Skip to content

Revise errors for CertificateSigningRequestParams::from_der #388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Revise errors for CertificateSigningRequestParams::from_der #388

wants to merge 2 commits into from

Conversation

dwhjames
Copy link
Contributor

@dwhjames dwhjames commented Oct 9, 2025

  • Introduce specific error for CSR signature verification
  • Make error name more specific for unsupported CSR extensions

Following up from

@dwhjames dwhjames force-pushed the csr_verification_and_valiation_errors branch from 334716a to 0c9946e Compare October 10, 2025 07:09
dwhjames
dwhjames commented Oct 10, 2025
View reviewed changes
@djc
Copy link
Member

djc commented Oct 10, 2025

It would be nice to better understand the motivation/use case here.

@dwhjames
Copy link
Contributor Author

It would be nice to better understand the motivation/use case here.

@djc, I’m assuming the original introduction of Error::RingUnspecified is for

rcgen/rcgen/src/key_pair.rs

Lines 651 to 656 in 453bcb5

#[cfg(feature = "crypto")]
impl<T> ExternalError<T> for Result<T, ring_error::Unspecified> {
fn _err(self) -> Result<T, Error> {
self.map_err(|_| Error::RingUnspecified)
}
}

where a catch-all error case of the underlying crypto library is lifted into the rcgen error enumeration.

And later it was re-used in this case

It would be clearer in code that uses this library to have error variant names that map in a self-evident way to the expected error conditions expected in parsing and verifying a CSR.

Some, but not all, existing error variants include contextual hints in the name (…InCsr or …CertificationRequest are existing examples).

@dwhjames
Revise errors for CertificateSigningRequestParams::from_der
5fd069c 
- Introduce specific error for CSR signature verification
- Make error name more specific for unsupported CSR extensions
@dwhjames dwhjames force-pushed the csr_verification_and_valiation_errors branch from 0c9946e to 5fd069c Compare October 10, 2025 20:08
@djc
Copy link
Member

djc commented Oct 10, 2025

It would be nice to better understand the motivation/use case here.

You still haven't really answered this question. What problem did you run into that you are trying to solve?

@dwhjames
Copy link
Contributor Author

It would be clearer in code that uses this library to have error variant names that map in a self-evident way to the expected error conditions expected in parsing and verifying a CSR.

Some, but not all, existing error variants include contextual hints in the name (…InCsr or …CertificationRequest are existing examples).

match CertificateSigningRequestParams::from_der(csr_der) {
    Ok(csr_params) => …,
    Err(rcgen::Error::RingUnspecified) => …,
    Err(rcgen::Error::UnsupportedExtension) => …,
    Err(_) => …,
}
  1. Would you agree that even in the immediate context of CertificateSigningRequestParams::from_der, RingUnspecified is not an intuitive name for the error condition that caused its return?
  2. Would you agree that if the error handling for UnsupportedExtension is not immediately in this scope, but an enclosing scope, it would not be obvious what error condition is being handled?

@dwhjames dwhjames requested a review from djc October 11, 2025 21:32
@djc djc mentioned this pull request Oct 13, 2025
Open
@djc
Copy link
Member

djc commented Oct 13, 2025

Submitted an alternative in #390.

@dwhjames
Copy link
Contributor Author

It sounds like you agree on 1? Do you also agree on 2? Are you open to a more specific name for the rejection of an extension in a CSR?

@djc
Copy link
Member

djc commented Oct 15, 2025

It sounds like you agree on 1? Do you also agree on 2? Are you open to a more specific name for the rejection of an extension in a CSR?

I'm on the fence because I think the documentation for the variant and error string (Display representation) are pretty clear that it's about the CSR -- therefore I'm not sure changing this to a different name (in a semver-compatible release, deprecating the old variant) is worth it. @cpu thoughts?

@dwhjames
Copy link
Contributor Author

I'm on the fence because I think the documentation for the variant and error string (Display representation) are pretty clear that it's about the CSR

Certainly those parts are, but that doesn’t immediately help clarity in source code.

match something_that_interally_calls_from_der() {
    Ok() => …,
    Err(rcgen::Error::UnsupportedExtension) => …,
    Err(_) => …,
}

My contention, from above, is that if the error handling for UnsupportedExtension is not immediately in the lexical scope of invoking from_der, but instead an enclosing scope, it would not be obvious what error condition is being handled.

The current recourse is to add comments asking the reader to jump to documentation on the error value or the from_der function.

@cpu
Copy link
Member

cpu commented Oct 20, 2025

therefore I'm not sure changing this to a different name (in a semver-compatible release, deprecating the old variant) is worth it. @cpu thoughts?

I don't feel strongly but agree that duplicating the error types under a new name + deprecating the old ones doesn't feel like it's worthwhile in this case. Maybe better to file an issue tagged with a label to just outright fix the name in the next semver breaking release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djc djc Awaiting requested review from djc

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dwhjames @djc @cpu