1syntax = "proto3"; 2 3package envoy.api.v2.auth; 4 5import "envoy/api/v2/core/base.proto"; 6import "envoy/type/matcher/string.proto"; 7 8import "google/protobuf/any.proto"; 9import "google/protobuf/struct.proto"; 10import "google/protobuf/wrappers.proto"; 11 12import "udpa/annotations/migrate.proto"; 13import "udpa/annotations/sensitive.proto"; 14import "udpa/annotations/status.proto"; 15import "validate/validate.proto"; 16 17option java_package = "io.envoyproxy.envoy.api.v2.auth"; 18option java_outer_classname = "CommonProto"; 19option java_multiple_files = true; 20option go_package = "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"; 21option (udpa.annotations.file_migrate).move_to_package = 22 "envoy.extensions.transport_sockets.tls.v3"; 23option (udpa.annotations.file_status).package_version_status = FROZEN; 24 25// [#protodoc-title: Common TLS configuration] 26 27message TlsParameters { 28 enum TlsProtocol { 29 // Envoy will choose the optimal TLS version. 30 TLS_AUTO = 0; 31 32 // TLS 1.0 33 TLSv1_0 = 1; 34 35 // TLS 1.1 36 TLSv1_1 = 2; 37 38 // TLS 1.2 39 TLSv1_2 = 3; 40 41 // TLS 1.3 42 TLSv1_3 = 4; 43 } 44 45 // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers. 46 TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; 47 48 // Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for 49 // servers. 50 TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; 51 52 // If specified, the TLS listener will only support the specified `cipher list 53 // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ 54 // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not 55 // specified, the default list will be used. 56 // 57 // In non-FIPS builds, the default cipher list is: 58 // 59 // .. code-block:: none 60 // 61 // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] 62 // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] 63 // ECDHE-ECDSA-AES128-SHA 64 // ECDHE-RSA-AES128-SHA 65 // AES128-GCM-SHA256 66 // AES128-SHA 67 // ECDHE-ECDSA-AES256-GCM-SHA384 68 // ECDHE-RSA-AES256-GCM-SHA384 69 // ECDHE-ECDSA-AES256-SHA 70 // ECDHE-RSA-AES256-SHA 71 // AES256-GCM-SHA384 72 // AES256-SHA 73 // 74 // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is: 75 // 76 // .. code-block:: none 77 // 78 // ECDHE-ECDSA-AES128-GCM-SHA256 79 // ECDHE-RSA-AES128-GCM-SHA256 80 // ECDHE-ECDSA-AES128-SHA 81 // ECDHE-RSA-AES128-SHA 82 // AES128-GCM-SHA256 83 // AES128-SHA 84 // ECDHE-ECDSA-AES256-GCM-SHA384 85 // ECDHE-RSA-AES256-GCM-SHA384 86 // ECDHE-ECDSA-AES256-SHA 87 // ECDHE-RSA-AES256-SHA 88 // AES256-GCM-SHA384 89 // AES256-SHA 90 repeated string cipher_suites = 3; 91 92 // If specified, the TLS connection will only support the specified ECDH 93 // curves. If not specified, the default curves will be used. 94 // 95 // In non-FIPS builds, the default curves are: 96 // 97 // .. code-block:: none 98 // 99 // X25519 100 // P-256 101 // 102 // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is: 103 // 104 // .. code-block:: none 105 // 106 // P-256 107 repeated string ecdh_curves = 4; 108} 109 110// BoringSSL private key method configuration. The private key methods are used for external 111// (potentially asynchronous) signing and decryption operations. Some use cases for private key 112// methods would be TPM support and TLS acceleration. 113message PrivateKeyProvider { 114 // Private key method provider name. The name must match a 115 // supported private key method provider type. 116 string provider_name = 1 [(validate.rules).string = {min_bytes: 1}]; 117 118 // Private key method provider specific configuration. 119 oneof config_type { 120 google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true]; 121 122 google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; 123 } 124} 125 126// [#next-free-field: 7] 127message TlsCertificate { 128 // The TLS certificate chain. 129 core.DataSource certificate_chain = 1; 130 131 // The TLS private key. 132 core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; 133 134 // BoringSSL private key method provider. This is an alternative to :ref:`private_key 135 // <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be 136 // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key 137 // <envoy_api_field_auth.TlsCertificate.private_key>` and 138 // :ref:`private_key_provider 139 // <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an 140 // error. 141 PrivateKeyProvider private_key_provider = 6; 142 143 // The password to decrypt the TLS private key. If this field is not set, it is assumed that the 144 // TLS private key is not password encrypted. 145 core.DataSource password = 3 [(udpa.annotations.sensitive) = true]; 146 147 // [#not-implemented-hide:] 148 core.DataSource ocsp_staple = 4; 149 150 // [#not-implemented-hide:] 151 repeated core.DataSource signed_certificate_timestamp = 5; 152} 153 154message TlsSessionTicketKeys { 155 // Keys for encrypting and decrypting TLS session tickets. The 156 // first key in the array contains the key to encrypt all new sessions created by this context. 157 // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys 158 // by, for example, putting the new key first, and the previous key second. 159 // 160 // If :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>` 161 // is not specified, the TLS library will still support resuming sessions via tickets, but it will 162 // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts 163 // or on different hosts. 164 // 165 // Each key must contain exactly 80 bytes of cryptographically-secure random data. For 166 // example, the output of ``openssl rand 80``. 167 // 168 // .. attention:: 169 // 170 // Using this feature has serious security considerations and risks. Improper handling of keys 171 // may result in loss of secrecy in connections, even if ciphers supporting perfect forward 172 // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some 173 // discussion. To minimize the risk, you must: 174 // 175 // * Keep the session ticket keys at least as secure as your TLS certificate private keys 176 // * Rotate session ticket keys at least daily, and preferably hourly 177 // * Always generate keys using a cryptographically-secure random data source 178 repeated core.DataSource keys = 1 179 [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; 180} 181 182// [#next-free-field: 11] 183message CertificateValidationContext { 184 // Peer certificate verification mode. 185 enum TrustChainVerification { 186 // Perform default certificate verification (e.g., against CA / verification lists) 187 VERIFY_TRUST_CHAIN = 0; 188 189 // Connections where the certificate fails verification will be permitted. 190 // For HTTP connections, the result of certificate verification can be used in route matching. ( 191 // see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>` ). 192 ACCEPT_UNTRUSTED = 1; 193 } 194 195 // TLS certificate data containing certificate authority certificates to use in verifying 196 // a presented peer certificate (e.g. server certificate for clusters or client certificate 197 // for listeners). If not specified and a peer certificate is presented it will not be 198 // verified. By default, a client certificate is optional, unless one of the additional 199 // options (:ref:`require_client_certificate 200 // <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, 201 // :ref:`verify_certificate_spki 202 // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, 203 // :ref:`verify_certificate_hash 204 // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or 205 // :ref:`match_subject_alt_names 206 // <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also 207 // specified. 208 // 209 // It can optionally contain certificate revocation lists, in which case Envoy will verify 210 // that the presented peer certificate has not been revoked by one of the included CRLs. 211 // 212 // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common 213 // system CA locations. 214 core.DataSource trusted_ca = 1; 215 216 // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the 217 // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate 218 // matches one of the specified values. 219 // 220 // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate 221 // can be generated with the following command: 222 // 223 // .. code-block:: bash 224 // 225 // $ openssl x509 -in path/to/client.crt -noout -pubkey 226 // | openssl pkey -pubin -outform DER 227 // | openssl dgst -sha256 -binary 228 // | openssl enc -base64 229 // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= 230 // 231 // This is the format used in HTTP Public Key Pinning. 232 // 233 // When both: 234 // :ref:`verify_certificate_hash 235 // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and 236 // :ref:`verify_certificate_spki 237 // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified, 238 // a hash matching value from either of the lists will result in the certificate being accepted. 239 // 240 // .. attention:: 241 // 242 // This option is preferred over :ref:`verify_certificate_hash 243 // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, 244 // because SPKI is tied to a private key, so it doesn't change when the certificate 245 // is renewed using the same private key. 246 repeated string verify_certificate_spki = 3 247 [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}]; 248 249 // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that 250 // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. 251 // 252 // A hex-encoded SHA-256 of the certificate can be generated with the following command: 253 // 254 // .. code-block:: bash 255 // 256 // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 257 // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a 258 // 259 // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate 260 // can be generated with the following command: 261 // 262 // .. code-block:: bash 263 // 264 // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 265 // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A 266 // 267 // Both of those formats are acceptable. 268 // 269 // When both: 270 // :ref:`verify_certificate_hash 271 // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and 272 // :ref:`verify_certificate_spki 273 // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified, 274 // a hash matching value from either of the lists will result in the certificate being accepted. 275 repeated string verify_certificate_hash = 2 276 [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}]; 277 278 // An optional list of Subject Alternative Names. If specified, Envoy will verify that the 279 // Subject Alternative Name of the presented certificate matches one of the specified values. 280 // 281 // .. attention:: 282 // 283 // Subject Alternative Names are easily spoofable and verifying only them is insecure, 284 // therefore this option must be used together with :ref:`trusted_ca 285 // <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`. 286 repeated string verify_subject_alt_name = 4 [deprecated = true]; 287 288 // An optional list of Subject Alternative name matchers. Envoy will verify that the 289 // Subject Alternative Name of the presented certificate matches one of the specified matches. 290 // 291 // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be 292 // configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`. 293 // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", 294 // it should be configured as shown below. 295 // 296 // .. code-block:: yaml 297 // 298 // match_subject_alt_names: 299 // exact: "api.example.com" 300 // 301 // .. attention:: 302 // 303 // Subject Alternative Names are easily spoofable and verifying only them is insecure, 304 // therefore this option must be used together with :ref:`trusted_ca 305 // <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`. 306 repeated type.matcher.StringMatcher match_subject_alt_names = 9; 307 308 // [#not-implemented-hide:] Must present a signed time-stamped OCSP response. 309 google.protobuf.BoolValue require_ocsp_staple = 5; 310 311 // [#not-implemented-hide:] Must present signed certificate time-stamp. 312 google.protobuf.BoolValue require_signed_certificate_timestamp = 6; 313 314 // An optional `certificate revocation list 315 // <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ 316 // (in PEM format). If specified, Envoy will verify that the presented peer 317 // certificate has not been revoked by this CRL. If this DataSource contains 318 // multiple CRLs, all of them will be used. 319 core.DataSource crl = 7; 320 321 // If specified, Envoy will not reject expired certificates. 322 bool allow_expired_certificate = 8; 323 324 // Certificate trust chain verification mode. 325 TrustChainVerification trust_chain_verification = 10 326 [(validate.rules).enum = {defined_only: true}]; 327} 328