More extension code. Incomplete support for subject and issuer alt

name, issuer and authority key id. Change the i2v function parameters
and add an extra 'crl' parameter in the X509V3_CTX structure: guess
what that's for :-) Fix to ASN1 macro which messed up
IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.

15 files changed, 534 insertions, 24 deletions

diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl
index 8675328388..6e80ca82cf 100644
--- a/crypto/x509v3/Makefile.ssl
+++ b/crypto/x509v3/Makefile.ssl
@@ -23,9 +23,9 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
-v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c
+v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
-v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o
+v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o
 
 SRC= $(LIBSRC)
 
diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c
new file mode 100644
index 0000000000..e3b84601be
--- /dev/null
+++ b/crypto/x509v3/v3_akey.c
@@ -0,0 +1,185 @@
+/* v3_akey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <pem.h>
+#include <asn1_mac.h>
+#include <err.h>
+#include <objects.h>
+#include <conf.h>
+#include "x509v3.h"
+
+#ifndef NOPROTO
+static STACK *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid, STACK *extlist);
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK *values);
+
+#else
+
+static STACK *i2v_AUTHORITY_KEYID();
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID();
+
+#endif
+
+X509V3_EXT_METHOD v3_akey_id = {
+NID_authority_key_identifier, 0,
+(X509V3_EXT_NEW)AUTHORITY_KEYID_new,
+AUTHORITY_KEYID_free,
+(X509V3_EXT_D2I)d2i_AUTHORITY_KEYID,
+i2d_AUTHORITY_KEYID,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
+(X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
+NULL,
+NULL
+};
+
+
+/*
+ * ASN1err(ASN1_F_AUTHORITY_KEYID_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_AUTHORITY_KEYID,ERR_R_MALLOC_FAILURE);
+ */
+
+int i2d_AUTHORITY_KEYID(a,pp)
+AUTHORITY_KEYID *a;
+unsigned char **pp;
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING);
+	M_ASN1_I2D_len_IMP_opt (a->issuer, i2d_GENERAL_NAMES);
+	M_ASN1_I2D_len_IMP_opt (a->serial, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING, 0);
+	M_ASN1_I2D_put_IMP_opt (a->issuer, i2d_GENERAL_NAMES, 1);
+	M_ASN1_I2D_put_IMP_opt (a->serial, i2d_ASN1_INTEGER, 2);
+
+	M_ASN1_I2D_finish();
+}
+
+AUTHORITY_KEYID *AUTHORITY_KEYID_new()
+{
+	AUTHORITY_KEYID *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, AUTHORITY_KEYID);
+	ret->keyid = NULL;
+	ret->issuer = NULL;
+	ret->serial = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_AUTHORITY_KEYID_NEW);
+}
+
+AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(a,pp,length)
+AUTHORITY_KEYID **a;
+unsigned char **pp;
+long length;
+{
+	M_ASN1_D2I_vars(a,AUTHORITY_KEYID *,AUTHORITY_KEYID_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get_IMP_opt (ret->keyid, d2i_ASN1_OCTET_STRING, 0,
+							V_ASN1_OCTET_STRING);
+	M_ASN1_D2I_get_IMP_opt (ret->issuer, d2i_GENERAL_NAMES, 1,
+							V_ASN1_SEQUENCE);
+	M_ASN1_D2I_get_IMP_opt (ret->serial, d2i_ASN1_INTEGER, 2,
+							V_ASN1_INTEGER);
+	M_ASN1_D2I_Finish(a, AUTHORITY_KEYID_free, ASN1_F_D2I_AUTHORITY_KEYID);
+}
+
+void AUTHORITY_KEYID_free(a)
+AUTHORITY_KEYID *a;
+{
+	if (a == NULL) return;
+	ASN1_OCTET_STRING_free(a->keyid);
+	sk_pop_free(a->issuer, GENERAL_NAME_free);
+	ASN1_INTEGER_free (a->serial);
+	Free ((char *)a);
+}
+
+static STACK *i2v_AUTHORITY_KEYID(method, akeyid, extlist)
+X509V3_EXT_METHOD *method;
+AUTHORITY_KEYID *akeyid;
+STACK *extlist;
+{
+	char *tmp;
+	if(akeyid->keyid) {
+		tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length);
+		X509V3_add_value("keyid", tmp, &extlist);
+		Free(tmp);
+	}
+	if(akeyid->issuer) 
+		extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
+	if(akeyid->serial) {
+		tmp = hex_to_string(akeyid->serial->data,
+						 akeyid->serial->length);
+		X509V3_add_value("serial", tmp, &extlist);
+		Free(tmp);
+	}
+	return extlist;
+}
+
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(method, ctx, values)
+X509V3_EXT_METHOD *method;
+X509V3_CTX *ctx;
+STACK *values;
+{
+return NULL;
+}
+
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 62d895de0d..4347c76c3d 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -65,11 +65,6 @@
 #include <conf.h>
 #include "x509v3.h"
 
-#ifndef NOPROTO
-static STACK *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, STACK *gen);
-/*static STACK *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK *values);*/
-#endif
-
 X509V3_EXT_METHOD v3_alt[] = {
 { NID_subject_alt_name, 0,
 (X509V3_EXT_NEW)GENERAL_NAMES_new,
@@ -92,13 +87,14 @@ NULL, NULL},
 EXT_END
 };
 
-static STACK *i2v_GENERAL_NAMES(method, gens)
+STACK *i2v_GENERAL_NAMES(method, gens, ret)
 X509V3_EXT_METHOD *method;
 STACK *gens;
+STACK *ret;
 {
 	int i;
-	STACK *ret = NULL;
 	GENERAL_NAME *gen;
+	char oline[256];
 	for(i = 0; i < sk_num(gens); i++) {
 		gen = (GENERAL_NAME *)sk_value(gens, i);
 		switch (gen->type)
@@ -127,6 +123,11 @@ STACK *gens;
 		X509V3_add_value("URI",gen->d.ia5->data, &ret);
                 break;
 
+                case GEN_DIRNAME:
+		X509_NAME_oneline(gen->d.dirn, oline, 256);
+		X509V3_add_value("DirName",oline, &ret);
+                break;
+
                 case GEN_IPADD:
 		X509V3_add_value("IP Address","<unsupported>", &ret);
                 break;
diff --git a/crypto/x509v3/v3_bcons.c b/crypto/x509v3/v3_bcons.c
index f7ad3e884c..87e5d008c8 100644
--- a/crypto/x509v3/v3_bcons.c
+++ b/crypto/x509v3/v3_bcons.c
@@ -66,7 +66,7 @@
 #include "x509v3.h"
 
 #ifndef NOPROTO
-static STACK *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons);
+static STACK *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK *extlist);
 static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK *values);
 
 #else
@@ -145,11 +145,11 @@ BASIC_CONSTRAINTS *a;
 	Free ((char *)a);
 }
 
-static STACK *i2v_BASIC_CONSTRAINTS(method, bcons)
+static STACK *i2v_BASIC_CONSTRAINTS(method, bcons, extlist)
 X509V3_EXT_METHOD *method;
 BASIC_CONSTRAINTS *bcons;
+STACK *extlist;
 {
-	STACK *extlist = NULL;
 	X509V3_add_value_bool("CA", bcons->ca, &extlist);
 	X509V3_add_value_int("pathlen", bcons->pathlen, &extlist);
 	return extlist;
diff --git a/crypto/x509v3/v3_bitst.c b/crypto/x509v3/v3_bitst.c
index 10ce8f04ef..3e5d0d9b69 100644
--- a/crypto/x509v3/v3_bitst.c
+++ b/crypto/x509v3/v3_bitst.c
@@ -68,7 +68,7 @@
 #ifndef NOPROTO
 static ASN1_BIT_STRING *asn1_bit_string_new(void);
 static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK *nval);
-static STACK *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits);
+static STACK *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK *extlist);
 #else
 static ASN1_BIT_STRING *asn1_bit_string_new();
 static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING();
@@ -110,12 +110,12 @@ static ASN1_BIT_STRING *asn1_bit_string_new()
 	return ASN1_BIT_STRING_new();
 }
 
-static STACK *i2v_ASN1_BIT_STRING(method, bits)
+static STACK *i2v_ASN1_BIT_STRING(method, bits, ret)
 X509V3_EXT_METHOD *method;
 ASN1_BIT_STRING *bits;
+STACK *ret;
 {
 	BIT_STRING_BITNAME *bnam;
-	STACK *ret = NULL;
 	for(bnam =(BIT_STRING_BITNAME *)method->usr_data; bnam->lname; bnam++) {
 		if(ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) 
 			X509V3_add_value(bnam->lname, NULL, &ret);
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index afe2ae249e..b97e7939ba 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -163,3 +163,11 @@ X509 *cert;
 	return 1;
 }
 
+/* Just check syntax of config file as far as possible */
+int X509V3_EXT_check_conf(conf, section)
+LHASH *conf;
+char *section;
+{
+	static X509V3_CTX ctx_tst = { CTX_TEST, NULL, NULL, NULL, NULL };
+	return X509V3_EXT_add_conf(conf, &ctx_tst, section, NULL);
+}
diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509v3/v3_extku.c
index 8f22385859..1c2d93f1c8 100644
--- a/crypto/x509v3/v3_extku.c
+++ b/crypto/x509v3/v3_extku.c
@@ -67,7 +67,7 @@
 
 #ifndef NOPROTO
 static STACK *v2i_ext_ku(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK *nval);
-static STACK *i2v_ext_ku(X509V3_EXT_METHOD *method, STACK *eku);
+static STACK *i2v_ext_ku(X509V3_EXT_METHOD *method, STACK *eku, STACK *extlist);
 #else
 static STACK *v2i_ext_ku();
 static STACK *i2v_ext_ku();
@@ -117,14 +117,14 @@ long length;
 
 
 
-static STACK *i2v_ext_ku(method, eku)
+static STACK *i2v_ext_ku(method, eku, ext_list)
 X509V3_EXT_METHOD *method;
 STACK  *eku;
+STACK *ext_list;
 {
 int i;
 ASN1_OBJECT *obj;
 char obj_tmp[80];
-STACK *ext_list = NULL;
 for(i = 0; i < sk_num(eku); i++) {
 	obj = (ASN1_OBJECT *)sk_value(eku, i);
 	i2t_ASN1_OBJECT(obj_tmp, 80, obj);
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index 1359fa3897..3fb21fbe25 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -108,7 +108,6 @@ X509_EXTENSION *ext;
 	return X509V3_EXT_get_nid(nid);
 }
 
-extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku, v3_ns_ia5_list[],v3_alt[];
 
 int X509V3_EXT_add_list(extlist)
 X509V3_EXT_METHOD *extlist;
@@ -132,7 +131,7 @@ int nid_to, nid_from;
 	}
 	*tmpext = *ext;
 	tmpext->ext_nid = nid_to;
-	tmpext->ext_flags = X509V3_EXT_DYNAMIC;
+	tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
 	return 1;
 }
 
@@ -147,6 +146,9 @@ X509V3_EXT_METHOD *ext;
 	if(ext->ext_flags & X509V3_EXT_DYNAMIC) Free(ext);
 }
 
+extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+
 int X509V3_add_standard_extensions()
 {
 	X509V3_EXT_add_list(v3_ns_ia5_list);
@@ -155,5 +157,7 @@ int X509V3_add_standard_extensions()
 	X509V3_EXT_add(&v3_nscert);
 	X509V3_EXT_add(&v3_key_usage);
 	X509V3_EXT_add(&v3_ext_ku);
+	X509V3_EXT_add(&v3_skey_id);
+	X509V3_EXT_add(&v3_akey_id);
 	return 1;
 }
diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c
index c9755582ae..7da7056293 100644
--- a/crypto/x509v3/v3_prn.c
+++ b/crypto/x509v3/v3_prn.c
@@ -104,7 +104,7 @@ int flag;
 		}
 		BIO_printf(out, value);
 	} else if(method->i2v) {
-		if(!(nval = method->i2v(method, ext_str))) {
+		if(!(nval = method->i2v(method, ext_str, NULL))) {
 			ok = 0;
 			goto err;
 		}
diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509v3/v3_skey.c
new file mode 100644
index 0000000000..3994c79d67
--- /dev/null
+++ b/crypto/x509v3/v3_skey.c
@@ -0,0 +1,171 @@
+/* v3_skey.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <pem.h>
+#include <asn1_mac.h>
+#include <err.h>
+#include <objects.h>
+#include <conf.h>
+#include "x509v3.h"
+
+#ifndef NOPROTO
+static ASN1_OCTET_STRING *octet_string_new(void);
+static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+#else
+static ASN1_OCTET_STRING *s2i_skey_id();
+static ASN1_OCTET_STRING *octet_string_new();
+#endif
+
+X509V3_EXT_METHOD v3_skey_id = { 
+NID_subject_key_identifier, 0,
+(X509V3_EXT_NEW)octet_string_new, ASN1_STRING_free,
+(X509V3_EXT_D2I)d2i_ASN1_OCTET_STRING,
+i2d_ASN1_OCTET_STRING,
+(X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
+(X509V3_EXT_S2I)s2i_skey_id,
+NULL, NULL, NULL, NULL};
+
+
+static ASN1_OCTET_STRING *octet_string_new(void)
+{
+	return ASN1_OCTET_STRING_new();
+}
+
+char *i2s_ASN1_OCTET_STRING(method, oct)
+X509V3_EXT_METHOD *method;
+ASN1_OCTET_STRING *oct;
+{
+	return hex_to_string(oct->data, oct->length);
+}
+
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(method, ctx, str)
+X509V3_EXT_METHOD *method;
+X509V3_CTX *ctx;
+char *str;
+{
+	ASN1_OCTET_STRING *oct;
+	long length;
+
+	if(!(oct = ASN1_OCTET_STRING_new())) {
+		X509V3err(X509V3_F_S2I_ASN1_OCTET_STRING,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	if(!(oct->data = string_to_hex(str, &length))) {
+		ASN1_OCTET_STRING_free(oct);
+		return NULL;
+	}
+
+	oct->length = length;
+
+	return oct;
+
+}
+
+ASN1_OCTET_STRING *s2i_skey_id(method, ctx, str)
+X509V3_EXT_METHOD *method;
+X509V3_CTX *ctx;
+char *str;
+{
+	ASN1_OCTET_STRING *oct;
+	ASN1_BIT_STRING *pk;
+	unsigned char pkey_dig[EVP_MAX_MD_SIZE];
+	EVP_MD_CTX md;
+	int diglen;
+
+	if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
+
+	if(!(oct = ASN1_OCTET_STRING_new())) {
+		X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	if(ctx && (ctx->flags == CTX_TEST)) return oct;
+
+	if(!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
+		X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+		goto err;
+	}
+
+	if(ctx->subject_req) 
+		pk = ctx->subject_req->req_info->pubkey->public_key;
+	else pk = ctx->subject_cert->cert_info->key->public_key;
+
+	if(!pk) {
+		X509V3err(X509V3_F_S2I_ASN1_SKEY_ID,X509V3_R_NO_PUBLIC_KEY);
+		goto err;
+	}
+
+	EVP_DigestInit(&md, EVP_sha1());
+	EVP_DigestUpdate(&md, pk->data, pk->length);
+	EVP_DigestFinal(&md, pkey_dig, &diglen);
+
+	if(!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
+		X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
+	return oct;
+	
+	err:
+	ASN1_OCTET_STRING_free(oct);
+	return NULL;
+}
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index a9068a2f0d..2c3a891254 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -310,3 +310,86 @@ char *name;
 	if(!*p) return NULL;
 	return p;
 }
+
+/* hex string utilities */
+
+/* Given a buffer of length 'len' return a Malloc'ed string with its
+ * hex representation
+ */
+
+char *hex_to_string(buffer, len)
+unsigned char *buffer;
+long len;
+{
+	char *tmp, *q;
+	unsigned char *p;
+	int i;
+	static char hexdig[] = "0123456789ABCDEF";
+	if(!buffer || !len) return NULL;
+	if(!(tmp = Malloc(len * 3 + 1))) {
+		X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	q = tmp;
+	for(i = 0, p = buffer; i < len; i++,p++) {
+		*q++ = hexdig[(*p >> 4) & 0xf];
+		*q++ = hexdig[*p & 0xf];
+		*q++ = ':';
+	}
+	q[-1] = 0;
+	return tmp;
+}
+
+/* Give a string of hex digits convert to
+ * a buffer
+ */
+
+unsigned char *string_to_hex(str, len)
+char *str;
+long *len;
+{
+	unsigned char *hexbuf, *q;
+	unsigned char ch, cl, *p;
+	if(!str) {
+		X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_INVALID_NULL_ARGUMENT);
+		return NULL;
+	}
+	if(!(hexbuf = Malloc(strlen(str) >> 1))) goto err;
+	for(p = (unsigned char *)str, q = hexbuf; *p;) {
+		ch = *p++;
+		if(ch == ':') continue;
+		cl = *p++;
+		if(!cl) {
+			X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ODD_NUMBER_OF_DIGITS);
+			Free(hexbuf);
+			return NULL;
+		}
+		if(isupper(ch)) ch = tolower(ch);
+		if(isupper(cl)) cl = tolower(cl);
+
+		if((ch >= '0') && (ch <= '9')) ch -= '0';
+		else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
+		else goto badhex;
+
+		if((cl >= '0') && (cl <= '9')) cl -= '0';
+		else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
+		else goto badhex;
+
+		*q++ = (ch << 4) | cl;
+	}
+
+	if(len) *len = q - hexbuf;
+
+	return hexbuf;
+
+	err:
+	if(hexbuf) Free(hexbuf);
+	X509V3err(X509V3_F_STRING_TO_HEX,ERR_R_MALLOC_FAILURE);
+	return NULL;
+
+	badhex:
+	Free(hexbuf);
+	X509V3err(X509V3_F_STRING_TO_HEX,X509V3_R_ILLEGAL_HEX_DIGIT);
+	return NULL;
+
+}
diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c
index b250953083..3acf8496c5 100644
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -63,8 +63,14 @@
 #ifndef NO_ERR
 static ERR_STRING_DATA X509V3_str_functs[]=
 	{
+{ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),	"hex_to_string"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),	"S2I_ASN1_IA5STRING"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),	"s2i_ASN1_OCTET_STRING"},
+{ERR_PACK(0,X509V3_F_S2I_ASN1_SKEY_ID,0),	"S2I_ASN1_SKEY_ID"},
+{ERR_PACK(0,X509V3_F_S2I_S2I_SKEY_ID,0),	"S2I_S2I_SKEY_ID"},
+{ERR_PACK(0,X509V3_F_STRING_TO_HEX,0),	"string_to_hex"},
 {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),	"V2I_ASN1_BIT_STRING"},
+{ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),	"V2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),	"V2I_BASIC_CONSTRAINTS"},
 {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),	"V2I_EXT_KU"},
 {ERR_PACK(0,X509V3_F_X509V3_ADD_EXT,0),	"X509V3_ADD_EXT"},
@@ -83,6 +89,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_BN_TO_ASN1_INTEGER_ERROR       ,"bn to asn1 integer error"},
 {X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
 {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
+{X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
 {X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
 {X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
 {X509V3_R_INVALID_NAME                   ,"invalid name"},
@@ -90,6 +97,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
 {X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
+{X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
+{X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
 {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
 {0,NULL},
 	};
diff --git a/crypto/x509v3/v3prin.c b/crypto/x509v3/v3prin.c
index 6475fb97b1..75e0cfb5a4 100644
--- a/crypto/x509v3/v3prin.c
+++ b/crypto/x509v3/v3prin.c
@@ -70,6 +70,7 @@ char **argv;
 	int i, count;
 	X509_EXTENSION *ext;
 	X509V3_add_standard_extensions();
+	ERR_load_crypto_strings();
 	if(!argv[1]) {
 		fprintf(stderr, "Usage v3prin cert.pem\n");
 		exit(1);
@@ -89,7 +90,7 @@ char **argv;
 	for(i = 0; i < count; i++) {
 		ext = X509_get_ext(cert, i);
 		printf("%s\n", OBJ_nid2ln(OBJ_obj2nid(ext->object)));
-		X509V3_EXT_print_fp(stdout, ext, 0);
+		if(!X509V3_EXT_print_fp(stdout, ext, 0)) ERR_print_errors_fp(stderr);
 		printf("\n");
 		
 	}
diff --git a/crypto/x509v3/x509v3.err b/crypto/x509v3/x509v3.err
index 8e58d4406c..52b95b8c09 100644
--- a/crypto/x509v3/x509v3.err
+++ b/crypto/x509v3/x509v3.err
@@ -1,8 +1,14 @@
 /* Error codes for the X509V3 functions. */
 
 /* Function codes. */
+#define X509V3_F_HEX_TO_STRING				 111
 #define X509V3_F_S2I_ASN1_IA5STRING			 100
+#define X509V3_F_S2I_ASN1_OCTET_STRING			 112
+#define X509V3_F_S2I_ASN1_SKEY_ID			 114
+#define X509V3_F_S2I_S2I_SKEY_ID			 115
+#define X509V3_F_STRING_TO_HEX				 113
 #define X509V3_F_V2I_ASN1_BIT_STRING			 101
+#define X509V3_F_V2I_AUTHORITY_KEYID			 116
 #define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
 #define X509V3_F_V2I_EXT_KU				 103
 #define X509V3_F_X509V3_ADD_EXT				 104
@@ -18,6 +24,7 @@
 #define X509V3_R_BN_TO_ASN1_INTEGER_ERROR		 101
 #define X509V3_R_EXTENSION_NOT_FOUND			 102
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED	 103
+#define X509V3_R_ILLEGAL_HEX_DIGIT			 113
 #define X509V3_R_INVALID_BOOLEAN_STRING			 104
 #define X509V3_R_INVALID_EXTENSION_STRING		 105
 #define X509V3_R_INVALID_NAME				 106
@@ -25,4 +32,6 @@
 #define X509V3_R_INVALID_NULL_NAME			 108
 #define X509V3_R_INVALID_NULL_VALUE			 109
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
+#define X509V3_R_NO_PUBLIC_KEY				 114
+#define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT		 111
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 3f056a4e6a..ce230a3965 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -75,7 +75,7 @@ typedef char * (*X509V3_EXT_NEW)();
 typedef void (*X509V3_EXT_FREE)();
 typedef char * (*X509V3_EXT_D2I)();
 typedef int (*X509V3_EXT_I2D)();
-typedef STACK * (*X509V3_EXT_I2V)(struct v3_ext_method *method, char *ext);
+typedef STACK * (*X509V3_EXT_I2V)(struct v3_ext_method *method, char *ext, STACK *extlist);
 typedef char * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK *values);
 typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, char *ext);
 typedef char * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
@@ -105,11 +105,15 @@ X509V3_EXT_I2R i2r;
 char *usr_data;	/* Any extension specific data */
 };
 
+
 /* Context specific info */
 struct v3_ext_ctx {
+#define CTX_TEST 0x1
+int flags;
 X509 *issuer_cert;
 X509 *subject_cert;
 X509_REQ *subject_req;
+X509_CRL *crl;
 /* Maybe more here */
 };
 
@@ -118,6 +122,7 @@ typedef struct v3_ext_ctx X509V3_CTX;
 
 /* ext_flags values */
 #define X509V3_EXT_DYNAMIC 0x1
+#define X509V3_EXT_CTX_DEP 0x2
 
 typedef struct {
 int bitnum;
@@ -131,6 +136,12 @@ ASN1_INTEGER *pathlen;
 } BASIC_CONSTRAINTS;
 
 typedef struct {
+ASN1_OCTET_STRING *keyid;
+STACK *issuer;
+ASN1_INTEGER *serial;
+} AUTHORITY_KEYID;
+
+typedef struct {
 
 #define GEN_OTHERNAME	(0|V_ASN1_CONTEXT_SPECIFIC)
 #define GEN_EMAIL	(1|V_ASN1_CONTEXT_SPECIFIC)
@@ -194,12 +205,19 @@ GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, unsigned char **pp, long length
 GENERAL_NAME *GENERAL_NAME_new(void);
 void GENERAL_NAME_free(GENERAL_NAME *a);
 
+int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **pp);
+AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp, long length);
+AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
+void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a);
+
 STACK *GENERAL_NAMES_new(void);
 void GENERAL_NAMES_free(STACK *a);
 STACK *d2i_GENERAL_NAMES(STACK **a, unsigned char **pp, long length);
 int i2d_GENERAL_NAMES(STACK *a, unsigned char **pp);
+STACK *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, STACK *gen, STACK *extlist);
 
-
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
 
 int i2d_ext_ku(STACK *a, unsigned char **pp);
 STACK *d2i_ext_ku(STACK **a, unsigned char **pp, long length);
@@ -211,6 +229,7 @@ void X509V3_conf_free(CONF_VALUE *val);
 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
 X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
 int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
+int X509V3_EXT_check_conf(LHASH *conf, char *section);
 int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
 int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
 #endif
@@ -227,6 +246,9 @@ X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
 int X509V3_add_standard_extensions(void);
 STACK *X509V3_parse_list(char *line);
 
+char *hex_to_string(unsigned char *buffer, long len);
+unsigned char *string_to_hex(char *str, long *len);
+
 int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag);
 int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag);
 
@@ -247,6 +269,10 @@ STACK *GENERAL_NAMES_new():
 void GENERAL_NAMES_free():
 STACK *d2i_GENERAL_NAMES();
 int i2d_GENERAL_NAMES();
+STACK *i2v_GENERAL_NAMES();
+
+char *i2s_ASN1_OCTET_STRING();
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING();
 
 int i2d_ext_ku();
 STACK *d2i_ext_ku();
@@ -258,6 +284,7 @@ void X509V3_conf_free();
 X509_EXTENSION *X509V3_EXT_conf_nid();
 X509_EXTENSION *X509V3_EXT_conf();
 int X509V3_EXT_add_conf();
+int X509V3_EXT_check_conf();
 int X509V3_get_value_bool();
 int X509V3_get_value_int();
 #endif