Enum Error 

#[non_exhaustive]
pub enum Error {
    Revoked {
        serial: SerialNumber,
        reason_code: Option<CrlReason>,
    },
    CrlExpired,
    CrlIssuerMismatch,
    CrlSignatureInvalid,
    CrlParseError(DerError),
    OcspSignatureInvalid,
    OcspResponderIdMismatch,
    OcspCertIdMismatch,
    OcspIssuerCertMismatch,
    OcspStatusUnknown,
    OcspExpired,
    OcspParseError(DerError),
    OcspMalformed,
    OcspResponderEkuMissing,
    OcspResponderEkuMalformed,
    OcspResponderCertNotIssuedByCa,
    OcspResponderCertExpired,
    OcspResponderCertSigInvalid,
    IndirectCrlIssuerMissing,
    IndirectCrlIssuerUnexpected,
    CrlSignMissing,
    CrlSignerNotFound,
    CrlSignerNotTrusted,
    DeltaCrlBaseMismatch,
    CrlNumberMismatch,
    MalformedCertificate,
    OutOfScope(OutOfScopeReason),
    RevocationFetchFailed {
        description: String,
    },
}

Errors returned by revocation checking.

§Variant naming convention

Most variants carry a Crl* or Ocsp* prefix indicating which revocation source produced the failure. Four variants intentionally do not:

  • Error::Revoked applies to both CRL and OCSP outcomes; no prefix is correct. This is what RevocationChecker::check_revocation returns generically when a serial is found in either kind of response.
  • Error::MalformedCertificate fires on the subject certificate being checked (e.g., a missing serial number), not on the CRL or OCSP response.
  • Error::DeltaCrlBaseMismatch uses DeltaCrl* rather than CrlDelta* because the failure is scoped to the delta-CRL workflow — the prefix reads as the noun phrase “delta CRL” rather than as a sub-namespace of Crl*.
  • Error::OutOfScope applies whenever a revocation source’s stated scope excludes the certificate being checked. Today only CRL IDP scope mismatches produce this; the variant is named generically so that future OCSP / SCT / OCSP-stapling scope-mismatch cases can reuse it without an additional rename.

Renames are a semver break; do not “normalize” these without coordinating a major version.

Variants (Non-exhaustive)§

This enum is marked as non-exhaustive
Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.
§

Revoked

The certificate has been revoked.

Fields

§serial: SerialNumber

Serial number of the revoked certificate (for logging/diagnostics).

§reason_code: Option<CrlReason>

RFC 5280 §5.3.1 reason code from the CRL/OCSP entry, if present. None means no reason code was provided.

§

CrlExpired

The CRL validity window check failed.

This covers two cases:

  • now < thisUpdate: the CRL is not yet valid (clock skew or future-dated CRL)
  • now > nextUpdate: the CRL has expired
  • nextUpdate absent: treated as expired (no expiry information means stale)
§

CrlIssuerMismatch

The CRL issuer name does not match the certificate’s issuer.

The CRL’s issuer field must match the certificate’s issuer field for the CRL to apply to that certificate. A mismatch indicates the wrong CRL was provided.

§

CrlSignatureInvalid

The CRL signature did not verify against the issuer’s SPKI.

§

CrlParseError(DerError)

DER decoding of a CRL failed.

§

OcspSignatureInvalid

An OCSP response signature did not verify against the responder’s key.

§

OcspResponderIdMismatch

The OCSP ResponderId does not match the expected issuer identity.

Returned when the byName DN or byKey SHA-1 hash in the OCSP response does not match the issuer (or trust anchor) used for this check.

  • byName: the name in the ResponderId does not match the issuer’s subject DN (RFC 4518 comparison).
  • byKey: the hash in the ResponderId does not match SHA-1 of the issuer’s subjectPublicKey bit string (raw bytes, with tag, length, and unused-bits prefix stripped — not SHA-1 of the full SPKI DER).

This is a distinct failure from Error::OcspSignatureInvalid: the response may be cryptographically valid, but it was produced by a different responder than expected.

§

OcspCertIdMismatch

The OCSP response’s CertID issuer hashes do not match the expected issuer.

The issuerNameHash or issuerKeyHash field in a SingleResponse identifies which issuer the status assertion covers. A mismatch means the response was produced for a certificate from a different CA (or was tampered with) — it is not a responder-reported “unknown” status. Callers MUST NOT treat this error as “try another responder”.

§

OcspIssuerCertMismatch

The issuer argument passed to RevocationChecker::check_revocation is not the issuer of cert.

This is a caller-contract violation: the subject DN of issuer does not match the issuer DN of cert. The OCSP response was not consulted.

§

OcspStatusUnknown

The OCSP responder returned an unknown status (hard-fail mode).

§

OcspExpired

The OCSP response’s validity window is in the past (stale) or absent.

Returned in two cases:

  • now > nextUpdate: the SingleResponse has expired
  • nextUpdate absent: no freshness guarantee is available; treated as stale
§

OcspParseError(DerError)

DER decoding of an OCSP response failed.

§

OcspMalformed

The OCSP response is structurally invalid per RFC 6960 but DER-decodable.

Currently returned in two cases:

  • responseBytes is absent in a Successful response (RFC 6960 §4.2.1)
  • responseType is not id-pkix-ocsp-basic (unrecognized response format)
§

OcspResponderEkuMissing

A delegated OCSP responder cert in the response’s certs field lacks the id-kp-OCSPSigning Extended Key Usage (RFC 6960 §4.2.2.2). Without this EKU the cert cannot legitimately sign OCSP responses, so the response is rejected.

§

OcspResponderEkuMalformed

A delegated OCSP responder cert’s ExtendedKeyUsage extension is present but cannot be DER-decoded.

Fail-closed: a malformed EKU on a candidate responder cert rejects the response rather than silently treating the cert as if it lacked the OCSPSigning purpose.

§

OcspResponderCertNotIssuedByCa

A delegated OCSP responder cert was found whose ResponderId matches, but it was issued by a different CA than the certificate being checked.

RFC 6960 §4.2.2.2 requires a “CA Designated Responder” cert to be issued directly by the CA whose certificates the responder asserts status for. A responder cert with the OCSPSigning EKU obtained from another CA could otherwise be used to forge revocation status claims on certs from a different CA.

§

OcspResponderCertExpired

A delegated OCSP responder cert’s validity period does not include the response’s producedAt timestamp. The signing key was not authoritative when the response was generated.

§

OcspResponderCertSigInvalid

The CA-supplied signature on a delegated OCSP responder cert failed to verify against the issuer’s SPKI.

Distinct from Error::OcspSignatureInvalid (which is the response’s own signature failing): this is the issuer-of-cert’s signature on the responder cert’s TBS, validated to confirm the responder cert was actually issued by the expected CA.

§

IndirectCrlIssuerMissing

The CRL declares itself an indirect CRL (RFC 5280 §5.2.6: IssuingDistributionPoint.indirectCRL = TRUE) but the checker was constructed without a cRLIssuer certificate.

Use crate::CrlChecker::new_with_crl_issuer (or its delta sibling) and supply the cert that actually signed the CRL.

§

IndirectCrlIssuerUnexpected

The CRL does NOT declare itself an indirect CRL but the checker was constructed with a cRLIssuer certificate.

This rejects the inverse of Error::IndirectCrlIssuerMissing: a caller asserting a separate CRL signer for what is actually a direct CRL signed by the cert’s own issuer. Direct CRLs should be loaded via crate::CrlChecker::new / with_delta.

§

CrlSignMissing

The CRL issuer certificate does not have the cRLSign bit set in its KeyUsage extension (RFC 5280 §6.3.3(f)).

Returned when the certificate used to verify a CRL’s signature has a KeyUsage extension present but the cRLSign bit (bit 6) is not asserted. If the KeyUsage extension is absent entirely, this error is not raised (no extension = no constraint).

Disambiguation: pkix_path::Error::CrlSignMissing (same variant name, different crate) fires during path validation when an intermediate CA cert in the chain lacks cRLSign and the caller opted into pkix_path::ValidationPolicy::require_crl_sign_on_cas. This variant fires during CRL verification when the CRL signer cert itself lacks cRLSign.

§

CrlSignerNotFound

Path-level CRL signer discovery (RFC 5280 §6.3.3(f)) could not locate a certificate in the caller-supplied bundle that signed the CRL.

Returned by CrlChecker::new_with_signer_discovery when neither the CRL’s AuthorityKeyIdentifier matches any bundle cert’s SubjectKeyIdentifier, nor any bundle cert’s subject DN matches the CRL’s issuer DN. The caller must either supply a more complete bundle or use a different constructor.

§

CrlSignerNotTrusted

Path-level CRL signer discovery found a candidate cert in the bundle, but the candidate does not chain back to a self-signed (anchor-like) cert in the same bundle.

Returned by CrlChecker::new_with_signer_discovery. This is the structural half of RFC 5280 §6.3.3(f)’s “chain back to a trust anchor” gate; it ensures the bundle is not missing the signer’s CA path. Full RFC 5280 §6.1 signature/policy validation of the signer’s chain is the responsibility of higher-layer composers such as pkix-chain and is intentionally not performed here.

§

DeltaCrlBaseMismatch

The base/delta CRL pair cannot be used together.

Returned in any of these cases:

  • The supplied “base” CRL is itself a delta CRL (has a deltaCRLIndicator extension) — RFC 5280 §5.2.4 requires a full CRL as the base.
  • The supplied “delta” CRL has no deltaCRLIndicator extension and is therefore not a delta CRL at all.
  • The base and delta CRL have different issuers.

Note: when the delta’s BaseCRLNumber exceeds the base CRL’s CRLNumber (a staleness mismatch), Error::CrlNumberMismatch is returned instead.

§

CrlNumberMismatch

The CRL’s CRL number is lower than expected (base CRL must have a number ≥ the delta’s BaseCRLNumber).

§

MalformedCertificate

A subject certificate’s BasicConstraints extension is present but could not be DER-decoded.

Returned when the IDP scope check (onlyContainsCACerts / onlyContainsUserCerts) cannot determine whether a CRL applies to cert because cert’s own BasicConstraints is malformed. This is a fail-closed alternative to silently treating the cert as not-a-CA (which would let CA-scoped CRLs be skipped for an actual CA).

§

OutOfScope(OutOfScopeReason)

The revocation source’s stated scope excludes the certificate being checked, so the checker made no determination about its revocation status.

This is distinct from “verified not-revoked” (the historic ambiguous Ok(()) return that this variant replaces). Hard-fail callers should treat any OutOfScope as a failure; soft-fail callers can match on the OutOfScopeReason and decide which scopes to tolerate.

Currently produced by CrlChecker for the three IssuingDistributionPoint scope-flag mismatches in RFC 5280 §5.2.5 (onlyContainsAttributeCerts, onlyContainsUserCerts, and onlyContainsCACerts). OcspChecker does not produce this variant: it returns Error::OcspStatusUnknown when no matching SingleResponse is found, which is its analogue of “not covered” and already fail-closed.

§

RevocationFetchFailed

Available on crate feature std only.

All known sources for revocation data failed to produce a usable response.

Returned by network-fetching adapters (pkix-revocation-http’s HttpCrlFetcher / HttpOcspFetcher, future LDAP / out-of-band adapters) when every URL extracted from the certificate failed either at the transport layer (network, TLS, HTTP error) or at the response layer (DER parse, signature, validity). The variant is intentionally generic so that revocation sources beyond HTTP can reuse it.

Distinct from:

Hard-fail callers MUST reject the chain on this variant. Soft-fail callers MAY treat it permissively.

description is a human-readable summary suitable for logs; it includes per-URL transport / status hints from the adapter. The shape is deliberately a String rather than structured data so the variant remains Clone + PartialEq + Eq (matching the rest of Error) without leaking adapter-specific types into the trait surface. Adapters surface structured failure information through their own APIs.

The variant is feature-gated behind std because String is not available in the bare no_std build path. Network-fetching adapters all require std anyway, so no-std consumers never need to construct or match this variant.

Fields

§description: String

Human-readable summary of the failures, one URL per line.
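
The hard-fail and soft-fail guidance given for OutOfScope and RevocationFetchFailed, together with the wildcard arm a non-exhaustive enum requires, as an added example (not code from this crate). The enums are local stand-ins that mirror a subset of the documented variants with simplified field types; `Mode`, `Decision`, `decide` and the `OutOfScopeReason` variant names are hypothetical.

```rust
// Local stand-ins (assumption): a subset of the documented variants, with
// simplified field types; OutOfScopeReason's variant names are hypothetical.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum OutOfScopeReason { OnlyContainsUserCerts, OnlyContainsCaCerts, OnlyContainsAttributeCerts }

#[derive(Debug, Clone, PartialEq, Eq)]
#[non_exhaustive]
pub enum Error {
    Revoked { serial: Vec<u8>, reason_code: Option<u8> },
    CrlExpired,
    OcspCertIdMismatch,
    OcspStatusUnknown,
    OutOfScope(OutOfScopeReason),
    RevocationFetchFailed { description: String },
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Mode { HardFail, SoftFail }

#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Accept, AcceptUnverified, Reject }

/// Map a revocation result to a chain decision under the caller's policy.
pub fn decide(result: &Result<(), Error>, mode: Mode, tolerated: &[OutOfScopeReason]) -> Decision {
    match result {
        Ok(()) => Decision::Accept,
        // No determination was made: only a soft-fail caller may tolerate it,
        // and only for the scopes it listed explicitly.
        Err(Error::OutOfScope(reason)) if mode == Mode::SoftFail && tolerated.contains(reason) => {
            Decision::AcceptUnverified
        }
        // No source produced a usable response: permissive only in soft-fail mode.
        Err(Error::RevocationFetchFailed { .. }) if mode == Mode::SoftFail => Decision::AcceptUnverified,
        // Revoked, OcspCertIdMismatch, OcspStatusUnknown, CrlExpired and any
        // variant added in a later release: fail closed.
        Err(_) => Decision::Reject,
    }
}

fn main() {
    let fetch = Err(Error::RevocationFetchFailed { description: "constructed: timeout".into() });
    println!("{:?} / {:?}", decide(&fetch, Mode::HardFail, &[]), decide(&fetch, Mode::SoftFail, &[]));
}
```

Keeping the accepted-without-determination outcome separate from `Accept` lets callers log or alert on chains that passed without a revocation verdict.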

Trait Implementations§

impl Clone for Error

fn clone(&self) -> Error

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Error

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for Error

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Display for Error

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for Error

impl Error for Error

Available on crate feature std only.

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any.

fn description(&self) -> &str

Deprecated since 1.42.0: use the Display impl or to_string()

fn cause(&self) -> Option<&dyn Error>

Deprecated since 1.33.0: replaced by Error::source, which can support downcasting

fn provide<'a>(&'a self, request: &mut Request<'a>)

This is a nightly-only experimental API. (error_generic_member_access)
Provides type-based access to context intended for error reports.

impl PartialEq for Error

fn eq(&self, other: &Error) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Error

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for Error

Auto Trait Implementations§

impl Freeze for Error
impl RefUnwindSafe for Error
impl Send for Error
impl Sync for Error
impl Unpin for Error
impl UnsafeUnpin for Error
impl UnwindSafe for Error
