tls: add support for string matcher for subject alt name validation (#9264)

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

Mirrored from https://github.com/envoyproxy/envoy @ bc654f504a9daef1302e34d7373939c10a401217
master-ci-test
data-plane-api(CircleCI) 5 years ago
parent c152cb4319
commit 91b0fe1cd7
  1. 5
      envoy/api/v2/auth/BUILD
  2. 15
      envoy/api/v2/auth/cert.proto
  3. 1
      envoy/api/v3alpha/auth/BUILD
  4. 13
      envoy/api/v3alpha/auth/cert.proto

@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
licenses(["notice"]) # Apache 2
api_proto_package(
deps = ["//envoy/api/v2/core:pkg"],
deps = [
"//envoy/api/v2/core:pkg",
"//envoy/type/matcher:pkg",
],
)

@ -4,6 +4,7 @@ package envoy.api.v2.auth;
import "envoy/api/v2/core/base.proto";
import "envoy/api/v2/core/config_source.proto";
import "envoy/type/matcher/string.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
@ -172,7 +173,7 @@ message TlsSessionTicketKeys {
repeated core.DataSource keys = 1 [(validate.rules).repeated = {min_items: 1}];
}
// [#next-free-field: 9]
// [#next-free-field: 10]
message CertificateValidationContext {
// TLS certificate data containing certificate authority certificates to use in verifying
// a presented peer certificate (e.g. server certificate for clusters or client certificate
@ -265,7 +266,17 @@ message CertificateValidationContext {
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated string verify_subject_alt_name = 4;
repeated string verify_subject_alt_name = 4 [deprecated = true];
// An optional list of Subject Alternative name matchers. Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified matches.
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated type.matcher.StringMatcher match_subject_alt_names = 9;
// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
google.protobuf.BoolValue require_ocsp_staple = 5;
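Review bot: The deprecated `verify_subject_alt_name` on line 48 gains `[deprecated = true]` but its comment is untouched, so nothing in the schema tells a reader which field replaces it or what happens when a config populates both field 4 and field 9 (union, precedence, or rejection) — that is decided by the implementation outside this file and belongs in the field docs. Add above field 4: `// Deprecated: use match_subject_alt_names instead.` and, on the new field, one sentence stating how it combines with the deprecated list when both are set. The new matcher field is also trivially satisfiable by an over-broad StringMatcher (an empty prefix or suffix, or a catch-all regex, presumably matches every SAN), so the attention note should say the matchers must be specific, not only that trusted_ca is required. The same points apply to the v3alpha hunk at lines 92–103, where the phrase `matches one of the specified matches` should read `matchers` in both files. CertificateValidationContext starts and ends outside this hunk.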

@ -8,6 +8,7 @@ api_proto_package(
deps = [
"//envoy/api/v2/auth:pkg",
"//envoy/api/v3alpha/core:pkg",
"//envoy/type/matcher/v3alpha:pkg",
"@com_github_cncf_udpa//udpa/annotations:pkg",
],
)

@ -4,6 +4,7 @@ package envoy.api.v3alpha.auth;
import "envoy/api/v3alpha/core/base.proto";
import "envoy/api/v3alpha/core/config_source.proto";
import "envoy/type/matcher/v3alpha/string.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
@ -187,11 +188,15 @@ message TlsSessionTicketKeys {
repeated core.DataSource keys = 1 [(validate.rules).repeated = {min_items: 1}];
}
// [#next-free-field: 9]
// [#next-free-field: 10]
message CertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CertificateValidationContext";
reserved 4;
reserved "verify_subject_alt_name";
// TLS certificate data containing certificate authority certificates to use in verifying
// a presented peer certificate (e.g. server certificate for clusters or client certificate
// for listeners). If not specified and a peer certificate is presented it will not be
@ -277,15 +282,15 @@ message CertificateValidationContext {
repeated string verify_certificate_hash = 2
[(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
// An optional list of Subject Alternative Names. If specified, Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified values.
// An optional list of Subject Alternative name matchers. Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified matches.
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_api.v3alpha.auth.CertificateValidationContext.trusted_ca>`.
repeated string verify_subject_alt_name = 4;
repeated type.matcher.v3alpha.StringMatcher match_subject_alt_names = 9;
// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
google.protobuf.BoolValue require_ocsp_staple = 5;
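Review bot: The `reserved 4;` and `reserved "verify_subject_alt_name";` statements on lines 84–85 carry no comment, and protoc attaches no documentation to reserved statements, so a v3alpha reader gets no pointer from the removed v2 field to `match_subject_alt_names = 9`; add `// Field 4 (verify_subject_alt_name) was replaced by match_subject_alt_names.` above them. This matters for anyone converting a v2 config, since the `previous_message_type` annotation on lines 82–83 names the message but records no field mapping. CertificateValidationContext starts and ends outside both hunks of this section.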
