hsh_kms/error.rs
1// Copyright © 2023-2026 Hash (HSH) library contributors. All rights reserved.
2// SPDX-License-Identifier: Apache-2.0 OR MIT
3
4//! Structured error type for the `hsh-kms` crate.
5
6use thiserror::Error;
7
8use crate::KeyVersion;
9
10/// Errors returned by [`Pepper`](crate::Pepper) implementations.
11#[derive(Debug, Error)]
12#[non_exhaustive]
13pub enum PepperError {
14 /// The provider does not hold a key for the requested version.
15 #[error("unknown key version: {0}")]
16 UnknownVersion(KeyVersion),
17
18 /// The provider has no keys registered at all — typically a builder
19 /// configuration error.
20 #[error("pepper provider has no keys registered")]
21 EmptyKeyset,
22
23 /// A registered key was shorter than the 16-byte safety floor.
24 #[error("pepper key version {version} is {actual} bytes; must be at least {minimum}")]
25 KeyTooShort {
26 /// Version that failed validation.
27 version: KeyVersion,
28 /// Actual length in bytes.
29 actual: usize,
30 /// Required minimum.
31 minimum: usize,
32 },
33
34 /// The underlying KMS / HSM backend returned an error.
35 #[error("pepper backend error: {0}")]
36 Backend(String),
37}