25 files changed, 1290 insertions, 480 deletions
diff --git a/CHANGES b/CHANGES
index 78b002083a..a347efc14b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.7e and 0.9.8  [xx XXX xxxx]
 
+  *) Add processing of proxy certificates (see RFC 3820).  This work was
+     sponsored by KTH (The Royal Institute of Technology in Stockholm) and
+     EGEE (Enabling Grids for E-science in Europe).
+     [Richard Levitte]
+
   *) RC4 performance overhaul on modern architectures/implementations, such
      as Intel P4, IA-64 and AMD64.
      [Andy Polyakov]
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 05663c95b7..130b430d42 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -258,3 +258,56 @@ basicConstraints = CA:true
 
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 8941f454f8..6d731cbe8b 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -258,3 +258,56 @@ basicConstraints = CA:true
 
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 7a5138276e..c2a707a984 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -62,12 +62,12 @@
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 746
-#define NUM_SN 742
-#define NUM_LN 742
-#define NUM_OBJ 704
+#define NUM_NID 751
+#define NUM_SN 747
+#define NUM_LN 747
+#define NUM_OBJ 709
 
-static unsigned char lvalues[4963]={
+static unsigned char lvalues[5002]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -772,6 +772,11 @@ static unsigned char lvalues[4963]={
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4935] OBJ_sha384 */
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4944] OBJ_sha512 */
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4953] OBJ_sha224 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,          /* [4962] OBJ_id_ppl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,     /* [4969] OBJ_proxyCertInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4977] OBJ_id_ppl_anyLanguage */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4985] OBJ_id_ppl_inheritAll */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4993] OBJ_Independent */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1932,6 +1937,14 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"SHA224","sha224",NID_sha224,9,&(lvalues[4953]),0},
 {"Oakley-EC2N-3","ipsec3",NID_ipsec3,0,NULL},
 {"Oakley-EC2N-4","ipsec4",NID_ipsec4,0,NULL},
+{"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4962]),0},
+{"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8,
+	&(lvalues[4969]),0},
+{"id-ppl-anyLanguage","Any language",NID_id_ppl_anyLanguage,8,
+	&(lvalues[4977]),0},
+{"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8,
+	&(lvalues[4985]),0},
+{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4993]),0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -2271,6 +2284,10 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[271]),/* "id-pkix1-explicit-93" */
 &(nid_objs[270]),/* "id-pkix1-implicit-88" */
 &(nid_objs[272]),/* "id-pkix1-implicit-93" */
+&(nid_objs[746]),/* "id-ppl" */
+&(nid_objs[748]),/* "id-ppl-anyLanguage" */
+&(nid_objs[750]),/* "id-ppl-independent" */
+&(nid_objs[749]),/* "id-ppl-inheritAll" */
 &(nid_objs[267]),/* "id-qcs" */
 &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */
 &(nid_objs[259]),/* "id-qt" */
@@ -2453,6 +2470,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[415]),/* "prime256v1" */
 &(nid_objs[385]),/* "private" */
 &(nid_objs[84]),/* "privateKeyUsagePeriod" */
+&(nid_objs[747]),/* "proxyCertInfo" */
 &(nid_objs[510]),/* "pseudonym" */
 &(nid_objs[435]),/* "pss" */
 &(nid_objs[286]),/* "qcStatements" */
@@ -2683,6 +2701,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[363]),/* "AD Time Stamping" */
 &(nid_objs[405]),/* "ANSI X9.62" */
 &(nid_objs[368]),/* "Acceptable OCSP Responses" */
+&(nid_objs[748]),/* "Any language" */
 &(nid_objs[177]),/* "Authority Information Access" */
 &(nid_objs[365]),/* "Basic OCSP Response" */
 &(nid_objs[285]),/* "Biometric Info" */
@@ -2705,6 +2724,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[296]),/* "IPSec User" */
 &(nid_objs[182]),/* "ISO Member Body" */
 &(nid_objs[183]),/* "ISO US Member Body" */
+&(nid_objs[750]),/* "Independent" */
+&(nid_objs[749]),/* "Inherit all" */
 &(nid_objs[647]),/* "International Organizations" */
 &(nid_objs[142]),/* "Invalidity Date" */
 &(nid_objs[504]),/* "MIME MHS" */
@@ -2748,6 +2769,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[164]),/* "Policy Qualifier CPS" */
 &(nid_objs[165]),/* "Policy Qualifier User Notice" */
 &(nid_objs[385]),/* "Private" */
+&(nid_objs[747]),/* "Proxy Certificate Information" */
 &(nid_objs[ 1]),/* "RSA Data Security, Inc." */
 &(nid_objs[ 2]),/* "RSA Data Security, Inc. PKCS" */
 &(nid_objs[188]),/* "S/MIME" */
@@ -3009,6 +3031,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[271]),/* "id-pkix1-explicit-93" */
 &(nid_objs[270]),/* "id-pkix1-implicit-88" */
 &(nid_objs[272]),/* "id-pkix1-implicit-93" */
+&(nid_objs[746]),/* "id-ppl" */
 &(nid_objs[267]),/* "id-qcs" */
 &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */
 &(nid_objs[259]),/* "id-qt" */
@@ -3727,6 +3750,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[266]),/* OBJ_id_aca                       1 3 6 1 5 5 7 10 */
 &(nid_objs[267]),/* OBJ_id_qcs                       1 3 6 1 5 5 7 11 */
 &(nid_objs[268]),/* OBJ_id_cct                       1 3 6 1 5 5 7 12 */
+&(nid_objs[746]),/* OBJ_id_ppl                       1 3 6 1 5 5 7 21 */
 &(nid_objs[176]),/* OBJ_id_ad                        1 3 6 1 5 5 7 48 */
 &(nid_objs[507]),/* OBJ_id_hex_partial_message       1 3 6 1 7 1 1 1 */
 &(nid_objs[508]),/* OBJ_id_hex_multipart_message     1 3 6 1 7 1 1 2 */
@@ -3801,6 +3825,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[292]),/* OBJ_sbqp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
 &(nid_objs[397]),/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
 &(nid_objs[398]),/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
+&(nid_objs[747]),/* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */
 &(nid_objs[164]),/* OBJ_id_qt_cps                    1 3 6 1 5 5 7 2 1 */
 &(nid_objs[165]),/* OBJ_id_qt_unotice                1 3 6 1 5 5 7 2 2 */
 &(nid_objs[293]),/* OBJ_textNotice                   1 3 6 1 5 5 7 2 3 */
@@ -3871,6 +3896,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[360]),/* OBJ_id_cct_crs                   1 3 6 1 5 5 7 12 1 */
 &(nid_objs[361]),/* OBJ_id_cct_PKIData               1 3 6 1 5 5 7 12 2 */
 &(nid_objs[362]),/* OBJ_id_cct_PKIResponse           1 3 6 1 5 5 7 12 3 */
+&(nid_objs[748]),/* OBJ_id_ppl_anyLanguage           1 3 6 1 5 5 7 21 0 */
+&(nid_objs[749]),/* OBJ_id_ppl_inheritAll            1 3 6 1 5 5 7 21 1 */
+&(nid_objs[750]),/* OBJ_Independent                  1 3 6 1 5 5 7 21 2 */
 &(nid_objs[178]),/* OBJ_ad_OCSP                      1 3 6 1 5 5 7 48 1 */
 &(nid_objs[179]),/* OBJ_ad_ca_issuers                1 3 6 1 5 5 7 48 2 */
 &(nid_objs[363]),/* OBJ_ad_timeStamping              1 3 6 1 5 5 7 48 3 */
diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
index e53aadb6c6..322577094a 100644
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@@ -1265,6 +1265,10 @@
 #define NID_id_cct		268
 #define OBJ_id_cct		OBJ_id_pkix,12L
 
+#define SN_id_ppl		"id-ppl"
+#define NID_id_ppl		746
+#define OBJ_id_ppl		OBJ_id_pkix,21L
+
 #define SN_id_ad		"id-ad"
 #define NID_id_ad		176
 #define OBJ_id_ad		OBJ_id_pkix,48L
@@ -1380,6 +1384,11 @@
 #define NID_sinfo_access		398
 #define OBJ_sinfo_access		OBJ_id_pe,11L
 
+#define SN_proxyCertInfo		"proxyCertInfo"
+#define LN_proxyCertInfo		"Proxy Certificate Information"
+#define NID_proxyCertInfo		747
+#define OBJ_proxyCertInfo		OBJ_id_pe,14L
+
 #define SN_id_qt_cps		"id-qt-cps"
 #define LN_id_qt_cps		"Policy Qualifier CPS"
 #define NID_id_qt_cps		164
@@ -1704,6 +1713,21 @@
 #define NID_id_cct_PKIResponse		362
 #define OBJ_id_cct_PKIResponse		OBJ_id_cct,3L
 
+#define SN_id_ppl_anyLanguage		"id-ppl-anyLanguage"
+#define LN_id_ppl_anyLanguage		"Any language"
+#define NID_id_ppl_anyLanguage		748
+#define OBJ_id_ppl_anyLanguage		OBJ_id_ppl,0L
+
+#define SN_id_ppl_inheritAll		"id-ppl-inheritAll"
+#define LN_id_ppl_inheritAll		"Inherit all"
+#define NID_id_ppl_inheritAll		749
+#define OBJ_id_ppl_inheritAll		OBJ_id_ppl,1L
+
+#define SN_Independent		"id-ppl-independent"
+#define LN_Independent		"Independent"
+#define NID_Independent		750
+#define OBJ_Independent		OBJ_id_ppl,2L
+
 #define SN_ad_OCSP		"OCSP"
 #define LN_ad_OCSP		"OCSP"
 #define NID_ad_OCSP		178
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index c5dd8db1d3..180d20f1bc 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -743,3 +743,8 @@ sha512		742
 sha224		743
 ipsec3		744
 ipsec4		745
+id_ppl		746
+proxyCertInfo		747
+id_ppl_anyLanguage		748
+id_ppl_inheritAll		749
+Independent		750
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index f2ea4a4db0..46a405b3e6 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -405,6 +405,7 @@ id-pkix 9		: id-pda
 id-pkix 10		: id-aca
 id-pkix 11		: id-qcs
 id-pkix 12		: id-cct
+id-pkix 21		: id-ppl
 id-pkix 48		: id-ad
 
 # PKIX Modules
@@ -439,6 +440,7 @@ id-pe 9			: sbqp-routerIdentifier
 id-pe 10		: ac-proxying
 !Cname sinfo-access
 id-pe 11		: subjectInfoAccess	: Subject Information Access
+id-pe 14		: proxyCertInfo		: Proxy Certificate Information
 
 # PKIX policyQualifiers for Internet policy qualifiers
 id-qt 1			: id-qt-cps		: Policy Qualifier CPS
@@ -554,6 +556,11 @@ id-cct 1		: id-cct-crs
 id-cct 2		: id-cct-PKIData
 id-cct 3		: id-cct-PKIResponse
 
+# Predefined Proxy Certificate policy languages
+id-ppl 0		: id-ppl-anyLanguage	: Any language
+id-ppl 1		: id-ppl-inheritAll	: Inherit all
+id-ppl 2		: id-ppl-independent	: Independent
+
 # access descriptors for authority info access extension
 !Cname ad-OCSP
 id-ad 1			: OCSP			: OCSP
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 016164cb68..46673fddd1 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -280,6 +280,7 @@ struct x509_st
 	CRYPTO_EX_DATA ex_data;
 	/* These contain copies of various extension values */
 	long ex_pathlen;
+	long ex_pcpathlen;
 	unsigned long ex_flags;
 	unsigned long ex_kusage;
 	unsigned long ex_xkusage;
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 57ff33dc19..247e7e178a 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -126,6 +126,8 @@ const char *X509_verify_cert_error_string(long n)
 		return ("invalid non-CA certificate (has CA markings)");
 	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
 		return ("path length constraint exceeded");
+	case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+		return("proxy path length constraint exceeded");
 	case X509_V_ERR_INVALID_PURPOSE:
 		return ("unsupported certificate purpose");
 	case X509_V_ERR_CERT_UNTRUSTED:
@@ -142,28 +144,22 @@ const char *X509_verify_cert_error_string(long n)
 		return("authority and issuer serial number mismatch");
 	case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
 		return("key usage does not include certificate signing");
-
 	case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
 		return("unable to get CRL issuer certificate");
-
 	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
 		return("unhandled critical extension");
-
 	case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
 		return("key usage does not include CRL signing");
-
+	case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+		return("key usage does not include digital signature");
 	case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
 		return("unhandled critical CRL extension");
-
 	case X509_V_ERR_INVALID_EXTENSION:
 		return("invalid or inconsistent certificate extension");
-
 	case X509_V_ERR_INVALID_POLICY_EXTENSION:
 		return("invalid or inconsistent certificate policy extension");
-
 	case X509_V_ERR_NO_EXPLICIT_POLICY:
 		return("no explicit policy");
-
 	default:
 		BIO_snprintf(buf,sizeof buf,"error number %ld",n);
 		return(buf);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index c6c83ad72f..cbdd978a7d 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -389,6 +389,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 	int i, ok=0, must_be_ca;
 	X509 *x;
 	int (*cb)();
+	int proxy_path_length = 0;
 	cb=ctx->verify_cb;
 
 	/* must_be_ca can have 1 of 3 values:
@@ -472,7 +473,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 			}
 		/* Check pathlen */
 		if ((i > 1) && (x->ex_pathlen != -1)
-			   && (i > (x->ex_pathlen + 1)))
+			   && (i > (x->ex_pathlen + proxy_path_length + 1)))
 			{
 			ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
 			ctx->error_depth = i;
@@ -480,8 +481,26 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 			ok=cb(0,ctx);
 			if (!ok) goto end;
 			}
-		/* The next certificate must be a CA */
-		must_be_ca = 1;
+		/* If this certificate is a proxy certificate, the next
+		   certificate must be another proxy certificate or a EE
+		   certificate.  If not, the next certificate must be a
+		   CA certificate.  */
+		if (x->ex_flags & EXFLAG_PROXY)
+			{
+			if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
+				{
+				ctx->error =
+					X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+				ctx->error_depth = i;
+				ctx->current_cert = x;
+				ok=cb(0,ctx);
+				if (!ok) goto end;
+				}
+			proxy_path_length++;
+			must_be_ca = 0;
+			}
+		else
+			must_be_ca = 1;
 		}
 	ok = 1;
  end:
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 5f49c2a8b7..33ace72671 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -323,10 +323,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define		X509_V_ERR_KEYUSAGE_NO_CRL_SIGN			35
 #define		X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION	36
 #define		X509_V_ERR_INVALID_NON_CA			37
+#define		X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED		38
+#define		X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE	39
 
-#define		X509_V_ERR_INVALID_EXTENSION			38
-#define		X509_V_ERR_INVALID_POLICY_EXTENSION		39
-#define		X509_V_ERR_NO_EXPLICIT_POLICY			40
+#define		X509_V_ERR_INVALID_EXTENSION			40
+#define		X509_V_ERR_INVALID_POLICY_EXTENSION		41
+#define		X509_V_ERR_NO_EXPLICIT_POLICY			42
 
 
 /* The application is not happy */
diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl
index 57c236e3d2..f91301188c 100644
--- a/crypto/x509v3/Makefile.ssl
+++ b/crypto/x509v3/Makefile.ssl
@@ -26,13 +26,13 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
 v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
 v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c pcy_cache.c pcy_node.c \
-pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
+v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
+pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
 v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o pcy_cache.o pcy_node.o \
-pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o
+v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
+pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o
 
 SRC= $(LIBSRC)
 
@@ -410,6 +410,32 @@ v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c
+v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pci.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pci.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pci.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pci.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pci.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pci.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pci.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pci.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pci.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pci.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pci.c
+v3_pcia.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_pcia.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_pcia.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_pcia.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_pcia.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pcia.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pcia.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pcia.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pcia.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pcia.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pcia.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pcia.o: ../../include/openssl/x509v3.h v3_pcia.c
 v3_pcons.o: ../../e_os.h ../../include/openssl/asn1.h
 v3_pcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_pcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index 7be8565189..3ee4bffe39 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -64,7 +64,7 @@ extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
 extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
 extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp;
 
@@ -112,6 +112,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 #ifndef OPENSSL_NO_OCSP
 &v3_crl_hold,
 #endif
+&v3_pci,
 &v3_policy_mappings,
 &v3_name_constraints,
 &v3_inhibit_anyp
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
new file mode 100644
index 0000000000..42fb0d74df
--- /dev/null
+++ b/crypto/x509v3/v3_pci.c
@@ -0,0 +1,307 @@
+/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
+/* Contributed to the OpenSSL Project 2004
+ * by Richard Levitte (richard@levitte.org)
+ */
+/* Copyright (c) 2004 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
+	BIO *out, int indent);
+static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
+	X509V3_CTX *ctx, char *str);
+
+X509V3_EXT_METHOD v3_pci =
+	{ NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
+	  0,0,0,0,
+	  0,0,
+	  NULL, NULL,
+	  (X509V3_EXT_I2R)i2r_pci,
+	  (X509V3_EXT_R2I)r2i_pci,
+	  NULL,
+	};
+
+static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
+	BIO *out, int indent)
+	{
+	BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
+	if (pci->pcPathLengthConstraint)
+	  i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
+	else
+	  BIO_printf(out, "infinite");
+	BIO_puts(out, "\n");
+	BIO_printf(out, "%*sPolicy Language: ", indent, "");
+	i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
+	BIO_puts(out, "\n");
+	if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
+	  BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+		     pci->proxyPolicy->policy->data);
+	return 1;
+	}
+
+static int process_pci_value(CONF_VALUE *val,
+	ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
+	ASN1_OCTET_STRING **policy)
+	{
+	int free_policy = 0;
+
+	if (strcmp(val->name, "language") == 0)
+		{
+		if (*language)
+			{
+			X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
+			X509V3_conf_err(val);
+			return 0;
+			}
+		if (!(*language = OBJ_txt2obj(val->value, 0)))
+			{
+			X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+			X509V3_conf_err(val);
+			return 0;
+			}
+		}
+	else if (strcmp(val->name, "pathlen") == 0)
+		{
+		if (*pathlen)
+			{
+			X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
+			X509V3_conf_err(val);
+			return 0;
+			}
+		if (!X509V3_get_value_int(val, pathlen))
+			{
+			X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH);
+			X509V3_conf_err(val);
+			return 0;
+			}
+		}
+	else if (strcmp(val->name, "policy") == 0)
+		{
+		unsigned char *tmp_data = NULL;
+		long val_len;
+		if (!*policy)
+			{
+			*policy = ASN1_OCTET_STRING_new();
+			if (!*policy)
+				{
+				X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				return 0;
+				}
+			free_policy = 1;
+			}
+		if (strncmp(val->value, "hex:", 4) == 0)
+			{
+			unsigned char *tmp_data2 =
+				string_to_hex(val->value + 4, &val_len);
+
+			if (!tmp_data2) goto err;
+
+			tmp_data = OPENSSL_realloc((*policy)->data,
+				(*policy)->length + val_len + 1);
+			if (tmp_data)
+				{
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+					tmp_data2, val_len);
+				(*policy)->length += val_len;
+				(*policy)->data[(*policy)->length] = '\0';
+				}
+			}
+		else if (strncmp(val->value, "file:", 5) == 0)
+			{
+			unsigned char buf[2048];
+			int n;
+			BIO *b = BIO_new_file(val->value + 5, "r");
+			if (!b)
+				{
+				X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB);
+				X509V3_conf_err(val);
+				goto err;
+				}
+			while((n = BIO_read(b, buf, sizeof(buf))) > 0
+				|| (n == 0 && BIO_should_retry(b)))
+				{
+				if (!n) continue;
+
+				tmp_data = OPENSSL_realloc((*policy)->data,
+					(*policy)->length + n + 1);
+
+				if (!tmp_data)
+					break;
+
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+					buf, n);
+				(*policy)->length += n;
+				(*policy)->data[(*policy)->length] = '\0';
+				}
+
+			if (n < 0)
+				{
+				X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB);
+				X509V3_conf_err(val);
+				goto err;
+				}
+			}
+		else if (strncmp(val->value, "text:", 5) == 0)
+			{
+			val_len = strlen(val->value + 5);
+			tmp_data = OPENSSL_realloc((*policy)->data,
+				(*policy)->length + val_len + 1);
+			if (tmp_data)
+				{
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+					val->value + 5, val_len);
+				(*policy)->length += val_len;
+				(*policy)->data[(*policy)->length] = '\0';
+				}
+			}
+		else
+			{
+			X509V3err(X509V3_F_R2I_PCI,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
+			X509V3_conf_err(val);
+			goto err;
+			}
+		if (!tmp_data)
+			{
+			X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+			X509V3_conf_err(val);
+			goto err;
+			}
+		}
+	return 1;
+err:
+	if (free_pol