Change ts to only support one second precision.

RFC 3631 allows for sub second ASN1 GENERALIZED times, if you
choose to support sub second time precison. It does not
indicate that an implementation must support them.

Supporting sub second timestamps is just silly and unrealistic,
so set our maximum to one second of precision. We then simplify
this code by removing some nasty eye-bleed that made artisinally
hand crafted strings and jammed them into an ASN1_GENERALIZEDTIME.

ok tb@, jsing@, with one second precision tested by kn@

3 files changed, 9 insertions, 84 deletions

diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
index 5215fc0583..c2b2a9ed3d 100644
--- a/src/lib/libcrypto/ts/ts.h
+++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.23 2023/11/19 15:46:10 tb Exp $ */
+/* $OpenBSD: ts.h,v 1.24 2024/03/26 00:39:22 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
  * project 2002, 2003, 2004.
  */
@@ -389,8 +389,8 @@ int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
    '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
 int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
     unsigned clock_precision_digits);
-/* At most we accept usec precision. */
-#define TS_MAX_CLOCK_PRECISION_DIGITS   6
+/* At most we accept sec precision. */
+#define TS_MAX_CLOCK_PRECISION_DIGITS 0
 
 /* No flags are set by default. */
 void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c
index 5d27a8bbc3..ef8569ef04 100644
--- a/src/lib/libcrypto/ts/ts_conf.c
+++ b/src/lib/libcrypto/ts/ts_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_conf.c,v 1.13 2023/11/19 15:46:10 tb Exp $ */
+/* $OpenBSD: ts_conf.c,v 1.14 2024/03/26 00:39:22 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -437,7 +437,8 @@ TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
         if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
             &digits))
                 digits = 0;
-        if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS) {
+        /* We only support second precision, so reject everything else */
+        if (digits != 0) {
                 TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
                 goto err;
         }
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index dc8241d2be..e3101340c5 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.34 2024/03/25 07:02:22 beck Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.35 2024/03/26 00:39:22 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -90,9 +90,6 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
 static int TS_TST_INFO_content_new(PKCS7 *p7);
 static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
 
-static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
-    ASN1_GENERALIZEDTIME *, time_t, long, unsigned);
-
 /* Default callbacks for response generation. */
 
 static ASN1_INTEGER *
@@ -434,7 +431,7 @@ LCRYPTO_ALIAS(TS_RESP_CTX_get_tst_info);
 int
 TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)
 {
-        if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
+        if (precision > 0)
                 return 0;
         ctx->clock_precision_digits = precision;
         return 1;
@@ -650,8 +647,7 @@ TS_RESP_create_tst_info(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
             !TS_TST_INFO_set_serial(tst_info, serial))
                 goto end;
         if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) ||
-            !(asn1_time = TS_RESP_set_genTime_with_precision(NULL, sec, usec,
-            ctx->clock_precision_digits)) ||
+            ((asn1_time = ASN1_GENERALIZEDTIME_set(NULL, sec)) == NULL) ||
             !TS_TST_INFO_set_time(tst_info, asn1_time))
                 goto end;
 
@@ -984,75 +980,3 @@ err:
 
         return 0;
 }
-
-
-static ASN1_GENERALIZEDTIME *
-TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
-    time_t sec, long usec, unsigned precision)
-{
-        struct tm tm;
-        char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS];
-        char usecstr[TS_MAX_CLOCK_PRECISION_DIGITS + 2];
-        char *p;
-        int rv;
-
-        if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
-                goto err;
-
-        if (OPENSSL_gmtime(&sec, &tm) == NULL)
-                goto err;
-
-        /*
-         * Put "genTime_str" in GeneralizedTime format.  We work around the
-         * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
-         * NOT include fractional seconds") and OpenSSL related functions to
-         * meet the rfc3161 requirement: "GeneralizedTime syntax can include
-         * fraction-of-second details".
-         */
-        if (precision > 0) {
-                /* To make things a bit harder, X.690 | ISO/IEC 8825-1 provides
-                   the following restrictions for a DER-encoding, which OpenSSL
-                   (specifically ASN1_GENERALIZEDTIME_check() function) doesn't
-                   support:
-                   "The encoding MUST terminate with a "Z" (which means "Zulu"
-                   time). The decimal point element, if present, MUST be the
-                   point option ".". The fractional-seconds elements,
-                   if present, MUST omit all trailing 0's;
-                   if the elements correspond to 0, they MUST be wholly
-                   omitted, and the decimal point element also MUST be
-                   omitted." */
-                (void) snprintf(usecstr, sizeof(usecstr), ".%06ld", usec);
-                /* truncate and trim trailing 0 */
-                usecstr[precision + 1] = '\0';
-                p = usecstr + strlen(usecstr) - 1;
-                while (p > usecstr && *p == '0')
-                        *p-- = '\0';
-                /* if we've reached the beginning, delete the . too */
-                if (p == usecstr)
-                        *p = '\0';
-
-        } else {
-                /* empty */
-                usecstr[0] = '\0';
-        }
-        rv = snprintf(genTime_str, sizeof(genTime_str),
-            "%04d%02d%02d%02d%02d%02d%sZ",
-            tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
-            tm.tm_hour, tm.tm_min, tm.tm_sec, usecstr);
-        if (rv < 0 || rv >= sizeof(genTime_str))
-                goto err;
-
-        /* Now call OpenSSL to check and set our genTime value */
-        if (!asn1_time && !(asn1_time = ASN1_GENERALIZEDTIME_new()))
-                goto err;
-        if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) {
-                ASN1_GENERALIZEDTIME_free(asn1_time);
-                goto err;
-        }
-
-        return asn1_time;
-
-err:
-        TSerror(TS_R_COULD_NOT_SET_TIME);
-        return NULL;
-}