diff --git a/src/crl/types.rs b/src/crl/types.rs
index 84ce2554..1ccfa334 100644
--- a/src/crl/types.rs
+++ b/src/crl/types.rs
@@ -150,7 +150,7 @@ impl CertRevocationList<'_> {
         };
         if time >= next_update {
-            return Err(Error::CrlExpired);
+            return Err(Error::CrlExpired { time, next_update });
         }
         Ok(())
@@ -1254,8 +1254,10 @@ mod tests {
         let crl = CertRevocationList::from(BorrowedCertRevocationList::from_der(&crl[..]).unwrap());
         // Friday, February 2, 2024 8:26:19 PM GMT
         let time = UnixTime::since_unix_epoch(Duration::from_secs(1_706_905_579));
-
-        assert!(matches!(crl.check_expiration(time), Err(Error::CrlExpired)));
+        assert!(matches!(
+            crl.check_expiration(time),
+            Err(Error::CrlExpired { .. })
+        ));
     }
     #[test]
diff --git a/src/error.rs b/src/error.rs
index 9411ac55..fb10e758 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -62,7 +62,12 @@ pub enum Error {
     /// The CRL is expired; i.e. the verification time is not before the time
     /// in the CRL nextUpdate field.
-    CrlExpired,
+    CrlExpired {
+        /// The validation time.
+        time: UnixTime,
+        /// The nextUpdate time of the CRL.
+        next_update: UnixTime,
+    },
     /// An end-entity certificate is being used as a CA certificate.
     EndEntityUsedAsCa,
@@ -235,7 +240,7 @@ impl Error {
             // Errors related to certificate validity
             Self::CertNotValidYet { .. } | Self::CertExpired { .. } => 290,
             Self::CertNotValidForName(_) => 280,
-            Self::CertRevoked | Self::UnknownRevocationStatus | Self::CrlExpired => 270,
+            Self::CertRevoked | Self::UnknownRevocationStatus | Self::CrlExpired { .. } => 270,
             Self::InvalidCrlSignatureForPublicKey | Self::InvalidSignatureForPublicKey => 260,
             Self::SignatureAlgorithmMismatch => 250,
             Self::RequiredEkuNotFound => 240,
diff --git a/tests/client_auth_revocation.rs b/tests/client_auth_revocation.rs
index 016b5e2e..776ad19b 100644
--- a/tests/client_auth_revocation.rs
+++ b/tests/client_auth_revocation.rs
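Review bot: The comparison `if time >= next_update` that now produces the richer error has no comment stating the boundary policy, and a reader cannot tell whether treating `time == next_update` as expired is deliberate. I would add `// nextUpdate is the last instant the CRL is authoritative (RFC 5280 §5.1.2.5): a validation time at or after it means stale revocation data, so report both times so callers can tell a stale CRL from a skewed verifier clock.` above the `if`. The body of check_expiration, including the `match` that produces `next_update`, starts above this hunk.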
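Review bot: The rewritten unit assertion `Err(Error::CrlExpired { .. })` no longer checks the payload at all, so a regression that returned swapped or garbage timestamps would still pass here; the integration tests pin it, but this test already knows `time` and can check the invariant the hunk above relies on. Replace the pattern with `Err(Error::CrlExpired { time: t, next_update }) if t == time && next_update <= time` so the returned `time` is the one passed in and `next_update` is consistent with the expiry decision. This uses only the `PartialEq`/`PartialOrd` impls on `UnixTime` that the `>=` comparison and the `assert_eq!` in the integration tests already require.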
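Review bot: Changing the public `Error::CrlExpired` from a unit variant to a struct variant breaks every downstream `match` or `==` against `Error::CrlExpired`, and `#[non_exhaustive]` on the enum (if present) does not make that compatible; nothing in this diff records it as a semver-breaking change, so it should be called out in the changelog and version bump. The field docs could also state the relationship the variant encodes: `/// The time at which validation was performed; it is not before `next_update`.` and `/// The CRL's nextUpdate time, after which its revocation data is considered stale.`. The existing variant comment above already describes the condition, so the field docs only need to tie the two values to it.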
@@ -1662,7 +1662,10 @@ fn expired_crl_enforce_expiration() {
     let revocation = Some(builder.build());
     assert_eq!(
         check_cert(ee, intermediates, ca, revocation),
-        Err(webpki::Error::CrlExpired)
+        Err(webpki::Error::CrlExpired {
+            time: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d)),
+            next_update: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d - 10)),
+        })
     );
 }
@@ -1691,6 +1694,9 @@ fn expired_crl_enforce_expiration_owned() {
     let revocation = Some(builder.build());
     assert_eq!(
         check_cert(ee, intermediates, ca, revocation),
-        Err(webpki::Error::CrlExpired)
+        Err(webpki::Error::CrlExpired {
+            time: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d)),
+            next_update: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d - 10)),
+        })
     );
 }
diff --git a/tests/generate.py b/tests/generate.py
index 8f8b42f2..78633b56 100755
--- a/tests/generate.py
+++ b/tests/generate.py
@@ -2246,6 +2246,12 @@ def _expired_crl_enforce_expiration() -> None:
     )
     # Providing a CRL that's expired should error if the expiration policy is set to enforce.
+    expected_error = """
+    CrlExpired {
+        time: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d)),
+        next_update: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d - 10)),
+    }
+    """
     _revocation_test(
         test_name=test_name,
         chain=no_ku_chain,
@@ -2253,7 +2259,7 @@ def _expired_crl_enforce_expiration() -> None:
         depth=ChainDepth.CHAIN,
         policy=StatusRequirement.ALLOW_UNKNOWN,
         expiration=ExpirationPolicy.ENFORCE,
-        expected_error="CrlExpired",
+        expected_error=expected_error,
     )
     with trim_top("client_auth_revocation.rs") as output:
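Review bot: The `expected_error` template hard-codes `0x1fed_f00d` and `0x1fed_f00d - 10` as literals, with nothing tying them to the validation time and the nextUpdate offset used when the expired CRL is built earlier in this function (the builder call is above the hunk, so I am inferring it uses the same numbers). If either of those inputs changes, the generated `client_auth_revocation.rs` assertions drift silently and the test fails for a reason unrelated to the code under test. Hoist them into named constants next to the CRL construction, e.g. `VALIDATION_TIME = 0x1FED_F00D` and `EXPIRED_NEXT_UPDATE = VALIDATION_TIME - 10`, and format both the builder arguments and this f-string from them. A short comment such as `# nextUpdate is 10s before the fixed validation time, so the CRL is already stale` would also explain the `- 10` to the next reader.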