForChildren(),
          isClean());
  requireOcspStaple_ = null;
  return requireOcspStapleBuilder_;
}
// Value of require_signed_certificate_timestamp while no nested builder is in use;
// hasRequireSignedCertificateTimestamp() treats the field as unset when both this
// and requireSignedCertificateTimestampBuilder_ are null.
private com.google.protobuf.BoolValue requireSignedCertificateTimestamp_ = null;
// Nested builder; when non-null, the getter and setter below delegate to it.
private com.google.protobuf.SingleFieldBuilderV3<
com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder> requireSignedCertificateTimestampBuilder_;
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public boolean hasRequireSignedCertificateTimestamp() {
  // The field counts as present if either holder (nested builder or plain message) is set.
  if (requireSignedCertificateTimestampBuilder_ != null) {
    return true;
  }
  return requireSignedCertificateTimestamp_ != null;
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp() {
  // A nested builder, when present, owns the current value.
  if (requireSignedCertificateTimestampBuilder_ != null) {
    return requireSignedCertificateTimestampBuilder_.getMessage();
  }
  // Never returns null: an unset field reads as the BoolValue default instance,
  // so callers that need "unset vs. false" must check hasRequireSignedCertificateTimestamp().
  if (requireSignedCertificateTimestamp_ == null) {
    return com.google.protobuf.BoolValue.getDefaultInstance();
  }
  return requireSignedCertificateTimestamp_;
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value) {
  // NOTE(review): the field doc tags require_signed_certificate_timestamp as
  // [#not-implemented-hide:]; presumably setting it does not make Envoy enforce SCT
  // presence. Confirm against the Envoy version in use before relying on it.
  if (requireSignedCertificateTimestampBuilder_ != null) {
    // Null handling on this path is left to the nested builder.
    requireSignedCertificateTimestampBuilder_.setMessage(value);
    return this;
  }
  if (value == null) {
    throw new NullPointerException();
  }
  requireSignedCertificateTimestamp_ = value;
  onChanged();
  return this;
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public Builder setRequireSignedCertificateTimestamp(
    com.google.protobuf.BoolValue.Builder builderForValue) {
  // Both paths store the built message, so build it once up front.
  final com.google.protobuf.BoolValue built = builderForValue.build();
  if (requireSignedCertificateTimestampBuilder_ != null) {
    requireSignedCertificateTimestampBuilder_.setMessage(built);
  } else {
    requireSignedCertificateTimestamp_ = built;
    onChanged();
  }
  return this;
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public Builder mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value) {
  // With a nested builder in place, merging is delegated to it.
  if (requireSignedCertificateTimestampBuilder_ != null) {
    requireSignedCertificateTimestampBuilder_.mergeFrom(value);
    return this;
  }
  // Otherwise merge into the stored message, or adopt the incoming one when nothing is stored.
  requireSignedCertificateTimestamp_ = (requireSignedCertificateTimestamp_ == null)
      ? value
      : com.google.protobuf.BoolValue.newBuilder(requireSignedCertificateTimestamp_)
          .mergeFrom(value)
          .buildPartial();
  onChanged();
  return this;
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public Builder clearRequireSignedCertificateTimestamp() {
  // The plain message reference is dropped on both paths.
  requireSignedCertificateTimestamp_ = null;
  if (requireSignedCertificateTimestampBuilder_ != null) {
    // A nested builder existed: discard it as well. This path does not call onChanged().
    requireSignedCertificateTimestampBuilder_ = null;
  } else {
    onChanged();
  }
  return this;
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public com.google.protobuf.BoolValue.Builder getRequireSignedCertificateTimestampBuilder() {
  // onChanged() is invoked before the nested builder is handed to the caller.
  onChanged();
  com.google.protobuf.SingleFieldBuilderV3<
      com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder>
      fieldBuilder = getRequireSignedCertificateTimestampFieldBuilder();
  return fieldBuilder.getBuilder();
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder() {
  // No nested builder: answer from the stored message, or the default instance when unset.
  if (requireSignedCertificateTimestampBuilder_ == null) {
    if (requireSignedCertificateTimestamp_ != null) {
      return requireSignedCertificateTimestamp_;
    }
    return com.google.protobuf.BoolValue.getDefaultInstance();
  }
  // A nested builder exists, so it is the source of truth for this field.
  return requireSignedCertificateTimestampBuilder_.getMessageOrBuilder();
}
/**
*
* [#not-implemented-hide:] Must present signed certificate time-stamp.
*
*
* .google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
*/
private com.google.protobuf.SingleFieldBuilderV3<
    com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder>
    getRequireSignedCertificateTimestampFieldBuilder() {
  // Already created: reuse it.
  if (requireSignedCertificateTimestampBuilder_ != null) {
    return requireSignedCertificateTimestampBuilder_;
  }
  // First use: seed the nested builder with the current value, then drop the plain
  // reference so the value is held in one place only.
  requireSignedCertificateTimestampBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
      com.google.protobuf.BoolValue, com.google.protobuf.BoolValue.Builder, com.google.protobuf.BoolValueOrBuilder>(
          getRequireSignedCertificateTimestamp(),
          getParentForChildren(),
          isClean());
  requireSignedCertificateTimestamp_ = null;
  return requireSignedCertificateTimestampBuilder_;
}
// Value of crl (field 7) while no nested builder exists.
// hasCrl() reports false when both this and the builder are null.
private io.envoyproxy.envoy.api.v2.core.DataSource crl_ = null;
// Nested builder for the same field, created on demand by getCrlFieldBuilder();
// once it exists the accessors go through it.
private com.google.protobuf.SingleFieldBuilderV3<
io.envoyproxy.envoy.api.v2.core.DataSource, io.envoyproxy.envoy.api.v2.core.DataSource.Builder, io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder> crlBuilder_;
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public boolean hasCrl() {
  // Present if either holder (nested builder or plain message) is set. Per the field
  // doc, revocation is checked against a CRL only when this field is specified.
  if (crlBuilder_ != null) {
    return true;
  }
  return crl_ != null;
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public io.envoyproxy.envoy.api.v2.core.DataSource getCrl() {
  // A nested builder, when present, owns the current value.
  if (crlBuilder_ != null) {
    return crlBuilder_.getMessage();
  }
  // Never returns null: an unset field reads as the DataSource default instance,
  // so use hasCrl() to tell "no CRL configured" apart from a configured one.
  if (crl_ == null) {
    return io.envoyproxy.envoy.api.v2.core.DataSource.getDefaultInstance();
  }
  return crl_;
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public Builder setCrl(io.envoyproxy.envoy.api.v2.core.DataSource value) {
  // The DataSource is stored as given; nothing here checks that it holds well-formed
  // PEM or a current CRL, so that has to be verified where the data is produced.
  if (crlBuilder_ != null) {
    // Null handling on this path is left to the nested builder.
    crlBuilder_.setMessage(value);
    return this;
  }
  if (value == null) {
    throw new NullPointerException();
  }
  crl_ = value;
  onChanged();
  return this;
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public Builder setCrl(
    io.envoyproxy.envoy.api.v2.core.DataSource.Builder builderForValue) {
  // Both paths store the built message, so build it once up front.
  final io.envoyproxy.envoy.api.v2.core.DataSource built = builderForValue.build();
  if (crlBuilder_ != null) {
    crlBuilder_.setMessage(built);
  } else {
    crl_ = built;
    onChanged();
  }
  return this;
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public Builder mergeCrl(io.envoyproxy.envoy.api.v2.core.DataSource value) {
  // With a nested builder in place, merging is delegated to it.
  if (crlBuilder_ != null) {
    crlBuilder_.mergeFrom(value);
    return this;
  }
  // Otherwise merge into the stored DataSource, or adopt the incoming one when nothing is stored.
  crl_ = (crl_ == null)
      ? value
      : io.envoyproxy.envoy.api.v2.core.DataSource.newBuilder(crl_)
          .mergeFrom(value)
          .buildPartial();
  onChanged();
  return this;
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public Builder clearCrl() {
  // After this call hasCrl() is false. Per the field doc, Envoy checks revocation
  // against a CRL only when one is specified, so a context built afterwards carries none.
  crl_ = null;
  if (crlBuilder_ != null) {
    // A nested builder existed: discard it as well. This path does not call onChanged().
    crlBuilder_ = null;
  } else {
    onChanged();
  }
  return this;
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public io.envoyproxy.envoy.api.v2.core.DataSource.Builder getCrlBuilder() {
  // onChanged() is invoked before the nested builder is handed to the caller.
  onChanged();
  com.google.protobuf.SingleFieldBuilderV3<
      io.envoyproxy.envoy.api.v2.core.DataSource, io.envoyproxy.envoy.api.v2.core.DataSource.Builder, io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder>
      fieldBuilder = getCrlFieldBuilder();
  return fieldBuilder.getBuilder();
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
public io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder getCrlOrBuilder() {
  // No nested builder: answer from the stored message, or the default instance when unset.
  if (crlBuilder_ == null) {
    if (crl_ != null) {
      return crl_;
    }
    return io.envoyproxy.envoy.api.v2.core.DataSource.getDefaultInstance();
  }
  // A nested builder exists, so it is the source of truth for this field.
  return crlBuilder_.getMessageOrBuilder();
}
/**
*
* An optional `certificate revocation list
* <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
* (in PEM format). If specified, Envoy will verify that the presented peer
* certificate has not been revoked by this CRL. If this DataSource contains
* multiple CRLs, all of them will be used.
*
*
* .envoy.api.v2.core.DataSource crl = 7;
*/
private com.google.protobuf.SingleFieldBuilderV3<
    io.envoyproxy.envoy.api.v2.core.DataSource, io.envoyproxy.envoy.api.v2.core.DataSource.Builder, io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder>
    getCrlFieldBuilder() {
  // Already created: reuse it.
  if (crlBuilder_ != null) {
    return crlBuilder_;
  }
  // First use: seed the nested builder with the current value, then drop the plain
  // reference so the value is held in one place only.
  crlBuilder_ = new com.google.protobuf.SingleFieldBuilderV3<
      io.envoyproxy.envoy.api.v2.core.DataSource, io.envoyproxy.envoy.api.v2.core.DataSource.Builder, io.envoyproxy.envoy.api.v2.core.DataSourceOrBuilder>(
          getCrl(),
          getParentForChildren(),
          isClean());
  crl_ = null;
  return crlBuilder_;
}
// allow_expired_certificate (field 8). Security-sensitive: per the field doc, a true value
// means Envoy will not reject expired certificates. clearAllowExpiredCertificate() resets it to false.
private boolean allowExpiredCertificate_ ;
/**
*
* If specified, Envoy will not reject expired certificates.
*
*
* bool allow_expired_certificate = 8;
*/
public boolean getAllowExpiredCertificate() {
  // Worth surfacing in config audits: true means expiry is not enforced (see field doc).
  return this.allowExpiredCertificate_;
}
/**
*
* If specified, Envoy will not reject expired certificates.
*
*
* bool allow_expired_certificate = 8;
*/
public Builder setAllowExpiredCertificate(boolean value) {
  // Security-sensitive switch: per the field doc, true makes Envoy stop rejecting
  // expired certificates. Keep it false unless expiry is deliberately being tolerated,
  // and treat any configuration that sets it as something to review.
  this.allowExpiredCertificate_ = value;
  onChanged();
  return this;
}
/**
*
* If specified, Envoy will not reject expired certificates.
*
*
* bool allow_expired_certificate = 8;
*/
public Builder clearAllowExpiredCertificate() {
  // Back to false, i.e. the setting under which expired certificates are not tolerated.
  this.allowExpiredCertificate_ = false;
  onChanged();
  return this;
}
public final Builder setUnknownFields(
    final com.google.protobuf.UnknownFieldSet unknownFields) {
  // Uses the proto3 variant of the superclass setter; its result is returned unchanged.
  final Builder result = super.setUnknownFieldsProto3(unknownFields);
  return result;
}
public final Builder mergeUnknownFields(
    final com.google.protobuf.UnknownFieldSet unknownFields) {
  // Pure delegation to the superclass; its result is returned unchanged.
  final Builder result = super.mergeUnknownFields(unknownFields);
  return result;
}
// @@protoc_insertion_point(builder_scope:envoy.api.v2.auth.CertificateValidationContext)
}
// @@protoc_insertion_point(class_scope:envoy.api.v2.auth.CertificateValidationContext)
// Single shared default instance, built by the no-argument constructor during class initialisation.
private static final io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext DEFAULT_INSTANCE =
    new io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext();
public static io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext getDefaultInstance() {
  // Always the same shared object; no new message is allocated per call.
  return CertificateValidationContext.DEFAULT_INSTANCE;
}
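// Shared parser for this message type; parser() and getParserForType() both return it.
// Declared with the message class as its type argument instead of as a raw type, so
// parse results are typed as CertificateValidationContext without an unchecked cast.
private static final com.google.protobuf.Parser<CertificateValidationContext>
    PARSER = new com.google.protobuf.AbstractParser<CertificateValidationContext>() {
  public CertificateValidationContext parsePartialFrom(
      com.google.protobuf.CodedInputStream input,
      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
      throws com.google.protobuf.InvalidProtocolBufferException {
    // Delegates to the parsing constructor, which reads the fields from the input stream.
    return new CertificateValidationContext(input, extensionRegistry);
  }
};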
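// Returns the shared parser for this message type. The return type carries the message
// class as its type argument (rather than a raw Parser) so callers get typed results.
public static com.google.protobuf.Parser<CertificateValidationContext> parser() {
  return PARSER;
}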
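@java.lang.Override
public com.google.protobuf.Parser<CertificateValidationContext> getParserForType() {
  // Same shared parser that parser() returns, typed with the message class instead of raw.
  return PARSER;
}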
public io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext getDefaultInstanceForType() {
  // Instance-level accessor for the same shared default that getDefaultInstance() returns.
  return CertificateValidationContext.DEFAULT_INSTANCE;
}
}