Suppport for CRL distribution points extension. Also document some of

this stuff.

CHANGES

@@ -5,6 +5,10 @@
 
  Changes between 0.9.2b and 0.9.3
 
+  *) Add support for CRL distribution points extension. Add Certificate
+     Policies and CRL distribution points documentation.
+     [Steve Henson]
+
   *) Move the autogenerated header file parts to crypto/opensslconf.h.
      [Ulf Möller]
 
@@ -23,6 +27,7 @@
   *) Fix problems with sizeof(long) == 8.
      [Andy Polyakov <appro@fy.chalmers.se>]
 
+>>>>>>> 1.185
   *) Change functions to ANSI C.
      [Ulf Möller]
 
@@ -36,7 +41,7 @@
      [Andy Polyakov <appro@fy.chalmers.se>]
 
   *) Support for Certificate Policies extension: both print and set.
-     Various additions to support the r2i method this extension will use.
+     Various additions to support the r2i method this uses.
      [Steve Henson]
 
   *) A lot of constification, and fix a bug in X509_NAME_oneline() that could

STATUS

 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 1999/04/21 17:30:41 $
+  ______________                           $Date: 1999/04/21 17:44:32 $
 
   DEVELOPMENT STATE
 
@@ -40,6 +40,7 @@
         PKCS#12 code cleanup and enhancement.
 	PKCS #8 and PKCS#5 v2.0 support.
 	Private key, certificate and CRL API and implementation.
+	Redo error code and DEF file generation scripts.
 
     o Mark is currently working on:
         Folding in any changes that are in the C2Net code base that were

crypto/asn1/asn1.err

@@ -57,6 +57,8 @@
 #define ASN1_F_D2I_AUTHORITY_KEYID			 238
 #define ASN1_F_D2I_BASIC_CONSTRAINTS			 227
 #define ASN1_F_D2I_DHPARAMS				 136
+#define ASN1_F_D2I_DIST_POINT				 276
+#define ASN1_F_D2I_DIST_POINT_NAME			 277
 #define ASN1_F_D2I_DSAPARAMS				 137
 #define ASN1_F_D2I_DSAPRIVATEKEY			 138
 #define ASN1_F_D2I_DSAPUBLICKEY				 139
@@ -113,6 +115,8 @@
 #define ASN1_F_D2I_X509_REVOKED				 173
 #define ASN1_F_D2I_X509_SIG				 174
 #define ASN1_F_D2I_X509_VAL				 175
+#define ASN1_F_DIST_POINT_NAME_NEW			 278
+#define ASN1_F_DIST_POINT_NEW				 279
 #define ASN1_F_GENERAL_NAME_NEW				 231
 #define ASN1_F_I2D_ASN1_HEADER				 176
 #define ASN1_F_I2D_ASN1_TIME				 225

crypto/asn1/asn1.h

@@ -864,6 +864,8 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_D2I_AUTHORITY_KEYID			 238
 #define ASN1_F_D2I_BASIC_CONSTRAINTS			 227
 #define ASN1_F_D2I_DHPARAMS				 136
+#define ASN1_F_D2I_DIST_POINT				 276
+#define ASN1_F_D2I_DIST_POINT_NAME			 277
 #define ASN1_F_D2I_DSAPARAMS				 137
 #define ASN1_F_D2I_DSAPRIVATEKEY			 138
 #define ASN1_F_D2I_DSAPUBLICKEY				 139
@@ -920,6 +922,8 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_D2I_X509_REVOKED				 173
 #define ASN1_F_D2I_X509_SIG				 174
 #define ASN1_F_D2I_X509_VAL				 175
+#define ASN1_F_DIST_POINT_NAME_NEW			 278
+#define ASN1_F_DIST_POINT_NEW				 279
 #define ASN1_F_GENERAL_NAME_NEW				 231
 #define ASN1_F_I2D_ASN1_HEADER				 176
 #define ASN1_F_I2D_ASN1_TIME				 225

crypto/asn1/asn1_err.c

@@ -119,6 +119,8 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_AUTHORITY_KEYID,0),	"D2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,ASN1_F_D2I_BASIC_CONSTRAINTS,0),	"D2I_BASIC_CONSTRAINTS"},
 {ERR_PACK(0,ASN1_F_D2I_DHPARAMS,0),	"D2I_DHPARAMS"},
+{ERR_PACK(0,ASN1_F_D2I_DIST_POINT,0),	"D2I_DIST_POINT"},
+{ERR_PACK(0,ASN1_F_D2I_DIST_POINT_NAME,0),	"D2I_DIST_POINT_NAME"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPARAMS,0),	"D2I_DSAPARAMS"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPRIVATEKEY,0),	"D2I_DSAPRIVATEKEY"},
 {ERR_PACK(0,ASN1_F_D2I_DSAPUBLICKEY,0),	"D2I_DSAPUBLICKEY"},
@@ -175,6 +177,8 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_REVOKED,0),	"D2I_X509_REVOKED"},
 {ERR_PACK(0,ASN1_F_D2I_X509_SIG,0),	"D2I_X509_SIG"},
 {ERR_PACK(0,ASN1_F_D2I_X509_VAL,0),	"D2I_X509_VAL"},
+{ERR_PACK(0,ASN1_F_DIST_POINT_NAME_NEW,0),	"DIST_POINT_NAME_NEW"},
+{ERR_PACK(0,ASN1_F_DIST_POINT_NEW,0),	"DIST_POINT_NEW"},
 {ERR_PACK(0,ASN1_F_GENERAL_NAME_NEW,0),	"GENERAL_NAME_NEW"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_HEADER,0),	"i2d_ASN1_HEADER"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"i2d_ASN1_TIME"},

crypto/x509v3/Makefile.ssl

@@ -24,10 +24,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
 v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
-v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c
+v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
-v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o
 
 SRC= $(LIBSRC)
 

crypto/x509v3/v3_cpols.c

@@ -209,15 +209,14 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs)
 
 	return pol;
 
-	err:
-	POLICYINFO_free(pol);
-	return NULL;
-	
 	merr:
 	X509V3err(X509V3_F_POLICY_SECTION,ERR_R_MALLOC_FAILURE);
+
+	err:
 	POLICYINFO_free(pol);
 	return NULL;
 	
+	
 }
 
 static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
@@ -277,12 +276,10 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK *unot)
 
 	return qual;
 
-	err:
-	POLICYQUALINFO_free(qual);
-	return NULL;
-
 	merr:
 	X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+	err:
 	POLICYQUALINFO_free(qual);
 	return NULL;
 }
@@ -304,12 +301,10 @@ static STACK *nref_nos(STACK *nos)
 	}
 	return nnums;
 
-	err:
-	sk_pop_free(nnums, ASN1_STRING_free);
-	return NULL;
-
 	merr:
 	X509V3err(X509V3_F_NOTICE_SECTION,ERR_R_MALLOC_FAILURE);
+
+	err:
 	sk_pop_free(nnums, ASN1_STRING_free);
 	return NULL;
 }

crypto/x509v3/v3_crld.c

+/* v3_crld.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "conf.h"
+#include "asn1.h"
+#include "asn1_mac.h"
+#include "x509v3.h"
+
+static STACK *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld,
+							 STACK *extlist);
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+						 X509V3_CTX *ctx, STACK *nval);
+
+X509V3_EXT_METHOD v3_crld = {
+NID_crl_distribution_points, X509V3_EXT_MULTILINE,
+(X509V3_EXT_NEW)CRL_DIST_POINTS_new,
+CRL_DIST_POINTS_free,
+(X509V3_EXT_D2I)d2i_CRL_DIST_POINTS,
+i2d_CRL_DIST_POINTS,
+NULL, NULL,
+(X509V3_EXT_I2V)i2v_crld,
+(X509V3_EXT_V2I)v2i_crld,
+NULL, NULL, NULL
+};
+
+/*
+ * ASN1err(ASN1_F_DIST_POINT_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_DIST_POINT,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_DIST_POINT_NAME_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_DIST_POINT_NAME,ERR_R_MALLOC_FAILURE);
+ */
+
+static STACK *i2v_crld(X509V3_EXT_METHOD *method, STACK_OF(DIST_POINT) *crld,
+								 STACK *exts)
+{
+	DIST_POINT *point;
+	int i;
+	for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
+		point = sk_DIST_POINT_value(crld, i);
+		if(point->distpoint->fullname) {
+			exts = i2v_GENERAL_NAMES(NULL,
+					 point->distpoint->fullname, exts);
+		}
+		if(point->reasons) 
+			X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
+		if(point->CRLissuer)
+			X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
+		if(point->distpoint->relativename)
+		        X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
+	}
+	return exts;
+}
+
+static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
+						 X509V3_CTX *ctx, STACK *nval)
+{
+	STACK_OF(DIST_POINT) *crld = NULL;
+	STACK_OF(GENERAL_NAME) *gens = NULL;
+	GENERAL_NAME *gen = NULL;
+	CONF_VALUE *cnf;
+	int i;
+	if(!(crld = sk_DIST_POINT_new(NULL))) goto merr;
+	for(i = 0; i < sk_num(nval); i++) {
+		DIST_POINT *point;
+		cnf = (CONF_VALUE *)sk_value(nval, i);
+		if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) goto err; 
+		if(!(gens = GENERAL_NAMES_new())) goto merr;
+		if(!sk_GENERAL_NAME_push(gens, gen)) goto merr;
+		gen = NULL;
+		if(!(point = DIST_POINT_new())) goto merr;
+		if(!sk_DIST_POINT_push(crld, point)) {
+			DIST_POINT_free(point);
+			goto merr;
+		}
+		if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
+		point->distpoint->fullname = gens;
+		gens = NULL;
+	}
+	return crld;
+
+	merr:
+	X509V3err(X509V3_F_V2I_CRLD,ERR_R_MALLOC_FAILURE);
+	err:
+	GENERAL_NAME_free(gen);
+	GENERAL_NAMES_free(gens);
+	sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+	return NULL;
+}
+
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp)
+{
+
+return i2d_ASN1_SET_OF_DIST_POINT(a, pp, i2d_DIST_POINT, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void)
+{
+	return sk_DIST_POINT_new_null();
+}
+
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a)
+{
+	sk_DIST_POINT_pop_free(a, DIST_POINT_free);
+}
+
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+		unsigned char **pp,long length)
+{
+return d2i_ASN1_SET_OF_DIST_POINT(a, pp, length, d2i_DIST_POINT,
+                         DIST_POINT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(DIST_POINT)
+IMPLEMENT_ASN1_SET_OF(DIST_POINT)
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp)
+{
+	int v = 0;
+	M_ASN1_I2D_vars(a);
+	/* NB: underlying type is a CHOICE so need EXPLICIT tagging */
+	M_ASN1_I2D_len_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+	M_ASN1_I2D_len_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING);
+	M_ASN1_I2D_len_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
+	M_ASN1_I2D_put_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING, 1);
+	M_ASN1_I2D_put_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES, 2);
+
+	M_ASN1_I2D_finish();
+}
+
+DIST_POINT *DIST_POINT_new(void)
+{
+	DIST_POINT *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, DIST_POINT);
+	ret->distpoint = NULL;
+	ret->reasons = NULL;
+	ret->CRLissuer = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_DIST_POINT_NEW);
+}
+
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length)
+{
+	M_ASN1_D2I_vars(a,DIST_POINT *,DIST_POINT_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get_EXP_opt (ret->distpoint, d2i_DIST_POINT_NAME, 0);
+	M_ASN1_D2I_get_IMP_opt (ret->reasons, d2i_ASN1_BIT_STRING, 1,
+							V_ASN1_BIT_STRING);
+	M_ASN1_D2I_get_IMP_opt (ret->CRLissuer, d2i_GENERAL_NAMES, 2,
+							V_ASN1_SEQUENCE);
+	M_ASN1_D2I_Finish(a, DIST_POINT_free, ASN1_F_D2I_DIST_POINT);
+}
+
+void DIST_POINT_free(DIST_POINT *a)
+{
+	if (a == NULL) return;
+	DIST_POINT_NAME_free(a->distpoint);
+	ASN1_BIT_STRING_free(a->reasons);
+	sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
+	Free ((char *)a);
+}
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
+{
+	int v = 0;
+	M_ASN1_I2D_vars(a);
+
+	if(a->fullname) {
+		M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES);
+	} else {
+		M_ASN1_I2D_len_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+	}
+
+	/* Don't want a SEQUENCE so... */
+	if(pp == NULL) return ret;
+	p = *pp;
+
+	if(a->fullname) {
+		M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0);
+	} else {
+		M_ASN1_I2D_put_EXP_opt (a->relativename, i2d_X509_NAME, 1, v);
+	}
+	M_ASN1_I2D_finish();
+}
+
+DIST_POINT_NAME *DIST_POINT_NAME_new(void)
+{
+	DIST_POINT_NAME *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, DIST_POINT_NAME);
+	ret->fullname = NULL;
+	ret->relativename = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_DIST_POINT_NAME_NEW);
+}
+
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
+{
+	if (a == NULL) return;
+	X509_NAME_free(a->relativename);
+	sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
+	Free ((char *)a);
+}
+
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+	     long length)
+{
+        unsigned char _tmp, tag;
+        M_ASN1_D2I_vars(a,DIST_POINT_NAME *,DIST_POINT_NAME_new);
+        M_ASN1_D2I_Init();
+        c.slen = length;
+
+        _tmp = M_ASN1_next;
+        tag = _tmp & ~V_ASN1_CONSTRUCTED;
+	
+	if(tag == (0|V_ASN1_CONTEXT_SPECIFIC)) {
+		M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES,
+							V_ASN1_SEQUENCE);
+	} else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) {
+		M_ASN1_D2I_get_EXP_opt (ret->relativename, d2i_X509_NAME, 1);
+	} else {
+		c.error = ASN1_R_BAD_TAG;
+		goto err;
+	}
+
+	M_ASN1_D2I_Finish(a, DIST_POINT_NAME_free, ASN1_F_D2I_DIST_POINT_NAME);
+}

crypto/x509v3/v3_lib.c

@@ -142,7 +142,7 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
 
 int X509V3_add_standard_extensions(void)
 {
@@ -159,6 +159,7 @@ int X509V3_add_standard_extensions(void)
 	X509V3_EXT_add(&v3_sxnet);
 	X509V3_EXT_add(&v3_crl_reason);
 	X509V3_EXT_add(&v3_cpols);
+	X509V3_EXT_add(&v3_crld);
 	return 1;
 }
 

crypto/x509v3/v3err.c

@@ -87,6 +87,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_V2I_ASN1_BIT_STRING,0),	"V2I_ASN1_BIT_STRING"},
 {ERR_PACK(0,X509V3_F_V2I_AUTHORITY_KEYID,0),	"V2I_AUTHORITY_KEYID"},
 {ERR_PACK(0,X509V3_F_V2I_BASIC_CONSTRAINTS,0),	"V2I_BASIC_CONSTRAINTS"},
+{ERR_PACK(0,X509V3_F_V2I_CRLD,0),	"V2I_CRLD"},
 {ERR_PACK(0,X509V3_F_V2I_EXT_KU,0),	"V2I_EXT_KU"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),	"v2i_GENERAL_NAME"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),	"v2i_GENERAL_NAMES"},

crypto/x509v3/x509v3.err

@@ -25,6 +25,7 @@
 #define X509V3_F_V2I_ASN1_BIT_STRING			 101
 #define X509V3_F_V2I_AUTHORITY_KEYID			 119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
+#define X509V3_F_V2I_CRLD				 134
 #define X509V3_F_V2I_EXT_KU				 103
 #define X509V3_F_V2I_GENERAL_NAME			 117
 #define X509V3_F_V2I_GENERAL_NAMES			 118

crypto/x509v3/x509v3.h

@@ -180,6 +180,21 @@ union {
 DECLARE_STACK_OF(GENERAL_NAME)
 DECLARE_ASN1_SET_OF(GENERAL_NAME)
 
+typedef struct DIST_POINT_NAME_st {
+/* NB: this is a CHOICE type and only one of these should be set */
+STACK_OF(GENERAL_NAME) *fullname;
+X509_NAME *relativename;
+} DIST_POINT_NAME;
+
+typedef struct DIST_POINT_st {
+DIST_POINT_NAME	*distpoint;
+ASN1_BIT_STRING *reasons;
+STACK_OF(GENERAL_NAME) *CRLissuer;
+} DIST_POINT;
+
+DECLARE_STACK_OF(DIST_POINT)
+DECLARE_ASN1_SET_OF(DIST_POINT)
+
 typedef struct AUTHORITY_KEYID_st {
 ASN1_OCTET_STRING *keyid;
 STACK_OF(GENERAL_NAME) *issuer;
@@ -343,6 +358,23 @@ NOTICEREF *NOTICEREF_new(void);
 NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp, long length);
 void NOTICEREF_free(NOTICEREF *a);
 
+int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp);
+STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void);
+void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a);
+STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
+                unsigned char **pp,long length);
+
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp);
+DIST_POINT *DIST_POINT_new(void);
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length);
+void DIST_POINT_free(DIST_POINT *a);
+
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp);
+DIST_POINT_NAME *DIST_POINT_NAME_new(void);
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
+             long length);
+
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
@@ -537,6 +569,7 @@ int X509V3_EXT_print_fp();
 #define X509V3_F_V2I_ASN1_BIT_STRING			 101
 #define X509V3_F_V2I_AUTHORITY_KEYID			 119
 #define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
+#define X509V3_F_V2I_CRLD				 134
 #define X509V3_F_V2I_EXT_KU				 103
 #define X509V3_F_V2I_GENERAL_NAME			 117
 #define X509V3_F_V2I_GENERAL_NAMES			 118

doc/openssl.txt

@@ -272,10 +272,83 @@ Issuer Alternative Name.
 
 The issuer alternative name option supports all the literal options of
 subject alternative name. It does *not* support the email:copy option because
-that would not make sense. It does support and additional issuer:copy option
+that would not make sense. It does support an additional issuer:copy option
 that will copy all the subject alternative name values from the issuer 
 certificate (if possible).
 
+CRL distribution points.
+
+This is a multivalued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the URI option.
+
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+
+If you see this extension with <UNSUPPORTED> when you attempt to print it out
+or it doesn't appear to display correctly then let me know, including the
+certificate (mail me at steve@openssl.org) .
+
+Examples:
+
+crlDistributionPoints=URI:http://www.myhost.com/myca.crl
+crlDistributionPoints=URI:http://www.my.com/my.crl,URI:http://www.oth.com/my.crl
+
+Certificate Policies.
+
+This is a RAW extension. It attempts to display the contents of this extension:
+unfortuntately this extension is often improperly encoded.
+
+The certificate policies extension will rarely be used in practice: few
+software packages interpret it correctly or at all.
+
+All the fields of this extension can be set by using the appropriate syntax.
+
+If you follow the PKIX recommendations of not including any qualifiers and just
+using only one OID then you just include the value of that OID. Multiple OIDs
+can be set separated by commas, for example:
+
+certificatePolicies= 1.2.4.5, 1.1.3.4
+
+If you wish to include qualifiers then the policy OID and qualifiers need to
+be specified in a separate section: this is done by using the @section syntax
+instead of a literal OID value.
+
+The section referred to must include the policy OID using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+
+CPS.nnn=value
+
+userNotice qualifiers can be set using the syntax:
+
+userNotice.nnn=@notice
+
+The value of the userNotice qualifier is specified in the relevant section. This
+section can include explicitText, organization and noticeNumbers options. 
+explicitText and organization are text strings, noticeNumbers is a comma
+separated list of numbers. The organization and noticeNumbers options (if
+included) must BOTH be present.
+
+Example:
+
+certificatePolicies=1.2.3.4,1.5.6.7.8,@polsect
+
+[polsect]
+
+policyIdentifier = 1.3.5.8
+CPS.1="http://my.host.name/"
+CPS.2="http://my.your.name/"
+userNotice.1=@notice
+
+[notice]
+
+explicitText="Explicit Text Here"
+organization="Organisation Name"
+noticeNumbers=1,2,3,4
+
 Display only extensions.
 
 Some extensions are only partially supported and currently are only displayed