Enum TctError 

#[non_exhaustive]
pub enum TctError {
    VersionUnknown,
    SignatureInvalid,
    IssuerMismatch,
    AudienceMismatch,
    Expired,
    ExpiresAfterManifest,
    Revoked,
    EmptyGrants,
    GrantWhitespace(String),
    CnfMalformed,
    ClaimsMalformed(String),
    MissingField(&'static str),
    Canonicalization(String),
    PopNonceMismatch,
    PopFailed,
    PopChallengeExpired,
    PopJtiMismatch,
    Crypto(CryptoError),
}

Errors from TCT issuance and verification.

Variants (Non-exhaustive)

Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.

VersionUnknown

Version is not supported by this implementation.

SignatureInvalid

Signature did not verify against issuer’s public key.

IssuerMismatch

The verifying key supplied by the caller does not correspond to the key embedded in tct.issuer. RFC-AITP-0008 §3.3 requires verifiers to establish this issuer-key binding before consulting any revocation source; without it tct.issuer stays attacker-controlled even after a valid signature, enabling revocation evasion and steering of per-issuer revocation lookups.

AudienceMismatch

audience did not equal expected audience or did not equal subject.

Expired

expires_at is in the past, or issued_at is in the future.

ExpiresAfterManifest

expires_at exceeds the issuer Manifest’s expires_at. RFC-AITP-0004 §4.3 / RFC-AITP-0005 §9: a peer-issued TCT MUST NOT outlive the issuer’s published Manifest. Verifiers that have resolved the issuer’s Manifest MUST reject TCTs whose expires_at exceeds the Manifest’s.

Revoked

jti appears in the issuer’s deny list.

EmptyGrants

grants is empty (forbidden by RFC-AITP-0004 §4.1).

GrantWhitespace(String)

One or more grant strings contain whitespace (forbidden by RFC-AITP-0005 §4.2).

CnfMalformed

cnf.jkt does not equal the RFC 7638 thumbprint of the key encoded in the subject AID (RFC-AITP-0005 §3).

ClaimsMalformed(String)

Decoded JWS payload did not deserialize as the artifact’s claims object — unknown claim outside ext, duplicate claim, missing required claim, or a type mismatch (RFC-AITP-0001 §5.4.5 strict parsing).

MissingField(&'static str)

Builder was missing a required field.

Canonicalization(String)

Canonicalization failed.

PopNonceMismatch

PoP nonce echo mismatch (RFC-AITP-0005 §6.2 step 2).

PopFailed

PoP signature failed verification.

PopChallengeExpired

PoP challenge expired.

PopJtiMismatch

PoP response references a different jti than the challenge.

Crypto(CryptoError)

Crypto error.

Trait Implementations

impl Debug for TctError

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for TctError

fn fmt(&self, __formatter: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Error for TctError

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any.

fn description(&self) -> &str

👎Deprecated since 1.42.0:

use the Display impl or to_string()

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0:

replaced by Error::source, which can support downcasting

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)

Provides type-based access to context intended for error reports.

impl From<CryptoError> for TctError

fn from(source: CryptoError) -> Self

Converts to this type from the input type.