diff --git a/CHANGES b/CHANGES
index f37645a502adf526a9b662bb225f7080decf3b7c..574c3190add6340f7b362d919857d6bd236d986b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 0.9.4 and 0.9.5  [xx XXX 1999]
 
+  *) New function X509_cmp(). Oddly enough there wasn't a function
+     to compare two certificates. We do this by working out the SHA1
+     hash and comparing that. X509_cmp() will be needed by the trust
+     code.
+     [Steve Henson]
+
   *) Correctly increment the reference count in the SSL_SESSION pointer 
      returned from SSL_get_session().
      [Geoff Thorpe <geoff@eu.c2.net>]
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index a6e61cf6c7dd9bb793d8c25e9429e18e42100a56..d3d803008632897d1947fccdd2409fe3b70e8c8b 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -269,6 +269,7 @@ typedef struct x509_st
 	unsigned long ex_kusage;
 	unsigned long ex_xkusage;
 	unsigned long ex_nscert;
+	unsigned char sha1_hash[SHA_DIGEST_LENGTH];
 	X509_CERT_AUX *aux;
 	} X509;
 
@@ -869,6 +870,7 @@ unsigned long	X509_issuer_name_hash(X509 *a);
 int		X509_subject_name_cmp(X509 *a,X509 *b);
 unsigned long	X509_subject_name_hash(X509 *x);
 
+int		X509_cmp (X509 *a, X509 *b);
 int		X509_NAME_cmp (X509_NAME *a, X509_NAME *b);
 unsigned long	X509_NAME_hash(X509_NAME *x);
 
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 0b0f1605da0d3abf54670c7bb1d930904ab815ab..62d801336087ba643f83976cb33f0ad5a61a4d95 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -61,6 +61,7 @@
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 
 int X509_issuer_and_serial_cmp(X509 *a, X509 *b)
 	{
@@ -135,6 +136,16 @@ unsigned long X509_subject_name_hash(X509 *x)
 	{
 	return(X509_NAME_hash(x->cert_info->subject));
 	}
+/* Compare two certificates: they must be identical for
+ * this to work.
+ */
+int X509_cmp(X509 *a, X509 *b)
+{
+	/* ensure hash is valid */
+	X509_check_purpose(a, -1, 0);
+	X509_check_purpose(b, -1, 0);
+	return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+}
 
 int X509_NAME_cmp(X509_NAME *a, X509_NAME *b)
 	{
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index d7e561e58efe3383c366df5e685de4a970c84d54..6ec5f957e9408053ae3fbd9f14afbd07dd626291 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -103,12 +103,13 @@ int X509_check_purpose(X509 *x, int id, int ca)
 		x509v3_cache_extensions(x);
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
 	}
+	if(id == -1) return 1;
 	idx = x509_purpose_get_idx(id);
 	if(idx == -1) return -1;
 	pt = sk_X509_PURPOSE_value(xptable, idx);
 	return pt->check_purpose(pt, x,ca);
 }
-			
+
 
 
 
@@ -199,6 +200,7 @@ static void x509v3_cache_extensions(X509 *x)
 	STACK_OF(ASN1_OBJECT) *extusage;
 	int i;
 	if(x->ex_flags & EXFLAG_SET) return;
+	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
 	/* Does subject name match issuer ? */
 	if(X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
 			 x->ex_flags |= EXFLAG_SS;