xref: /aosp_15_r20/external/grpc-grpc/src/proto/grpc/testing/xds/v3/tls.proto (revision cc02d7e222339f7a4f6ba5f422e6413f4bd931f2) 
1// Copyright 2020 The gRPC Authors
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15// Local copy of Envoy xDS proto file, used for testing only.
16
17syntax = "proto3";
18
19package envoy.extensions.transport_sockets.tls.v3;
20
21import "src/proto/grpc/testing/xds/v3/base.proto";
22import "src/proto/grpc/testing/xds/v3/extension.proto";
23import "src/proto/grpc/testing/xds/v3/string.proto";
24
25import "google/protobuf/wrappers.proto";
26
27// Indicates a certificate to be obtained from a named CertificateProvider plugin instance.
28// The plugin instances are defined in the client's bootstrap file.
29// The plugin allows certificates to be fetched/refreshed over the network asynchronously with
30// respect to the TLS handshake.
31// [#not-implemented-hide:]
32message CertificateProviderPluginInstance {
33  // Provider instance name. If not present, defaults to "default".
34  //
35  // Instance names should generally be defined not in terms of the underlying provider
36  // implementation (e.g., "file_watcher") but rather in terms of the function of the
37  // certificates (e.g., "foo_deployment_identity").
38  string instance_name = 1;
39
40  // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
41  // a root-certificate (validation context) or "example.com" to specify a certificate for a
42  // particular domain. Not all provider instances will actually use this field, so the value
43  // defaults to the empty string.
44  string certificate_name = 2;
45}
46
47message CertificateValidationContext {
48  // Certificate provider instance for fetching TLS certificates.
49  //
50  // Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified.
51  // [#not-implemented-hide:]
52  CertificateProviderPluginInstance ca_certificate_provider_instance = 13;
53
54  // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
55  // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
56  // matches one of the specified values.
57  //
58  // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
59  // can be generated with the following command:
60  //
61  // .. code-block:: bash
62  //
63  //   $ openssl x509 -in path/to/client.crt -noout -pubkey
64  //     | openssl pkey -pubin -outform DER
65  //     | openssl dgst -sha256 -binary
66  //     | openssl enc -base64
67  //   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
68  //
69  // This is the format used in HTTP Public Key Pinning.
70  //
71  // When both:
72  // :ref:`verify_certificate_hash
73  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
74  // :ref:`verify_certificate_spki
75  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
76  // a hash matching value from either of the lists will result in the certificate being accepted.
77  //
78  // .. attention::
79  //
80  //   This option is preferred over :ref:`verify_certificate_hash
81  //   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
82  //   because SPKI is tied to a private key, so it doesn't change when the certificate
83  //   is renewed using the same private key.
84  repeated string verify_certificate_spki = 3;
85
86  // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
87  // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
88  //
89  // A hex-encoded SHA-256 of the certificate can be generated with the following command:
90  //
91  // .. code-block:: bash
92  //
93  //   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
94  //   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
95  //
96  // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
97  // can be generated with the following command:
98  //
99  // .. code-block:: bash
100  //
101  //   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
102  //   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
103  //
104  // Both of those formats are acceptable.
105  //
106  // When both:
107  // :ref:`verify_certificate_hash
108  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
109  // :ref:`verify_certificate_spki
110  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
111  // a hash matching value from either of the lists will result in the certificate being accepted.
112  repeated string verify_certificate_hash = 2;
113
114  // An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
115  // Subject Alternative Name of the presented certificate matches one of the specified matchers.
116  //
117  // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
118  // configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
119  // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
120  // it should be configured as shown below.
121  //
122  // .. code-block:: yaml
123  //
124  //  match_subject_alt_names:
125  //    exact: "api.example.com"
126  //
127  // .. attention::
128  //
129  //   Subject Alternative Names are easily spoofable and verifying only them is insecure,
130  //   therefore this option must be used together with :ref:`trusted_ca
131  //   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
132  repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9;
133
134  // [#not-implemented-hide:] Must present signed certificate time-stamp.
135  google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
136
137  // An optional `certificate revocation list
138  // <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
139  // (in PEM format). If specified, Envoy will verify that the presented peer
140  // certificate has not been revoked by this CRL. If this DataSource contains
141  // multiple CRLs, all of them will be used. Note that if a CRL is provided
142  // for any certificate authority in a trust chain, a CRL must be provided
143  // for all certificate authorities in that chain. Failure to do so will
144  // result in verification failure for both revoked and unrevoked certificates
145  // from that chain.
146  config.core.v3.DataSource crl = 7;
147
148  // The configuration of an extension specific certificate validator.
149  // If specified, all validation is done by the specified validator,
150  // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
151  // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
152  // [#extension-category: envoy.tls.cert_validator]
153  config.core.v3.TypedExtensionConfig custom_validator_config = 12;
154}
155
156message UpstreamTlsContext {
157  // Common TLS context settings.
158  //
159  // .. attention::
160  //
161  //   Server certificate verification is not enabled by default. Configure
162  //   :ref:`trusted_ca<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
163  //   verification.
164  CommonTlsContext common_tls_context = 1;
165}
166
167message DownstreamTlsContext {
168  enum OcspStaplePolicy {
169    // OCSP responses are optional. If an OCSP response is absent
170    // or expired, the associated certificate will be used for
171    // connections without an OCSP staple.
172    LENIENT_STAPLING = 0;
173
174    // OCSP responses are optional. If an OCSP response is absent,
175    // the associated certificate will be used without an
176    // OCSP staple. If a response is provided but is expired,
177    // the associated certificate will not be used for
178    // subsequent connections. If no suitable certificate is found,
179    // the connection is rejected.
180    STRICT_STAPLING = 1;
181
182    // OCSP responses are required. Configuration will fail if
183    // a certificate is provided without an OCSP response. If a
184    // response expires, the associated certificate will not be
185    // used connections. If no suitable certificate is found, the
186    // connection is rejected.
187    MUST_STAPLE = 2;
188  }
189
190  // Common TLS context settings.
191  CommonTlsContext common_tls_context = 1;
192
193  // If specified, Envoy will reject connections without a valid client
194  // certificate.
195  google.protobuf.BoolValue require_client_certificate = 2;
196
197  // If specified, Envoy will reject connections without a valid and matching SNI.
198  // [#not-implemented-hide:]
199  google.protobuf.BoolValue require_sni = 3;
200
201  // Config for whether to use certificates if they do not have
202  // an accompanying OCSP response or if the response expires at runtime.
203  // Defaults to LENIENT_STAPLING
204  OcspStaplePolicy ocsp_staple_policy = 8;
205}
206
207
208// TLS context shared by both client and server TLS contexts.
209// [#next-free-field: 14]
210message CommonTlsContext {
211  // Similar to CertificateProvider above, but allows the provider instances to be configured on
212  // the client side instead of being sent from the control plane.
213  message CertificateProviderInstance {
214    // Provider instance name. This name must be defined in the client's configuration (e.g., a
215    // bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config
216    // field that would be sent in the CertificateProvider message if the config was sent by the
217    // control plane). If not present, defaults to "default".
218    //
219    // Instance names should generally be defined not in terms of the underlying provider
220    // implementation (e.g., "file_watcher") but rather in terms of the function of the
221    // certificates (e.g., "foo_deployment_identity").
222    string instance_name = 1;
223
224    // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
225    // a root-certificate (validation context) or "example.com" to specify a certificate for a
226    // particular domain. Not all provider instances will actually use this field, so the value
227    // defaults to the empty string.
228    string certificate_name = 2;
229  }
230
231  message CombinedCertificateValidationContext {
232    // How to validate peer certificates.
233    CertificateValidationContext default_validation_context = 1;
234
235    // Certificate provider instance for fetching validation context.
236    // Only one of validation_context_sds_secret_config, validation_context_certificate_provider,
237    // or validation_context_certificate_provider_instance may be used.
238    CertificateProviderInstance validation_context_certificate_provider_instance = 4;
239  }
240
241  message TlsParameters {}
242
243  // TLS protocol versions, cipher suites etc.
244  TlsParameters tls_params = 1;
245
246  message TlsCertificate {}
247
248  // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
249  // same context to allow both RSA and ECDSA certificates.
250  //
251  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
252  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
253  // used for clients that support ECDSA.
254  //
255  // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
256  // and *tls_certificate_provider_instance* may be used.
257  // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
258  // not legal to put a repeated field in a oneof. In the next major version, we should rework
259  // this to avoid this problem.]
260  repeated TlsCertificate tls_certificates = 2;
261
262  message SdsSecretConfig {}
263
264  // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
265  // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
266  //
267  // The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
268  // are valid in the the certificates fetched through this setting.
269  //
270  // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
271  // and *tls_certificate_provider_instance* may be used.
272  // [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
273  // not legal to put a repeated field in a oneof. In the next major version, we should rework
274  // this to avoid this problem.]
275  repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
276
277  // Certificate provider instance for fetching TLS certs.
278  //
279  // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
280  // and *tls_certificate_provider_instance* may be used.
281  // [#not-implemented-hide:]
282  CertificateProviderPluginInstance tls_certificate_provider_instance = 14;
283
284  // Certificate provider instance for fetching TLS certificates.
285  CertificateProviderInstance tls_certificate_certificate_provider_instance = 11;
286
287  oneof validation_context_type {
288    // How to validate peer certificates.
289    CertificateValidationContext validation_context = 3;
290
291    // Config for fetching validation context via SDS API. Note SDS API allows certificates to be
292    // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
293    SdsSecretConfig validation_context_sds_secret_config = 7;
294
295    // Combined certificate validation context holds a default CertificateValidationContext
296    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
297    // and default CertificateValidationContext are merged into a new CertificateValidationContext
298    // for validation. This merge is done by Message::MergeFrom(), so dynamic
299    // CertificateValidationContext overwrites singular fields in default
300    // CertificateValidationContext, and concatenates repeated fields to default
301    // CertificateValidationContext, and logical OR is applied to boolean fields.
302    CombinedCertificateValidationContext combined_validation_context = 8;
303  }
304
305  // Custom TLS handshaker. If empty, defaults to native TLS handshaking
306  // behavior.
307  config.core.v3.TypedExtensionConfig custom_handshaker = 13;
308}
309