spiffe 0.13.0

Core SPIFFE identity types and Workload API sources
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

//! Error types for certificate and private key parsing/validation.

use crate::SpiffeIdError;
use x509_parser::asn1_rs::Oid;
use x509_parser::error::X509Error;

/// An error that may arise parsing and validating X.509 certificates.
#[derive(Debug, thiserror::Error, PartialEq)]
#[non_exhaustive]
pub enum CertificateError {
    /// An X.509 extension cannot be found.
    #[error("X.509 extension is missing: {0}")]
    MissingX509Extension(Oid<'static>),

    /// Unexpected X.509 extension encountered.
    #[error("unexpected X.509 extension: {0}")]
    UnexpectedExtension(String),

    /// Error returned by the X.509 parsing library.
    #[error("failed parsing X.509 certificate")]
    ParseX509Certificate(#[from] X509Error),

    /// The certificate does not contain any URI SAN that is a SPIFFE ID.
    #[error("certificate is missing SPIFFE ID in URI SAN")]
    MissingSpiffeId,

    /// The certificate contains more than one URI SAN entry.
    ///
    /// X.509-SVID validation requires exactly one URI SAN entry that carries the
    /// SPIFFE ID.
    #[error("certificate contains multiple URI SAN entries")]
    MultipleUriSanEntries,

    /// The certificate contains more than one URI SAN that parses as a SPIFFE ID.
    ///
    /// Kept for compatibility with callers that match this variant specifically.
    #[error("certificate contains multiple SPIFFE IDs in URI SAN")]
    MultipleSpiffeIds,

    /// The certificate has too many URI SAN entries to process safely.
    #[error("certificate has too many URI SAN entries (max {max})")]
    TooManyUriSanEntries {
        /// Maximum number of URI SAN entries that will be inspected before aborting.
        ///
        /// This bound exists to prevent excessive resource usage when processing
        /// malformed or adversarial certificates.
        max: usize,
    },

    /// The certificate chain has too many certificates to process safely.
    #[error("certificate chain has too many certificates (max {max})")]
    TooManyCertificates {
        /// Maximum number of certificates that will be parsed before aborting.
        ///
        /// This bound exists to prevent excessive memory allocation and processing time
        /// when processing malformed or adversarial certificate chains.
        max: usize,
    },

    /// A URI SAN looked like a candidate but failed SPIFFE ID parsing.
    #[error("failed to parse SPIFFE ID from URI SAN: {0}")]
    InvalidSpiffeId(#[from] SpiffeIdError),
}

/// An error that may arise decoding private keys.
#[derive(Debug, thiserror::Error, PartialEq)]
#[non_exhaustive]
pub enum PrivateKeyError {
    /// Error returned by the pkcs#8 private key decoding library.
    #[error("failed decoding PKCS#8 private key")]
    DecodePkcs8(pkcs8::Error),
}