Rivoreo Source Code Repositories
src.rivoreo.one / security / mbedtls / fa67ebaebb7bb65643d3e35b579b197ae829a940
commitfa67ebaebb7bb65643d3e35b579b197ae829a940[log] [download]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Sat Jun 27 14:41:38 2015 +0200
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Sat Jun 27 14:41:38 2015 +0200
treea5601587bda4a43c05e16b2c1eed67ee0d838167
parent1c5b9fc19ffa694bb783d2f5bb82ace54b96a11b [diff]
Fix X.509 keysize check with multiple CAs

Assume we have two trusted CAs with the same name, the first uses ECDSA 256
bits, the second RSA 2048; cert is signed by the second. If we do the keysize
check before we checked the key types match, we'll raise the badkey flags when
checking the EC-256 CA and it will remain up even when we finally find the
correct CA. So, move the check for the key size after signature verification,
which implicitly checks the key type.
1 file changed
tree: a5601587bda4a43c05e16b2c1eed67ee0d838167
  1. .gitignore
  2. .travis.yml
  3. CMakeLists.txt
  4. ChangeLog
  5. DartConfiguration.tcl
  6. LICENSE
  7. Makefile
  8. README.rst
  9. configs/
  10. doxygen/
  11. include/
  12. library/
  13. programs/
  14. scripts/
  15. tests/
  16. visualc/VS2010/