Make use of CRT acquire/release in x509_crt_verify_restartable
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 6dba6a1..bf62f65 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -3156,7 +3156,6 @@
                      mbedtls_x509_crt_restart_ctx *rs_ctx )
 {
     int ret;
-    mbedtls_pk_type_t pk_type;
     mbedtls_x509_crt_verify_chain ver_chain;
     uint32_t ee_flags;
 
@@ -3172,16 +3171,31 @@
 
     /* check name if requested */
     if( cn != NULL )
-        x509_crt_verify_name( crt, cn, &ee_flags );
+    {
+        ret = x509_crt_verify_name( crt, cn, &ee_flags );
+        if( ret != 0 )
+            return( ret );
+    }
 
-    /* Check the type and size of the key */
-    pk_type = mbedtls_pk_get_type( &crt->pk );
+    {
+        mbedtls_pk_context *pk;
+        mbedtls_pk_type_t pk_type;
 
-    if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
-        ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+        ret = x509_crt_pk_acquire( crt, &pk );
+        if( ret != 0 )
+            return( MBEDTLS_ERR_X509_FATAL_ERROR );
 
-    if( x509_profile_check_key( profile, &crt->pk ) != 0 )
-        ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+        /* Check the type and size of the key */
+        pk_type = mbedtls_pk_get_type( pk );
+
+        if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
+            ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+
+        if( x509_profile_check_key( profile, pk ) != 0 )
+            ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+        x509_crt_pk_release( crt, pk );
+    }
 
     /* Check the chain */
     ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,