libsignify_rs/

error.rs

//
// signify-rs: cryptographically sign and verify files
// lib/src/error.rs: Error handling functions
//
// Copyright (c) 2025, 2026 Ali Polatel <alip@chesswob.org>
// Based in part upon OpenBSD's signify which is:
//   Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
//   Copyright (c) 2016 Marc Espie <espie@openbsd.org>
//   Copyright (c) 2019 Adrian Perez de Castro <aperez@igalia.com>
//   Copyright (c) 2019 Scott Bennett and other contributors
//   SPDX-License-Identifier: ISC
//
// SPDX-License-Identifier: ISC

use std::fmt;
use std::io;
use std::path::PathBuf;

/// Custom Error type for Signify operations.
#[derive(Debug)]
pub enum Error {
    /// I/O error.
    Io(io::Error),
    /// Key length is invalid.
    InvalidKeyLength,
    /// Unsupported public key algorithm (expected Ed).
    UnsupportedPkAlgo,
    /// Unsupported KDF algorithm (expected BK).
    UnsupportedKdfAlgo,
    /// File is too short.
    FileTooShort,
    /// File is too large (exceeds 1GB limit for embedded verification).
    FileTooLarge,
    /// Invalid comment header (expected "untrusted comment: ...").
    InvalidCommentHeader,
    /// Invalid comment (not utf8)
    InvalidCommentUtf8,
    /// Password confirmation failed.
    PasswordMismatch,
    /// Failed to read password.
    PasswordReadFailed,
    /// Incorrect passphrase (checksum mismatch).
    IncorrectPassphrase,
    /// Missing public key (no comment or autolocate failed).
    MissingPubKey,
    /// Key fingerprint mismatch.
    KeyMismatch,
    /// Signature verification failed.
    VerifyFailed,
    /// Autolocate failed to find the key.
    AutolocateFailed(PathBuf, Box<Error>),
    /// Key name compliance check failed.
    InvalidKeyName,
    /// Path does not contain a filename.
    InvalidPath,
    /// Checksum verification failed.
    CheckFailed,
    /// Checksum mismatch for a specific file.
    ChecksumMismatch(String),
    /// Unable to parse checksum line.
    ChecksumParseFailed(String),
    /// Unsupported hash algorithm.
    UnsupportedHashAlgo(String),
    /// Integer overflow.
    Overflow,
    /// Base64 decoding failed.
    Base64Decode(base64ct::Error),
    /// Argument parsing error.
    Arg(lexopt::Error),
    /// Invalid signature length.
    InvalidSignatureLength,
    /// Missing Gzip header.
    MissingGzipHeader,
    /// Missing signature in Gzip comment.
    MissingGzipSignature,
    /// Missing newline in signature.
    MissingSignatureNewline,
    /// Keyring support is disabled.
    KeyringDisabled,
    /// Invalid key ID.
    InvalidKeyId,
    /// Required argument missing.
    RequiredArg(&'static str),
    /// Mode not specified.
    MissingMode,
    /// Invalid UTF-8 in password.
    InvalidPasswordUtf8,
    /// Invalid UTF-8 in signature.
    InvalidSignatureUtf8,
    /// Password is too weak.
    WeakPassword(Option<String>),
    /// Keyring error.
    #[cfg(any(target_os = "linux", target_os = "android"))]
    Keyring(linux_keyutils::KeyError),
    /// Cryptographic error (e.g., invalid key format).
    Crypto(ed25519_compact::Error),
    /// RNG error.
    Rng(rand_core::OsError),
    #[cfg(unix)]
    /// UNIX error.
    Nix(nix::errno::Errno),
    /// Landlock error.
    #[cfg(any(target_os = "linux", target_os = "android"))]
    Landlock(landlock::RulesetError),
    /// Capsicum error.
    #[cfg(target_os = "freebsd")]
    Capsicum(io::Error),
    /// Pledge error.
    #[cfg(target_os = "openbsd")]
    Pledge(pledge::Error),
    /// Unveil error.
    #[cfg(target_os = "openbsd")]
    Unveil(unveil::Error),
}

impl std::error::Error for Error {
    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
        match self {
            Self::Io(err) => Some(err),
            Self::Base64Decode(err) => Some(err),
            Self::Arg(err) => Some(err),
            #[cfg(unix)]
            Self::Nix(err) => Some(err),
            #[cfg(any(target_os = "linux", target_os = "android"))]
            Self::Landlock(err) => Some(err),
            #[cfg(target_os = "freebsd")]
            Self::Capsicum(err) => Some(err),
            #[cfg(target_os = "openbsd")]
            Self::Pledge(err) => Some(err),
            #[cfg(target_os = "openbsd")]
            Self::Unveil(err) => Some(err),
            _ => None,
        }
    }
}

impl fmt::Display for Error {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::Io(err) => write!(f, "IO error: {err}"),
            Self::InvalidKeyLength => write!(f, "invalid key length"),
            Self::UnsupportedPkAlgo => write!(f, "unsupported public key algorithm"),
            Self::UnsupportedKdfAlgo => write!(f, "unsupported KDF algorithm"),
            Self::FileTooShort => write!(f, "file too short"),
            Self::FileTooLarge => write!(f, "file too large (memory limit exceeded)"),
            Self::InvalidCommentHeader => write!(f, "invalid comment header"),
            Self::InvalidCommentUtf8 => write!(f, "invalid comment (not utf8)"),
            Self::InvalidPasswordUtf8 => write!(f, "invalid password (not utf8)"),
            Self::InvalidSignatureUtf8 => write!(f, "invalid signature (base64 is not utf8)"),
            Self::Base64Decode(err) => write!(f, "base64 decode error: {err}"),
            Self::Arg(err) => write!(f, "argument error: {err}"),
            Self::PasswordMismatch => write!(f, "password mismatch"),
            Self::PasswordReadFailed => write!(f, "failed to read password"),
            Self::IncorrectPassphrase => write!(f, "incorrect passphrase"),
            Self::MissingPubKey => write!(f, "public key not found"),
            Self::KeyMismatch => write!(f, "verification failed: checked against wrong key"),
            Self::VerifyFailed => write!(f, "signature verification failed"),
            Self::AutolocateFailed(path, err) => {
                write!(f, "autolocate failed loading {}: {err}", path.display())
            }
            Self::InvalidKeyName => write!(f, "invalid key name"),
            Self::InvalidPath => write!(f, "invalid path"),
            Self::CheckFailed => write!(f, "checksum check failed"),
            Self::ChecksumMismatch(file) => write!(f, "{file}: FAIL"),
            Self::ChecksumParseFailed(line) => write!(f, "unable to parse: {line}"),
            Self::UnsupportedHashAlgo(algo) => write!(f, "unsupported hash algorithm: {algo}"),
            Self::Overflow => write!(f, "limit exceeded"),
            Self::InvalidSignatureLength => write!(f, "invalid signature length"),
            Self::MissingGzipHeader => write!(f, "missing gzip header"),
            Self::MissingGzipSignature => write!(f, "missing signature in gzip comment"),
            Self::MissingSignatureNewline => write!(f, "missing newline in signature"),
            Self::KeyringDisabled => write!(f, "keyring support disabled"),
            Self::InvalidKeyId => write!(f, "invalid key id"),
            Self::RequiredArg(arg) => write!(f, "missing required argument: {arg}"),
            Self::MissingMode => write!(f, "must specify mode"),
            Self::WeakPassword(feedback) => {
                if let Some(msg) = feedback {
                    write!(f, "password too weak: {msg}")
                } else {
                    write!(f, "password too weak")
                }
            }
            #[cfg(any(target_os = "linux", target_os = "android"))]
            Self::Keyring(err) => write!(f, "keyring error: {err:?}"),
            Self::Crypto(err) => write!(f, "crypto error: {err}"),
            Self::Rng(err) => write!(f, "rng error: {err}"),
            #[cfg(unix)]
            Self::Nix(err) => write!(f, "UNIX error: {err}"),
            #[cfg(any(target_os = "linux", target_os = "android"))]
            Self::Landlock(err) => write!(f, "landlock error: {err}"),
            #[cfg(target_os = "freebsd")]
            Self::Capsicum(err) => write!(f, "capsicum error: {err}"),
            #[cfg(target_os = "openbsd")]
            Self::Pledge(err) => write!(f, "pledge error: {err}"),
            #[cfg(target_os = "openbsd")]
            Self::Unveil(err) => write!(f, "unveil error: {err}"),
        }
    }
}

impl From<ed25519_compact::Error> for Error {
    fn from(err: ed25519_compact::Error) -> Self {
        Self::Crypto(err)
    }
}

#[cfg(unix)]
impl From<nix::errno::Errno> for Error {
    fn from(err: nix::errno::Errno) -> Self {
        Self::Nix(err)
    }
}

impl From<io::Error> for Error {
    fn from(err: io::Error) -> Self {
        Self::Io(err)
    }
}

impl From<base64ct::Error> for Error {
    fn from(err: base64ct::Error) -> Self {
        Self::Base64Decode(err)
    }
}

impl From<lexopt::Error> for Error {
    fn from(err: lexopt::Error) -> Self {
        Self::Arg(err)
    }
}

#[cfg(any(target_os = "linux", target_os = "android"))]
impl From<linux_keyutils::KeyError> for Error {
    fn from(err: linux_keyutils::KeyError) -> Self {
        Self::Keyring(err)
    }
}

impl From<rand_core::OsError> for Error {
    fn from(err: rand_core::OsError) -> Self {
        Self::Rng(err)
    }
}

#[cfg(target_os = "openbsd")]
impl From<pledge::Error> for Error {
    fn from(err: pledge::Error) -> Self {
        Self::Pledge(err)
    }
}

#[cfg(target_os = "openbsd")]
impl From<unveil::Error> for Error {
    fn from(err: unveil::Error) -> Self {
        Self::Unveil(err)
    }
}

#[cfg(any(target_os = "linux", target_os = "android"))]
impl From<landlock::RulesetError> for Error {
    fn from(err: landlock::RulesetError) -> Self {
        Self::Landlock(err)
    }
}

/// Result alias for Signify operations.
pub type Result<T> = std::result::Result<T, Error>;