subject_name: more specific errs for invalid names.

Previously the `presented_id_matches_constraint` and `presented_id_matches_reference_id` functions used by `verify_cert_dns_name` would return an `Option<bool>`, with the `None` case translated into `Error::BadDer`. This makes it difficult for downstream users to know that the encoding error was specific to an invalid presented DNS ID, or a name constraint. This commit introduces two new error variants: `MalformedDnsIdentifier` and `MalformedNameConstraint`. The `presented_id_matches_constraint` and `presented_id_matches_reference_id` functions are changed to return `Result<bool, Error>` using the new error types.
rustls · May 3, 2023 · 9f0f95a · 9f0f95a
1 parent a0c2af2
commit 9f0f95a
Show file tree

Hide file tree

Showing 3 changed files with 361 additions and 172 deletions.
diff --git a/src/error.rs b/src/error.rs
@@ -101,6 +101,14 @@ pub enum Error {
     /// - it had a sparse network mask (ie, cannot be written in CIDR form).
     /// - it was too long or short
     InvalidNetworkMaskConstraint,
+
+    /// A presented or reference DNS identifier was malformed, potentially
+    /// containing invalid characters or invalid labels.
+    MalformedDnsIdentifier,
+
+    /// A name constraint was malformed, potentially containing invalid characters or
+    /// invalid labels.
+    MalformedNameConstraint,
 }
 
 impl fmt::Display for Error {