Sophie

gnutls-1.0.25-2.2.20060mdk.src.rpm

Make sure the digestAlgorithm.parameters field is empty, which it has
to be for the hashes we support.  Otherwise, the field can encode
"garbage" that might be used to make the signature be a perfect cube,
similar (but not identical) to Bleichenbacher's Crypto 06 rump session
attack.
--- gnutls-1.0.20/lib/x509/verify.c.no-params	2004-08-04 23:36:03.000000000 +0200
+++ gnutls-1.0.20/lib/x509/verify.c	2006-09-14 11:06:32.000000000 +0200
@@ -390,6 +390,18 @@
 		return GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
 	}
 	
+	len = sizeof(str) - 1;
+	result = asn1_read_value (dinfo, "digestAlgorithm.parameters", str, &len);
+	/* To avoid permitting garbage in the parameters field, either the
+	   parameters field is not present, or it contains 0x05 0x00. */
+	if (!(result == ASN1_ELEMENT_NOT_FOUND ||
+	    (result == ASN1_SUCCESS && len == 2 &&
+	    str[0] == 0x05 && str[1] == 0x00))) {
+		gnutls_assert();
+		asn1_delete_structure(&dinfo);
+		return GNUTLS_E_ASN1_GENERIC_ERROR;
+	}
+
 	result =
 	    asn1_read_value( dinfo, "digest", digest, digest_size);
 	if (result != ASN1_SUCCESS) {
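Review bot: the `len = sizeof(str) - 1` bound in this hunk is only correct if `str` is a fixed-size stack array declared earlier in the function; its declaration is outside the hunk, so please confirm it is not a `char *` (where `sizeof` would yield the pointer size) and that it is at least two bytes so the `str[0] == 0x05 && str[1] == 0x00` comparison is in bounds. The accept condition itself is sound: an absent field (`ASN1_ELEMENT_NOT_FOUND`) or an exact two-byte DER NULL passes, while an empty-but-present field, a longer encoding, or a buffer-too-small return from `asn1_read_value` all fall into the rejection branch, which is what the description asks for. On the rejection path, `GNUTLS_E_ASN1_GENERIC_ERROR` is indistinguishable from any other ASN.1 decoding failure in `dinfo`; consider a more specific error so callers and logs can tell a rejected non-NULL parameters field apart from a corrupt DigestInfo, and add a test vector carrying non-NULL parameters so the new rejection is covered.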