rustls · ctz · Sep 5, 2023 · Sep 5, 2023 · Sep 5, 2023 · Sep 5, 2023
diff --git a/src/error.rs b/src/error.rs
@@ -99,6 +99,9 @@
     /// The maximum number of internal path building calls has been reached. Path complexity is too great.
     MaximumPathBuildCallsExceeded,
 
+    /// The path search was terminated because it became too deep.
+    MaximumPathDepthExceeded,
+
     /// The certificate violates one or more name constraints.
     NameConstraintViolation,
 
@@ -202,48 +205,49 @@
        match &self {
            // Errors related to certificate validity
            Error::CertNotValidYet | Error::CertExpired => 290,
            Error::CertNotValidForName => 280,
            Error::CertRevoked | Error::UnknownRevocationStatus => 270,
            Error::InvalidCrlSignatureForPublicKey | Error::InvalidSignatureForPublicKey => 260,
            Error::SignatureAlgorithmMismatch => 250,
            Error::RequiredEkuNotFound => 240,
            Error::NameConstraintViolation => 230,
            Error::PathLenConstraintViolated => 220,
            Error::CaUsedAsEndEntity | Error::EndEntityUsedAsCa => 210,
            Error::IssuerNotCrlSigner => 200,

            // Errors related to supported features used in an invalid way.
            Error::InvalidCertValidity => 190,
            Error::InvalidNetworkMaskConstraint => 180,
            Error::InvalidSerialNumber => 170,
            Error::InvalidCrlNumber => 160,

            // Errors related to unsupported features.
            Error::UnsupportedCrlSignatureAlgorithmForPublicKey
            | Error::UnsupportedSignatureAlgorithmForPublicKey => 150,
            Error::UnsupportedCrlSignatureAlgorithm | Error::UnsupportedSignatureAlgorithm => 140,
            Error::UnsupportedCriticalExtension => 130,
            Error::UnsupportedCertVersion => 130,
            Error::UnsupportedCrlVersion => 120,
            Error::UnsupportedDeltaCrl => 110,
            Error::UnsupportedIndirectCrl => 100,
             Error::UnsupportedRevocationReason => 90,
             Error::UnsupportedRevocationReasonsPartitioning => 80,
             Error::UnsupportedCrlIssuingDistributionPoint => 70,
+            Error::MaximumPathDepthExceeded => 61,
 
             // Errors related to malformed data.
             Error::MalformedDnsIdentifier => 60,
            Error::MalformedNameConstraint => 50,
            Error::MalformedExtensions | Error::TrailingData(_) => 40,
            Error::ExtensionValueInvalid => 30,

            // Generic DER errors.
            Error::BadDerTime => 20,
            Error::BadDer => 10,

            // Special case errors - not subject to ranking.
            Error::MaximumSignatureChecksExceeded => 0,
            Error::MaximumPathBuildCallsExceeded => 0,

            // Default catch all error - should be renamed in the future.
            Error::UnknownIssuer => 0,

diff --git a/src/verify_cert.rs b/src/verify_cert.rs
@@ -151,8 +151,7 @@ fn build_chain_inner(
             const MAX_SUB_CA_COUNT: usize = 6;
 
             if sub_ca_count >= MAX_SUB_CA_COUNT {
-                // TODO(XXX): Candidate for a more specific error - Error::PathTooDeep?
-                return Err(Error::UnknownIssuer);
+                return Err(Error::MaximumPathDepthExceeded);
             }
         }
         UsedAsCa::No => {
@@ -923,4 +922,83 @@ mod tests {
             Error::MaximumPathBuildCallsExceeded
         );
     }
+
+    #[cfg(feature = "alloc")]
+    fn build_linear_chain(chain_length: usize) -> Result<(), Error> {
+        use crate::{extract_trust_anchor, ECDSA_P256_SHA256};
+        use crate::{EndEntityCert, Time};
+
+        let alg = &rcgen::PKCS_ECDSA_P256_SHA256;
+
+        let make_issuer = |index: usize| {
+            let mut ca_params = rcgen::CertificateParams::new(Vec::new());
+            ca_params.distinguished_name.push(
+                rcgen::DnType::OrganizationName,
+                format!("Bogus Subject {index}"),
+            );
+            ca_params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained);
+            ca_params.key_usages = vec![
+                rcgen::KeyUsagePurpose::KeyCertSign,
+                rcgen::KeyUsagePurpose::DigitalSignature,
+                rcgen::KeyUsagePurpose::CrlSign,
+            ];
+            ca_params.alg = alg;
+            rcgen::Certificate::from_params(ca_params).unwrap()
+        };
+
+        let ca_cert = make_issuer(chain_length);
+        let ca_cert_der = CertificateDer::from(ca_cert.serialize_der().unwrap());
+
+        let mut intermediates = Vec::with_capacity(chain_length);
+        let mut issuer = ca_cert;
+        for i in 0..chain_length {
+            let intermediate = make_issuer(i);
+            let intermediate_der = intermediate.serialize_der_with_signer(&issuer).unwrap();
+            intermediates.push(intermediate_der);
+            issuer = intermediate;
+        }
+
+        let mut ee_params = rcgen::CertificateParams::new(vec!["example.com".to_string()]);
+        ee_params.is_ca = rcgen::IsCa::ExplicitNoCa;
+        ee_params.alg = alg;
+        let ee_cert = rcgen::Certificate::from_params(ee_params).unwrap();
+        let ee_cert_der = CertificateDer::from(ee_cert.serialize_der_with_signer(&issuer).unwrap());
+
+        let anchors = &[extract_trust_anchor(&ca_cert_der).unwrap()];
+        let time = Time::from_seconds_since_unix_epoch(0x1fed_f00d);
+        let cert = EndEntityCert::try_from(&ee_cert_der).unwrap();
+        let intermediates_der = intermediates
+            .iter()
+            .map(|x| CertificateDer::from(x.as_ref()))
+            .collect::<Vec<_>>();
+
+        build_chain(
+            &ChainOptions {
+                eku: KeyUsage::server_auth(),
+                supported_sig_algs: &[ECDSA_P256_SHA256],
+                trust_anchors: anchors,
+                intermediate_certs: &intermediates_der,
+                revocation: None,
+            },
+            cert.inner(),
+            time,
+        )
+    }
+
+    #[test]
+    #[cfg(feature = "alloc")]
+    fn longest_allowed_path() {
+        assert_eq!(build_linear_chain(1), Ok(()));
+        assert_eq!(build_linear_chain(2), Ok(()));
+        assert_eq!(build_linear_chain(3), Ok(()));
+        assert_eq!(build_linear_chain(4), Ok(()));
+        assert_eq!(build_linear_chain(5), Ok(()));
+        assert_eq!(build_linear_chain(6), Ok(()));
+    }
+
+    #[test]
+    #[cfg(feature = "alloc")]
+    fn path_too_long() {
+        assert_eq!(build_linear_chain(7), Err(Error::MaximumPathDepthExceeded));
+    }
 }