I'm getting ready to push a change in how authentication is logged. The long term objective is to get the authentication down to a single line (perhaps per-auth method allowed?).
Today I'm looking at pubkey auth:

Success:

    authenticated by <PKI> public key '<ID>' issued by CA '<CA>' using <hash>

-003 "westnet-eastnet" #1: authenticated using RSA with SHA-1
+003 "westnet-eastnet" #1: authenticated by RSA public key '@east' issued by CA '%any' using SHA-1
-003 "westnet-eastnet-ikev2" #1: authenticated using RSA with SHA2_512
+003 "westnet-eastnet-ikev2" #1: authenticated by RSA public key '192.1.2.23' issued by CA 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=test...@libreswan.org' using SHA2_512
-003 "road-east-x509-ipv4"[1] 192.1.2.23 #1: authenticated using RSA with SHA2_512
+003 "road-east-x509-ipv4"[1] 192.1.2.23 #1: authenticated by RSA public key 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-e...@testing.libreswan.org' issued by CA 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=test...@libreswan.org' using SHA2_512

-> I'll probably reword it so that <hash> comes earlier in the possibly very long log line
-> it should probably include "local" or "remote" to indicate where the cert came from
-> is anything missing?

Fail:

    <PKI> signature check for '<ID>' failed tried [remote certs: *<KEYID>(<reason>) ...] [preloaded certs: *<KEYID>(<reason>) ...]

-003 "ikev1-aggr-failtest" #3: an RSA Sig check failed 'SIG length does not match public key length' with *000000000 [preloaded keys]
-003 "ikev1-aggr-failtest" #3: RSA Signature check (on @east-v1) failed (wrong key?); tried *000000000
+003 "ikev1-aggr-failtest" #3: RSA signature check for '@east-v1' failed, tried preloaded certs: *000000000(length)

-> I'm not sure if "(length)" is helpful or not, it could be made longer?
-> I'm going to rename "preloaded" to "local"

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
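The proposed success and failure line formats above, parsed the way a detection pipeline would consume them, as an added example that is not part of the post or of libreswan's own code. The embedded log lines are constructed in the proposed format (DNs shortened), and the checks in `review_reason` are this example's own assumptions about what is worth a second look.

```python
import re
from typing import Optional

# Constructed sample in the new format proposed above (not captured from a real libreswan run).
SAMPLE_LOG = """\
003 "westnet-eastnet" #1: authenticated by RSA public key '@east' issued by CA '%any' using SHA-1
003 "road-east-x509-ipv4"[1] 192.1.2.23 #1: authenticated by RSA public key 'C=CA, O=Libreswan, CN=east.testing.libreswan.org' issued by CA 'C=CA, O=Libreswan, CN=Libreswan test CA for mainca' using SHA2_512
003 "ikev1-aggr-failtest" #3: RSA signature check for '@east-v1' failed, tried preloaded certs: *000000000(length)
"""

# Prefix: <code> "<conn>"[<inst>] <peer> #<state>: <msg>; the [<inst>] <peer> part is optional.
PREFIX = re.compile(r'^(\d{3}) "([^"]+)"(?:\[(\d+)\] (\S+))? #(\d+): (.*)$')
# Quoted IDs can be full DNs with commas and spaces, so match non-greedily up to the fixed separators.
SUCCESS = re.compile(r"^authenticated by (\S+) public key '(.*?)' issued by CA '(.*?)' using (\S+)$")
FAIL = re.compile(r"^(\S+) signature check for '(.*?)' failed, tried (.*)$")
TRIED = re.compile(r"(\w+) certs:((?:\s*\*\S+)+)")  # "<source> certs: *KEYID(reason) ..."
KEYID = re.compile(r"\*(\w+)\(([^)]*)\)")

def parse_line(line: str) -> Optional[dict]:
    """Parse one pubkey-auth success/failure line into a dict, or None for anything else."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    _code, conn, _inst, peer, state, msg = m.groups()
    ev = {"conn": conn, "peer": peer, "state": int(state)}
    if s := SUCCESS.match(msg):
        ev.update(ok=True, pki=s[1], id=s[2], ca=s[3], hash=s[4])
        return ev
    if f := FAIL.match(msg):
        # tried: cert source -> [(keyid, reason), ...]
        tried = {src: KEYID.findall(keys) for src, keys in TRIED.findall(f[3])}
        ev.update(ok=False, pki=f[1], id=f[2], tried=tried)
        return ev
    return None

def parse_log(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def review_reason(ev: dict) -> Optional[str]:
    """Why a defender might want a second look at this event; None if it looks routine."""
    if not ev["ok"]:
        return "signature check failed against " + ", ".join(ev["tried"]) + " certs"
    if ev["ca"] == "%any":
        return "peer key not issued by any CA"
    if ev["hash"] == "SHA-1":
        return "authenticated with SHA-1"
    return None
```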