Fabian Stelzer <fs@xxxxxxxxxxxx> writes:

>>> +	/* Search for the last "with" to get the full principal */
>>> +	principal = line;
>>> +	do {
>>> +		search = strstr(line, " with ");
>>> +		if (search)
>>> +			line = search + 1;
>>> +	} while (search != NULL);
>>> +	sigc->signer = xmemdupz(principal, line - principal - 1);
>>> +	sigc->fingerprint = xstrdup(strstr(line, "key") + 4);
>>
>> OK.  This does not care about the "RSA" part, which is future resistant.
>> It assumes the <algo>:<fingerprint> comes after literal " key ",
>> which I think is a reasonable thing to do.
>>
>> However, we never checked if the line has "key" in it, so
>> strstr(line, "key") + 4 may not be pointing at where this code
>> expects.
>
> Hmm. What would I do if I don't find "key"? Still mark the signature
> as valid and just leave fingerprint & key empty?

We didn't get a satisfactory response from the ssh-keygen we expect
that tells us that the external tool successfully decided that the
signature is good or bad.  I would feel safer if we said we did not
see a good signature in such a case.
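Review bot: both strstr() results in the quoted hunk are used unchecked. If the line contains no " with ", the loop leaves `line` equal to `principal` and `xmemdupz(principal, line - principal - 1)` is called with a length of -1; if it contains no "key", `strstr(line, "key") + 4` is computed from a NULL pointer and xstrdup() dereferences it. Suggest testing each result and, when either is missing, returning without setting sigc->signer or sigc->fingerprint and not treating the line as a good signature.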
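As an added example (not git's code and not from this thread), a fail-closed version in C of the parsing the quoted hunk does: it assumes `line` already points at the principal, as in the hunk, and uses a constructed sample line rather than captured ssh-keygen output.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not git's code: a fail-closed variant of the parsing in the quoted hunk.
 * `line` is assumed to already point at the principal. Returns 1 and sets malloc'd
 * *signer and *fingerprint only when both " with " and " key " are present; otherwise 0 and NULLs. */
static char *dupn(const char *s, size_t n)
{
	char *p = malloc(n + 1);
	memcpy(p, s, n);
	p[n] = '\0';
	return p;
}

static int parse_signer_and_key(const char *line, char **signer, char **fingerprint)
{
	const char *search, *last_with = NULL, *key;

	*signer = *fingerprint = NULL;
	/* use the LAST " with " so a principal that itself contains " with " stays whole */
	for (search = strstr(line, " with "); search; search = strstr(search + 1, " with "))
		last_with = search;
	if (!last_with)
		return 0; /* no " with ": the hunk's line - principal - 1 would underflow here */
	/* <algo>:<fingerprint> must follow the literal " key "; an unchecked strstr()+4 crashes here */
	key = strstr(last_with + 6, " key ");
	if (!key)
		return 0;
	key += 5;
	*signer = dupn(line, (size_t)(last_with - line));
	*fingerprint = dupn(key, strcspn(key, "\r\n")); /* drop a trailing newline */
	return 1;
}

/* Constructed sample line in the shape the thread describes, not captured ssh-keygen output */
static const char GOOD_LINE[] = "alice@example.com with RSA key SHA256:CONSTRUCTEDFINGERPRINT\n";

/* Returns 3 when both checks pass: bit 0 = well-formed line parsed, bit 1 = line without " key " rejected */
int run_checks(void)
{
	char *signer, *fp;
	int result = 0;
	if (parse_signer_and_key(GOOD_LINE, &signer, &fp)
	    && !strcmp(signer, "alice@example.com") && !strcmp(fp, "SHA256:CONSTRUCTEDFINGERPRINT"))
		result |= 1;
	free(signer); free(fp);
	if (!parse_signer_and_key("alice@example.com with RSA\n", &signer, &fp) && !signer && !fp)
		result |= 2; /* rejected instead of dereferencing NULL as strstr(line, "key") + 4 would */
	return result;
}
```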