Tolerate DER time encoding errors

It seems that openssl generated certificates may contain invalid
formatted times, and gnutls will no longer parse them. Ignore such
formatting errors when DER decoding.

We should reconsider this in the future (#207)

Resolves #196

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

diff --git a/lib/x509/common.h b/lib/x509/common.h
index 0cca5272b8420b260feb500566275a21283da4d0..6d80b819b8d90d35d18c751c2901b1cd7e14b87c 100644 (file)
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -262,7 +262,12 @@ int _gnutls_check_if_sorted(gnutls_x509_crt_t * crt, int nr);
 inline static int _asn1_strict_der_decode (asn1_node * element, const void *ider,
                       int len, char *errorDescription)
 {
-       return asn1_der_decoding2(element, ider, &len, ASN1_DECODE_FLAG_STRICT_DER, errorDescription);
+#ifdef ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME
+# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME|ASN1_DECODE_FLAG_STRICT_DER
+#else
+# define _ASN1_DER_FLAGS ASN1_DECODE_FLAG_STRICT_DER
+#endif
+       return asn1_der_decoding2(element, ider, &len, _ASN1_DER_FLAGS, errorDescription);
 }
 
 #endif