Skip to content

feat(models): add missing RevocationReason variants (RFC 5280)#58

Closed
Swaagie wants to merge 1 commit into
mainfrom
feat/revocation-reasons
Closed

feat(models): add missing RevocationReason variants (RFC 5280)#58
Swaagie wants to merge 1 commit into
mainfrom
feat/revocation-reasons

Conversation

@Swaagie

@Swaagie Swaagie commented May 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds four RevocationReason variants that are present in the Go SDK but missing from the Rust SDK:

  • CaCompromise — CA was compromised
  • ExpiredCert — certificate has expired
  • RemoveFromCrl — remove from CRL
  • Unspecified — no specific reason

ExpiredCert and Unspecified are the immediate motivation: they are needed to attempt recovery of agent registrations stuck in PENDING_VALIDATION past their expiresAt, where CESSATION_OF_OPERATION is rejected with 422.

Test plan

  • cargo build — clean across full workspace
  • Verify EXPIRED_CERT and UNSPECIFIED are accepted by the API against a stuck registration

Adds CaCompromise, ExpiredCert, RemoveFromCrl, and Unspecified to match
the full set of reason codes accepted by the ANS API and exposed by the
Go SDK. ExpiredCert and Unspecified are specifically needed to attempt
recovery of registrations stuck in PENDING_VALIDATION past their expiresAt.
@github-actions

Copy link
Copy Markdown
Contributor

Coverage Report

Filename                                          Regions    Missed Regions     Cover   Functions  Missed Functions  Executed       Lines      Missed Lines     Cover    Branches   Missed Branches     Cover
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ans-client/src/client.rs                              476                42    91.18%          69                 5    92.75%         361                22    93.91%           0                 0         -
ans-client/src/error.rs                               193                26    86.53%          20                 3    85.00%         147                11    92.52%           0                 0         -
ans-client/src/models.rs                              193                22    88.60%          25                 4    84.00%         145                17    88.28%           0                 0         -
ans-types/src/badge.rs                                 85                10    88.24%          14                 3    78.57%         102                 9    91.18%           0                 0         -
ans-types/src/fingerprint.rs                          304                 2    99.34%          35                 0   100.00%         180                 3    98.33%           0                 0         -
ans-types/src/scitt.rs                                259                 9    96.53%          18                 1    94.44%         173                 6    96.53%           0                 0         -
ans-types/src/types.rs                                560                15    97.32%          71                 2    97.18%         327                12    96.33%           0                 0         -
ans-verify/src/cache.rs                               668                35    94.76%          62                 7    88.71%         353                23    93.48%           0                 0         -
ans-verify/src/dane.rs                                537                26    95.16%          36                 0   100.00%         364                17    95.33%           0                 0         -
ans-verify/src/dns.rs                                 991               116    88.29%         105                12    88.57%         638               108    83.07%           0                 0         -
ans-verify/src/error.rs                                58                12    79.31%           9                 3    66.67%          57                 9    84.21%           0                 0         -
ans-verify/src/rustls_verifier.rs                     376                67    82.18%          39                11    71.79%         260                78    70.00%           0                 0         -
ans-verify/src/scitt/client.rs                        384               145    62.24%          52                18    65.38%         250               101    59.60%           0                 0         -
ans-verify/src/scitt/cose.rs                          750                40    94.67%          35                 3    91.43%         454                31    93.17%           0                 0         -
ans-verify/src/scitt/error.rs                         229                 0   100.00%          28                 0   100.00%         181                 0   100.00%           0                 0         -
ans-verify/src/scitt/headers.rs                       299                 6    97.99%          24                 0   100.00%         153                 2    98.69%           0                 0         -
ans-verify/src/scitt/merkle.rs                        606                15    97.52%          33                 0   100.00%         302                 4    98.68%           0                 0         -
ans-verify/src/scitt/mod.rs                             5                 0   100.00%           2                 0   100.00%           4                 0   100.00%           0                 0         -
ans-verify/src/scitt/receipt.rs                      1248                39    96.88%          44                 3    93.18%         702                33    95.30%           0                 0         -
ans-verify/src/scitt/refreshable_key_store.rs         698                88    87.39%          54                12    77.78%         353                53    84.99%           0                 0         -
ans-verify/src/scitt/root_keys.rs                     577                28    95.15%          30                 0   100.00%         277                14    94.95%           0                 0         -
ans-verify/src/scitt/scitt_cache.rs                   501                24    95.21%          54                 4    92.59%         285                17    94.04%           0                 0         -
ans-verify/src/scitt/status_token.rs                 1271                86    93.23%          58                10    82.76%         844                64    92.42%           0                 0         -
ans-verify/src/scitt/supplier.rs                      871                80    90.82%          55                 5    90.91%         538                65    87.92%           0                 0         -
ans-verify/src/scitt/verification_cache.rs           1252                18    98.56%         103                 2    98.06%         773                10    98.71%           0                 0         -
ans-verify/src/tlog.rs                                423                29    93.14%          55                 9    83.64%         251                18    92.83%           0                 0         -
ans-verify/src/verify.rs                             5435               533    90.19%         326                47    85.58%        3587               372    89.63%           0                 0         -
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
TOTAL                                               19249              1513    92.14%        1456               164    88.74%       12061              1099    90.89%           0                 0         -

Threshold: 90% line coverage | Full LCOV report

@Swaagie

Swaagie commented May 13, 2026

Copy link
Copy Markdown
Contributor Author

Closing — both EXPIRED_CERT and UNSPECIFIED are rejected by the server with a JSON mapping error (not recognized server-side). Adding these variants would give false confidence that they work. The Go SDK includes them in client-side validation but the ANS API does not accept them.

@Swaagie Swaagie closed this May 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant