tls: Add support for intermediate CA as trusted_ca (#22350)

Add support for intermediate CA as trusted_ca with
X509_V_FLAG_PARTIAL_CHAIN

Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>

Mirrored from https://github.com/envoyproxy/envoy @ 14015bb2a68d44e9429556e447bfa6fe84e3bb37
pull/626/head
data-plane-api(Azure Pipelines) 2 years ago
parent 8503b91639
commit ae9ad877da
      envoy/extensions/transport_sockets/tls/v3/common.proto

@ -332,6 +332,10 @@ message CertificateValidationContext {
// applies to dynamic secrets, when the ``CertificateValidationContext`` is
// delivered via SDS.
//
// X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
// can be treated as trust anchor as well. It allows verification with building valid partial chain instead
// of a full chain.
//
// Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
//
// [#next-major-version: This field and watched_directory below should ideally be moved into a
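Review bot: the new paragraph starting "X509_V_FLAG_PARTIAL_CHAIN is set by default" should state the trust consequence, not just the mechanics: with this flag, any intermediate CA certificate placed in ``trusted_ca`` is itself a trust anchor, so a leaf issued by that intermediate verifies even when the root that signed the intermediate is absent, and the intermediate's own signature is never checked against anything. Operators who load a bundle containing intermediates and expect them to be validated up to a root need that spelled out. Wording fixes in the same lines: "non-root/intermediate ca certificate" should read "a non-root (intermediate) CA certificate", and "It allows verification with building valid partial chain instead of a full chain" reads better as "Verification then succeeds on a valid partial chain ending at such an anchor, rather than requiring a full chain to a self-signed root." The text also says the flag is "set by default" but gives no way to disable it; if there is none, say "always set" so readers do not look for a knob.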
@ -484,10 +488,13 @@ message CertificateValidationContext {
// certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
bool only_verify_leaf_cert_crl = 14;
// Config for the max number of intermediate certificates in chain that are parsed during verification.
// This does not include the leaf certificate. If configured, and the certificate chain is longer than allowed, the certificates
// above the limit are ignored, and certificate validation will fail. The default limit is 100,
// though this can be system-dependent.
// https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html
// Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
// This number does not include the leaf, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain,
// but in a depth larger than configured, the certificate validation will fail.
// See `BoringSSL SSL_CTX_set_verify_depth <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_verify_depth>`
// If you use OpenSSL, its behavior is different from BoringSSL, this will define a limit on the number of certificates between the end-entity and trust-anchor certificates.
// Neither the end-entity nor the trust-anchor certificates count against depth.
// See `OpenSSL SSL set_verify_depth <https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html>`_.
// Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`
google.protobuf.UInt32Value max_verify_depth = 16 [(validate.rules).uint32 = {lte: 100}];
}
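Review bot: as rendered, the ``max_verify_depth`` comment carries two overlapping descriptions, one ending at the bare OpenSSL URL and a second starting "Defines maximum depth of a certificate chain", with "the default limit is 100, though this can be system-dependent" and the SSL_CTX_set_verify_depth link each appearing twice; if the first block is the text being removed that is fine, otherwise keep only the second. In the new text, "Trusted issues are specified" should be "Trusted issuers are specified" and the sentence needs a terminating period; the BoringSSL link lacks the trailing ``_`` that the OpenSSL link two lines later has, so reStructuredText will not render it as a hyperlink; and "If you use OpenSSL, its behavior is different from BoringSSL, this will define a limit on the number of certificates between the end-entity and trust-anchor certificates." is a comma splice, better as "With OpenSSL the semantics differ: the depth limits the number of certificates between the end-entity and the trust anchor, and neither of those counts against it." Since the field carries ``(validate.rules).uint32 = {lte: 100}``, the comment should also say that configured values above 100 are rejected; next to "though this can be system-dependent" the current text reads as if larger values might be accepted on some systems.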
