The default time comes from the gettimeofday() system call (see def_time_cb in 
ts_rsp_sign.c).
I don't see any openssl bug here.

--  
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz


> -----Original Message-----
> From: owner-openssl-...@openssl.org [mailto:owner-openssl-
> d...@openssl.org] On Behalf Of Michal Bozon via RT
> Sent: Thursday, September 18, 2014 7:55 AM
> Cc: openssl-dev@openssl.org
> Subject: [openssl.org #3535] TS high-precision time malformation - demo
> 
> Quick demonstration - doing statistics on the first decimal place digit of a large
> number of time-stamps:
> 
> ----- sample output:
> ...
> ### BEFORE:
> 0: 0%         <--- !
> 1:11%
> 2:11%
> 3:11%
> 4:10%
> 5:11%
> 6:11%
> 7:12%
> 8:12%
> 9:11%
> ### AFTER:
> 0:10%
> 1:10%
> 2:10%
> 3:10%
> 4:10%
> 5:10%
> 6:10%
> 7:10%
> 8:10%
> 9:10%
> 
> ----- script:
> #!/bin/sh
> 
> cp apps/openssl.cnf /tmp/ossl.cnf
> 
> cat <<EOF >> /tmp/ossl.cnf
> [ tsa_test ]
> basicConstraints=CA:TRUE
> extendedKeyUsage=critical,timeStamping
> [ tsr_test ]
> clock_precision_digits  = 6
> serial = /tmp/serial
> default_policy = 2.999.0
> digests = sha1
> EOF
> 
> openssl req -x509 -newkey rsa:2048 -config /tmp/ossl.cnf -nodes -batch \
>   -extensions tsa_test -out /tmp/tsa_.pem -keyout /tmp/tsa_.pem
> 
> for ossl in openssl /usr/local/ssl/bin/openssl; do
>   [ $ossl = openssl ] && echo "### BEFORE:" || echo "### AFTER:"
>   for i in `seq 1 2000`; do
>     $ossl ts -reply -config /tmp/ossl.cnf -queryfile /tmp/x.tsq \
>       -signer /tmp/tsa_.pem -inkey /tmp/tsa_.pem -section tsr_test \
>       | openssl ts -reply -in /dev/stdin -text \
>       | grep '^Time stamp'
>   done 2>/tmp/osslerr.out | perl -ne \
>     '/\.(\d)/;$h{$1}++}{for(0..9){printf"%i:%2.f%%\n",$_,100*$h{$_}/$.}'
> done
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
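
A significance check on the first-fractional-digit tally that the quoted script prints, as an added example that is not part of the original thread or of OpenSSL. It assumes `Time stamp` lines carry the fraction after the first `.` (the same match the perl one-liner uses); the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Same match as the perl one-liner in the quoted script: first digit after a '.'
FIRST_FRACTION_DIGIT = re.compile(r"\.(\d)")
# Chi-square critical value, 9 degrees of freedom, p = 0.001
CHI2_CRITICAL_DF9 = 27.877


def first_digit_counts(lines):
    """Tally the first fractional digit of every 'Time stamp' line."""
    counts = Counter({d: 0 for d in range(10)})
    for line in lines:
        m = FIRST_FRACTION_DIGIT.search(line) if line.startswith("Time stamp") else None
        if m:
            counts[int(m.group(1))] += 1
    return counts


def chi_square_uniform(counts):
    """Chi-square statistic against 'every digit is equally likely'."""
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no time stamps with a fractional part found")
    expected = total / 10
    return sum((counts[d] - expected) ** 2 / expected for d in range(10))


def looks_skewed(lines):
    """True when the digit tally is very unlikely to come from a uniform clock."""
    return chi_square_uniform(first_digit_counts(lines)) > CHI2_CRITICAL_DF9


def constructed_sample(n=2000, skip_zero=False):
    """Constructed 'Time stamp' lines (assumed format, not real openssl output)."""
    lines = []
    for i in range(n):
        if skip_zero:   # fractions 100000..999550: first digit is never 0
            usec = 100000 + (i * 450) % 900000
        else:           # fractions 000000..999500: with n=2000, 200 per digit
            usec = (i * 500) % 1000000
        lines.append(f"Time stamp: Sep 18 11:55:01.{usec:06d} 2014 GMT")
    return lines


if __name__ == "__main__":
    for label, skip in (("no leading 0", True), ("uniform", False)):
        sample = constructed_sample(skip_zero=skip)
        print(label, dict(first_digit_counts(sample)), looks_skewed(sample))
```

To run it on real data, feed it the `grep '^Time stamp'` output of the quoted loop instead of the constructed lines.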
