From 6d9790b7f4080e2f244c9621300e5c3019a48a5e Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Tue, 23 Dec 2025 12:07:45 -0500 Subject: [PATCH] Give a better error message for an unexpected self-signed cert Currently, attempting to verify a self-signed cert chain with a root gives a cryptic error message about mismatched key types. Add another check to give a better error message for this case. --- verifier/src/lib.rs | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/verifier/src/lib.rs b/verifier/src/lib.rs index c4cb474..8172914 100644 --- a/verifier/src/lib.rs +++ b/verifier/src/lib.rs @@ -298,6 +298,8 @@ pub enum PkiPathSignatureVerifierError { NoMatchingRoot, #[error("Signature verification failed: {0}")] VerifierFailed(#[from] CertVerifierError), + #[error("The chain is unexpectedly self-signed")] + UnexpectedSelfSigned, } /// This struct encapsulates the signature verification process for a PkiPath. @@ -352,11 +354,21 @@ impl<'a> PkiPathSignatureVerifier<'a> { Err(CertVerifierError::Signature(_)) => continue, // if there's any other error return it Err(e) => { - return Err( + // did we forget this was self-signed? + let verifier = + CertSigVerifierFactory::get_verifier( + &pki_path[0], + )?; + + if verifier.verify(&pki_path[0]).is_ok() { + return Err(PkiPathSignatureVerifierError::UnexpectedSelfSigned); + } else { + return Err( PkiPathSignatureVerifierError::VerifierFailed( e, ), - ) + ); + } } } }