Enum KernelError 

#[non_exhaustive]
pub enum KernelError {
    HkdfExpandFailed,
    SigningFailed,
    SignatureInvalid,
    KeyDecodingFailed,
    SignatureDecodingFailed,
    NotBeforeViolation,
    NotAfterViolation,
    MalformedCaveatBuffer,
    ScopeEscalation,
    ScopeEmpty,
    ScopeTooLarge,
    CaveatsTooLarge,
    EmptyChain,
    ChainTooDeep,
    ParentKeyMismatch,
    LeafCannotDelegate,
    DepthMismatch,
    InvalidRoleByte,
    WireVersionMismatch,
    WireTruncated,
    WireInvalid,
    ResourceTooLong,
    VerbTooLong,
}

Errors returned by QHermes kernel operations.

This enum is marked #[non_exhaustive]. Match arms must include a wildcard to remain compatible with variants added in minor releases.

Variants (Non-exhaustive)

Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.

HkdfExpandFailed

HKDF key expansion returned an error.

SigningFailed

The ML-DSA-65 signing operation failed.

SignatureInvalid

The signature does not match the payload under the given public key.

KeyDecodingFailed

The public key bytes are not a valid ML-DSA-65 verifying key.

SignatureDecodingFailed

The signature bytes are not a valid ML-DSA-65 signature.

NotBeforeViolation

A not_before caveat was evaluated with a timestamp earlier than the caveat value.

NotAfterViolation

A not_after caveat was evaluated with a timestamp later than the caveat value.

MalformedCaveatBuffer

The caveat buffer contains an unrecognized tag byte or has an invalid layout.

ScopeEscalation

A child credential claims a permission not covered by the parent scope.

ScopeEmpty

The scope was constructed from an empty slice. Every credential must grant at least one permission.

ScopeTooLarge

The scope contains more than MAX_SCOPE_PERMS permissions.

CaveatsTooLarge

The caveat buffer exceeds CAVEAT_SIZE * MAX_CAVEATS bytes.

EmptyChain

An operation was attempted on an empty credential chain.

ChainTooDeep

The chain depth exceeds MAX_DEPTH.

ParentKeyMismatch

The issuer public key in a link does not match the child public key of the previous link.

LeafCannotDelegate

A credential with role Leaf attempted to issue a further delegation.

DepthMismatch

The depth field of the payload does not equal the expected sequential position in the chain.

InvalidRoleByte

The role byte in the payload is neither 0 (Leaf) nor 1 (Node).

WireVersionMismatch

The first byte of the wire buffer does not match WIRE_VERSION.

WireTruncated

The wire buffer or a sub-slice ends before the expected bytes.

WireInvalid

The wire buffer is structurally inconsistent: a length field, role byte, or trailing-bytes check failed.

ResourceTooLong

The resource argument to perm_tlv exceeds RESOURCE_LEN bytes.

VerbTooLong

The verb argument to perm_tlv exceeds VERB_LEN bytes.

Trait Implementations

impl Debug for KernelError

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for KernelError

fn eq(&self, other: &KernelError) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for KernelError

impl StructuralPartialEq for KernelError