
`rustls_platform_verifier::Verifier::new_with_extra_roots`: Improve error clarity for invalid certificates

Open LukeMathWalker opened this issue 2 months ago • 2 comments

The error returned by `rustls_platform_verifier::Verifier::new_with_extra_roots` doesn't specify which of the provided extra roots was invalid:

    pub fn new_with_extra_roots(
        roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>,
        crypto_provider: Arc<CryptoProvider>,
    ) -> Result<Self, TlsError> {
        let extra_roots = roots
            .into_iter()
            .map(|root| {
                SecCertificate::from_der(&root)
                    .map_err(|_| TlsError::InvalidCertificate(CertificateError::BadEncoding))
            })
            .collect::<Result<Vec<_>, _>>()?;
        Ok(Self {
            extra_roots,
            #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
            test_only_root_ca_override: None,
            crypto_provider,
        })
    }

Would there be a way (and interest) in at least mentioning the index of the faulty certificate?

LukeMathWalker, Oct 02 '25 09:10
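A caller-side sketch of the index reporting asked for above, as an added example that is not code from the issue or from rustls-platform-verifier. It assumes a simplified DER shape check as a stand-in for the platform parser (`SecCertificate::from_der` in the snippet); `ExtraRootError`, `read_tlv`, `check_shape` and `check_extra_roots` are hypothetical names, and the sample bytes are constructed.

```rust
// Added example (std only). ExtraRootError, read_tlv, check_shape and
// check_extra_roots are hypothetical names, not rustls-platform-verifier APIs.
// `index` is the position of the rejected root, `reason` why the check failed.
#[derive(Debug, PartialEq)]
pub struct ExtraRootError { pub index: usize, pub reason: &'static str }

/// Reads one DER TLV from `input`; returns (tag, contents, remaining bytes).
fn read_tlv(input: &[u8]) -> Result<(u8, &[u8], &[u8]), &'static str> {
    let (&tag, rest) = input.split_first().ok_or("truncated: no tag")?;
    let (&first, rest) = rest.split_first().ok_or("truncated: no length")?;
    let (len, rest) = if first < 0x80 {
        (first as usize, rest) // short form: the octet is the length
    } else {
        let n = (first & 0x7f) as usize; // long form: n length octets follow
        if n == 0 || n > 4 || rest.len() < n { return Err("unsupported or truncated length"); }
        let len = rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        (len, &rest[n..])
    };
    if rest.len() < len { return Err("truncated: contents shorter than declared length"); }
    Ok((tag, &rest[..len], &rest[len..]))
}

/// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
/// Only the outer shape is checked; this is not full certificate validation.
fn check_shape(der: &[u8]) -> Result<(), &'static str> {
    let (tag, body, trailing) = read_tlv(der)?;
    if tag != 0x30 || !trailing.is_empty() { return Err("not a single outer SEQUENCE"); }
    let mut rest = body;
    for expected in [0x30u8, 0x30, 0x03] { // SEQUENCE, SEQUENCE, BIT STRING
        let (tag, _, next) = read_tlv(rest)?;
        if tag != expected { return Err("unexpected field tag"); }
        rest = next;
    }
    if rest.is_empty() { Ok(()) } else { Err("extra fields after signature") }
}

/// Checks every root in order and reports the index of the first one that fails.
pub fn check_extra_roots<'a>(roots: impl IntoIterator<Item = &'a [u8]>) -> Result<(), ExtraRootError> {
    roots.into_iter().enumerate().try_for_each(|(index, der)| {
        check_shape(der).map_err(|reason| ExtraRootError { index, reason })
    })
}

fn main() {
    let good: &[u8] = &[0x30, 0x08, 0x30, 0x00, 0x30, 0x00, 0x03, 0x02, 0x00, 0x00]; // constructed
    let cut: &[u8] = &[0x30, 0x08, 0x30, 0x00]; // constructed, truncated
    println!("{:?}", check_extra_roots([good, cut]));
}
```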

I think that could make sense. Want to submit a PR?

djc, Oct 02 '25 10:10

Sure thing! I'll whip something up tomorrow.

LukeMathWalker, Oct 02 '25 10:10