[Swan-dev] can add connection require a private key?

Paul Wouters paul at nohats.ca
Thu Sep 17 20:05:17 UTC 2020


On Thu, 17 Sep 2020, Andrew Cagney wrote:

> Currently the code just warns when trying to add a connection with no private key. Instead much much later - during the auth exchange - the
> code tries to find the private key.
> Presumably this is because the end may not need the private key.

Yes. That is:

conn test
 	left=%defaultroute
 	right=%any
 	leftcert=somecert
 	rightrsasigkey=%fromcert # implied as default

When loading this conn, pluto does not know if it is left or right. The
same config could be used on both endpoints, and somecert would only be
on one endpoint. Whether this is worth supporting is something else. I
could see where we just always try to load the leftcert= / rightcert=
and throw an error when we can't load it. The idea behind re-using the
same config on both sides is slowly vanishing anyway. And if I get to
do some kind of rewrite with a new config format, then I think I would
be tempted to use [inifile] type syntax anyway.

But, if currently the only issue is a "late failure" vs "early failure"
then I suggest to just leave it as "late failure".

> I'm wondering if there's enough information available to determine that the private key is required when the connection is being added.  If a
> connection can specify multiple optional auth methods then probably not?

Perhaps after orienting there is. Before that, I think it is a little
tricky?

> (a case when there isn't is with rsasigkey - that only arrives after the connection is added; grrrr)

I'm fine with that failing to load, provided we would be sure we had
oriented properly?

Paul

