• Manuel Pégourié-Gonnard's avatar
    Fix X.509 keysize check with multiple CAs · fa67ebae
    Manuel Pégourié-Gonnard authored
    Assume we have two trusted CAs with the same name, the first uses ECDSA 256
    bits, the second RSA 2048; cert is signed by the second. If we do the keysize
    check before we checked the key types match, we'll raise the badkey flags when
    checking the EC-256 CA and it will remain up even when we finally find the
    correct CA. So, move the check for the key size after signature verification,
    which implicitly checks the key type.
x509_crt.c 65.7 KB