Initial support for Certificate Policies extension: print out works but setting

isn't fully implemented (yet).

10 files changed, 662 insertions, 28 deletions

diff --git a/crypto/asn1/asn1.err b/crypto/asn1/asn1.err
index 62dbd717c9..e03227067f 100644
--- a/crypto/asn1/asn1.err
+++ b/crypto/asn1/asn1.err
@@ -67,6 +67,7 @@
 #define ASN1_F_D2I_NETSCAPE_RSA_2			 142
 #define ASN1_F_D2I_NETSCAPE_SPKAC			 143
 #define ASN1_F_D2I_NETSCAPE_SPKI			 144
+#define ASN1_F_D2I_NOTICEREF				 268
 #define ASN1_F_D2I_PBE2PARAM				 262
 #define ASN1_F_D2I_PBEPARAM				 249
 #define ASN1_F_D2I_PBKDF2PARAM				 263
@@ -86,12 +87,15 @@
 #define ASN1_F_D2I_PKCS7_SIGN_ENVELOPE			 154
 #define ASN1_F_D2I_PKCS8_PRIV_KEY_INFO			 250
 #define ASN1_F_D2I_PKEY_USAGE_PERIOD			 239
+#define ASN1_F_D2I_POLICYINFO				 269
+#define ASN1_F_D2I_POLICYQUALINFO			 270
 #define ASN1_F_D2I_PRIVATEKEY				 155
 #define ASN1_F_D2I_PUBLICKEY				 156
 #define ASN1_F_D2I_RSAPRIVATEKEY			 157
 #define ASN1_F_D2I_RSAPUBLICKEY				 158
 #define ASN1_F_D2I_SXNET				 241
 #define ASN1_F_D2I_SXNETID				 243
+#define ASN1_F_D2I_USERNOTICE				 271
 #define ASN1_F_D2I_X509					 159
 #define ASN1_F_D2I_X509_ALGOR				 160
 #define ASN1_F_D2I_X509_ATTRIBUTE			 161
@@ -128,6 +132,7 @@
 #define ASN1_F_NETSCAPE_PKEY_NEW			 189
 #define ASN1_F_NETSCAPE_SPKAC_NEW			 190
 #define ASN1_F_NETSCAPE_SPKI_NEW			 191
+#define ASN1_F_NOTICEREF_NEW				 272
 #define ASN1_F_PBE2PARAM_NEW				 264
 #define ASN1_F_PBEPARAM_NEW				 251
 #define ASN1_F_PBKDF2PARAM_NEW				 265
@@ -147,8 +152,11 @@
 #define ASN1_F_PKCS7_SIGN_ENVELOPE_NEW			 201
 #define ASN1_F_PKCS8_PRIV_KEY_INFO_NEW			 252
 #define ASN1_F_PKEY_USAGE_PERIOD_NEW			 240
+#define ASN1_F_POLICYINFO_NEW				 273
+#define ASN1_F_POLICYQUALINFO_NEW			 274
 #define ASN1_F_SXNETID_NEW				 244
 #define ASN1_F_SXNET_NEW				 242
+#define ASN1_F_USERNOTICE_NEW				 275
 #define ASN1_F_X509_ALGOR_NEW				 202
 #define ASN1_F_X509_ATTRIBUTE_NEW			 203
 #define ASN1_F_X509_CINF_NEW				 204
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 3dc6edaad1..04174cdedb 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -874,6 +874,7 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_D2I_NETSCAPE_RSA_2			 142
 #define ASN1_F_D2I_NETSCAPE_SPKAC			 143
 #define ASN1_F_D2I_NETSCAPE_SPKI			 144
+#define ASN1_F_D2I_NOTICEREF				 268
 #define ASN1_F_D2I_PBE2PARAM				 262
 #define ASN1_F_D2I_PBEPARAM				 249
 #define ASN1_F_D2I_PBKDF2PARAM				 263
@@ -893,12 +894,15 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_D2I_PKCS7_SIGN_ENVELOPE			 154
 #define ASN1_F_D2I_PKCS8_PRIV_KEY_INFO			 250
 #define ASN1_F_D2I_PKEY_USAGE_PERIOD			 239
+#define ASN1_F_D2I_POLICYINFO				 269
+#define ASN1_F_D2I_POLICYQUALINFO			 270
 #define ASN1_F_D2I_PRIVATEKEY				 155
 #define ASN1_F_D2I_PUBLICKEY				 156
 #define ASN1_F_D2I_RSAPRIVATEKEY			 157
 #define ASN1_F_D2I_RSAPUBLICKEY				 158
 #define ASN1_F_D2I_SXNET				 241
 #define ASN1_F_D2I_SXNETID				 243
+#define ASN1_F_D2I_USERNOTICE				 271
 #define ASN1_F_D2I_X509					 159
 #define ASN1_F_D2I_X509_ALGOR				 160
 #define ASN1_F_D2I_X509_ATTRIBUTE			 161
@@ -935,6 +939,7 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_NETSCAPE_PKEY_NEW			 189
 #define ASN1_F_NETSCAPE_SPKAC_NEW			 190
 #define ASN1_F_NETSCAPE_SPKI_NEW			 191
+#define ASN1_F_NOTICEREF_NEW				 272
 #define ASN1_F_PBE2PARAM_NEW				 264
 #define ASN1_F_PBEPARAM_NEW				 251
 #define ASN1_F_PBKDF2PARAM_NEW				 265
@@ -954,8 +959,11 @@ ASN1_STRING *ASN1_pack_string();
 #define ASN1_F_PKCS7_SIGN_ENVELOPE_NEW			 201
 #define ASN1_F_PKCS8_PRIV_KEY_INFO_NEW			 252
 #define ASN1_F_PKEY_USAGE_PERIOD_NEW			 240
+#define ASN1_F_POLICYINFO_NEW				 273
+#define ASN1_F_POLICYQUALINFO_NEW			 274
 #define ASN1_F_SXNETID_NEW				 244
 #define ASN1_F_SXNET_NEW				 242
+#define ASN1_F_USERNOTICE_NEW				 275
 #define ASN1_F_X509_ALGOR_NEW				 202
 #define ASN1_F_X509_ATTRIBUTE_NEW			 203
 #define ASN1_F_X509_CINF_NEW				 204
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 682e70237d..c5a898f02d 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -129,6 +129,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA_2,0),	"D2I_NETSCAPE_RSA_2"},
 {ERR_PACK(0,ASN1_F_D2I_NETSCAPE_SPKAC,0),	"D2I_NETSCAPE_SPKAC"},
 {ERR_PACK(0,ASN1_F_D2I_NETSCAPE_SPKI,0),	"D2I_NETSCAPE_SPKI"},
+{ERR_PACK(0,ASN1_F_D2I_NOTICEREF,0),	"D2I_NOTICEREF"},
 {ERR_PACK(0,ASN1_F_D2I_PBE2PARAM,0),	"D2I_PBE2PARAM"},
 {ERR_PACK(0,ASN1_F_D2I_PBEPARAM,0),	"D2I_PBEPARAM"},
 {ERR_PACK(0,ASN1_F_D2I_PBKDF2PARAM,0),	"D2I_PBKDF2PARAM"},
@@ -148,12 +149,15 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGN_ENVELOPE,0),	"D2I_PKCS7_SIGN_ENVELOPE"},
 {ERR_PACK(0,ASN1_F_D2I_PKCS8_PRIV_KEY_INFO,0),	"D2I_PKCS8_PRIV_KEY_INFO"},
 {ERR_PACK(0,ASN1_F_D2I_PKEY_USAGE_PERIOD,0),	"D2I_PKEY_USAGE_PERIOD"},
+{ERR_PACK(0,ASN1_F_D2I_POLICYINFO,0),	"D2I_POLICYINFO"},
+{ERR_PACK(0,ASN1_F_D2I_POLICYQUALINFO,0),	"D2I_POLICYQUALINFO"},
 {ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0),	"D2I_PRIVATEKEY"},
 {ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0),	"D2I_PUBLICKEY"},
 {ERR_PACK(0,ASN1_F_D2I_RSAPRIVATEKEY,0),	"D2I_RSAPRIVATEKEY"},
 {ERR_PACK(0,ASN1_F_D2I_RSAPUBLICKEY,0),	"D2I_RSAPUBLICKEY"},
 {ERR_PACK(0,ASN1_F_D2I_SXNET,0),	"D2I_SXNET"},
 {ERR_PACK(0,ASN1_F_D2I_SXNETID,0),	"D2I_SXNETID"},
+{ERR_PACK(0,ASN1_F_D2I_USERNOTICE,0),	"D2I_USERNOTICE"},
 {ERR_PACK(0,ASN1_F_D2I_X509,0),	"D2I_X509"},
 {ERR_PACK(0,ASN1_F_D2I_X509_ALGOR,0),	"D2I_X509_ALGOR"},
 {ERR_PACK(0,ASN1_F_D2I_X509_ATTRIBUTE,0),	"D2I_X509_ATTRIBUTE"},
@@ -190,6 +194,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_NETSCAPE_PKEY_NEW,0),	"NETSCAPE_PKEY_NEW"},
 {ERR_PACK(0,ASN1_F_NETSCAPE_SPKAC_NEW,0),	"NETSCAPE_SPKAC_NEW"},
 {ERR_PACK(0,ASN1_F_NETSCAPE_SPKI_NEW,0),	"NETSCAPE_SPKI_NEW"},
+{ERR_PACK(0,ASN1_F_NOTICEREF_NEW,0),	"NOTICEREF_NEW"},
 {ERR_PACK(0,ASN1_F_PBE2PARAM_NEW,0),	"PBE2PARAM_NEW"},
 {ERR_PACK(0,ASN1_F_PBEPARAM_NEW,0),	"PBEPARAM_NEW"},
 {ERR_PACK(0,ASN1_F_PBKDF2PARAM_NEW,0),	"PBKDF2PARAM_NEW"},
@@ -209,8 +214,11 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_PKCS7_SIGN_ENVELOPE_NEW,0),	"PKCS7_SIGN_ENVELOPE_NEW"},
 {ERR_PACK(0,ASN1_F_PKCS8_PRIV_KEY_INFO_NEW,0),	"PKCS8_PRIV_KEY_INFO_NEW"},
 {ERR_PACK(0,ASN1_F_PKEY_USAGE_PERIOD_NEW,0),	"PKEY_USAGE_PERIOD_NEW"},
+{ERR_PACK(0,ASN1_F_POLICYINFO_NEW,0),	"POLICYINFO_NEW"},
+{ERR_PACK(0,ASN1_F_POLICYQUALINFO_NEW,0),	"POLICYQUALINFO_NEW"},
 {ERR_PACK(0,ASN1_F_SXNETID_NEW,0),	"SXNETID_NEW"},
 {ERR_PACK(0,ASN1_F_SXNET_NEW,0),	"SXNET_NEW"},
+{ERR_PACK(0,ASN1_F_USERNOTICE_NEW,0),	"USERNOTICE_NEW"},
 {ERR_PACK(0,ASN1_F_X509_ALGOR_NEW,0),	"X509_ALGOR_NEW"},
 {ERR_PACK(0,ASN1_F_X509_ATTRIBUTE_NEW,0),	"X509_ATTRIBUTE_NEW"},
 {ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),	"X509_CINF_NEW"},
diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl
index ac8690b12e..4ab659e134 100644
--- a/crypto/x509v3/Makefile.ssl
+++ b/crypto/x509v3/Makefile.ssl
@@ -24,10 +24,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
 v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
-v3_pku.c v3_int.c v3_enum.c v3_sxnet.c
+v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
-v3_int.o v3_enum.o v3_sxnet.o
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o
 
 SRC= $(LIBSRC)
 
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index 0427a3071e..54ee2a53ca 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -149,6 +149,12 @@ char *value;	/* Value */
 		if(!ext_struc) return NULL;
 	} else if(method->s2i) {
 		if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
+	} else if(method->r2i) {
+		if(!ctx->db) {
+			X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE);
+			return NULL;
+		}
+		if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
 	} else {
 		X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
 		ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
@@ -287,15 +293,6 @@ X509_CRL *crl;
 	return 1;
 }
 
-/* Just check syntax of config file as far as possible */
-int X509V3_EXT_check_conf(conf, section)
-LHASH *conf;
-char *section;
-{
-	static X509V3_CTX ctx_tst = { CTX_TEST, NULL, NULL, NULL, NULL };
-	return X509V3_EXT_add_conf(conf, &ctx_tst, section, NULL);
-}
-
 /* Config database functions */
 
 char * X509V3_get_string(ctx, name, section)
@@ -317,18 +314,20 @@ char *section;
 	return NULL;
 }
 
-void X509V3_free_string(ctx, str)
+void X509V3_string_free(ctx, str)
 X509V3_CTX *ctx;
 char *str;
 {
+	if(!str) return;
 	if(ctx->db_meth->free_string)
 			return ctx->db_meth->free_string(ctx->db, str);
 }
 
-void X509V3_free_section(ctx, section)
+void X509V3_section_free(ctx, section)
 X509V3_CTX *ctx;
 STACK *section;
 {
+	if(!section) return;
 	if(ctx->db_meth->free_section)
 			return ctx->db_meth->free_section(ctx->db, section);
 }
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
new file mode 100644
index 0000000000..c9340046d7
--- /dev/null
+++ b/crypto/x509v3/v3_cpols.c
@@ -0,0 +1,544 @@
+/* v3_cpols.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include "conf.h"
+#include "asn1.h"
+#include "asn1_mac.h"
+#include "x509v3.h"
+
+/* Certificate policies extension support: this one is a bit complex... */
+
+static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent);
+static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value);
+static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent);
+static void print_notice(BIO *out, USERNOTICE *notice, int indent);
+static POLICYINFO *policy_section(X509V3_CTX *ctx, STACK *polstrs);
+
+X509V3_EXT_METHOD v3_cpols = {
+NID_certificate_policies, 0,
+(X509V3_EXT_NEW)CERTIFICATEPOLICIES_new,
+CERTIFICATEPOLICIES_free,
+(X509V3_EXT_D2I)d2i_CERTIFICATEPOLICIES,
+i2d_CERTIFICATEPOLICIES,
+NULL, NULL,
+NULL, NULL,
+(X509V3_EXT_I2R)i2r_certpol,
+(X509V3_EXT_R2I)r2i_certpol,
+NULL
+};
+
+
+/*
+ * ASN1err(ASN1_F_POLICYINFO_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_POLICYINFO,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_POLICYQUALINFO_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_POLICYQUALINFO,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_USERNOTICE_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_USERNOTICE,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_NOTICEREF_NEW,ERR_R_MALLOC_FAILURE);
+ * ASN1err(ASN1_F_D2I_NOTICEREF,ERR_R_MALLOC_FAILURE);
+ */
+
+static STACK_OF(POLICYINFO) *r2i_certpol(method, ctx, value)
+X509V3_EXT_METHOD *method;
+X509V3_CTX *ctx;
+char *value;
+{
+	STACK_OF(POLICYINFO) *pols = NULL;
+	char *pstr;
+	POLICYINFO *pol;
+	ASN1_OBJECT *pobj;
+	STACK *vals;
+	CONF_VALUE *cnf;
+	int i;
+	pols = sk_POLICYINFO_new_null();
+	vals =  X509V3_parse_list(value);
+	for(i = 0; i < sk_num(vals); i++) {
+		cnf = (CONF_VALUE *)sk_value(vals, i);
+		if(cnf->value || !cnf->name ) {
+			X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_POLICY_IDENTIFIER);
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+		pstr = cnf->name;
+		if(*pstr == '@') {
+			STACK *polsect;
+			polsect = X509V3_get_section(ctx, pstr + 1);
+			if(!polsect) {
+				X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_SECTION);
+
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			pol = policy_section(ctx, polsect);
+			X509V3_section_free(ctx, polsect);
+			if(!pol) goto err;
+		} else {
+			if(!(pobj = OBJ_txt2obj(cnf->name, 0))) {
+				X509V3err(X509V3_F_R2I_CERTPOL,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			pol = POLICYINFO_new();
+			pol->policyid = pobj;
+		}
+		sk_POLICYINFO_push(pols, pol);
+	}
+	sk_pop_free(vals, X509V3_conf_free);
+	return pols;
+	err:
+	sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
+	return NULL;
+}
+
+static POLICYINFO *policy_section(ctx, polstrs)
+X509V3_CTX *ctx;
+STACK *polstrs;
+{
+	int i;
+	CONF_VALUE *cnf;
+	for(i = 0; i < sk_num(polstrs); i++) {
+		cnf = (CONF_VALUE *)sk_value(polstrs, i);
+	}
+	return NULL;
+}
+
+
+static int i2r_certpol(method, pol, out, indent)
+X509V3_EXT_METHOD *method;
+STACK_OF(POLICYINFO) *pol;
+BIO *out;
+int indent;
+{
+	int i;
+	POLICYINFO *pinfo;
+	/* First print out the policy OIDs */
+	for(i = 0; i < sk_POLICYINFO_num(pol); i++) {
+		pinfo = sk_POLICYINFO_value(pol, i);
+		BIO_printf(out, "%*sPolicy: ", indent, "");
+		i2a_ASN1_OBJECT(out, pinfo->policyid);
+		BIO_puts(out, "\n");
+		if(pinfo->qualifiers)
+			 print_qualifiers(out, pinfo->qualifiers, indent + 2);
+	}
+	return 1;
+}
+
+
+int i2d_CERTIFICATEPOLICIES(a, pp)
+STACK_OF(POLICYINFO) *a;
+unsigned char **pp;
+{
+
+return i2d_ASN1_SET_OF_POLICYINFO(a, pp, i2d_POLICYINFO, V_ASN1_SEQUENCE,
+                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
+
+STACK_OF(POLICYINFO) *CERTIFICATEPOLICIES_new()
+{
+	return sk_POLICYINFO_new_null();
+}
+
+void CERTIFICATEPOLICIES_free(a)
+STACK_OF(POLICYINFO) *a;
+{
+	sk_POLICYINFO_pop_free(a, POLICYINFO_free);
+}
+
+STACK_OF(POLICYINFO) *d2i_CERTIFICATEPOLICIES(a,pp,length)
+STACK_OF(POLICYINFO) **a;
+unsigned char **pp;
+long length;
+{
+return d2i_ASN1_SET_OF_POLICYINFO(a, pp, length, d2i_POLICYINFO,
+                         POLICYINFO_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
+
+}
+
+IMPLEMENT_STACK_OF(POLICYINFO)
+IMPLEMENT_ASN1_SET_OF(POLICYINFO)
+
+int i2d_POLICYINFO(a,pp)
+POLICYINFO *a;
+unsigned char **pp;
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->policyid, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_len_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
+							 i2d_POLICYQUALINFO);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->policyid, i2d_ASN1_OBJECT);
+	M_ASN1_I2D_put_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
+							 i2d_POLICYQUALINFO);
+
+	M_ASN1_I2D_finish();
+}
+
+POLICYINFO *POLICYINFO_new()
+{
+	POLICYINFO *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, POLICYINFO);
+	ret->policyid = NULL;
+	ret->qualifiers = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_POLICYINFO_NEW);
+}
+
+POLICYINFO *d2i_POLICYINFO(a,pp,length)
+POLICYINFO **a;
+unsigned char **pp;
+long length;
+{
+	M_ASN1_D2I_vars(a,POLICYINFO *,POLICYINFO_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get(ret->policyid, d2i_ASN1_OBJECT);
+	if(!M_ASN1_D2I_end_sequence()) {
+		M_ASN1_D2I_get_seq_type (POLICYQUALINFO, ret->qualifiers,
+				 d2i_POLICYQUALINFO, POLICYQUALINFO_free);
+	}
+	M_ASN1_D2I_Finish(a, POLICYINFO_free, ASN1_F_D2I_POLICYINFO);
+}
+
+void POLICYINFO_free(a)
+POLICYINFO *a;
+{
+	if (a == NULL) return;
+	ASN1_OBJECT_free(a->policyid);
+	sk_POLICYQUALINFO_pop_free(a->qualifiers, POLICYQUALINFO_free);
+	Free (a);
+}
+
+static void print_qualifiers(out, quals, indent)
+BIO *out;
+STACK_OF(POLICYQUALINFO) *quals;
+int indent;
+{
+	POLICYQUALINFO *qualinfo;
+	int i;
+	for(i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
+		qualinfo = sk_POLICYQUALINFO_value(quals, i);
+		switch(OBJ_obj2nid(qualinfo->pqualid))
+		{
+			case NID_id_qt_cps:
+			BIO_printf(out, "%*sCPS: %s\n", indent, "",
+						qualinfo->d.cpsuri->data);
+			break;
+		
+			case NID_id_qt_unotice:
+			BIO_printf(out, "%*sUser Notice:\n", indent, "");
+			print_notice(out, qualinfo->d.usernotice, indent + 2);
+			break;
+
+			default:
+			BIO_printf(out, "%*sUnknown Qualifier: ",
+							 indent + 2, "");
+			
+			i2a_ASN1_OBJECT(out, qualinfo->pqualid);
+			BIO_puts(out, "\n");
+			break;
+		}
+	}
+}
+
+static void print_notice(out, notice, indent)
+BIO *out;
+USERNOTICE *notice;
+int indent;
+{
+	int i;
+	if(notice->noticeref) {
+		NOTICEREF *ref;
+		ref = notice->noticeref;
+		BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+						 ref->organization->data);
+		BIO_printf(out, "%*sNumber%s: ", indent, "",
+				 (sk_num(ref->noticenos) > 1) ? "s" : "");
+		for(i = 0; i < sk_num(ref->noticenos); i++) {
+			ASN1_INTEGER *num;
+			char *tmp;
+			num = (ASN1_INTEGER *)sk_value(ref->noticenos, i);
+			if(i) BIO_puts(out, ", ");
+			tmp = i2s_ASN1_INTEGER(NULL, num);
+			BIO_puts(out, tmp);
+			Free(tmp);
+		}
+		BIO_puts(out, "\n");
+	}
+	if(notice->exptext)
+		BIO_printf(out, "%*sNotice Reference: %s\n", indent, "",
+							 notice->exptext->data);
+}
+		
+	
+
+int i2d_POLICYQUALINFO(a,pp)
+POLICYQUALINFO *a;
+unsigned char **pp;
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->pqualid, i2d_ASN1_OBJECT);
+	switch(OBJ_obj2nid(a->pqualid)) {
+		case NID_id_qt_cps:
+		M_ASN1_I2D_len(a->d.cpsuri, i2d_ASN1_IA5STRING);
+		break;
+
+		case NID_id_qt_unotice:
+		M_ASN1_I2D_len(a->d.usernotice, i2d_USERNOTICE);
+		break;
+
+		default:
+		M_ASN1_I2D_len(a->d.other, i2d_ASN1_TYPE);
+		break;
+	}
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->pqualid, i2d_ASN1_OBJECT);
+	switch(OBJ_obj2nid(a->pqualid)) {
+		case NID_id_qt_cps:
+		M_ASN1_I2D_put(a->d.cpsuri, i2d_ASN1_IA5STRING);
+		break;
+
+		case NID_id_qt_unotice:
+		M_ASN1_I2D_put(a->d.usernotice, i2d_USERNOTICE);
+		break;
+
+		default:
+		M_ASN1_I2D_put(a->d.other, i2d_ASN1_TYPE);
+		break;
+	}
+
+	M_ASN1_I2D_finish();
+}
+
+POLICYQUALINFO *POLICYQUALINFO_new()
+{
+	POLICYQUALINFO *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, POLICYQUALINFO);
+	ret->pqualid = NULL;
+	ret->d.other = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_POLICYQUALINFO_NEW);
+}
+
+POLICYQUALINFO *d2i_POLICYQUALINFO(a,pp,length)
+POLICYQUALINFO **a;
+unsigned char **pp;
+long length;
+{
+	M_ASN1_D2I_vars(a,POLICYQUALINFO *,POLICYQUALINFO_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get (ret->pqualid, d2i_ASN1_OBJECT);
+	switch(OBJ_obj2nid(ret->pqualid)) {
+		case NID_id_qt_cps:
+		M_ASN1_D2I_get(ret->d.cpsuri, d2i_ASN1_IA5STRING);
+		break;
+
+		case NID_id_qt_unotice:
+		M_ASN1_D2I_get(ret->d.usernotice, d2i_USERNOTICE);
+		break;
+
+		default:
+		M_ASN1_D2I_get(ret->d.other, d2i_ASN1_TYPE);
+		break;
+	}
+	M_ASN1_D2I_Finish(a, POLICYQUALINFO_free, ASN1_F_D2I_POLICYQUALINFO);
+}
+
+void POLICYQUALINFO_free(a)
+POLICYQUALINFO *a;
+{
+	if (a == NULL) return;
+	switch(OBJ_obj2nid(a->pqualid)) {
+		case NID_id_qt_cps:
+		ASN1_IA5STRING_free(a->d.cpsuri);
+		break;
+
+		case NID_id_qt_unotice:
+		USERNOTICE_free(a->d.usernotice);
+		break;
+
+		default:
+		ASN1_TYPE_free(a->d.other);
+		break;
+	}
+	
+	ASN1_OBJECT_free(a->pqualid);
+	Free (a);
+}
+
+int i2d_USERNOTICE(a,pp)
+USERNOTICE *a;
+unsigned char **pp;
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->noticeref, i2d_NOTICEREF);
+	M_ASN1_I2D_len (a->exptext, i2d_DISPLAYTEXT);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->noticeref, i2d_NOTICEREF);
+	M_ASN1_I2D_put (a->exptext, i2d_DISPLAYTEXT);
+
+	M_ASN1_I2D_finish();
+}
+
+USERNOTICE *USERNOTICE_new()
+{
+	USERNOTICE *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, USERNOTICE);
+	ret->noticeref = NULL;
+	ret->exptext = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_USERNOTICE_NEW);
+}
+
+USERNOTICE *d2i_USERNOTICE(a,pp,length)
+USERNOTICE **a;
+unsigned char **pp;
+long length;
+{
+	M_ASN1_D2I_vars(a,USERNOTICE *,USERNOTICE_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	M_ASN1_D2I_get_opt(ret->noticeref, d2i_NOTICEREF, V_ASN1_SEQUENCE);
+	if (!M_ASN1_D2I_end_sequence()) {
+		M_ASN1_D2I_get(ret->exptext, d2i_DISPLAYTEXT);
+	}
+	M_ASN1_D2I_Finish(a, USERNOTICE_free, ASN1_F_D2I_USERNOTICE);
+}
+
+void USERNOTICE_free(a)
+USERNOTICE *a;
+{
+	if (a == NULL) return;
+	NOTICEREF_free(a->noticeref);
+	DISPLAYTEXT_free(a->exptext);
+	Free (a);
+}
+
+int i2d_NOTICEREF(a,pp)
+NOTICEREF *a;
+unsigned char **pp;
+{
+	M_ASN1_I2D_vars(a);
+
+	M_ASN1_I2D_len (a->organization, i2d_DISPLAYTEXT);
+	M_ASN1_I2D_len_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_seq_total();
+
+	M_ASN1_I2D_put (a->organization, i2d_DISPLAYTEXT);
+	M_ASN1_I2D_put_SEQUENCE(a->noticenos, i2d_ASN1_INTEGER);
+
+	M_ASN1_I2D_finish();
+}
+
+NOTICEREF *NOTICEREF_new()
+{
+	NOTICEREF *ret=NULL;
+	ASN1_CTX c;
+	M_ASN1_New_Malloc(ret, NOTICEREF);
+	ret->organization = NULL;
+	ret->noticenos = NULL;
+	return (ret);
+	M_ASN1_New_Error(ASN1_F_NOTICEREF_NEW);
+}
+
+NOTICEREF *d2i_NOTICEREF(a,pp,length)
+NOTICEREF **a;
+unsigned char **pp;
+long length;
+{
+	M_ASN1_D2I_vars(a,NOTICEREF *,NOTICEREF_new);
+	M_ASN1_D2I_Init();
+	M_ASN1_D2I_start_sequence();
+	/* This is to cope with some broken encodings that use IA5STRING for
+         * the organization field
+	 */
+	M_ASN1_D2I_get_opt(ret->organization, d2i_ASN1_IA5STRING,
+							 V_ASN1_IA5STRING);
+	if(!ret->organization) {
+		 M_ASN1_D2I_get(ret->organization, d2i_DISPLAYTEXT);
+	}
+	M_ASN1_D2I_get_seq(ret->noticenos, d2i_ASN1_INTEGER, ASN1_STRING_free);
+	M_ASN1_D2I_Finish(a, NOTICEREF_free, ASN1_F_D2I_NOTICEREF);
+}
+
+void NOTICEREF_free(a)
+NOTICEREF *a;
+{
+	if (a == NULL) return;
+	DISPLAYTEXT_free(a->organization);
+	sk_pop_free(a->noticenos, ASN1_STRING_free);
+	Free (a);
+}
+
+IMPLEMENT_STACK_OF(POLICYQUALINFO)
+IMPLEMENT_ASN1_SET_OF(POLICYQUALINFO)
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index f5dda420d1..e3686b6275 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -149,7 +149,7 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols;
 
 int X509V3_add_standard_extensions()
 {
@@ -165,6 +165,7 @@ int X509V3_add_standard_extensions()
 	X509V3_EXT_add(&v3_crl_num);
 	X509V3_EXT_add(&v3_sxnet);
 	X509V3_EXT_add(&v3_crl_reason);
+	X509V3_EXT_add(&v3_cpols);
 	return 1;
 }
 
diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c
index ac7ac48af1..4a8297ceb3 100644
--- a/crypto/x509v3/v3err.c
+++ b/crypto/x509v3/v3err.c
@@ -69,6 +69,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),	"hex_to_string"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),	"i2s_ASN1_ENUMERATED"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),	"i2s_ASN1_INTEGER"},
+{ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),	"R2I_CERTPOL"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),	"S2I_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),	"s2i_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),	"s2i_ASN1_OCTET_STRING"},
@@ -87,12 +88,12 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),	"v2i_GENERAL_NAME"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),	"v2i_GENERAL_NAMES"},
 {ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),	"V3_GENERIC_EXTENSION"},
-{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0),	"X509V3_EXT_add"},
 {ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0),	"X509V3_add_value"},
+{ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0),	"X509V3_EXT_add"},
 {ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0),	"X509V3_EXT_add_alias"},
 {ERR_PACK(0,X509V3_F_X509V3_EXT_CONF,0),	"X509V3_EXT_conf"},
-{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),	"X509V3_parse_list"},
 {ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),	"X509V3_get_value_bool"},
+{ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),	"X509V3_parse_list"},
 {0,NULL},
 	};
 
@@ -117,8 +118,11 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_NULL_NAME              ,"invalid null name"},
 {X509V3_R_INVALID_NULL_VALUE             ,"invalid null value"},
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
+{X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_SECTION                ,"invalid section"},
 {X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
 {X509V3_R_MISSING_VALUE                  ,"missing value"},
+{X509V3_R_NO_CONFIG_DATABASE             ,"no config database"},
 {X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
 {X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
 {X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
diff --git a/crypto/x509v3/x509v3.err b/crypto/x509v3/x509v3.err
index 9358d44b3b..2c027813fe 100644
--- a/crypto/x509v3/x509v3.err
+++ b/crypto/x509v3/x509v3.err
@@ -7,6 +7,7 @@
 #define X509V3_F_HEX_TO_STRING				 111
 #define X509V3_F_I2S_ASN1_ENUMERATED			 121
 #define X509V3_F_I2S_ASN1_INTEGER			 120
+#define X509V3_F_R2I_CERTPOL				 130
 #define X509V3_F_S2I_ASN1_IA5STRING			 100
 #define X509V3_F_S2I_ASN1_INTEGER			 108
 #define X509V3_F_S2I_ASN1_OCTET_STRING			 112
@@ -25,12 +26,12 @@
 #define X509V3_F_V2I_GENERAL_NAME			 117
 #define X509V3_F_V2I_GENERAL_NAMES			 118
 #define X509V3_F_V3_GENERIC_EXTENSION			 116
-#define X509V3_F_X509V3_EXT_ADD				 104
 #define X509V3_F_X509V3_ADD_VALUE			 105
+#define X509V3_F_X509V3_EXT_ADD				 104
 #define X509V3_F_X509V3_EXT_ADD_ALIAS			 106
 #define X509V3_F_X509V3_EXT_CONF			 107
-#define X509V3_F_X509V3_PARSE_LIST			 109
 #define X509V3_F_X509V3_GET_VALUE_BOOL			 110
+#define X509V3_F_X509V3_PARSE_LIST			 109
 
 /* Reason codes. */
 #define X509V3_R_BAD_IP_ADDRESS				 118
@@ -52,8 +53,11 @@
 #define X509V3_R_INVALID_NULL_NAME			 108
 #define X509V3_R_INVALID_NULL_VALUE			 109
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
+#define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
+#define X509V3_R_INVALID_SECTION			 135
 #define X509V3_R_ISSUER_DECODE_ERROR			 126
 #define X509V3_R_MISSING_VALUE				 124
+#define X509V3_R_NO_CONFIG_DATABASE			 136
 #define X509V3_R_NO_ISSUER_CERTIFICATE			 121
 #define X509V3_R_NO_ISSUER_DETAILS			 127
 #define X509V3_R_NO_PUBLIC_KEY				 114
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index d44aad7be4..d63630160a 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -203,7 +203,7 @@ typedef struct NOTICEREF_st {
 } NOTICEREF;
 
 typedef struct USERNOTICE_st {
-	NOTICEREF *notref;
+	NOTICEREF *noticeref;
 	ASN1_STRING *exptext;
 } USERNOTICE;
 
@@ -217,10 +217,11 @@ typedef struct POLICYQUALINFO_st {
 } POLICYQUALINFO;
 
 DECLARE_STACK_OF(POLICYQUALINFO)
+DECLARE_ASN1_SET_OF(POLICYQUALINFO)
 
 typedef struct POLICYINFO_st {
 	ASN1_OBJECT *policyid;
-	STACK_OF(POLICYQUALINFO) qualifiers;
+	STACK_OF(POLICYQUALINFO) *qualifiers;
 } POLICYINFO;
 
 DECLARE_STACK_OF(POLICYINFO);
@@ -229,6 +230,10 @@ DECLARE_ASN1_SET_OF(POLICYINFO);
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
 
+#define X509V3_set_ctx_test(ctx) \
+			X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
+#define X509V3_set_ctx_nodb(ctx) ctx->db = NULL;
+
 #define EXT_BITSTRING(nid, table) { nid, 0, \
 			(X509V3_EXT_NEW)asn1_bit_string_new, ASN1_STRING_free, \
 			(X509V3_EXT_D2I)d2i_ASN1_BIT_STRING, \
@@ -308,6 +313,32 @@ STACK *d2i_ext_ku(STACK **a, unsigned char **pp, long length);
 void ext_ku_free(STACK *a);
 STACK *ext_ku_new(void);
 
+int i2d_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) *a, unsigned char **pp);
+STACK_OF(POLICYINFO) *CERTIFICATEPOLICIES_new(void);
+void CERTIFICATEPOLICIES_free(STACK_OF(POLICYINFO) *a);
+STACK_OF(POLICYINFO) *d2i_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) **a, unsigned char **pp, long length);
+
+int i2d_POLICYINFO(POLICYINFO *a, unsigned char **pp);
+POLICYINFO *POLICYINFO_new(void);
+POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, unsigned char **pp, long length);
+void POLICYINFO_free(POLICYINFO *a);
+
+int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **pp);
+POLICYQUALINFO *POLICYQUALINFO_new(void);
+POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, unsigned char **pp,
+								 long length);
+void POLICYQUALINFO_free(POLICYQUALINFO *a);
+
+int i2d_USERNOTICE(USERNOTICE *a, unsigned char **pp);
+USERNOTICE *USERNOTICE_new(void);
+USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, unsigned char **pp, long length);
+void USERNOTICE_free(USERNOTICE *a);
+
+int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp);
+NOTICEREF *NOTICEREF_new(void);
+NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp, long length);
+void NOTICEREF_free(NOTICEREF *a);
+
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
@@ -315,7 +346,6 @@ X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, c
 X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
 int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
 int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
-int X509V3_EXT_check_conf(LHASH *conf, char *section);
 int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
 int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
 void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
@@ -323,8 +353,8 @@ void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
 
 char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
 STACK * X509V3_get_section(X509V3_CTX *ctx, char *section);
-void X509V3_free_string(X509V3_CTX *ctx, char *str);
-void X509V3_free_section( X509V3_CTX *ctx, STACK *section);
+void X509V3_string_free(X509V3_CTX *ctx, char *str);
+void X509V3_section_free( X509V3_CTX *ctx, STACK *section);
 void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
 				 X509_REQ *req, X509_CRL *crl, int flags);
 
@@ -413,16 +443,40 @@ void X509V3_conf_free();
 X509_EXTENSION *X509V3_EXT_conf_nid();
 X509_EXTENSION *X509V3_EXT_conf();
 int X509V3_EXT_add_conf();
-int X509V3_EXT_check_conf();
 int X509V3_get_value_bool();
 int X509V3_get_value_int();
 void X509V3_set_conf_lhash();
 #endif
 
+int i2d_CERTIFICATEPOLICIES();
+STACK *CERTIFICATEPOLICIES_new();
+void CERTIFICATEPOLICIES_free();
+STACK *d2i_CERTIFICATEPOLICIES();
+
+int i2d_POLICYINFO();
+POLICYINFO *POLICYINFO_new();
+POLICYINFO *d2i_POLICYINFO();
+void POLICYINFO_free();
+
+int i2d_POLICYQUALINFO();
+POLICYQUALINFO *POLICYQUALINFO_new();
+POLICYQUALINFO *d2i_POLICYQUALINFO();
+void POLICYQUALINFO_free();
+
+int i2d_USERNOTICE();
+USERNOTICE *USERNOTICE_new();
+USERNOTICE *d2i_USERNOTICE();
+void USERNOTICE_free();
+
+int i2d_NOTICEREF();
+NOTICEREF *NOTICEREF_new();
+NOTICEREF *d2i_NOTICEREF();
+void NOTICEREF_free();
+
 char * X509V3_get_string();
 STACK * X509V3_get_section();
-void X509V3_free_string();
-void X509V3_free_section();
+void X509V3_string_free();
+void X509V3_section_free();
 void X509V3_set_ctx();
 
 int X509V3_add_value();
@@ -461,6 +515,7 @@ int X509V3_EXT_print_fp();
 #define X509V3_F_HEX_TO_STRING				 111
 #define X509V3_F_I2S_ASN1_ENUMERATED			 121
 #define X509V3_F_I2S_ASN1_INTEGER			 120
+#define X509V3_F_R2I_CERTPOL				 130
 #define X509V3_F_S2I_ASN1_IA5STRING			 100
 #define X509V3_F_S2I_ASN1_INTEGER			 108
 #define X509V3_F_S2I_ASN1_OCTET_STRING			 112
@@ -479,12 +534,12 @@ int X509V3_EXT_print_fp();
 #define X509V3_F_V2I_GENERAL_NAME			 117
 #define X509V3_F_V2I_GENERAL_NAMES			 118
 #define X509V3_F_V3_GENERIC_EXTENSION			 116
-#define X509V3_F_X509V3_EXT_ADD				 104
 #define X509V3_F_X509V3_ADD_VALUE			 105
+#define X509V3_F_X509V3_EXT_ADD				 104
 #define X509V3_F_X509V3_EXT_ADD_ALIAS			 106
 #define X509V3_F_X509V3_EXT_CONF			 107
-#define X509V3_F_X509V3_PARSE_LIST			 109
 #define X509V3_F_X509V3_GET_VALUE_BOOL			 110
+#define X509V3_F_X509V3_PARSE_LIST			 109
 
 /* Reason codes. */
 #define X509V3_R_BAD_IP_ADDRESS				 118
@@ -506,8 +561,11 @@ int X509V3_EXT_print_fp();
 #define X509V3_R_INVALID_NULL_NAME			 108
 #define X509V3_R_INVALID_NULL_VALUE			 109
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
+#define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
+#define X509V3_R_INVALID_SECTION			 135
 #define X509V3_R_ISSUER_DECODE_ERROR			 126
 #define X509V3_R_MISSING_VALUE				 124
+#define X509V3_R_NO_CONFIG_DATABASE			 136
 #define X509V3_R_NO_ISSUER_CERTIFICATE			 121
 #define X509V3_R_NO_ISSUER_DETAILS			 127
 #define X509V3_R_NO_PUBLIC_KEY				 114