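#pragma once

// Standard headers for the types used directly below. `<memory>` (std::unique_ptr) and
// `<vector>` (std::vector) were previously reached only transitively through the protobuf
// headers, which is fragile; include what we use.
#include <memory>
#include <string>
#include <vector>

#include "envoy/api/api.h"
#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
#include "envoy/extensions/transport_sockets/tls/v3/common.pb.h"
#include "envoy/ssl/certificate_validation_context_config.h"
#include "envoy/type/matcher/v3/string.pb.h"

#include "absl/status/statusor.h"
#include "absl/types/optional.h"

namespace Envoy {
namespace Ssl {

// Snapshot of a `CertificateValidationContext` proto exposed through the
// `CertificateValidationContextConfig` interface.
//
// This class only carries configuration: every accessor returns a value captured from the
// proto. No peer-certificate checking happens here; the TLS validator that consumes this
// config decides how the CA bundle, CRL, SAN matchers, pinning lists and the relaxation
// flags (`allowExpiredCertificate`, `trustChainVerification`) are applied. With the exception
// of `max_verify_depth_`, all members are `const`, so the object is effectively immutable
// after construction.
class CertificateValidationContextConfigImpl : public CertificateValidationContextConfig {
public:
  // Factory: builds an instance from `context` and returns an error status instead of an
  // object when the configuration is rejected. `api` is stored by reference (see `api_`), so
  // the caller must keep it alive for as long as the returned object exists.
  static absl::StatusOr<std::unique_ptr<CertificateValidationContextConfigImpl>>
  create(const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext& context,
         Api::Api& api);

  // Post-construction validation of the captured configuration; returns a non-OK status when
  // it is unusable. Defined out of line — presumably called from `create()`, confirm in the .cc.
  absl::Status initialize();

  // Trusted CA bundle (PEM contents) and the path it was loaded from, if any.
  const std::string& caCert() const override { return ca_cert_; }
  const std::string& caCertPath() const override { return ca_cert_path_; }

  // Certificate revocation list contents and its source path, if any.
  const std::string& certificateRevocationList() const override {
    return certificate_revocation_list_;
  }
  // Deliberately `final` (unlike its siblings) in the original; kept to preserve the interface.
  const std::string& certificateRevocationListPath() const final {
    return certificate_revocation_list_path_;
  }

  // Subject Alternative Name matchers derived from the proto (see `getSubjectAltNameMatchers`).
  // An empty list means no SAN constraint is expressed by this config.
  const std::vector<envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher>&
  subjectAltNameMatchers() const override {
    return subject_alt_name_matchers_;
  }

  // Certificate-hash and SPKI pinning lists copied from the proto. How they combine with the
  // CA bundle (pin-only vs. pin-and-chain) is decided by the validator, not here.
  const std::vector<std::string>& verifyCertificateHashList() const override {
    return verify_certificate_hash_list_;
  }
  const std::vector<std::string>& verifyCertificateSpkiList() const override {
    return verify_certificate_spki_list_;
  }

  // NOTE(review): a `true` here is expected to make the consuming validator accept expired
  // peer certificates — a deliberate weakening of validation that should not be enabled by
  // default; confirm the exact effect in the validator implementation.
  bool allowExpiredCertificate() const override { return allow_expired_certificate_; }

  // Proto enum selecting whether the trust chain must be verified. Values other than the
  // default are expected to relax chain enforcement — confirm against the proto definition.
  envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext::
      TrustChainVerification
      trustChainVerification() const override {
    return trust_chain_verification_;
  }

  // Optional typed config for a custom validator extension; unset when the proto did not
  // specify one.
  const absl::optional<envoy::config::core::v3::TypedExtensionConfig>&
  customValidatorConfig() const override {
    return custom_validator_config_;
  }

  // API handle captured at construction (reference, not owned).
  Api::Api& api() const override { return api_; }

  // When set, CRL checking is expected to apply to the leaf certificate only rather than the
  // whole chain — confirm in the validator.
  bool onlyVerifyLeafCertificateCrl() const override { return only_verify_leaf_cert_crl_; }

  // Maximum chain depth to verify; `nullopt` when the proto left it unspecified.
  absl::optional<uint32_t> maxVerifyDepth() const override { return max_verify_depth_; }

protected:
  // Protected so that construction goes through `create()` (or a derived class); `api` is
  // bound to `api_` by reference.
  CertificateValidationContextConfigImpl(
      const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext& config,
      Api::Api& api);

private:
  // Builds the SAN matcher list from the proto; defined out of line.
  static std::vector<envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher>
  getSubjectAltNameMatchers(
      const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext& config);

  const std::string ca_cert_;
  const std::string ca_cert_path_;
  const std::string certificate_revocation_list_;
  const std::string certificate_revocation_list_path_;
  const std::vector<envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher>
      subject_alt_name_matchers_;
  const std::vector<std::string> verify_certificate_hash_list_;
  const std::vector<std::string> verify_certificate_spki_list_;
  const bool allow_expired_certificate_;
  const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext::
      TrustChainVerification trust_chain_verification_;
  const absl::optional<envoy::config::core::v3::TypedExtensionConfig> custom_validator_config_;
  // Non-owning; lifetime is the caller's responsibility (see `create()`).
  Api::Api& api_;
  const bool only_verify_leaf_cert_crl_;
  // The only non-`const` member — presumably assigned in the constructor body (out of line)
  // rather than the initializer list; do not mutate it elsewhere.
  absl::optional<uint32_t> max_verify_depth_;
};

} // namespace Ssl
} // namespace Envoy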