diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index e2302b26..83217872 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -180,8 +180,19 @@ message TlsSessionTicketKeys {
       [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message CertificateValidationContext {
+  // Peer certificate verification mode.
+  enum TrustChainVerification {
+    // Perform default certificate verification (e.g., against CA / verification lists)
+    VERIFY_TRUST_CHAIN = 0;
+
+    // Connections where the certificate fails verification will be permitted.
+    // For HTTP connections, the result of certificate verification can be used in route matching. (
+    // see :ref:`validated ` ).
+    ACCEPT_UNTRUSTED = 1;
+  }
+
   // TLS certificate data containing certificate authority certificates to use in verifying
   // a presented peer certificate (e.g. server certificate for clusters or client certificate
   // for listeners). If not specified and a peer certificate is presented it will not be
@@ -300,6 +311,10 @@ message CertificateValidationContext {
 
   // If specified, Envoy will not reject expired certificates.
   bool allow_expired_certificate = 8;
+
+  // Certificate trust chain verification mode.
+  TrustChainVerification trust_chain_verification = 10
+      [(validate.rules).enum = {defined_only: true}];
 }
 
 // TLS context shared by both client and server TLS contexts.
diff --git a/envoy/api/v2/route/route_components.proto b/envoy/api/v2/route/route_components.proto
index d6c18b50..14b4dffc 100644
--- a/envoy/api/v2/route/route_components.proto
+++ b/envoy/api/v2/route/route_components.proto
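Review bot: The comment on `ACCEPT_UNTRUSTED` in the new `TrustChainVerification` enum says a connection with a failing certificate is permitted, but it does not say that the TLS handshake itself still completes, nor whether the other checks in this message (`allow_expired_certificate` in the second hunk, and the SAN/hash/SPKI matchers that sit outside these hunks) are also bypassed in this mode; the sentence then defers to route matching, which only exists for HTTP, so an operator cannot tell from this text what gate remains on a non-HTTP listener. I would state the first part explicitly, e.g. `// The TLS handshake completes even when trust chain verification fails; the verification result is only surfaced to HTTP route matching (see the validated match option), so routes that must only serve trusted peers need a validated: true match.`, and add a sentence on the non-HTTP case once confirmed. The `:ref:` target on the following comment line looks incomplete in this view (`:ref:\`validated \``), which may be an extraction artefact but is worth checking against the rendered docs. The same enum and comment are added to the v3 copy in envoy/extensions/transport_sockets/tls/v3/cert.proto in the last file of this diff, and this note applies there as well.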
@@ -352,7 +352,12 @@ message RouteMatch {
 
   message TlsContextMatchOptions {
     // If specified, the route will match against whether or not a certificate is presented.
+    // If not specified, certificate presentation status (true or false) will not be considered when route matching.
     google.protobuf.BoolValue presented = 1;
+
+    // If specified, the route will match against whether or not a certificate is validated.
+    // If not specified, certificate validation status (true or false) will not be considered when route matching.
+    google.protobuf.BoolValue validated = 2;
   }
 
   reserved 5;
diff --git a/envoy/config/route/v3/route_components.proto b/envoy/config/route/v3/route_components.proto
index f28ab12d..2ac0c34a 100644
--- a/envoy/config/route/v3/route_components.proto
+++ b/envoy/config/route/v3/route_components.proto
@@ -355,7 +355,12 @@ message RouteMatch {
         "envoy.api.v2.route.RouteMatch.TlsContextMatchOptions";
 
     // If specified, the route will match against whether or not a certificate is presented.
+    // If not specified, certificate presentation status (true or false) will not be considered when route matching.
     google.protobuf.BoolValue presented = 1;
+
+    // If specified, the route will match against whether or not a certificate is validated.
+    // If not specified, certificate validation status (true or false) will not be considered when route matching.
+    google.protobuf.BoolValue validated = 2;
   }
 
   reserved 5, 3;
diff --git a/envoy/extensions/transport_sockets/tls/v3/cert.proto b/envoy/extensions/transport_sockets/tls/v3/cert.proto
index e9fa044f..162cdb1d 100644
--- a/envoy/extensions/transport_sockets/tls/v3/cert.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/cert.proto
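Review bot: The comment on the new `validated` field (in this v2 hunk and in the identical v3 hunk for envoy/config/route/v3/route_components.proto) does not say how the matcher evaluates when no certificate was presented, so it is unclear whether `validated: false` matches both "no certificate" and "certificate failed verification", and whether it is meant to be combined with `presented`. It also does not mention that a verification failure can only reach route matching when the listener's CertificateValidationContext is configured with `ACCEPT_UNTRUSTED` (under the default `VERIFY_TRUST_CHAIN` mode an unverified peer never gets this far, as far as this diff shows), which is exactly what a reader deciding whether to add `validated: true` to a sensitive route needs to know. I would extend the comment along the lines of `// Only meaningful when the listener's CertificateValidationContext.trust_chain_verification is ACCEPT_UNTRUSTED; otherwise any presented certificate has already been verified. Routes that must only serve verified peers should set this to true.` and add one sentence stating the no-certificate case once confirmed.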
@@ -190,11 +190,22 @@ message TlsSessionTicketKeys {
       [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
 
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message CertificateValidationContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.CertificateValidationContext";
 
+  // Peer certificate verification mode.
+  enum TrustChainVerification {
+    // Perform default certificate verification (e.g., against CA / verification lists)
+    VERIFY_TRUST_CHAIN = 0;
+
+    // Connections where the certificate fails verification will be permitted.
+    // For HTTP connections, the result of certificate verification can be used in route matching. (
+    // see :ref:`validated ` ).
+    ACCEPT_UNTRUSTED = 1;
+  }
+
   reserved 4;
 
   reserved "verify_subject_alt_name";
@@ -307,6 +318,10 @@ message CertificateValidationContext {
 
   // If specified, Envoy will not reject expired certificates.
   bool allow_expired_certificate = 8;
+
+  // Certificate trust chain verification mode.
+  TrustChainVerification trust_chain_verification = 10
+      [(validate.rules).enum = {defined_only: true}];
 }
 
 // TLS context shared by both client and server TLS contexts.