rustls_platform_verifier::Verifier::new_with_extra_roots: Improve error clarity for invalid certificates #197

@LukeMathWalker

The error returned by rustls_platform_verifier::Verifier::new_with_extra_roots doesn't specify which of the provided extra roots was invalid:

    pub fn new_with_extra_roots(
        roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>,
        crypto_provider: Arc<CryptoProvider>,
    ) -> Result<Self, TlsError> {
        let extra_roots = roots
            .into_iter()
            .map(|root| {
                SecCertificate::from_der(&root)
                    .map_err(|_| TlsError::InvalidCertificate(CertificateError::BadEncoding))
            })
            .collect::<Result<Vec<_>, _>>()?;
        Ok(Self {
            extra_roots,
            #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
            test_only_root_ca_override: None,
            crypto_provider,
        })
    }

Would there be a way (and interest) in at least mentioning the index of the faulty certificate?
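
One shape the requested error could take, or a pre-check a caller can run before `new_with_extra_roots` to find the malformed entry (added example, not code from the issue or from rustls-platform-verifier). `InvalidRoot`, `check_der_framing` and `validate_roots` are hypothetical names, and the framing check is a std-only stand-in for `SecCertificate::from_der` that catches gross encoding mistakes only.

```rust
// Added example, not rustls-platform-verifier code. `InvalidRoot`,
// `check_der_framing` and `validate_roots` are hypothetical names.
#[derive(Debug, PartialEq)]
pub struct InvalidRoot {
    pub index: usize, // position of the rejected root in the caller's input
    pub reason: &'static str,
}

/// Stand-in for the platform parser (assumption): accepts only input that is
/// exactly one DER SEQUENCE (tag 0x30) whose definite length fills the buffer.
pub fn check_der_framing(der: &[u8]) -> Result<(), &'static str> {
    let (&tag, rest) = der.split_first().ok_or("empty input")?;
    if tag != 0x30 {
        return Err("outer tag is not SEQUENCE");
    }
    let (&first, rest) = rest.split_first().ok_or("missing length")?;
    let (len, body) = if first < 0x80 {
        (first as usize, rest) // short form: the octet is the length
    } else {
        let n = (first & 0x7f) as usize; // long form: n length octets follow
        if n == 0 || n > 4 || rest.len() < n {
            return Err("unsupported or truncated length");
        }
        let len = rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        (len, &rest[n..])
    };
    if len != body.len() {
        return Err("declared length does not match input size");
    }
    Ok(())
}

/// Same `map(..).collect::<Result<..>>()` shape as the constructor quoted in
/// the issue; `enumerate()` carries the index into the error. Returns the
/// number of accepted roots, or the first rejected one.
pub fn validate_roots<'a>(roots: impl IntoIterator<Item = &'a [u8]>) -> Result<usize, InvalidRoot> {
    roots
        .into_iter()
        .enumerate()
        .map(|(index, der)| check_der_framing(der).map_err(|reason| InvalidRoot { index, reason }))
        .collect::<Result<Vec<()>, _>>()
        .map(|accepted| accepted.len())
}

fn main() {
    // Constructed input: a minimal DER SEQUENCE, then PEM text passed as DER.
    let good: &[u8] = &[0x30, 0x03, 0x02, 0x01, 0x05];
    let pem: &[u8] = b"-----BEGIN CERTIFICATE-----";
    println!("{:?}", validate_roots(vec![good, pem]));
}
```
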

Labels:

- O-Apple: Work related to the Apple (macOS, iOS) verifier implementation
- O-UNIX: Work related to the certificate fetching on UNIX platforms
- O-Windows: Work related to the Windows verifier implementation
- enhancement: New feature or request
