Fix X.509 keysize check with multiple CAs
Assume we have two trusted CAs with the same name, the first uses ECDSA 256 bits, the second RSA 2048; cert is signed by the second. If we do the keysize check before we checked the key types match, we'll raise the badkey flags when checking the EC-256 CA and it will remain up even when we finally find the correct CA. So, move the check for the key size after signature verification, which implicitly checks the key type.
Showing with 4 additions and 3 deletions