The old code was painfully primitive and couldn't handle
distinct certificates using the same subject name.

The new code performs several tests on a candidate issuer
certificate based on certificate extensions.

It also adds several callbacks to X509_VERIFY_CTX so its
behaviour can be customised.

Unfortunately some hackery was needed to persuade X509_STORE
to tolerate this. This should go away when X509_STORE is
replaced, sometime...

This must have broken something though :-(

After some messing around this seems to work but needs
a few more tests. Working out the syntax for sk_set_cmp_func()
(cast it to a function that itself returns a function pointer)
was painful :-(

Needs some testing to see what other compilers think of this
syntax.

Also needs similar stuff for ASN1_SET_OF etc etc.

to support multiple calls.

New function to retrieve email address from certificates and
requests.

libeay.num and ssleay.num.

yet tighter, and also put some heat on the rest of the library by
insisting (correctly) that compare callbacks used in stacks are prototyped
with "const" parameters. This has led to a depth-first explosion of
compiler warnings in the code where 1 constification has led to 3 or 4
more. Fortunately these have all been resolved to completion and the code
seems cleaner as a result - in particular many of the _cmp() functions
should have been prototyped with "const"s, and now are. There was one
little problem however;

X509_cmp() should by rights compare "const X509 *" pointers, and it is now
declared as such. However, it's internal workings can involve
recalculating hash values and extensions if they have not already been
setup. Someone with a more intricate understanding of the flow control of
X509 might be able to tighten this up, but for now - this seemed the
obvious place to stop the "depth-first" constification of the code by
using an evil cast (they have migrated all the way here from safestack.h).

Fortunately, this is the only place in the code where this was required
to complete these type-safety changes, and it's reasonably clear and
commented, and seemed the least unacceptable of the options. Trying to
take the constification further ends up exploding out considerably, and
indeed leads directly into generalised ASN functions which are not likely
to cooperate well with this.

"Jan Mikkelsen" <janm@transactionsite.com> correctly states that the
OpenSSL header files have #include's and extern "C"'s in an incorrect
order.  Thusly fixed.

where the new functions are mentioned.

-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline''.

This better reflects their behaviour.

Fix so CRLDistributionPoints relativeName option uses
the correct type.

represent everything by OIDs.

either and has a static and dynamic mix.

yet.

Add a function X509_STORE_CTX_purpose_inherit() which implements the logic
of "inheriting" purpose and trust from a parent structure and using a default:
this will be used in the SSL code and possibly future S/MIME.

Partial documentation of the 'verify' utility. Still need to document how all
the extension checking works and the various error messages.

Extend the X509_PURPOSE structure to include shortnames for purposed and default
trust ids.

Still need some extendable trust checking code and integration with the SSL and
S/MIME code.

Fix so EVP_PKEY_rset_*() check return codes.

certificate: currently this includes trust settings
and a "friendly name".

Submitted by: Lennart Bång, Bodo Möller

tolerated in certificates.

ultimately lead to certificate chain verification. It is
VERY EXPERIMENTAL at present though.

config file (change RAW to DER).

documentation to reflect the STACK_OF(CONF_VALUE) change to the CONF lib and
use ANSI typedefs for X509V3_EXT_I2D and X509V3_EXT_FREE.

seemed like a good idea at the time... several hours later it was rather
obvious that these are used all over the place making the changes rather
extensive.

to use 'void *' rather than 'char *' for an "arbitrary extension".

-Wpointer-arith -Wcast-align -Wmissing-prototypes -Wmissing-declarations
-Wnested-externs -Winline'' with EGCS 1.1.2+

script, translates function codes better and doesn't need the K&R function
prototypes to work (NB. the K&R prototypes can't be wiped just yet: they are
still needed by the DEF generator...). I also ran the script with the -rewrite
option to update all the header and source files.

Submitted by:
Reviewed by:
PR:

this stuff.