rustls · djc · Oct 2, 2025 · Oct 2, 2025 · Oct 2, 2025
diff --git a/src/alg_tests.rs b/src/alg_tests.rs
@@ -222,7 +222,7 @@ fn test_ecdsa_secp384r1_sha256() {
 fn test_ecdsa_using_rsa_key() {
     assert_eq!(
         test_verify_signed_data(test_file_bytes!("ecdsa-using-rsa-key.pem")),
-        Err(Error::UnsupportedSignatureAlgorithmForPublicKeyContext(
+        Err(Error::UnsupportedSignatureAlgorithmForPublicKey(
             UnsupportedSignatureAlgorithmForPublicKeyContext {
                 #[cfg(feature = "alloc")]
                 signature_algorithm_id: alg_id::ECDSA_SHA256.as_ref().to_vec(),
@@ -329,7 +329,7 @@ fn test_rsa_pkcs1_sha256_using_ecdsa_algorithm() {
         test_verify_signed_data(test_file_bytes!(
             "rsa-pkcs1-sha256-using-ecdsa-algorithm.pem"
         )),
-        Err(Error::UnsupportedSignatureAlgorithmForPublicKeyContext(
+        Err(Error::UnsupportedSignatureAlgorithmForPublicKey(
             UnsupportedSignatureAlgorithmForPublicKeyContext {
                 #[cfg(feature = "alloc")]
                 signature_algorithm_id: alg_id::ECDSA_SHA256.as_ref().to_vec(),

diff --git a/src/aws_lc_rs_algs.rs b/src/aws_lc_rs_algs.rs
@@ -342,7 +342,7 @@ mod tests {
     }
 
     fn unsupported_for_rsa(_sig_alg_id: &[u8], _public_key_alg_id: &[u8]) -> Error {
-        Error::UnsupportedSignatureAlgorithmForPublicKeyContext(
+        Error::UnsupportedSignatureAlgorithmForPublicKey(
             UnsupportedSignatureAlgorithmForPublicKeyContext {
                 #[cfg(feature = "alloc")]
                 signature_algorithm_id: _sig_alg_id.to_vec(),
@@ -357,7 +357,7 @@ mod tests {
     }
 
     fn unsupported_for_ecdsa(_sig_alg_id: &[u8], _public_key_alg_id: &[u8]) -> Error {
-        Error::UnsupportedSignatureAlgorithmForPublicKeyContext(
+        Error::UnsupportedSignatureAlgorithmForPublicKey(
             UnsupportedSignatureAlgorithmForPublicKeyContext {
                 #[cfg(feature = "alloc")]
                 signature_algorithm_id: _sig_alg_id.to_vec(),
@@ -368,7 +368,7 @@ mod tests {
     }
 
     fn unsupported(_sig_alg_id: &[u8]) -> Error {
-        Error::UnsupportedSignatureAlgorithmContext(UnsupportedSignatureAlgorithmContext {
+        Error::UnsupportedSignatureAlgorithm(UnsupportedSignatureAlgorithmContext {
             #[cfg(feature = "alloc")]
             signature_algorithm_id: _sig_alg_id.to_vec(),
             #[cfg(feature = "alloc")]

diff --git a/src/crl/mod.rs b/src/crl/mod.rs
@@ -210,17 +210,9 @@ impl KeyUsageMode {
 // signature, not a certificate.
 fn crl_signature_err(err: Error) -> Error {
     match err {
-        #[allow(deprecated)]
-        Error::UnsupportedSignatureAlgorithm => Error::UnsupportedCrlSignatureAlgorithm,
-        Error::UnsupportedSignatureAlgorithmContext(cx) => {
-            Error::UnsupportedCrlSignatureAlgorithmContext(cx)
-        }
-        #[allow(deprecated)]
-        Error::UnsupportedSignatureAlgorithmForPublicKey => {
-            Error::UnsupportedCrlSignatureAlgorithmForPublicKey
-        }
-        Error::UnsupportedSignatureAlgorithmForPublicKeyContext(cx) => {
-            Error::UnsupportedCrlSignatureAlgorithmForPublicKeyContext(cx)
+        Error::UnsupportedSignatureAlgorithm(cx) => Error::UnsupportedCrlSignatureAlgorithm(cx),
+        Error::UnsupportedSignatureAlgorithmForPublicKey(cx) => {
+            Error::UnsupportedCrlSignatureAlgorithmForPublicKey(cx)
         }
         Error::InvalidSignatureForPublicKey => Error::InvalidCrlSignatureForPublicKey,
         _ => err,

diff --git a/src/error.rs b/src/error.rs
@@ -146,12 +146,7 @@ pub enum Error {
 
     /// The certificate is not valid for the Extended Key Usage for which it is
     /// being validated.
-    #[deprecated(since = "0.103.2", note = "use RequiredEkuNotFoundContext instead")]
-    RequiredEkuNotFound,
-
-    /// The certificate is not valid for the Extended Key Usage for which it is
-    /// being validated.
-    RequiredEkuNotFoundContext(RequiredEkuNotFoundContext),
+    RequiredEkuNotFound(RequiredEkuNotFoundContext),
 
     /// The algorithm in the TBSCertificate "signature" field of a certificate
     /// does not match the algorithm in the signature of the certificate.
@@ -202,53 +197,13 @@ pub enum Error {
     /// The CRL is partitioned by revocation reasons.
     UnsupportedRevocationReasonsPartitioning,
 
-    /// The signature algorithm for a signature over a CRL is not in the set of supported
-    /// signature algorithms given.
-    #[deprecated(
-        since = "0.103.4",
-        note = "use UnsupportedCrlSignatureAlgorithmContext instead"
-    )]
-    UnsupportedCrlSignatureAlgorithm,
-
     /// The signature algorithm for a signature is not in the set of supported
     /// signature algorithms given.
-    UnsupportedCrlSignatureAlgorithmContext(UnsupportedSignatureAlgorithmContext),
+    UnsupportedCrlSignatureAlgorithm(UnsupportedSignatureAlgorithmContext),
 
     /// The signature algorithm for a signature is not in the set of supported
     /// signature algorithms given.
-    #[deprecated(
-        since = "0.103.4",
-        note = "use UnsupportedSignatureAlgorithmContext instead"
-    )]
-    UnsupportedSignatureAlgorithm,
-
-    /// The signature algorithm for a signature is not in the set of supported
-    /// signature algorithms given.
-    UnsupportedSignatureAlgorithmContext(UnsupportedSignatureAlgorithmContext),
-
-    /// The CRL signature's algorithm does not match the algorithm of the issuer
-    /// public key it is being validated for. This may be because the public key
-    /// algorithm's OID isn't recognized (e.g. DSA), or the public key
-    /// algorithm's parameters don't match the supported parameters for that
-    /// algorithm (e.g. ECC keys for unsupported curves), or the public key
-    /// algorithm and the signature algorithm simply don't match (e.g.
-    /// verifying an RSA signature with an ECC public key).
-    #[deprecated(
-        since = "0.103.4",
-        note = "use UnsupportedCrlSignatureAlgorithmForPublicKeyContext instead"
-    )]
-    UnsupportedCrlSignatureAlgorithmForPublicKey,
-
-    /// The signature's algorithm does not match the algorithm of the public
-    /// key it is being validated for. This may be because the public key
-    /// algorithm's OID isn't recognized (e.g. DSA), or the public key
-    /// algorithm's parameters don't match the supported parameters for that
-    /// algorithm (e.g. ECC keys for unsupported curves), or the public key
-    /// algorithm and the signature algorithm simply don't match (e.g.
-    /// verifying an RSA signature with an ECC public key).
-    UnsupportedCrlSignatureAlgorithmForPublicKeyContext(
-        UnsupportedSignatureAlgorithmForPublicKeyContext,
-    ),
+    UnsupportedSignatureAlgorithm(UnsupportedSignatureAlgorithmContext),
 
     /// The signature's algorithm does not match the algorithm of the public
     /// key it is being validated for. This may be because the public key
@@ -257,11 +212,7 @@ pub enum Error {
     /// algorithm (e.g. ECC keys for unsupported curves), or the public key
     /// algorithm and the signature algorithm simply don't match (e.g.
     /// verifying an RSA signature with an ECC public key).
-    #[deprecated(
-        since = "0.103.4",
-        note = "use UnsupportedSignatureAlgorithmForPublicKeyContext instead"
-    )]
-    UnsupportedSignatureAlgorithmForPublicKey,
+    UnsupportedCrlSignatureAlgorithmForPublicKey(UnsupportedSignatureAlgorithmForPublicKeyContext),
 
     /// The signature's algorithm does not match the algorithm of the public
     /// key it is being validated for. This may be because the public key
@@ -270,9 +221,7 @@ pub enum Error {
     /// algorithm (e.g. ECC keys for unsupported curves), or the public key
     /// algorithm and the signature algorithm simply don't match (e.g.
     /// verifying an RSA signature with an ECC public key).
-    UnsupportedSignatureAlgorithmForPublicKeyContext(
-        UnsupportedSignatureAlgorithmForPublicKeyContext,
-    ),
+    UnsupportedSignatureAlgorithmForPublicKey(UnsupportedSignatureAlgorithmForPublicKeyContext),
 }
 
 impl Error {
@@ -296,8 +245,7 @@ impl Error {
             Self::InvalidCrlSignatureForPublicKey | Self::InvalidSignatureForPublicKey => 260,
             Self::SignatureAlgorithmMismatch => 250,
             Self::EmptyEkuExtension => 245,
-            #[allow(deprecated)]
-            Self::RequiredEkuNotFound | Self::RequiredEkuNotFoundContext(_) => 240,
+            Self::RequiredEkuNotFound(_) => 240,
             Self::NameConstraintViolation => 230,
             Self::PathLenConstraintViolated => 220,
             Self::CaUsedAsEndEntity | Self::EndEntityUsedAsCa => 210,
@@ -310,16 +258,11 @@ impl Error {
             Self::InvalidCrlNumber => 160,
 
             // Errors related to unsupported features.
-            #[allow(deprecated)]
-            Self::UnsupportedCrlSignatureAlgorithmForPublicKey
-            | Self::UnsupportedCrlSignatureAlgorithmForPublicKeyContext(_)
-            | Self::UnsupportedSignatureAlgorithmForPublicKey
-            | Self::UnsupportedSignatureAlgorithmForPublicKeyContext(_) => 150,
-            #[allow(deprecated)]
-            Self::UnsupportedCrlSignatureAlgorithm
-            | Self::UnsupportedCrlSignatureAlgorithmContext(_)
-            | Self::UnsupportedSignatureAlgorithm
-            | Self::UnsupportedSignatureAlgorithmContext(_) => 140,
+            Self::UnsupportedCrlSignatureAlgorithmForPublicKey(_)
+            | Self::UnsupportedSignatureAlgorithmForPublicKey(_) => 150,
+            Self::UnsupportedCrlSignatureAlgorithm(_) | Self::UnsupportedSignatureAlgorithm(_) => {
+                140
+            }
             Self::UnsupportedCriticalExtension => 130,
             Self::UnsupportedCertVersion => 130,
             Self::UnsupportedCrlVersion => 120,

diff --git a/src/ring_algs.rs b/src/ring_algs.rs
@@ -261,7 +261,7 @@ mod tests {
     fn unsupported_for_rsa(sig_alg_id: &[u8], _public_key_alg_id: &[u8]) -> Error {
         #[cfg(feature = "alloc")]
         {
-            Error::UnsupportedSignatureAlgorithmForPublicKeyContext(
+            Error::UnsupportedSignatureAlgorithmForPublicKey(
                 UnsupportedSignatureAlgorithmForPublicKeyContext {
                     signature_algorithm_id: sig_alg_id.to_vec(),
                     public_key_algorithm_id: _public_key_alg_id.to_vec(),
@@ -290,7 +290,7 @@ mod tests {
     }
 
     fn unsupported(_sig_alg_id: &[u8]) -> Error {
-        Error::UnsupportedSignatureAlgorithmContext(UnsupportedSignatureAlgorithmContext {
+        Error::UnsupportedSignatureAlgorithm(UnsupportedSignatureAlgorithmContext {
             #[cfg(feature = "alloc")]
             signature_algorithm_id: _sig_alg_id.to_vec(),
             #[cfg(feature = "alloc")]

diff --git a/src/signed_data.rs b/src/signed_data.rs
@@ -194,7 +194,7 @@ pub(crate) fn verify_signed_data(
             signed_data.data,
             signed_data.signature,
         ) {
-            Err(Error::UnsupportedSignatureAlgorithmForPublicKeyContext(cx)) => {
+            Err(Error::UnsupportedSignatureAlgorithmForPublicKey(cx)) => {
                 invalid_for_public_key = Some(cx);
                 continue;
             }
@@ -203,10 +203,10 @@ pub(crate) fn verify_signed_data(
     }
 
     if let Some(cx) = invalid_for_public_key {
-        return Err(Error::UnsupportedSignatureAlgorithmForPublicKeyContext(cx));
+        return Err(Error::UnsupportedSignatureAlgorithmForPublicKey(cx));
     }
 
-    Err(Error::UnsupportedSignatureAlgorithmContext(
+    Err(Error::UnsupportedSignatureAlgorithm(
         UnsupportedSignatureAlgorithmContext {
             #[cfg(feature = "alloc")]
             signature_algorithm_id: signed_data.algorithm.as_slice_less_safe().to_vec(),
@@ -227,7 +227,7 @@ pub(crate) fn verify_signature(
 ) -> Result<(), Error> {
     let spki = der::read_all::<SubjectPublicKeyInfo<'_>>(spki_value)?;
     if signature_alg.public_key_alg_id().as_ref() != spki.algorithm_id_value.as_slice_less_safe() {
-        return Err(Error::UnsupportedSignatureAlgorithmForPublicKeyContext(
+        return Err(Error::UnsupportedSignatureAlgorithmForPublicKey(
             UnsupportedSignatureAlgorithmForPublicKeyContext {
                 #[cfg(feature = "alloc")]
                 signature_algorithm_id: signature_alg.signature_alg_id().as_ref().to_vec(),

diff --git a/src/verify_cert.rs b/src/verify_cert.rs
@@ -577,14 +577,12 @@ impl ExtendedKeyUsageValidator for KeyUsage {
 
         match (empty, self.inner) {
             (true, ExtendedKeyUsage::RequiredIfPresent(_)) => Ok(()),
-            _ => Err(Error::RequiredEkuNotFoundContext(
-                RequiredEkuNotFoundContext {
-                    #[cfg(feature = "alloc")]
-                    required: Self { inner: self.inner },
-                    #[cfg(feature = "alloc")]
-                    present,
-                },
-            )),
+            _ => Err(Error::RequiredEkuNotFound(RequiredEkuNotFoundContext {
+                #[cfg(feature = "alloc")]
+                required: Self { inner: self.inner },
+                #[cfg(feature = "alloc")]
+                present,
+            })),
         }
     }
 }
@@ -940,7 +938,7 @@ mod tests {
             .unwrap_err();
         assert_eq!(
             err,
-            Error::RequiredEkuNotFoundContext(RequiredEkuNotFoundContext {
+            Error::RequiredEkuNotFound(RequiredEkuNotFoundContext {
                 #[cfg(feature = "alloc")]
                 required: dbg!(KeyUsage::required(EKU_SERVER_AUTH)), // Cover Debug impl
                 #[cfg(feature = "alloc")]

diff --git a/tests/client_auth.rs b/tests/client_auth.rs
@@ -64,15 +64,15 @@ fn cert_with_serverauth_eku_rejected_for_client_auth() {
     let err = check_cert(ee.der(), ca).unwrap_err();
     assert_eq!(
         err,
-        webpki::Error::RequiredEkuNotFoundContext(RequiredEkuNotFoundContext {
+        webpki::Error::RequiredEkuNotFound(RequiredEkuNotFoundContext {
             required: KeyUsage::client_auth(),
             present: vec![vec![1, 3, 6, 1, 5, 5, 7, 3, 1]],
         })
     );
 
     assert_eq!(
         format!("{err}"),
-        "RequiredEkuNotFoundContext(RequiredEkuNotFoundContext { required: KeyPurposeId(1.3.6.1.5.5.7.3.2), present: [KeyPurposeId(1.3.6.1.5.5.7.3.1)] })"
+        "RequiredEkuNotFound(RequiredEkuNotFoundContext { required: KeyPurposeId(1.3.6.1.5.5.7.3.2), present: [KeyPurposeId(1.3.6.1.5.5.7.3.1)] })"
     )
 }
 

diff --git a/tests/custom_ekus.rs b/tests/custom_ekus.rs
@@ -47,7 +47,7 @@ pub fn verify_custom_eku_mdoc() {
         ca,
         KeyUsage::server_auth(),
         time,
-        Err(webpki::Error::RequiredEkuNotFoundContext(
+        Err(webpki::Error::RequiredEkuNotFound(
             RequiredEkuNotFoundContext {
                 required: KeyUsage::server_auth(),
                 present: vec![vec![1, 0, 68701, 5, 1, 2]],
@@ -60,7 +60,7 @@ pub fn verify_custom_eku_mdoc() {
         ca,
         KeyUsage::server_auth(),
         time,
-        Err(webpki::Error::RequiredEkuNotFoundContext(
+        Err(webpki::Error::RequiredEkuNotFound(
             RequiredEkuNotFoundContext {
                 required: KeyUsage::server_auth(),
                 present: vec![vec![1, 0, 68701, 5, 1, 2]],

diff --git a/tests/generate.py b/tests/generate.py
@@ -774,7 +774,7 @@ def bad_algorithms_for_key(
     for algorithm in &[ %(unusable_algs_str)s ] {
         assert!(matches!(
             check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKeyContext(_))
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
         ));
     }
 }"""

diff --git a/tests/signatures.rs b/tests/signatures.rs
@@ -125,7 +125,7 @@ fn ed25519_key_rejected_by_other_algorithms() {
     ] {
         assert!(matches!(
             check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKeyContext(_))
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
         ));
     }
 }
@@ -247,7 +247,7 @@ fn ecdsa_p256_key_rejected_by_other_algorithms() {
     ] {
         assert!(matches!(
             check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKeyContext(_))
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
         ));
     }
 }
@@ -369,7 +369,7 @@ fn ecdsa_p384_key_rejected_by_other_algorithms() {
     ] {
         assert!(matches!(
             check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKeyContext(_))
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
         ));
     }
 }
@@ -546,7 +546,7 @@ fn ecdsa_p521_key_rejected_by_other_algorithms() {
     ] {
         assert!(matches!(
             check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKeyContext(_))
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
         ));
     }
 }
@@ -881,7 +881,7 @@ fn rsa_2048_key_rejected_by_other_algorithms() {
     ] {
         assert!(matches!(
             check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKeyContext(_))
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
         ));
     }
 }
@@ -1268,7 +1268,7 @@ fn rsa_3072_key_rejected_by_other_algorithms() {
     ] {
         assert!(matches!(
             check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKeyContext(_))
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
         ));
     }
 }
@@ -1655,7 +1655,7 @@ fn rsa_4096_key_rejected_by_other_algorithms() {
     ] {
         assert!(matches!(
             check_sig(ee, *algorithm, b"", b""),
-            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKeyContext(_))
+            Err(webpki::Error::UnsupportedSignatureAlgorithmForPublicKey(_))
         ));
     }
 }