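// Copyright 2020 The gRPC Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Local copy of Envoy xDS proto file, used for testing only.
//
// Only a subset of the upstream messages and fields is reproduced here. Field
// numbers follow upstream, so the gaps between the numbers declared below
// belong to upstream fields that were omitted from this copy; do not reuse
// them when adding fields to this file.

syntax = "proto3";

package envoy.extensions.transport_sockets.tls.v3;

import "google/protobuf/wrappers.proto";
import "src/proto/grpc/testing/xds/v3/string.proto";

// How a peer certificate is validated. This copy carries only the SAN matcher
// list; the trusted_ca field that the attention note below refers to is not
// part of this local copy.
message CertificateValidationContext {
  // An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
  // Subject Alternative Name of the presented certificate matches one of the specified matchers.
  //
  // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
  // configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v3.StringMatcher>`.
  // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
  // it should be configured as shown below.
  //
  // .. code-block:: yaml
  //
  //  match_subject_alt_names:
  //    exact: "api.example.com"
  //
  // .. attention::
  //
  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
  //   therefore this option must be used together with :ref:`trusted_ca
  //   <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
  //   (trusted_ca is not included in this local copy.)
  repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9;
}

// Client-side (upstream) TLS configuration.
message UpstreamTlsContext {
  // Common TLS context settings.
  //
  // .. attention::
  //
  //   Server certificate verification is not enabled by default. Configure
  //   :ref:`trusted_ca<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
  //   verification.
  CommonTlsContext common_tls_context = 1;
}

// Server-side (downstream) TLS configuration.
message DownstreamTlsContext {
  // Common TLS context settings.
  CommonTlsContext common_tls_context = 1;

  // If specified, Envoy will reject connections without a valid client
  // certificate.
  //
  // The wrapper type gives this field explicit presence: an absent value is
  // distinct from an explicit false. When the field is absent, connections
  // without a client certificate are not rejected on this basis, so client
  // authentication has to be requested deliberately.
  google.protobuf.BoolValue require_client_certificate = 2;
}


// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 14]
message CommonTlsContext {
  // Similar to the upstream CertificateProvider message (not included in this local copy), but
  // allows the provider instances to be configured on the client side instead of being sent from
  // the control plane.
  message CertificateProviderInstance {
    // Provider instance name. This name must be defined in the client's configuration (e.g., a
    // bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config
    // field that would be sent in the CertificateProvider message if the config was sent by the
    // control plane). If not present, defaults to "default".
    //
    // Instance names should generally be defined not in terms of the underlying provider
    // implementation (e.g., "file_watcher") but rather in terms of the function of the
    // certificates (e.g., "foo_deployment_identity").
    string instance_name = 1;

    // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
    // a root-certificate (validation context) or "example.com" to specify a certificate for a
    // particular domain. Not all provider instances will actually use this field, so the value
    // defaults to the empty string.
    string certificate_name = 2;
  }

  // Pairs a static default validation context with a certificate provider
  // instance that supplies the dynamic part of the validation context.
  message CombinedCertificateValidationContext {
    // How to validate peer certificates.
    CertificateValidationContext default_validation_context = 1;

    // Certificate provider instance for fetching validation context.
    // Only one of validation_context_sds_secret_config, validation_context_certificate_provider,
    // or validation_context_certificate_provider_instance may be used. Of those three, only
    // validation_context_certificate_provider_instance is present in this local copy.
    CertificateProviderInstance validation_context_certificate_provider_instance = 4;
  }

  // Certificate provider instance for fetching TLS certificates.
  CertificateProviderInstance tls_certificate_certificate_provider_instance = 11;

  // Selects how the peer validation context is supplied. This copy declares
  // only the combined variant; upstream has further members in this oneof.
  oneof validation_context_type {
    // Combined certificate validation context holds a default CertificateValidationContext
    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
    // and default CertificateValidationContext are merged into a new CertificateValidationContext
    // for validation. This merge is done by Message::MergeFrom(), so dynamic
    // CertificateValidationContext overwrites singular fields in default
    // CertificateValidationContext, and concatenates repeated fields to default
    // CertificateValidationContext, and logical OR is applied to boolean fields.
    // Because repeated fields are concatenated, match_subject_alt_names entries from the
    // default context remain in effect alongside any supplied dynamically.
    CombinedCertificateValidationContext combined_validation_context = 8;
  }
}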