Revise errors for CertificateSigningRequestParams::from_der

dwhjames · dwhjames · commit 0c9946e1b698 · 2025-10-10T00:07:41.000-07:00
- Introduce specific error for CSR signature verification
- Make error name more specific for unsupported CSR extensions
diff --git a/rcgen/src/csr.rs b/rcgen/src/csr.rs
@@ -105,7 +105,8 @@ impl CertificateSigningRequestParams {
 		let csr = x509_parser::certification_request::X509CertificationRequest::from_der(csr)
 			.map_err(|_| Error::CouldNotParseCertificationRequest)?
 			.1;
-		csr.verify_signature().map_err(|_| Error::RingUnspecified)?;
+		csr.verify_signature()
+			.map_err(|_| Error::InvalidSignatureInCsr)?;
 		let alg_oid = csr
 			.signature_algorithm
 			.algorithm
@@ -161,10 +162,10 @@ impl CertificateSigningRequestParams {
 							params.insert_extended_key_usage(ExtendedKeyUsagePurpose::OcspSigning);
 						}
 						if !eku.other.is_empty() {
-							return Err(Error::UnsupportedExtension);
+							return Err(Error::UnsupportedExtensionInCsr);
 						}
 					},
-					_ => return Err(Error::UnsupportedExtension),
+					_ => return Err(Error::UnsupportedExtensionInCsr),
 				}
 			}
 		}
diff --git a/rcgen/src/error.rs b/rcgen/src/error.rs
@@ -22,7 +22,7 @@ pub enum Error {
 	KeyGenerationUnavailable,
 	#[cfg(feature = "x509-parser")]
 	/// Unsupported extension requested in CSR
-	UnsupportedExtension,
+	UnsupportedExtensionInCsr,
 	/// The requested signature algorithm is not supported
 	UnsupportedSignatureAlgorithm,
 	/// Unspecified `ring` error
@@ -48,6 +48,9 @@ pub enum Error {
 	/// X509 parsing error
 	#[cfg(feature = "x509-parser")]
 	X509(String),
+	/// Invalid signature when decoding a CSR
+	#[cfg(feature = "x509-parser")]
+	InvalidSignatureInCsr,
 }
 
 impl fmt::Display for Error {
@@ -78,7 +81,7 @@ impl fmt::Display for Error {
 				is not supported"
 			)?,
 			#[cfg(feature = "x509-parser")]
-			UnsupportedExtension => write!(f, "Unsupported extension requested in CSR")?,
+			UnsupportedExtensionInCsr => write!(f, "Unsupported extension requested in CSR")?,
 			RingUnspecified => write!(f, "Unspecified ring error")?,
 			RingKeyRejected(e) => write!(f, "Key rejected by ring: {e}")?,
 
@@ -96,6 +99,8 @@ impl fmt::Display for Error {
 			MissingSerialNumber => write!(f, "A serial number must be specified")?,
 			#[cfg(feature = "x509-parser")]
 			X509(e) => write!(f, "X.509 parsing error: {e}")?,
+			#[cfg(feature = "x509-parser")]
+			InvalidSignatureInCsr => write!(f, "Signature of CSR does not verify")?,
 		};
 		Ok(())
 	}

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,8 @@ impl CertificateSigningRequestParams {`
`105`	`105`	`let csr = x509_parser::certification_request::X509CertificationRequest::from_der(csr)`
`106`	`106`	`.map_err(\|_\| Error::CouldNotParseCertificationRequest)?`
`107`	`107`	`.1;`
`108`		`- csr.verify_signature().map_err(\|_\| Error::RingUnspecified)?;`
	`108`	`+ csr.verify_signature()`
	`109`	`+ .map_err(\|_\| Error::InvalidSignatureInCsr)?;`
`109`	`110`	`let alg_oid = csr`
`110`	`111`	`.signature_algorithm`
`111`	`112`	`.algorithm`
`@@ -161,10 +162,10 @@ impl CertificateSigningRequestParams {`
`161`	`162`	`params.insert_extended_key_usage(ExtendedKeyUsagePurpose::OcspSigning);`
`162`	`163`	`}`
`163`	`164`	`if !eku.other.is_empty() {`
`164`		`- return Err(Error::UnsupportedExtension);`
	`165`	`+ return Err(Error::UnsupportedExtensionInCsr);`
`165`	`166`	`}`
`166`	`167`	`},`
`167`		`- _ => return Err(Error::UnsupportedExtension),`
	`168`	`+ _ => return Err(Error::UnsupportedExtensionInCsr),`
`168`	`169`	`}`
`169`	`170`	`}`
`170`	`171`	`}`