Package io.envoyproxy.envoy.extensions.transport_sockets.tls.v3

Class TlsCertificate

  • All Implemented Interfaces:
    com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, TlsCertificateOrBuilder, java.io.Serializable
    public final class TlsCertificate
extends com.google.protobuf.GeneratedMessage
implements TlsCertificateOrBuilder
     [#next-free-field: 9]
    Protobuf type envoy.extensions.transport_sockets.tls.v3.TlsCertificate
    See Also:
    Serialized Form

    • Field Detail

      • bitField0_

        private int bitField0_

      • CERTIFICATE_CHAIN_FIELD_NUMBER

        public static final int CERTIFICATE_CHAIN_FIELD_NUMBER
        See Also:
        Constant Field Values

      • certificateChain_

        private DataSource certificateChain_

      • PRIVATE_KEY_FIELD_NUMBER

        public static final int PRIVATE_KEY_FIELD_NUMBER
        See Also:
        Constant Field Values

      • WATCHED_DIRECTORY_FIELD_NUMBER

        public static final int WATCHED_DIRECTORY_FIELD_NUMBER
        See Also:
        Constant Field Values

      • PRIVATE_KEY_PROVIDER_FIELD_NUMBER

        public static final int PRIVATE_KEY_PROVIDER_FIELD_NUMBER
        See Also:
        Constant Field Values

      • OCSP_STAPLE_FIELD_NUMBER

        public static final int OCSP_STAPLE_FIELD_NUMBER
        See Also:
        Constant Field Values

      • SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER

        public static final int SIGNED_CERTIFICATE_TIMESTAMP_FIELD_NUMBER
        See Also:
        Constant Field Values

      • signedCertificateTimestamp_

        private java.util.List<DataSource> signedCertificateTimestamp_

      • memoizedIsInitialized

        private byte memoizedIsInitialized

      • DEFAULT_INSTANCE

        private static final TlsCertificate DEFAULT_INSTANCE

      • PARSER

        private static final com.google.protobuf.Parser<TlsCertificate> PARSER

    • Constructor Detail

      • TlsCertificate

        private TlsCertificate​(com.google.protobuf.GeneratedMessage.Builder<?> builder)

      • TlsCertificate

        private TlsCertificate()

    • Method Detail

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessage

      • hasCertificateChain

        public boolean hasCertificateChain()
         The TLS certificate chain.

 If ``certificate_chain`` is a filesystem path, a watch will be added to the
 parent directory for any file moves to support rotation. This currently
 only applies to dynamic secrets, when the ``TlsCertificate`` is delivered via
 SDS.
        .envoy.config.core.v3.DataSource certificate_chain = 1;
        Specified by:
        hasCertificateChain in interface TlsCertificateOrBuilder
        Returns:
        Whether the certificateChain field is set.

      • getCertificateChain

        public DataSource getCertificateChain()
         The TLS certificate chain.

 If ``certificate_chain`` is a filesystem path, a watch will be added to the
 parent directory for any file moves to support rotation. This currently
 only applies to dynamic secrets, when the ``TlsCertificate`` is delivered via
 SDS.
        .envoy.config.core.v3.DataSource certificate_chain = 1;
        Specified by:
        getCertificateChain in interface TlsCertificateOrBuilder
        Returns:
        The certificateChain.

      • getCertificateChainOrBuilder

        public DataSourceOrBuilder getCertificateChainOrBuilder()
         The TLS certificate chain.

 If ``certificate_chain`` is a filesystem path, a watch will be added to the
 parent directory for any file moves to support rotation. This currently
 only applies to dynamic secrets, when the ``TlsCertificate`` is delivered via
 SDS.
        .envoy.config.core.v3.DataSource certificate_chain = 1;
        Specified by:
        getCertificateChainOrBuilder in interface TlsCertificateOrBuilder

      • hasPrivateKey

        public boolean hasPrivateKey()
         The TLS private key.

 If ``private_key`` is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the ``TlsCertificate`` is delivered via SDS.
        .envoy.config.core.v3.DataSource private_key = 2 [(.udpa.annotations.sensitive) = true];
        Specified by:
        hasPrivateKey in interface TlsCertificateOrBuilder
        Returns:
        Whether the privateKey field is set.

      • getPrivateKey

        public DataSource getPrivateKey()
         The TLS private key.

 If ``private_key`` is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the ``TlsCertificate`` is delivered via SDS.
        .envoy.config.core.v3.DataSource private_key = 2 [(.udpa.annotations.sensitive) = true];
        Specified by:
        getPrivateKey in interface TlsCertificateOrBuilder
        Returns:
        The privateKey.

      • getPrivateKeyOrBuilder

        public DataSourceOrBuilder getPrivateKeyOrBuilder()
         The TLS private key.

 If ``private_key`` is a filesystem path, a watch will be added to the parent
 directory for any file moves to support rotation. This currently only
 applies to dynamic secrets, when the ``TlsCertificate`` is delivered via SDS.
        .envoy.config.core.v3.DataSource private_key = 2 [(.udpa.annotations.sensitive) = true];
        Specified by:
        getPrivateKeyOrBuilder in interface TlsCertificateOrBuilder

      • hasPkcs12

        public boolean hasPkcs12()
         ``Pkcs12`` data containing TLS certificate, chain, and private key.

 If ``pkcs12`` is a filesystem path, the file will be read, but no watch will
 be added to the parent directory, since ``pkcs12`` isn't used by SDS.
 This field is mutually exclusive with ``certificate_chain``, ``private_key`` and ``private_key_provider``.
 This can't be marked as ``oneof`` due to API compatibility reasons. Setting
 both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`,
 :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`,
 or :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>`
 and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>`
 fields will result in an error. Use :ref:`password
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>`
 to specify the password to unprotect the ``PKCS12`` data, if necessary.
        .envoy.config.core.v3.DataSource pkcs12 = 8 [(.udpa.annotations.sensitive) = true];
        Specified by:
        hasPkcs12 in interface TlsCertificateOrBuilder
        Returns:
        Whether the pkcs12 field is set.

      • getPkcs12

        public DataSource getPkcs12()
         ``Pkcs12`` data containing TLS certificate, chain, and private key.

 If ``pkcs12`` is a filesystem path, the file will be read, but no watch will
 be added to the parent directory, since ``pkcs12`` isn't used by SDS.
 This field is mutually exclusive with ``certificate_chain``, ``private_key`` and ``private_key_provider``.
 This can't be marked as ``oneof`` due to API compatibility reasons. Setting
 both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`,
 :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`,
 or :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>`
 and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>`
 fields will result in an error. Use :ref:`password
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>`
 to specify the password to unprotect the ``PKCS12`` data, if necessary.
        .envoy.config.core.v3.DataSource pkcs12 = 8 [(.udpa.annotations.sensitive) = true];
        Specified by:
        getPkcs12 in interface TlsCertificateOrBuilder
        Returns:
        The pkcs12.

      • getPkcs12OrBuilder

        public DataSourceOrBuilder getPkcs12OrBuilder()
         ``Pkcs12`` data containing TLS certificate, chain, and private key.

 If ``pkcs12`` is a filesystem path, the file will be read, but no watch will
 be added to the parent directory, since ``pkcs12`` isn't used by SDS.
 This field is mutually exclusive with ``certificate_chain``, ``private_key`` and ``private_key_provider``.
 This can't be marked as ``oneof`` due to API compatibility reasons. Setting
 both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`,
 :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`,
 or :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>`
 and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>`
 fields will result in an error. Use :ref:`password
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>`
 to specify the password to unprotect the ``PKCS12`` data, if necessary.
        .envoy.config.core.v3.DataSource pkcs12 = 8 [(.udpa.annotations.sensitive) = true];
        Specified by:
        getPkcs12OrBuilder in interface TlsCertificateOrBuilder

      • hasWatchedDirectory

        public boolean hasWatchedDirectory()
         If specified, updates of file-based ``certificate_chain`` and ``private_key``
 sources will be triggered by this watch. The certificate/key pair will be
 read together and validated for atomic read consistency (i.e. no
 intervening modification occurred between cert/key read, verified by file
 hash comparisons). This allows explicit control over the path watched, by
 default the parent directories of the filesystem paths in
 ``certificate_chain`` and ``private_key`` are watched if this field is not
 specified. This only applies when a ``TlsCertificate`` is delivered by SDS
 with references to filesystem paths. See the :ref:`SDS key rotation
 <sds_key_rotation>` documentation for further details.
        .envoy.config.core.v3.WatchedDirectory watched_directory = 7;
        Specified by:
        hasWatchedDirectory in interface TlsCertificateOrBuilder
        Returns:
        Whether the watchedDirectory field is set.

      • getWatchedDirectory

        public WatchedDirectory getWatchedDirectory()
         If specified, updates of file-based ``certificate_chain`` and ``private_key``
 sources will be triggered by this watch. The certificate/key pair will be
 read together and validated for atomic read consistency (i.e. no
 intervening modification occurred between cert/key read, verified by file
 hash comparisons). This allows explicit control over the path watched, by
 default the parent directories of the filesystem paths in
 ``certificate_chain`` and ``private_key`` are watched if this field is not
 specified. This only applies when a ``TlsCertificate`` is delivered by SDS
 with references to filesystem paths. See the :ref:`SDS key rotation
 <sds_key_rotation>` documentation for further details.
        .envoy.config.core.v3.WatchedDirectory watched_directory = 7;
        Specified by:
        getWatchedDirectory in interface TlsCertificateOrBuilder
        Returns:
        The watchedDirectory.

      • getWatchedDirectoryOrBuilder

        public WatchedDirectoryOrBuilder getWatchedDirectoryOrBuilder()
         If specified, updates of file-based ``certificate_chain`` and ``private_key``
 sources will be triggered by this watch. The certificate/key pair will be
 read together and validated for atomic read consistency (i.e. no
 intervening modification occurred between cert/key read, verified by file
 hash comparisons). This allows explicit control over the path watched, by
 default the parent directories of the filesystem paths in
 ``certificate_chain`` and ``private_key`` are watched if this field is not
 specified. This only applies when a ``TlsCertificate`` is delivered by SDS
 with references to filesystem paths. See the :ref:`SDS key rotation
 <sds_key_rotation>` documentation for further details.
        .envoy.config.core.v3.WatchedDirectory watched_directory = 7;
        Specified by:
        getWatchedDirectoryOrBuilder in interface TlsCertificateOrBuilder

      • hasPrivateKeyProvider

        public boolean hasPrivateKeyProvider()
         BoringSSL private key method provider. This is an alternative to :ref:`private_key
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
 marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
 :ref:`private_key_provider
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
 error.
        .envoy.extensions.transport_sockets.tls.v3.PrivateKeyProvider private_key_provider = 6;
        Specified by:
        hasPrivateKeyProvider in interface TlsCertificateOrBuilder
        Returns:
        Whether the privateKeyProvider field is set.

      • getPrivateKeyProvider

        public PrivateKeyProvider getPrivateKeyProvider()
         BoringSSL private key method provider. This is an alternative to :ref:`private_key
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
 marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
 :ref:`private_key_provider
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
 error.
        .envoy.extensions.transport_sockets.tls.v3.PrivateKeyProvider private_key_provider = 6;
        Specified by:
        getPrivateKeyProvider in interface TlsCertificateOrBuilder
        Returns:
        The privateKeyProvider.

      • getPrivateKeyProviderOrBuilder

        public PrivateKeyProviderOrBuilder getPrivateKeyProviderOrBuilder()
         BoringSSL private key method provider. This is an alternative to :ref:`private_key
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
 marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
 :ref:`private_key_provider
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
 error.
        .envoy.extensions.transport_sockets.tls.v3.PrivateKeyProvider private_key_provider = 6;
        Specified by:
        getPrivateKeyProviderOrBuilder in interface TlsCertificateOrBuilder

      • hasPassword

        public boolean hasPassword()
         The password to decrypt the TLS private key. If this field is not set, it is assumed that the
 TLS private key is not password encrypted.
        .envoy.config.core.v3.DataSource password = 3 [(.udpa.annotations.sensitive) = true];
        Specified by:
        hasPassword in interface TlsCertificateOrBuilder
        Returns:
        Whether the password field is set.

      • getPassword

        public DataSource getPassword()
         The password to decrypt the TLS private key. If this field is not set, it is assumed that the
 TLS private key is not password encrypted.
        .envoy.config.core.v3.DataSource password = 3 [(.udpa.annotations.sensitive) = true];
        Specified by:
        getPassword in interface TlsCertificateOrBuilder
        Returns:
        The password.

      • getPasswordOrBuilder

        public DataSourceOrBuilder getPasswordOrBuilder()
         The password to decrypt the TLS private key. If this field is not set, it is assumed that the
 TLS private key is not password encrypted.
        .envoy.config.core.v3.DataSource password = 3 [(.udpa.annotations.sensitive) = true];
        Specified by:
        getPasswordOrBuilder in interface TlsCertificateOrBuilder

      • hasOcspStaple

        public boolean hasOcspStaple()
         The OCSP response to be stapled with this certificate during the handshake.
 The response must be DER-encoded and may only be  provided via ``filename`` or
 ``inline_bytes``. The response may pertain to only one certificate.
        .envoy.config.core.v3.DataSource ocsp_staple = 4;
        Specified by:
        hasOcspStaple in interface TlsCertificateOrBuilder
        Returns:
        Whether the ocspStaple field is set.

      • getOcspStaple

        public DataSource getOcspStaple()
         The OCSP response to be stapled with this certificate during the handshake.
 The response must be DER-encoded and may only be  provided via ``filename`` or
 ``inline_bytes``. The response may pertain to only one certificate.
        .envoy.config.core.v3.DataSource ocsp_staple = 4;
        Specified by:
        getOcspStaple in interface TlsCertificateOrBuilder
        Returns:
        The ocspStaple.

      • getOcspStapleOrBuilder

        public DataSourceOrBuilder getOcspStapleOrBuilder()
         The OCSP response to be stapled with this certificate during the handshake.
 The response must be DER-encoded and may only be  provided via ``filename`` or
 ``inline_bytes``. The response may pertain to only one certificate.
        .envoy.config.core.v3.DataSource ocsp_staple = 4;
        Specified by:
        getOcspStapleOrBuilder in interface TlsCertificateOrBuilder

      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessage

      • writeTo

        public void writeTo​(com.google.protobuf.CodedOutputStream output)
             throws java.io.IOException
        Specified by:
        writeTo in interface com.google.protobuf.MessageLite
        Overrides:
        writeTo in class com.google.protobuf.GeneratedMessage
        Throws:
        java.io.IOException

      • getSerializedSize

        public int getSerializedSize()
        Specified by:
        getSerializedSize in interface com.google.protobuf.MessageLite
        Overrides:
        getSerializedSize in class com.google.protobuf.GeneratedMessage

      • equals

        public boolean equals​(java.lang.Object obj)
        Specified by:
        equals in interface com.google.protobuf.Message
        Overrides:
        equals in class com.google.protobuf.AbstractMessage

      • hashCode

        public int hashCode()
        Specified by:
        hashCode in interface com.google.protobuf.Message
        Overrides:
        hashCode in class com.google.protobuf.AbstractMessage

      • parseFrom

        public static TlsCertificate parseFrom​(java.nio.ByteBuffer data)
                                throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static TlsCertificate parseFrom​(java.nio.ByteBuffer data,
                                       com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static TlsCertificate parseFrom​(com.google.protobuf.ByteString data)
                                throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static TlsCertificate parseFrom​(com.google.protobuf.ByteString data,
                                       com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static TlsCertificate parseFrom​(byte[] data)
                                throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static TlsCertificate parseFrom​(byte[] data,
                                       com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static TlsCertificate parseFrom​(java.io.InputStream input)
                                throws java.io.IOException
        Throws:
        java.io.IOException

      • parseFrom

        public static TlsCertificate parseFrom​(java.io.InputStream input,
                                       com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                throws java.io.IOException
        Throws:
        java.io.IOException

      • parseDelimitedFrom

        public static TlsCertificate parseDelimitedFrom​(java.io.InputStream input)
                                         throws java.io.IOException
        Throws:
        java.io.IOException

      • parseDelimitedFrom

        public static TlsCertificate parseDelimitedFrom​(java.io.InputStream input,
                                                com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                         throws java.io.IOException
        Throws:
        java.io.IOException

      • parseFrom

        public static TlsCertificate parseFrom​(com.google.protobuf.CodedInputStream input)
                                throws java.io.IOException
        Throws:
        java.io.IOException

      • parseFrom

        public static TlsCertificate parseFrom​(com.google.protobuf.CodedInputStream input,
                                       com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                throws java.io.IOException
        Throws:
        java.io.IOException

      • newBuilderForType

        public TlsCertificate.Builder newBuilderForType()
        Specified by:
        newBuilderForType in interface com.google.protobuf.Message
        Specified by:
        newBuilderForType in interface com.google.protobuf.MessageLite

      • toBuilder

        public TlsCertificate.Builder toBuilder()
        Specified by:
        toBuilder in interface com.google.protobuf.Message
        Specified by:
        toBuilder in interface com.google.protobuf.MessageLite

      • newBuilderForType

        protected TlsCertificate.Builder newBuilderForType​(com.google.protobuf.AbstractMessage.BuilderParent parent)
        Overrides:
        newBuilderForType in class com.google.protobuf.AbstractMessage

      • getDefaultInstance

        public static TlsCertificate getDefaultInstance()

      • parser

        public static com.google.protobuf.Parser<TlsCertificate> parser()

      • getParserForType

        public com.google.protobuf.Parser<TlsCertificate> getParserForType()
        Specified by:
        getParserForType in interface com.google.protobuf.Message
        Specified by:
        getParserForType in interface com.google.protobuf.MessageLite
        Overrides:
        getParserForType in class com.google.protobuf.GeneratedMessage

      • getDefaultInstanceForType

        public TlsCertificate getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder