LCOV - code coverage report
Current view: top level - envoy/ssl - certificate_validation_context_config.h (source / functions) Hit Total Coverage
Test: coverage.dat Lines: 0 1 0.0 %
Date: 2024-01-05 06:35:25 Functions: 0 1 0.0 % 

          Line data    Source code
       1             : #pragma once
       2             : 
       3             : #include <memory>
       4             : #include <string>
       5             : #include <vector>
       6             : 
       7             : #include "envoy/api/api.h"
       8             : #include "envoy/common/pure.h"
       9             : #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
      10             : #include "envoy/extensions/transport_sockets/tls/v3/common.pb.h"
      11             : #include "envoy/type/matcher/v3/string.pb.h"
      12             : 
      13             : #include "absl/types/optional.h"
      14             : 
      15             : namespace Envoy {
      16             : namespace Ssl {
      17             : 
      18             : // SECURITY NOTE
      19             : //
      20             : // When adding or changing this interface, it is likely that a change is needed to
      21             : // `DefaultCertValidator::updateDigestForSessionId` in
      22             : // `source/extensions/transport_sockets/tls/cert_validator/default_validator.cc`.
      23             : class CertificateValidationContextConfig {
      24             : public:
      25           0 :   virtual ~CertificateValidationContextConfig() = default;
      26             : 
      27             :   /**
      28             :    * @return The CA certificate to use for peer validation.
      29             :    */
      30             :   virtual const std::string& caCert() const PURE;
      31             : 
      32             :   /**
      33             :    * @return Path of the CA certificate to use for peer validation or "<inline>"
      34             :    * if the CA certificate was inlined.
      35             :    */
      36             :   virtual const std::string& caCertPath() const PURE;
      37             : 
      38             :   /**
      39             :    * @return The CRL to check if a cert is revoked.
      40             :    */
      41             :   virtual const std::string& certificateRevocationList() const PURE;
      42             : 
      43             :   /**
      44             :    * @return Path of the certificate revocation list, or "<inline>" if the CRL
      45             :    * was inlined.
      46             :    */
      47             :   virtual const std::string& certificateRevocationListPath() const PURE;
      48             : 
      49             :   /**
      50             :    * @return The subject alt name matchers to be verified, if enabled.
      51             :    */
      52             :   virtual const std::vector<envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher>&
      53             :   subjectAltNameMatchers() const PURE;
      54             : 
      55             :   /**
      56             :    * @return A list of a hex-encoded SHA-256 certificate hashes to be verified.
      57             :    */
      58             :   virtual const std::vector<std::string>& verifyCertificateHashList() const PURE;
      59             : 
      60             :   /**
      61             :    * @return A list of a hex-encoded SHA-256 SPKI hashes to be verified.
      62             :    */
      63             :   virtual const std::vector<std::string>& verifyCertificateSpkiList() const PURE;
      64             : 
      65             :   /**
      66             :    * @return whether to ignore expired certificates (both too new and too old).
      67             :    */
      68             :   virtual bool allowExpiredCertificate() const PURE;
      69             : 
      70             :   /**
      71             :    * @return client certificate validation configuration.
      72             :    */
      73             :   virtual envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext::
      74             :       TrustChainVerification
      75             :       trustChainVerification() const PURE;
      76             : 
      77             :   /**
      78             :    * @return the configuration for the custom certificate validator if configured.
      79             :    */
      80             :   virtual const absl::optional<envoy::config::core::v3::TypedExtensionConfig>&
      81             :   customValidatorConfig() const PURE;
      82             : 
      83             :   /**
      84             :    * @return a reference to the api object.
      85             :    */
      86             :   virtual Api::Api& api() const PURE;
      87             : 
      88             :   /**
      89             :    * @return whether to validate certificate chain with all CRL or not.
      90             :    */
      91             :   virtual bool onlyVerifyLeafCertificateCrl() const PURE;
      92             : 
      93             :   /**
      94             :    * @return the max depth used when verifying the certificate-chain
      95             :    */
      96             :   virtual absl::optional<uint32_t> maxVerifyDepth() const PURE;
      97             : };
      98             : 
      99             : using CertificateValidationContextConfigPtr = std::unique_ptr<CertificateValidationContextConfig>;
     100             : 
     101             : } // namespace Ssl
     102             : } // namespace Envoy

Generated by: LCOV version 1.15