X509Verifier
saq.sandwich.proto.api.v1.X509Verifier
Description
Verifier for X.509-based protocols such as TLS.
When X509Verifier is used as the peer verifier in TLSOptions, the following security requirements are enforced:
- Partial certificate chains are forbidden
- CA certificates must include the key usage extension (keyUsage), and must have the keyCertSign usage.
Some other default parameters are set to be as close as possible to RFC 5280.
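The requirements above, as an added example that is not Sandwich's own code: a Go sketch, using only the standard crypto/x509 package, of the checks an X509Verifier-style policy applies to a presented chain (no partial chains, keyUsage with keyCertSign on every CA, CA count limited by max_verify_depth with the leaf ignored). CheckChain and newCert are this example's own names, and the certificates it mints are constructed test data; the real enforcement happens in the OpenSSL-backed TLS stack.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckChain applies the page's rules to a leaf-first chain: every CA must carry
// keyUsage with keyCertSign, the CA count (leaf ignored) must not exceed maxDepth
// (max_verify_depth), and the chain must end at a self-issued trust anchor.
func CheckChain(chain, trusted []*x509.Certificate, maxDepth int) error {
	if len(chain) == 0 || len(chain)-1 > maxDepth { // leaf is not counted
		return errors.New("empty chain or deeper than max_verify_depth")
	}
	for _, ca := range chain[1:] {
		if ca.KeyUsage == 0 { // Go leaves KeyUsage zero when the extension is absent
			return errors.New("CA certificate has no keyUsage extension")
		}
		if ca.KeyUsage&x509.KeyUsageCertSign == 0 {
			return errors.New("CA certificate lacks keyCertSign")
		}
	}
	last := chain[len(chain)-1]
	for _, t := range trusted {
		if t.Equal(last) && bytes.Equal(last.RawIssuer, last.RawSubject) {
			return nil // signatures and validity periods are left to the TLS stack here
		}
	}
	return errors.New("partial chain: no self-issued trust anchor at the end")
}

// newCert mints a constructed test certificate; parent == nil means self-signed.
func newCert(cn string, isCA bool, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: usage, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```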
message X509Verifier {
  // List of trusted certificate authority certificates.
  //
  // Items of this list can also contain several certificates at once.
  // For example, "/etc/ssl/cert.pem" usually contains more than one CA. If this
  // file is given, Sandwich will read them all.
  //
  // See [Certificate](Certificate.md).
  repeated Certificate trusted_cas = 1;

  // Allow expired certificates.
  //
  // If true, no error is returned if an expired certificate is present in the
  // chain of certificates.
  //
  // Default: false.
  bool allow_expired_certificate = 4;

  // Maximum depth of a certificate chain.
  // The leaf certificate is ignored when counting certificates.
  //
  // Default: 100.
  uint32 max_verify_depth = 5;

  // Loads the OpenSSL system-default trust-anchor CA certificates.
  bool load_cas_from_default_verify_path = 6;

  // Next id: 7
}
Fields
trusted_cas
List of trusted certificate authority certificates.
Items of this list can also contain several certificates at once. For example, "/etc/ssl/cert.pem" usually contains more than one CA. If this file is given, Sandwich will read them all.
See Certificate.
allow_expired_certificate
Allow expired certificates.
If true, no error is returned if an expired certificate is present in the chain of certificates.
Default: false.
max_verify_depth
Maximum depth of a certificate chain. The leaf certificate is ignored when counting certificates.
Default: 100.
load_cas_from_default_verify_path
Loads the OpenSSL system-default trust-anchor CA certificates.