1 // Copyright 2015 Brian Smith.
2 //
3 // Permission to use, copy, modify, and/or distribute this software for any
4 // purpose with or without fee is hereby granted, provided that the above
5 // copyright notice and this permission notice appear in all copies.
6 //
7 // THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8 // WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 // MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
10 // ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 // WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 // ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 
15 use core::fmt;
16 
17 /// An error that occurs during certificate validation or name validation.
18 #[derive(Clone, Copy, Debug, PartialEq)]
19 pub enum Error {
20     /// The encoding of some ASN.1 DER-encoded item is invalid.
21     BadDer,
22 
23     /// The encoding of an ASN.1 DER-encoded time is invalid.
24     BadDerTime,
25 
26     /// A CA certificate is being used as an end-entity certificate.
27     CaUsedAsEndEntity,
28 
29     /// The certificate is expired; i.e. the time it is being validated for is
30     /// later than the certificate's notAfter time.
31     CertExpired,
32 
33     /// The certificate is not valid for the name it is being validated for.
34     CertNotValidForName,
35 
36     /// The certificate is not valid yet; i.e. the time it is being validated
37     /// for is earlier than the certificate's notBefore time.
38     CertNotValidYet,
39 
40     /// An end-entity certificate is being used as a CA certificate.
41     EndEntityUsedAsCa,
42 
43     /// An X.509 extension is invalid.
44     ExtensionValueInvalid,
45 
46     /// The certificate validity period (notBefore, notAfter) is invalid; e.g.
47     /// the notAfter time is earlier than the notBefore time.
48     InvalidCertValidity,
49 
50     /// The signature is invalid for the given public key.
51     InvalidSignatureForPublicKey,
52 
53     /// The certificate violates one or more name constraints.
54     NameConstraintViolation,
55 
56     /// The certificate violates one or more path length constraints.
57     PathLenConstraintViolated,
58 
59     /// The algorithm in the TBSCertificate "signature" field of a certificate
60     /// does not match the algorithm in the signature of the certificate.
61     SignatureAlgorithmMismatch,
62 
63     /// The certificate is not valid for the Extended Key Usage for which it is
64     /// being validated.
65     RequiredEkuNotFound,
66 
67     /// A valid issuer for the certificate could not be found.
68     UnknownIssuer,
69 
70     /// The certificate is not a v3 X.509 certificate.
71     ///
72     /// This error may be also reported if the certificate version field
73     /// is malformed.
74     UnsupportedCertVersion,
75 
76     /// The certificate extensions are missing or malformed.
77     ///
78     /// In particular, webpki requires the DNS name(s) be in the subjectAltName
79     /// extension as required by the CA/Browser Forum Baseline Requirements
80     /// and as recommended by RFC6125.
81     MissingOrMalformedExtensions,
82 
83     /// The certificate contains an unsupported critical extension.
84     UnsupportedCriticalExtension,
85 
86     /// The signature's algorithm does not match the algorithm of the public
87     /// key it is being validated for. This may be because the public key
88     /// algorithm's OID isn't recognized (e.g. DSA), or the public key
89     /// algorithm's parameters don't match the supported parameters for that
90     /// algorithm (e.g. ECC keys for unsupported curves), or the public key
91     /// algorithm and the signature algorithm simply don't match (e.g.
92     /// verifying an RSA signature with an ECC public key).
93     UnsupportedSignatureAlgorithmForPublicKey,
94 
95     /// The signature algorithm for a signature is not in the set of supported
96     /// signature algorithms given.
97     UnsupportedSignatureAlgorithm,
98 }
99 
100 impl fmt::Display for Error {
fmt(&self, f: &mut fmt::Formatter) -> fmt::Result101     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
102         write!(f, "{:?}", self)
103     }
104 }
105 
106 /// Requires the `std` feature.
107 #[cfg(feature = "std")]
108 impl ::std::error::Error for Error {}
109 
110 /// An error that occurs during certificate validation or name validation.
111 ///
112 /// `ErrorExt` effectively extends `Error` to support reporting new errors. Because `Error` is not
113 /// declared `#[non_exhaustive]` it could not be directly extended in a backward-compatible way.
114 #[non_exhaustive]
115 pub enum ErrorExt {
116     Error(Error),
117     MaximumSignatureChecksExceeded,
118     /// The maximum number of internal path building calls has been reached. Path complexity is too great.
119     MaximumPathBuildCallsExceeded,
120 }
121 
122 impl ErrorExt {
is_fatal(&self) -> bool123     pub(crate) fn is_fatal(&self) -> bool {
124         match self {
125             Self::Error(_) => false,
126             Self::MaximumSignatureChecksExceeded | Self::MaximumPathBuildCallsExceeded => true,
127         }
128     }
129 
into_error_lossy(self) -> Error130     pub(crate) fn into_error_lossy(self) -> Error {
131         match self {
132             Self::Error(e) => e,
133             Self::MaximumSignatureChecksExceeded | Self::MaximumPathBuildCallsExceeded => {
134                 Error::UnknownIssuer
135             }
136         }
137     }
138 }
139 
140 impl From<Error> for ErrorExt {
from(error: Error) -> Self141     fn from(error: Error) -> Self {
142         Self::Error(error)
143     }
144 }
145