Skip to main content

Error

pkix_path

Enum Error 

Source 
#[non_exhaustive]
pub enum Error {

Show 22 variants    SignatureInvalid {
        index: usize,
    },
    MalformedCertificate {
        index: usize,
    },
    ValidityPeriod {
        index: usize,
    },
    ChainBroken {
        index: usize,
    },
    NoTrustedPath,
    PathTooLong,
    NotCA {
        index: usize,
    },
    KeyUsageMissing {
        index: usize,
    },
    CrlSignMissing {
        index: usize,
    },
    UnhandledCriticalExtension {
        index: usize,
    },
    NameConstraintViolation {
        index: usize,
    },
    PolicyViolation {
        index: usize,
    },
    Der(DerError),
    ValidityPeriodExceedsMax {
        index: usize,
    },
    AlgorithmNotAllowed {
        index: usize,
    },
    KeyTooSmall {
        index: usize,
    },
    MissingSan,
    MissingRfc822San,
    MissingEku,
    MissingLeafPolicyOid {
        required: ObjectIdentifier,
    },
    SubjectDnAttrRuleUnmet,
    DuplicateCertificate {
        first: usize,
        second: usize,
    },

}
Expand description

Errors returned by path validation.

Variants (Non-exhaustive)§

This enum is marked as non-exhaustive
Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.
§

SignatureInvalid

Certificate signature verification failed at the given chain index.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

MalformedCertificate

A structural encoding error was found in a certificate.

Currently returned when the outer signatureAlgorithm OID differs from the inner TBSCertificate.signature OID (RFC 5280 §4.1.1.2). Parameters are not compared; see check_oid_consistency for rationale.

Fields

§index: usize

Zero-based index into the chain slice of the malformed certificate.

The underlying der::Error is intentionally not stored here to keep this variant no_std-compatible and to preserve the stable API shape. Callers that need the root-cause parse error should validate the DER certificate independently before calling validate_path.

§

ValidityPeriod

Certificate validity period check failed (expired or not yet valid).

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

ChainBroken

Issuer/subject name linkage is broken at the given chain index.

Fields

§index: usize

Zero-based index into the chain slice where the break was found.

§

NoTrustedPath

No path from the subject certificate to any trust anchor was found.

§

PathTooLong

Path length exceeds ValidationPolicy::max_path_len.

§

NotCA

An intermediate certificate is missing BasicConstraints cA=TRUE.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

KeyUsageMissing

An intermediate certificate has a KeyUsage extension with keyCertSign not set.

This error is only returned when a KeyUsage extension is present and the keyCertSign bit is explicitly absent or zero (RFC 5280 §6.1.4(n): “If a KeyUsage extension is present, verify that the keyCertSign bit is set.”).

Certificates with no KeyUsage extension are not rejected by this check; RFC 5280 does not require the extension to be present on CA certificates.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

CrlSignMissing

An intermediate certificate has a KeyUsage extension with cRLSign not set.

This error is only returned when ValidationPolicy::require_crl_sign_on_cas is true and the intermediate’s KeyUsage extension is present with the cRLSign bit explicitly absent or zero. Certificates with no KeyUsage extension are not rejected by this check (RFC 5280 does not require the extension to be present on CA certificates).

RFC 5280 §6.1 does not mandate this check; it is an opt-in policy that restores PKITS §4.7.4 / §4.7.5 conformance for callers who treat a CA cert without cRLSign as non-issuable. Default is off.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

UnhandledCriticalExtension

A critical extension is present that this implementation does not handle.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

NameConstraintViolation

Certificate name constraints violated (RFC 5280 §4.2.1.10); index is the 0-based chain position.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

PolicyViolation

Certificate policy validation failed (RFC 5280 §6.1.5(g)).

Returned when explicit_policy reaches zero and the valid policy tree is empty, meaning no acceptable certificate policy exists for the chain.

Fields

§index: usize

Zero-based index of the certificate where the violation was detected.

§

Der(DerError)

ASN.1 / DER encoding or decoding error.

Returned when a structural encoding error is found in a certificate or when re-encoding TBSCertificate for signature verification fails. Signature verification now uses heap-allocated encoding (no fixed size limit), so this error reflects a genuine DER encoding defect in the certificate, not an implementation size constraint.

The inner DerError is an opaque newtype; the underlying der::Error is intentionally not exposed so a future major-version bump in the der crate cannot cascade into a semver break here.

§

ValidityPeriodExceedsMax

A certificate’s validity period (notAfter − notBefore) exceeds ValidationPolicy::max_validity_secs.

This check fires for every certificate in the chain, not just the leaf.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

AlgorithmNotAllowed

A certificate’s signature algorithm OID is not in ValidationPolicy::allowed_signature_algs.

The check fires before signature verification so the error is diagnostic rather than a confusing SignatureInvalid.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

KeyTooSmall

An RSA public key’s modulus is smaller than ValidationPolicy::min_rsa_key_bits bits.

Non-RSA keys (EC, Ed25519, …) are not affected by this check.

Fields

§index: usize

Zero-based index into the chain slice of the failing certificate.

§

MissingSan

The leaf certificate (chain index 0) has no SubjectAltName extension, or the extension is present but empty.

Only checked when ValidationPolicy::require_subject_alt_name is true. Intermediate CA certificates are not subject to this check.

§

MissingRfc822San

The leaf certificate (chain index 0) has a SubjectAltName extension but none of its entries is an rfc822Name (email address).

Only checked when ValidationPolicy::require_rfc822_san is true. Intermediate CA certificates are not subject to this check.

§

MissingEku

The leaf certificate (chain index 0) does not assert all OIDs required by ValidationPolicy::required_leaf_eku.

anyExtendedKeyUsage (2.5.29.37.0) does not satisfy a specific OID requirement — each required OID must be listed explicitly.

§

MissingLeafPolicyOid

The leaf certificate’s CertificatePolicies extension does not assert a required policy OID from ValidationPolicy::required_leaf_policy_oids.

anyPolicy (2.5.29.32.0) does not satisfy a specific OID requirement; each required OID must be listed explicitly in the leaf’s CertificatePolicies extension.

Distinct from Error::PolicyViolation, which signals failure of the RFC 5280 §6.1 policy tree (initial_policy_set / initial_explicit_policy). MissingLeafPolicyOid signals a leaf-only assertion check that is independent of the policy tree.

Fields

§required: ObjectIdentifier

The required policy OID that the leaf does not assert.

§

SubjectDnAttrRuleUnmet

The leaf certificate’s Subject DN does not satisfy ValidationPolicy::required_leaf_subject_dn_attrs.

This variant carries no payload; richer “which branch of the rule failed” diagnostics are a non-breaking follow-up.

§

DuplicateCertificate

Two certificates in the chain share the same (issuer DN, serial number).

Per RFC 5280 §4.1.2.2, the combination of issuer DN and serial number uniquely identifies a certificate. A cert appearing twice at different chain positions is a construction error. Returned as a diagnostic rather than a confusing Error::SignatureInvalid or Error::ChainBroken.

Note: two certificates with the same public key but different issuer+serial are distinct certificates (e.g. cross-signed CAs) and are not rejected by this check.

first and second are the zero-based chain indices of the two duplicates.

Fields

§first: usize

First occurrence index.

§second: usize

Second occurrence index.

Trait Implementations§

Source§

impl Clone for Error

Source§

fn clone(&self) -> Error

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Error

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<'de> Deserialize<'de> for Error

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl Display for Error

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Eq for Error

Source§

impl Error for Error

Available on crate feature std only.
Source§

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any. Read more
1.0.0 · Source§

fn description(&self) -> &str

👎Deprecated since 1.42.0:

use the Display impl or to_string()

Read more
1.0.0 · Source§

fn cause(&self) -> Option<&dyn Error>

👎Deprecated since 1.33.0:

replaced by Error::source, which can support downcasting

Source§

fn provide<'a>(&'a self, request: &mut Request<'a>)

🔬This is a nightly-only experimental API. (error_generic_member_access)
Provides type-based access to context intended for error reports. Read more
Source§

impl From<Error> for Error

Source§

fn from(e: Error) -> Self

Converts to this type from the input type.
Source§

impl PartialEq for Error

Source§

fn eq(&self, other: &Error) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 (const: unstable) · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Serialize for Error

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more
Source§

impl StructuralPartialEq for Error

Auto Trait Implementations§

§

impl Freeze for Error

§

impl RefUnwindSafe for Error

§

impl Send for Error

§

impl Sync for Error

§

impl Unpin for Error

§

impl UnsafeUnpin for Error

§

impl UnwindSafe for Error

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,

Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V