mirror of https://github.com/briansmith/webpki
145 lines
5.1 KiB
Rust
145 lines
5.1 KiB
Rust
// Copyright 2015 Brian Smith.
|
|
//
|
|
// Permission to use, copy, modify, and/or distribute this software for any
|
|
// purpose with or without fee is hereby granted, provided that the above
|
|
// copyright notice and this permission notice appear in all copies.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
|
|
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
|
|
// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
use core::fmt;
|
|
|
|
/// An error that occurs during certificate validation or name validation.
|
|
#[derive(Clone, Copy, Debug, PartialEq)]
|
|
pub enum Error {
|
|
/// The encoding of some ASN.1 DER-encoded item is invalid.
|
|
BadDer,
|
|
|
|
/// The encoding of an ASN.1 DER-encoded time is invalid.
|
|
BadDerTime,
|
|
|
|
/// A CA certificate is being used as an end-entity certificate.
|
|
CaUsedAsEndEntity,
|
|
|
|
/// The certificate is expired; i.e. the time it is being validated for is
|
|
/// later than the certificate's notAfter time.
|
|
CertExpired,
|
|
|
|
/// The certificate is not valid for the name it is being validated for.
|
|
CertNotValidForName,
|
|
|
|
/// The certificate is not valid yet; i.e. the time it is being validated
|
|
/// for is earlier than the certificate's notBefore time.
|
|
CertNotValidYet,
|
|
|
|
/// An end-entity certificate is being used as a CA certificate.
|
|
EndEntityUsedAsCa,
|
|
|
|
/// An X.509 extension is invalid.
|
|
ExtensionValueInvalid,
|
|
|
|
/// The certificate validity period (notBefore, notAfter) is invalid; e.g.
|
|
/// the notAfter time is earlier than the notBefore time.
|
|
InvalidCertValidity,
|
|
|
|
/// The signature is invalid for the given public key.
|
|
InvalidSignatureForPublicKey,
|
|
|
|
/// The certificate violates one or more name constraints.
|
|
NameConstraintViolation,
|
|
|
|
/// The certificate violates one or more path length constraints.
|
|
PathLenConstraintViolated,
|
|
|
|
/// The algorithm in the TBSCertificate "signature" field of a certificate
|
|
/// does not match the algorithm in the signature of the certificate.
|
|
SignatureAlgorithmMismatch,
|
|
|
|
/// The certificate is not valid for the Extended Key Usage for which it is
|
|
/// being validated.
|
|
RequiredEkuNotFound,
|
|
|
|
/// A valid issuer for the certificate could not be found.
|
|
UnknownIssuer,
|
|
|
|
/// The certificate is not a v3 X.509 certificate.
|
|
///
|
|
/// This error may be also reported if the certificate version field
|
|
/// is malformed.
|
|
UnsupportedCertVersion,
|
|
|
|
/// The certificate extensions are missing or malformed.
|
|
///
|
|
/// In particular, webpki requires the DNS name(s) be in the subjectAltName
|
|
/// extension as required by the CA/Browser Forum Baseline Requirements
|
|
/// and as recommended by RFC6125.
|
|
MissingOrMalformedExtensions,
|
|
|
|
/// The certificate contains an unsupported critical extension.
|
|
UnsupportedCriticalExtension,
|
|
|
|
/// The signature's algorithm does not match the algorithm of the public
|
|
/// key it is being validated for. This may be because the public key
|
|
/// algorithm's OID isn't recognized (e.g. DSA), or the public key
|
|
/// algorithm's parameters don't match the supported parameters for that
|
|
/// algorithm (e.g. ECC keys for unsupported curves), or the public key
|
|
/// algorithm and the signature algorithm simply don't match (e.g.
|
|
/// verifying an RSA signature with an ECC public key).
|
|
UnsupportedSignatureAlgorithmForPublicKey,
|
|
|
|
/// The signature algorithm for a signature is not in the set of supported
|
|
/// signature algorithms given.
|
|
UnsupportedSignatureAlgorithm,
|
|
}
|
|
|
|
impl fmt::Display for Error {
|
|
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
|
|
write!(f, "{:?}", self)
|
|
}
|
|
}
|
|
|
|
/// Requires the `std` feature.
|
|
#[cfg(feature = "std")]
|
|
impl ::std::error::Error for Error {}
|
|
|
|
/// An error that occurs during certificate validation or name validation.
|
|
///
|
|
/// `ErrorExt` effectively extends `Error` to support reporting new errors. Because `Error` is not
|
|
/// declared `#[non_exhaustive]` it could not be directly extended in a backward-compatible way.
|
|
#[non_exhaustive]
|
|
pub enum ErrorExt {
|
|
Error(Error),
|
|
MaximumSignatureChecksExceeded,
|
|
/// The maximum number of internal path building calls has been reached. Path complexity is too great.
|
|
MaximumPathBuildCallsExceeded,
|
|
}
|
|
|
|
impl ErrorExt {
|
|
pub(crate) fn is_fatal(&self) -> bool {
|
|
match self {
|
|
Self::Error(_) => false,
|
|
Self::MaximumSignatureChecksExceeded | Self::MaximumPathBuildCallsExceeded => true,
|
|
}
|
|
}
|
|
|
|
pub(crate) fn into_error_lossy(self) -> Error {
|
|
match self {
|
|
Self::Error(e) => e,
|
|
Self::MaximumSignatureChecksExceeded | Self::MaximumPathBuildCallsExceeded => {
|
|
Error::UnknownIssuer
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
impl From<Error> for ErrorExt {
|
|
fn from(error: Error) -> Self {
|
|
Self::Error(error)
|
|
}
|
|
}
|