Add context to CrlExpired errors

Author: ctz

src/crl/types.rs

@@ -150,7 +150,7 @@ impl CertRevocationList<'_> {
         };
 
         if time >= next_update {
-            return Err(Error::CrlExpired);
+            return Err(Error::CrlExpired { time, next_update });
         }
 
         Ok(())
@@ -1254,8 +1254,10 @@ mod tests {
         let crl = CertRevocationList::from(BorrowedCertRevocationList::from_der(&crl[..]).unwrap());
         //  Friday, February 2, 2024 8:26:19 PM GMT
         let time = UnixTime::since_unix_epoch(Duration::from_secs(1_706_905_579));
-
-        assert!(matches!(crl.check_expiration(time), Err(Error::CrlExpired)));
+        assert!(matches!(
+            crl.check_expiration(time),
+            Err(Error::CrlExpired { .. })
+        ));
     }
 
     #[test]

src/error.rs

@@ -62,7 +62,12 @@ pub enum Error {
 
     /// The CRL is expired; i.e. the verification time is not before the time
     /// in the CRL nextUpdate field.
-    CrlExpired,
+    CrlExpired {
+        /// The validation time.
+        time: UnixTime,
+        /// The nextUpdate time of the CRL.
+        next_update: UnixTime,
+    },
 
     /// An end-entity certificate is being used as a CA certificate.
     EndEntityUsedAsCa,
@@ -235,7 +240,7 @@ impl Error {
             // Errors related to certificate validity
             Self::CertNotValidYet { .. } | Self::CertExpired { .. } => 290,
             Self::CertNotValidForName(_) => 280,
-            Self::CertRevoked | Self::UnknownRevocationStatus | Self::CrlExpired => 270,
+            Self::CertRevoked | Self::UnknownRevocationStatus | Self::CrlExpired { .. } => 270,
             Self::InvalidCrlSignatureForPublicKey | Self::InvalidSignatureForPublicKey => 260,
             Self::SignatureAlgorithmMismatch => 250,
             Self::RequiredEkuNotFound => 240,

tests/client_auth_revocation.rs

@@ -1662,7 +1662,10 @@ fn expired_crl_enforce_expiration() {
     let revocation = Some(builder.build());
     assert_eq!(
         check_cert(ee, intermediates, ca, revocation),
-        Err(webpki::Error::CrlExpired)
+        Err(webpki::Error::CrlExpired {
+            time: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d)),
+            next_update: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d - 10)),
+        })
     );
 }
 
@@ -1691,6 +1694,9 @@ fn expired_crl_enforce_expiration_owned() {
     let revocation = Some(builder.build());
     assert_eq!(
         check_cert(ee, intermediates, ca, revocation),
-        Err(webpki::Error::CrlExpired)
+        Err(webpki::Error::CrlExpired {
+            time: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d)),
+            next_update: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d - 10)),
+        })
     );
 }

tests/generate.py

@@ -2246,14 +2246,20 @@ def _expired_crl_enforce_expiration() -> None:
         )
 
         # Providing a CRL that's expired should error if the expiration policy is set to enforce.
+        expected_error = """
+        CrlExpired {
+          time: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d)),
+          next_update: UnixTime::since_unix_epoch(Duration::from_secs(0x1fed_f00d - 10)),
+        }
+        """
         _revocation_test(
             test_name=test_name,
             chain=no_ku_chain,
             crl_paths=[ee_not_revoked_crl_path],
             depth=ChainDepth.CHAIN,
             policy=StatusRequirement.ALLOW_UNKNOWN,
             expiration=ExpirationPolicy.ENFORCE,
-            expected_error="CrlExpired",
+            expected_error=expected_error,
         )
 
     with trim_top("client_auth_revocation.rs") as output: