46 changes: 46 additions & 0 deletions api/v1alpha1/tls_types.go
Expand Up @@ -141,6 +141,52 @@ type ClientValidationContext struct {
// +kubebuilder:validation:MaxItems=8
// +optional
CACertificateRefs []gwapiv1.SecretObjectReference `json:"caCertificateRefs,omitempty"`

// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will
// verify that the SHA-256 of the DER-encoded Subject Public Key Information
// (SPKI) of the presented certificate matches one of the specified values.
// +optional
SPKIHashes []string `json:"spkiHashes,omitempty"`

// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will
// verify that the SHA-256 of the DER-encoded presented certificate matches
// one of the specified values.
// +optional
CertificateHashes []string `json:"certificateHashes,omitempty"`

// An optional list of Subject Alternative name matchers. If specified, Envoy
// will verify that the Subject Alternative Name of the presented certificate
// matches one of the specified matchers
// +optional
SubjectAltNames *SubjectAltNames `json:"subjectAltNames,omitempty"`
}

type SubjectAltNames struct {
// DNS names matchers
// +optional
DNSNames []StringMatch `json:"dnsNames,omitempty"`

// Email addresses matchers
// +optional
EmailAddresses []StringMatch `json:"emailAddresses,omitempty"`

// IP addresses matchers
// +optional
IPAddresses []StringMatch `json:"ipAddresses,omitempty"`

// URIs matchers
// +optional
URIs []StringMatch `json:"uris,omitempty"`

// Other names matchers
// +optional
OtherNames []OtherSANMatch `json:"otherNames,omitempty"`
}

type OtherSANMatch struct {
// OID Value
Oid string `json:"oid"`
StringMatch `json:",inline"`
}

// Session defines settings related to TLS session management.
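Review bot: SPKIHashes and CertificateHashes accept any string with no item-count, length or pattern validation, unlike the neighbouring CACertificateRefs which carries `// +kubebuilder:validation:MaxItems=8`, so a mistyped pin is only detected when the configuration reaches Envoy (or, if the proxy tolerates a malformed entry, not at all) rather than at admission. A base64-encoded SHA-256 digest is always 44 characters and a hex-encoded one 64, so `// +kubebuilder:validation:items:Pattern=^[A-Za-z0-9+/]{43}=$` on SPKIHashes and `// +kubebuilder:validation:items:Pattern=^[0-9a-fA-F]{64}$` on CertificateHashes, plus a MaxItems marker on both lists and on the SubjectAltNames slices, would pin the expected format at the API boundary (if the colon-separated hex form is also meant to be accepted, the pattern needs to allow it). The field comments should also state how the two hash lists combine when both are set; as far as I recall Envoy accepts a certificate that matches either list, which a reader who configures both expecting an AND would not guess from the current text. The exported SubjectAltNames and OtherSANMatch types have no doc comment; `// SubjectAltNames groups the matchers applied to each Subject Alternative Name type of the presented client certificate.` and `// OtherSANMatch matches an otherName SAN entry by its OID and a StringMatch on its value.` would do. The enclosing ClientValidationContext struct begins before this hunk.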
81 changes: 81 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
Expand Up @@ -854,11 +854,174 @@ spec:
type: object
maxItems: 8
type: array
certificateHashes:
description: |-
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will
verify that the SHA-256 of the DER-encoded presented certificate matches
one of the specified values.
items:
type: string
type: array
optional:
description: |-
Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate.
type: boolean
spkiHashes:
description: |-
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will
verify that the SHA-256 of the DER-encoded Subject Public Key Information
(SPKI) of the presented certificate matches one of the specified values.
items:
type: string
type: array
subjectAltNames:
description: |-
An optional list of Subject Alternative name matchers. If specified, Envoy
will verify that the Subject Alternative Name of the presented certificate
matches one of the specified matchers
properties:
dnsNames:
description: DNS names matchers
items:
description: |-
StringMatch defines how to match any strings.
This is a general purpose match condition that can be used by other EG APIs
that need to match against a string.
properties:
type:
default: Exact
description: Type specifies how to match against
a string.
enum:
- Exact
- Prefix
- Suffix
- RegularExpression
type: string
value:
description: Value specifies the string value that
the match must have.
maxLength: 1024
minLength: 1
type: string
required:
- value
type: object
type: array
emailAddresses:
description: Email addresses matchers
items:
description: |-
StringMatch defines how to match any strings.
This is a general purpose match condition that can be used by other EG APIs
that need to match against a string.
properties:
type:
default: Exact
description: Type specifies how to match against
a string.
enum:
- Exact
- Prefix
- Suffix
- RegularExpression
type: string
value:
description: Value specifies the string value that
the match must have.
maxLength: 1024
minLength: 1
type: string
required:
- value
type: object
type: array
ipAddresses:
description: IP addresses matchers
items:
description: |-
StringMatch defines how to match any strings.
This is a general purpose match condition that can be used by other EG APIs
that need to match against a string.
properties:
type:
default: Exact
description: Type specifies how to match against
a string.
enum:
- Exact
- Prefix
- Suffix
- RegularExpression
type: string
value:
description: Value specifies the string value that
the match must have.
maxLength: 1024
minLength: 1
type: string
required:
- value
type: object
type: array
otherNames:
description: Other names matchers
items:
properties:
oid:
description: OID Value
type: string
type:
default: Exact
description: Type specifies how to match against
a string.
enum:
- Exact
- Prefix
- Suffix
- RegularExpression
type: string
value:
description: Value specifies the string value that
the match must have.
maxLength: 1024
minLength: 1
type: string
required:
- oid
- value
type: object
type: array
uris:
description: URIs matchers
items:
description: |-
StringMatch defines how to match any strings.
This is a general purpose match condition that can be used by other EG APIs
that need to match against a string.
properties:
type:
default: Exact
description: Type specifies how to match against
a string.
enum:
- Exact
- Prefix
- Suffix
- RegularExpression
type: string
value:
description: Value specifies the string value that
the match must have.
maxLength: 1024
minLength: 1
type: string
required:
- value
type: object
type: array
type: object
type: object
ecdhCurves:
description: |-