(xmlsec-gnutls) Added an option to skip timestamp checks for certific…

…ates and CLRs.

docs/index.html

@@ -72,7 +72,7 @@ <h1>XML Security Library</h1>
         <ul>
             <li>(xmlsec-core) Disabled old crypto algorithms (MD5, RIPEMD160) and the old crypto engines (MSCrypto, GCrypt) by default (use "--with-legacy-features" option to reenable everything).</li>
             <li>(xmlsec-windows) Disabled old crypto algorithms (MD5, RIPEMD160), made "mscng" the default crypto engine on Windows, and added support for "legacy-features" flag for "configure.js".<li>
-            <li>(xmlsec-openssl) Added an option to skip timestamp checks for certificates and CLRs.</li>
+            <li>(xmlsec-openssl, xmlsec-gnutls) Added an option to skip timestamp checks for certificates and CLRs.</li>
             <li>Several other small fixes (see <a href="https://github.com/lsh123/xmlsec/commits/master">more details</a>).</li>
         </ul>
 	</li>

src/gnutls/x509vfy.c

@@ -406,6 +406,9 @@ xmlSecGnuTLSX509StoreVerifyCert(xmlSecGnuTLSX509StoreCtxPtr ctx,
     if(keyInfoCtx->certsVerificationTime > 0) {
         flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
     }
+    if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS) != 0) {
+        flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
+    }
 
     flags |= GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
     if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) {

tests/testDSig.sh

@@ -1147,9 +1147,9 @@ execDSigTest $res_success \
     "--trusted-$cert_format $topfolder/keys/cacert.$cert_format --enabled-key-data x509 --verification-gmt-time 2022-12-14+00:00:00"
 
 
-# currently only openssl supports skipping time checks
+# currently only openssl and gnutls support skipping time checks
 # https://github.com/lsh123/xmlsec/issues/852
-if [ "z$crypto" = "zopenssl" ] ; then
+if [ "z$crypto" = "zopenssl" -o "z$crypto" = "zgnutls"  ] ; then
 extra_message="Expired cert but we skip timestamp checks"
 execDSigTest $res_success \
     "" \