Skip to main content

Error

pkix_path

Enum Error 

Source 
#[non_exhaustive]
pub enum Error {

Show 19 variants    SignatureInvalid {
        index: usize,
    },
    MalformedCertificate {
        index: usize,
    },
    ValidityPeriod {
        index: usize,
    },
    ChainBroken {
        index: usize,
    },
    NoTrustedPath,
    PathTooLong,
    NotCA {
        index: usize,
    },
    KeyUsageMissing {
        index: usize,
    },
    UnhandledCriticalExtension {
        index: usize,
    },
    NameConstraintViolation {
        index: usize,
    },
    PolicyViolation {
        index: usize,
    },
    Der(DerError),
    ValidityPeriodExceedsMax {
        index: usize,
    },
    AlgorithmNotAllowed {
        index: usize,
    },
    KeyTooSmall {
        index: usize,
    },
    MissingSan,
    MissingRfc822San,
    MissingEku,
    DuplicateCertificate {
        first: usize,
        second: usize,
    },

}
Expand description

Errors returned by path validation.

Variants (Non-exhaustive)§

This enum is marked as non-exhaustive
Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.
§

SignatureInvalid

Certificate signature verification failed at the given chain index.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

MalformedCertificate

A structural encoding error was found in a certificate.

Currently returned when the outer signatureAlgorithm OID differs from the inner TBSCertificate.signature OID (RFC 5280 §4.1.1.2). Parameters are not compared; see check_oid_consistency for rationale.

Fields

§index: usize

Zero-based index into the chain slice of the malformed certificate.

The underlying der::Error is intentionally not stored here to keep this variant no_std-compatible and to preserve the stable API shape. Callers that need the root-cause parse error should validate the DER certificate independently before calling validate_path.

§

ValidityPeriod

Certificate validity period check failed (expired or not yet valid).

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

ChainBroken

Issuer/subject name linkage is broken at the given chain index.

Fields

§index: usize

Zero-based index into the chain slice where the break was found.

§

NoTrustedPath

No path from the subject certificate to any trust anchor was found.

§

PathTooLong

Path length exceeds ValidationPolicy::max_path_len.

§

NotCA

An intermediate certificate is missing BasicConstraints cA=TRUE.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

KeyUsageMissing

An intermediate certificate has a KeyUsage extension with keyCertSign not set.

This error is only returned when a KeyUsage extension is present and the keyCertSign bit is explicitly absent or zero (RFC 5280 §6.1.4(n): “If a KeyUsage extension is present, verify that the keyCertSign bit is set.”).

Certificates with no KeyUsage extension are not rejected by this check; RFC 5280 does not require the extension to be present on CA certificates.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

UnhandledCriticalExtension

A critical extension is present that this implementation does not handle.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

NameConstraintViolation

Certificate name constraints violated (RFC 5280 §4.2.1.10); index is the 0-based chain position.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

PolicyViolation

Certificate policy validation failed (RFC 5280 §6.1.5(g)).

Returned when explicit_policy reaches zero and the valid policy tree is empty, meaning no acceptable certificate policy exists for the chain.

Fields

§index: usize

Zero-based index of the certificate where the violation was detected.

§

Der(DerError)

ASN.1 / DER encoding or decoding error.

Returned when a structural encoding error is found in a certificate or when re-encoding TBSCertificate for signature verification fails. Signature verification now uses heap-allocated encoding (no fixed size limit), so this error reflects a genuine DER encoding defect in the certificate, not an implementation size constraint.

The inner DerError is an opaque newtype; the underlying der::Error is intentionally not exposed so a future major-version bump in the der crate cannot cascade into a semver break here.

§

ValidityPeriodExceedsMax

A certificate’s validity period (notAfter − notBefore) exceeds ValidationPolicy::max_validity_secs.

This check fires for every certificate in the chain, not just the leaf.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

AlgorithmNotAllowed

A certificate’s signature algorithm OID is not in ValidationPolicy::allowed_signature_algs.

The check fires before signature verification so the error is diagnostic rather than a confusing SignatureInvalid.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

KeyTooSmall

An RSA public key’s modulus is smaller than ValidationPolicy::min_rsa_key_bits bits.

Non-RSA keys (EC, Ed25519, …) are not affected by this check.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

MissingSan

The leaf certificate (chain index 0) has no SubjectAltName extension, or the extension is present but empty.

Only checked when ValidationPolicy::require_subject_alt_name is true. Intermediate CA certificates are not subject to this check.

§

MissingRfc822San

The leaf certificate (chain index 0) has a SubjectAltName extension but none of its entries is an rfc822Name (email address).

Only checked when ValidationPolicy::require_rfc822_san is true. Intermediate CA certificates are not subject to this check.

§

MissingEku

The leaf certificate (chain index 0) does not assert all OIDs required by ValidationPolicy::required_leaf_eku.

anyExtendedKeyUsage (2.5.29.37.0) does not satisfy a specific OID requirement — each required OID must be listed explicitly.

§

DuplicateCertificate

Two certificates in the chain share the same (issuer DN, serial number).

Per RFC 5280 §4.1.2.2, the combination of issuer DN and serial number uniquely identifies a certificate. A cert appearing twice at different chain positions is a construction error. Returned as a diagnostic rather than a confusing Error::SignatureInvalid or Error::ChainBroken.

Note: two certificates with the same public key but different issuer+serial are distinct certificates (e.g. cross-signed CAs) and are not rejected by this check.

first and second are the zero-based chain indices of the two duplicates.

Fields

§first: usize

First occurrence index.

§second: usize

Second occurrence index.

Trait Implementations§

Source§

impl Clone for Error

Source§

fn clone(&self) -> Error

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Error

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Display for Error

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Error for Error

Available on crate feature std only.
Source§

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any. Read more
1.0.0 · Source§

fn description(&self) -> &str

👎Deprecated since 1.42.0:

use the Display impl or to_string()

Read more
1.0.0 · Source§

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0:

replaced by Error::source, which can support downcasting

Source§

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)
Provides type-based access to context intended for error reports. Read more
Source§

impl From<Error> for Error

Source§

fn from(e: Error) -> Self

Converts to this type from the input type.
Source§

impl PartialEq for Error

Source§

fn eq(&self, other: &Error) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 (const: unstable) · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Eq for Error

Source§

impl StructuralPartialEq for Error

Auto Trait Implementations§

§

impl Freeze for Error

§

impl RefUnwindSafe for Error

§

impl Send for Error

§

impl Sync for Error

§

impl Unpin for Error

§

impl UnsafeUnpin for Error

§

impl UnwindSafe for Error

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V