There is a bug in OpenSSL ts module,
causing the generated high-precision RFC3161 time-stamp
(when clock_precision_digits is set > 0) to have the original
microsecond value increased by one or more orders of magnitude,
when that sub-second value is < 0.1 s.
In crypto/ts/ts_rsp_sign.c: TS_RESP_set_genTime_with_precision:
BIO_snprintf(p, 2 + precision, ".%ld", usec);
/* We cannot use the snprintf return value,
because it might have been truncated. */
.. the comment is right - for instance, the time-stamp
sub-second portion carrying e.g. 99 microsecond value
might have (in addition to intended truncation from right,
if 0 < precision < 6, and the subsequent possible right-zeroes
truncation in accordance with ASN.1 GeneralizedTime encoding rules)
been "truncated" to 990 milliseconds (".000099" --> ".99"),
unfortunately.
The bug has been discovered back in 2008 by Vladimir Smotlacha (CESNET),
when the TS functionality was just an unofficial patch from OpenTSA
project (https://web.archive.org/web/http://www.opentsa.org/ts/),
and applies to all OpenSSL versions with the ts functionality
(>= 1.0.0), apparently.
regards,
Michal Bozon,
CESNET
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index df09e17..3c48352 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -971,7 +971,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
if (precision > 0)
{
/* Add fraction of seconds (leave space for dot and null). */
- BIO_snprintf(p, 2 + precision, ".%ld", usec);
+ BIO_snprintf(p, 2 + precision, ".%06ld", usec);
/* We cannot use the snprintf return value,
because it might have been truncated. */
p += strlen(p);
