http: add support for forwarding peer cert chains (#7026)

Description: This adds support for forwarding peer cert chains via the XFCC header.

Risk Level: Low
Testing: Updated existing tests
Docs Changes: Updated XFCC doc
Release Notes: Added a note about the feature
Fixes #6135
Also see #6230

Signed-off-by: Venil Noronha <veniln@vmware.com>

Mirrored from https://github.com/envoyproxy/envoy @ 15abaec72b0374e29490e8e074751e6246980e87
pull/620/head
data-plane-api(CircleCI) 6 years ago
parent 85632cf0eb
commit ed85e15770
  1. 7
      envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto

@ -317,6 +317,7 @@ message HttpConnectionManager {
ForwardClientCertDetails forward_client_cert_details = 16
[(validate.rules).enum.defined_only = true];
// [#comment:next free field: 7]
message SetCurrentClientCertDetails {
// Whether to forward the subject of the client cert. Defaults to false.
google.protobuf.BoolValue subject = 1;
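Review bot: The `next free field: 7` comment above `SetCurrentClientCertDetails` is maintained by hand, and nothing visible in this hunk enforces it. It holds only as long as `chain = 6` in the following hunk is the highest tag in the message, and fields 2 and 5 are not visible in this context. Please confirm against the full message that no existing field already uses 6 or higher, since reusing a tag would silently change the wire meaning for deployed configs.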
@ -328,6 +329,12 @@ message HttpConnectionManager {
// Defaults to false.
bool cert = 3;
// Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
// format. This will appear in the XFCC header comma separated from other values with the value
// Chain="PEM".
// Defaults to false.
bool chain = 6;
// Whether to forward the DNS type Subject Alternative Names of the client cert.
// Defaults to false.
bool dns = 4;
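Review bot: The doc comment on `chain` leaves the format of `Chain="PEM"` underspecified. It does not say in what order the certificates appear or how they are delimited inside the single URL encoded value, and it does not say what is emitted when `cert` and `chain` are both true, where the leaf would presumably be carried in both `Cert` and `Chain`. Upstream services that make authorization decisions from XFCC need to know which certificate in the chain is the peer's, so please state the ordering and the interaction with `cert` here. Two smaller points: a full chain is far larger than the other forwarded values, so a sentence on header size would help operators, and `chain = 6` is declared between `cert = 3` and `dns = 4`, so the tags no longer follow declaration order; placing it after the last existing field would keep the message easier to audit.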
