From fa67ebaebb7bb65643d3e35b579b197ae829a940 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Sat, 27 Jun 2015 14:41:38 +0200
Subject: [PATCH] Fix X.509 keysize check with multiple CAs

Assume we have two trusted CAs with the same name, the first uses ECDSA 256 bits, the second RSA 2048; cert is signed by the second. If we do the keysize check before we checked the key types match, we'll raise the badkey flags when checking the EC-256 CA and it will remain up even when we finally find the correct CA. So, move the check for the key size after signature verification, which implicitly checks the key type.
---
 library/x509_crt.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 7bee9af9b3..c837c03d13 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1938,9 +1938,6 @@ static int x509_crt_verify_top(
 continue;
 }
- if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
- *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
-
 if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk, child->sig_md, hash, mbedtls_md_get_size( md_info ), child->sig.p, child->sig.len ) != 0 )
@@ -1952,6 +1949,10 @@ static int x509_crt_verify_top(
 * Top of chain is signed by a trusted CA */
 *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+
+ if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
+ *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
 break;
 }
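Review bot: The relocated `x509_profile_check_key` call in the second hunk carries no comment saying why it has to come after `mbedtls_pk_verify_ext`, so a later cleanup could hoist it back above the signature check and bring back the stale `MBEDTLS_X509_BADCERT_BAD_KEY` flag. I would add above it `/* Check key size only once the signature verified: a same-name CA of another key type must not leave BAD_KEY set */`. The diffstat lists only library/x509_crt.c, so nothing in this patch exercises the two-CA case from the description; a regression test with two same-name trust anchors of different key types would pin the ordering. The candidate loop in x509_crt_verify_top starts and ends outside the hunk, so whether any other sticky flag is raised per candidate before the signature check cannot be judged from here.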