Add functionality needed to process proxy certificates.
authorRichard Levitte <levitte@openssl.org>
Tue, 28 Dec 2004 00:21:35 +0000 (00:21 +0000)
committerRichard Levitte <levitte@openssl.org>
Tue, 28 Dec 2004 00:21:35 +0000 (00:21 +0000)
25 files changed:
CHANGES
apps/openssl-vms.cnf
apps/openssl.cnf
crypto/objects/obj_dat.h
crypto/objects/obj_mac.h
crypto/objects/obj_mac.num
crypto/objects/objects.txt
crypto/x509/x509.h
crypto/x509/x509_txt.c
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.h
crypto/x509v3/Makefile.ssl
crypto/x509v3/ext_dat.h
crypto/x509v3/v3_pci.c [new file with mode: 0644]
crypto/x509v3/v3_pcia.c [new file with mode: 0644]
crypto/x509v3/v3_purp.c
crypto/x509v3/v3err.c
crypto/x509v3/x509v3.h
test/CAss.cnf
test/Makefile.ssl
test/P1ss.cnf [new file with mode: 0644]
test/P2ss.cnf [new file with mode: 0644]
test/Uss.cnf
test/testss
util/libeay.num

diff --git a/CHANGES b/CHANGES
index 78b0020..a347efc 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.7e and 0.9.8  [xx XXX xxxx]
 
+  *) Add processing of proxy certificates (see RFC 3820).  This work was
+     sponsored by KTH (The Royal Institute of Technology in Stockholm) and
+     EGEE (Enabling Grids for E-science in Europe).
+     [Richard Levitte]
+
   *) RC4 performance overhaul on modern architectures/implementations, such
      as Intel P4, IA-64 and AMD64.
      [Andy Polyakov]
index 05663c9..130b430 100644 (file)
@@ -258,3 +258,56 @@ basicConstraints = CA:true
 
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                   = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                      = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
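Review bot: The sample value `policy:foo` on the last line of this hunk carries no `hex:`, `file:` or `text:` tag, and process_pci_value in the new crypto/x509v3/v3_pci.c sends any untagged policy value to its X509V3_R_INCORRECT_POLICY_SYNTAX_TAG error branch. Anyone using the [ proxy_cert_ext ] section as shipped would therefore presumably get a configuration error rather than a certificate. Writing the line as `proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:text:foo` matches the parser. The same line appears at the end of the apps/openssl.cnf hunk that follows. A comment such as `# Placeholder policy; replace language and policy before issuing real proxy certificates.` would also stop the sample from being copied unchanged into production.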
index 8941f45..6d731cb 100644 (file)
@@ -258,3 +258,56 @@ basicConstraints = CA:true
 
 # issuerAltName=issuer:copy
 authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType                   = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment                      = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl             = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
index 7a51382..c2a707a 100644 (file)
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 746
-#define NUM_SN 742
-#define NUM_LN 742
-#define NUM_OBJ 704
+#define NUM_NID 751
+#define NUM_SN 747
+#define NUM_LN 747
+#define NUM_OBJ 709
 
-static unsigned char lvalues[4963]={
+static unsigned char lvalues[5002]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -772,6 +772,11 @@ static unsigned char lvalues[4963]={
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,/* [4935] OBJ_sha384 */
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,/* [4944] OBJ_sha512 */
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04,/* [4953] OBJ_sha224 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,          /* [4962] OBJ_id_ppl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E,     /* [4969] OBJ_proxyCertInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00,     /* [4977] OBJ_id_ppl_anyLanguage */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01,     /* [4985] OBJ_id_ppl_inheritAll */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02,     /* [4993] OBJ_Independent */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1932,6 +1937,14 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"SHA224","sha224",NID_sha224,9,&(lvalues[4953]),0},
 {"Oakley-EC2N-3","ipsec3",NID_ipsec3,0,NULL},
 {"Oakley-EC2N-4","ipsec4",NID_ipsec4,0,NULL},
+{"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4962]),0},
+{"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8,
+       &(lvalues[4969]),0},
+{"id-ppl-anyLanguage","Any language",NID_id_ppl_anyLanguage,8,
+       &(lvalues[4977]),0},
+{"id-ppl-inheritAll","Inherit all",NID_id_ppl_inheritAll,8,
+       &(lvalues[4985]),0},
+{"id-ppl-independent","Independent",NID_Independent,8,&(lvalues[4993]),0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -2271,6 +2284,10 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[271]),/* "id-pkix1-explicit-93" */
 &(nid_objs[270]),/* "id-pkix1-implicit-88" */
 &(nid_objs[272]),/* "id-pkix1-implicit-93" */
+&(nid_objs[746]),/* "id-ppl" */
+&(nid_objs[748]),/* "id-ppl-anyLanguage" */
+&(nid_objs[750]),/* "id-ppl-independent" */
+&(nid_objs[749]),/* "id-ppl-inheritAll" */
 &(nid_objs[267]),/* "id-qcs" */
 &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */
 &(nid_objs[259]),/* "id-qt" */
@@ -2453,6 +2470,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[415]),/* "prime256v1" */
 &(nid_objs[385]),/* "private" */
 &(nid_objs[84]),/* "privateKeyUsagePeriod" */
+&(nid_objs[747]),/* "proxyCertInfo" */
 &(nid_objs[510]),/* "pseudonym" */
 &(nid_objs[435]),/* "pss" */
 &(nid_objs[286]),/* "qcStatements" */
@@ -2683,6 +2701,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[363]),/* "AD Time Stamping" */
 &(nid_objs[405]),/* "ANSI X9.62" */
 &(nid_objs[368]),/* "Acceptable OCSP Responses" */
+&(nid_objs[748]),/* "Any language" */
 &(nid_objs[177]),/* "Authority Information Access" */
 &(nid_objs[365]),/* "Basic OCSP Response" */
 &(nid_objs[285]),/* "Biometric Info" */
@@ -2705,6 +2724,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[296]),/* "IPSec User" */
 &(nid_objs[182]),/* "ISO Member Body" */
 &(nid_objs[183]),/* "ISO US Member Body" */
+&(nid_objs[750]),/* "Independent" */
+&(nid_objs[749]),/* "Inherit all" */
 &(nid_objs[647]),/* "International Organizations" */
 &(nid_objs[142]),/* "Invalidity Date" */
 &(nid_objs[504]),/* "MIME MHS" */
@@ -2748,6 +2769,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[164]),/* "Policy Qualifier CPS" */
 &(nid_objs[165]),/* "Policy Qualifier User Notice" */
 &(nid_objs[385]),/* "Private" */
+&(nid_objs[747]),/* "Proxy Certificate Information" */
 &(nid_objs[ 1]),/* "RSA Data Security, Inc." */
 &(nid_objs[ 2]),/* "RSA Data Security, Inc. PKCS" */
 &(nid_objs[188]),/* "S/MIME" */
@@ -3009,6 +3031,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[271]),/* "id-pkix1-explicit-93" */
 &(nid_objs[270]),/* "id-pkix1-implicit-88" */
 &(nid_objs[272]),/* "id-pkix1-implicit-93" */
+&(nid_objs[746]),/* "id-ppl" */
 &(nid_objs[267]),/* "id-qcs" */
 &(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */
 &(nid_objs[259]),/* "id-qt" */
@@ -3727,6 +3750,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[266]),/* OBJ_id_aca                       1 3 6 1 5 5 7 10 */
 &(nid_objs[267]),/* OBJ_id_qcs                       1 3 6 1 5 5 7 11 */
 &(nid_objs[268]),/* OBJ_id_cct                       1 3 6 1 5 5 7 12 */
+&(nid_objs[746]),/* OBJ_id_ppl                       1 3 6 1 5 5 7 21 */
 &(nid_objs[176]),/* OBJ_id_ad                        1 3 6 1 5 5 7 48 */
 &(nid_objs[507]),/* OBJ_id_hex_partial_message       1 3 6 1 7 1 1 1 */
 &(nid_objs[508]),/* OBJ_id_hex_multipart_message     1 3 6 1 7 1 1 2 */
@@ -3801,6 +3825,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[292]),/* OBJ_sbqp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
 &(nid_objs[397]),/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
 &(nid_objs[398]),/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
+&(nid_objs[747]),/* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */
 &(nid_objs[164]),/* OBJ_id_qt_cps                    1 3 6 1 5 5 7 2 1 */
 &(nid_objs[165]),/* OBJ_id_qt_unotice                1 3 6 1 5 5 7 2 2 */
 &(nid_objs[293]),/* OBJ_textNotice                   1 3 6 1 5 5 7 2 3 */
@@ -3871,6 +3896,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[360]),/* OBJ_id_cct_crs                   1 3 6 1 5 5 7 12 1 */
 &(nid_objs[361]),/* OBJ_id_cct_PKIData               1 3 6 1 5 5 7 12 2 */
 &(nid_objs[362]),/* OBJ_id_cct_PKIResponse           1 3 6 1 5 5 7 12 3 */
+&(nid_objs[748]),/* OBJ_id_ppl_anyLanguage           1 3 6 1 5 5 7 21 0 */
+&(nid_objs[749]),/* OBJ_id_ppl_inheritAll            1 3 6 1 5 5 7 21 1 */
+&(nid_objs[750]),/* OBJ_Independent                  1 3 6 1 5 5 7 21 2 */
 &(nid_objs[178]),/* OBJ_ad_OCSP                      1 3 6 1 5 5 7 48 1 */
 &(nid_objs[179]),/* OBJ_ad_ca_issuers                1 3 6 1 5 5 7 48 2 */
 &(nid_objs[363]),/* OBJ_ad_timeStamping              1 3 6 1 5 5 7 48 3 */
index e53aadb..3225770 100644 (file)
 #define NID_id_cct             268
 #define OBJ_id_cct             OBJ_id_pkix,12L
 
+#define SN_id_ppl              "id-ppl"
+#define NID_id_ppl             746
+#define OBJ_id_ppl             OBJ_id_pkix,21L
+
 #define SN_id_ad               "id-ad"
 #define NID_id_ad              176
 #define OBJ_id_ad              OBJ_id_pkix,48L
 #define NID_sinfo_access               398
 #define OBJ_sinfo_access               OBJ_id_pe,11L
 
+#define SN_proxyCertInfo               "proxyCertInfo"
+#define LN_proxyCertInfo               "Proxy Certificate Information"
+#define NID_proxyCertInfo              747
+#define OBJ_proxyCertInfo              OBJ_id_pe,14L
+
 #define SN_id_qt_cps           "id-qt-cps"
 #define LN_id_qt_cps           "Policy Qualifier CPS"
 #define NID_id_qt_cps          164
 #define NID_id_cct_PKIResponse         362
 #define OBJ_id_cct_PKIResponse         OBJ_id_cct,3L
 
+#define SN_id_ppl_anyLanguage          "id-ppl-anyLanguage"
+#define LN_id_ppl_anyLanguage          "Any language"
+#define NID_id_ppl_anyLanguage         748
+#define OBJ_id_ppl_anyLanguage         OBJ_id_ppl,0L
+
+#define SN_id_ppl_inheritAll           "id-ppl-inheritAll"
+#define LN_id_ppl_inheritAll           "Inherit all"
+#define NID_id_ppl_inheritAll          749
+#define OBJ_id_ppl_inheritAll          OBJ_id_ppl,1L
+
+#define SN_Independent         "id-ppl-independent"
+#define LN_Independent         "Independent"
+#define NID_Independent                750
+#define OBJ_Independent                OBJ_id_ppl,2L
+
 #define SN_ad_OCSP             "OCSP"
 #define LN_ad_OCSP             "OCSP"
 #define NID_ad_OCSP            178
index c5dd8db..180d20f 100644 (file)
@@ -743,3 +743,8 @@ sha512              742
 sha224         743
 ipsec3         744
 ipsec4         745
+id_ppl         746
+proxyCertInfo          747
+id_ppl_anyLanguage             748
+id_ppl_inheritAll              749
+Independent            750
index f2ea4a4..46a405b 100644 (file)
@@ -405,6 +405,7 @@ id-pkix 9           : id-pda
 id-pkix 10             : id-aca
 id-pkix 11             : id-qcs
 id-pkix 12             : id-cct
+id-pkix 21             : id-ppl
 id-pkix 48             : id-ad
 
 # PKIX Modules
@@ -439,6 +440,7 @@ id-pe 9                     : sbqp-routerIdentifier
 id-pe 10               : ac-proxying
 !Cname sinfo-access
 id-pe 11               : subjectInfoAccess     : Subject Information Access
+id-pe 14               : proxyCertInfo         : Proxy Certificate Information
 
 # PKIX policyQualifiers for Internet policy qualifiers
 id-qt 1                        : id-qt-cps             : Policy Qualifier CPS
@@ -554,6 +556,11 @@ id-cct 1           : id-cct-crs
 id-cct 2               : id-cct-PKIData
 id-cct 3               : id-cct-PKIResponse
 
+# Predefined Proxy Certificate policy languages
+id-ppl 0               : id-ppl-anyLanguage    : Any language
+id-ppl 1               : id-ppl-inheritAll     : Inherit all
+id-ppl 2               : id-ppl-independent    : Independent
+
 # access descriptors for authority info access extension
 !Cname ad-OCSP
 id-ad 1                        : OCSP                  : OCSP
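Review bot: The third new entry, `id-ppl 2 : id-ppl-independent : Independent`, ends up with the C names `SN_Independent`, `NID_Independent` and `OBJ_Independent` in the regenerated obj_mac.h of this commit, while its two siblings get `id_ppl_`-prefixed names. The generator appears to take the C name from the long name when that is a single word. A bare `NID_Independent` in a public header says nothing about proxy policy languages and is easy to collide with or misread. This file already uses `!Cname` overrides for this purpose (`!Cname sinfo-access`, `!Cname ad-OCSP`), so adding `!Cname id-ppl-independent` on the line before the entry would keep the three names parallel.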
index 016164c..46673fd 100644 (file)
@@ -280,6 +280,7 @@ struct x509_st
        CRYPTO_EX_DATA ex_data;
        /* These contain copies of various extension values */
        long ex_pathlen;
+       long ex_pcpathlen;
        unsigned long ex_flags;
        unsigned long ex_kusage;
        unsigned long ex_xkusage;
index 57ff33d..247e7e1 100644 (file)
@@ -126,6 +126,8 @@ const char *X509_verify_cert_error_string(long n)
                return ("invalid non-CA certificate (has CA markings)");
        case X509_V_ERR_PATH_LENGTH_EXCEEDED:
                return ("path length constraint exceeded");
+       case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+               return("proxy path length constraint exceeded");
        case X509_V_ERR_INVALID_PURPOSE:
                return ("unsupported certificate purpose");
        case X509_V_ERR_CERT_UNTRUSTED:
@@ -142,28 +144,22 @@ const char *X509_verify_cert_error_string(long n)
                return("authority and issuer serial number mismatch");
        case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
                return("key usage does not include certificate signing");
-
        case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
                return("unable to get CRL issuer certificate");
-
        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
                return("unhandled critical extension");
-
        case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
                return("key usage does not include CRL signing");
-
+       case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+               return("key usage does not include digital signature");
        case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
                return("unhandled critical CRL extension");
-
        case X509_V_ERR_INVALID_EXTENSION:
                return("invalid or inconsistent certificate extension");
-
        case X509_V_ERR_INVALID_POLICY_EXTENSION:
                return("invalid or inconsistent certificate policy extension");
-
        case X509_V_ERR_NO_EXPLICIT_POLICY:
                return("no explicit policy");
-
        default:
                BIO_snprintf(buf,sizeof buf,"error number %ld",n);
                return(buf);
index c6c83ad..cbdd978 100644 (file)
@@ -389,6 +389,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
        int i, ok=0, must_be_ca;
        X509 *x;
        int (*cb)();
+       int proxy_path_length = 0;
        cb=ctx->verify_cb;
 
        /* must_be_ca can have 1 of 3 values:
@@ -472,7 +473,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                        }
                /* Check pathlen */
                if ((i > 1) && (x->ex_pathlen != -1)
-                          && (i > (x->ex_pathlen + 1)))
+                          && (i > (x->ex_pathlen + proxy_path_length + 1)))
                        {
                        ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                        ctx->error_depth = i;
@@ -480,8 +481,26 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
-               /* The next certificate must be a CA */
-               must_be_ca = 1;
+               /* If this certificate is a proxy certificate, the next
+                  certificate must be another proxy certificate or a EE
+                  certificate.  If not, the next certificate must be a
+                  CA certificate.  */
+               if (x->ex_flags & EXFLAG_PROXY)
+                       {
+                       if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
+                               {
+                               ctx->error =
+                                       X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+                               ctx->error_depth = i;
+                               ctx->current_cert = x;
+                               ok=cb(0,ctx);
+                               if (!ok) goto end;
+                               }
+                       proxy_path_length++;
+                       must_be_ca = 0;
+                       }
+               else
+                       must_be_ca = 1;
                }
        ok = 1;
  end:
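Review bot: The new `if (x->ex_flags & EXFLAG_PROXY)` branch sets `must_be_ca = 0` for every caller of chain verification, and nothing in the visible hunks makes acceptance of proxy certificates opt-in. A proxy certificate is issued by an end-entity key rather than a CA, so an application that never looks at proxyCertInfo would, as far as this hunk shows, accept a chain that ends in one without having agreed to RFC 3820 semantics. I would gate this branch on a verification flag that defaults to off and raise a distinct verify error when the flag is absent; later OpenSSL releases do this with `X509_V_FLAG_ALLOW_PROXY_CERTS`. check_chain_extensions starts and ends outside this hunk, and the code that sets EXFLAG_PROXY is not shown here, so a gate may exist there.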
index 5f49c2a..33ace72 100644 (file)
@@ -323,10 +323,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define                X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35
 #define                X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION     36
 #define                X509_V_ERR_INVALID_NON_CA                       37
+#define                X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED           38
+#define                X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE        39
 
-#define                X509_V_ERR_INVALID_EXTENSION                    38
-#define                X509_V_ERR_INVALID_POLICY_EXTENSION             39
-#define                X509_V_ERR_NO_EXPLICIT_POLICY                   40
+#define                X509_V_ERR_INVALID_EXTENSION                    40
+#define                X509_V_ERR_INVALID_POLICY_EXTENSION             41
+#define                X509_V_ERR_NO_EXPLICIT_POLICY                   42
 
 
 /* The application is not happy */
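Review bot: Putting the two new codes at 38 and 39 renumbers `X509_V_ERR_INVALID_EXTENSION`, `X509_V_ERR_INVALID_POLICY_EXTENSION` and `X509_V_ERR_NO_EXPLICIT_POLICY` from 38–40 to 40–42. If those values have already reached applications, a binary or verify callback built against the old header would match or log the wrong failure reason for a rejected chain. Appending the new codes after the existing ones keeps the published numbers stable. If the renumbering is deliberate, for example to stay aligned with another branch, a comment such as `/* 38 and 39 match the values used on the stable branch */` above the two new defines would record why.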
index 57c236e..f913011 100644 (file)
@@ -26,13 +26,13 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=        v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
 v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
 v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c pcy_cache.c pcy_node.c \
-pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
+v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
+pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
 v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o pcy_cache.o pcy_node.o \
-pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o
+v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
+pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o
 
 SRC= $(LIBSRC)
 
@@ -410,6 +410,32 @@ v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c
+v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+v3_pci.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+v3_pci.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+v3_pci.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pci.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pci.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pci.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pci.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pci.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pci.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pci.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_pci.c
+v3_pcia.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+v3_pcia.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_pcia.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+v3_pcia.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+v3_pcia.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pcia.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pcia.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pcia.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_pcia.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_pcia.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_pcia.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_pcia.o: ../../include/openssl/x509v3.h v3_pcia.c
 v3_pcons.o: ../../e_os.h ../../include/openssl/asn1.h
 v3_pcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_pcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
index 7be8565..3ee4bff 100644 (file)
@@ -64,7 +64,7 @@ extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
 extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
 extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp;
 
@@ -112,6 +112,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 #ifndef OPENSSL_NO_OCSP
 &v3_crl_hold,
 #endif
+&v3_pci,
 &v3_policy_mappings,
 &v3_name_constraints,
 &v3_inhibit_anyp
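Review bot: `&v3_pci` is inserted ahead of `&v3_policy_mappings`, but this commit gives NID_proxyCertInfo the value 747, while every pre-existing extension has a NID below 746 (NUM_NID was 746 before the change). If standard_exts is looked up by binary search on ext_nid, as I believe it is (the lookup code is not visible here), the table is no longer sorted and some extension lookups can miss. A missed lookup can surface as an unhandled critical extension or as an extension that is silently not processed. Moving the new entry to the end keeps NID order: `&v3_inhibit_anyp,` followed by `&v3_pci`. The table's opening lines and any ordering comment lie outside this hunk.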
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
new file mode 100644 (file)
index 0000000..42fb0d7
--- /dev/null
@@ -0,0 +1,307 @@
+/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */
+/* Contributed to the OpenSSL Project 2004
+ * by Richard Levitte (richard@levitte.org)
+ */
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
+       BIO *out, int indent);
+static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
+       X509V3_CTX *ctx, char *str);
+
+X509V3_EXT_METHOD v3_pci =
+       { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
+         0,0,0,0,
+         0,0,
+         NULL, NULL,
+         (X509V3_EXT_I2R)i2r_pci,
+         (X509V3_EXT_R2I)r2i_pci,
+         NULL,
+       };
+
+static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci,
+       BIO *out, int indent)
+       {
+       BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
+       if (pci->pcPathLengthConstraint)
+         i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
+       else
+         BIO_printf(out, "infinite");
+       BIO_puts(out, "\n");
+       BIO_printf(out, "%*sPolicy Language: ", indent, "");
+       i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
+       BIO_puts(out, "\n");
+       if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
+         BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+                    pci->proxyPolicy->policy->data);
+       return 1;
+       }
+
+static int process_pci_value(CONF_VALUE *val,
+       ASN1_OBJECT **language, ASN1_INTEGER **pathlen,
+       ASN1_OCTET_STRING **policy)
+       {
+       int free_policy = 0;
+
+       if (strcmp(val->name, "language") == 0)
+               {
+               if (*language)
+                       {
+                       X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED);
+                       X509V3_conf_err(val);
+                       return 0;
+                       }
+               if (!(*language = OBJ_txt2obj(val->value, 0)))
+                       {
+                       X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                       X509V3_conf_err(val);
+                       return 0;
+                       }
+               }
+       else if (strcmp(val->name, "pathlen") == 0)
+               {
+               if (*pathlen)
+                       {
+                       X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED);
+                       X509V3_conf_err(val);
+                       return 0;
+                       }
+               if (!X509V3_get_value_int(val, pathlen))
+                       {
+                       X509V3err(X509V3_F_R2I_PCI,X509V3_R_POLICY_PATH_LENGTH);
+                       X509V3_conf_err(val);
+                       return 0;
+                       }
+               }
+       else if (strcmp(val->name, "policy") == 0)
+               {
+               unsigned char *tmp_data = NULL;
+               long val_len;
+               if (!*policy)
+                       {
+                       *policy = ASN1_OCTET_STRING_new();
+                       if (!*policy)
+                               {
+                               X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+                               X509V3_conf_err(val);
+                               return 0;
+                               }
+                       free_policy = 1;
+                       }
+               if (strncmp(val->value, "hex:", 4) == 0)
+                       {
+                       unsigned char *tmp_data2 =
+                               string_to_hex(val->value + 4, &val_len);
+
+                       if (!tmp_data2) goto err;
+
+                       tmp_data = OPENSSL_realloc((*policy)->data,
+                               (*policy)->length + val_len + 1);
+                       if (tmp_data)
+                               {
+                               (*policy)->data = tmp_data;
+                               memcpy(&(*policy)->data[(*policy)->length],
+                                       tmp_data2, val_len);
+                               (*policy)->length += val_len;
+                               (*policy)->data[(*policy)->length] = '\0';
+                               }
+                       }
+               else if (strncmp(val->value, "file:", 5) == 0)
+                       {
+                       unsigned char buf[2048];
+                       int n;
+                       BIO *b = BIO_new_file(val->value + 5, "r");
+                       if (!b)
+                               {
+                               X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB);
+                               X509V3_conf_err(val);
+                               goto err;
+                               }
+                       while((n = BIO_read(b, buf, sizeof(buf))) > 0
+                               || (n == 0 && BIO_should_retry(b)))
+                               {
+                               if (!n) continue;
+
+                               tmp_data = OPENSSL_realloc((*policy)->data,
+                                       (*policy)->length + n + 1);
+
+                               if (!tmp_data)
+                                       break;
+
+                               (*policy)->data = tmp_data;
+                               memcpy(&(*policy)->data[(*policy)->length],
+                                       buf, n);
+                               (*policy)->length += n;
+                               (*policy)->data[(*policy)->length] = '\0';
+                               }
+
+                       if (n < 0)
+                               {
+                               X509V3err(X509V3_F_R2I_PCI,ERR_R_BIO_LIB);
+                               X509V3_conf_err(val);
+                               goto err;
+                               }
+                       }
+               else if (strncmp(val->value, "text:", 5) == 0)
+                       {
+                       val_len = strlen(val->value + 5);
+                       tmp_data = OPENSSL_realloc((*policy)->data,
+                               (*policy)->length + val_len + 1);
+                       if (tmp_data)
+                               {
+                               (*policy)->data = tmp_data;
+                               memcpy(&(*policy)->data[(*policy)->length],
+                                       val->value + 5, val_len);
+                               (*policy)->length += val_len;
+                               (*policy)->data[(*policy)->length] = '\0';
+                               }
+                       }
+               else
+                       {
+                       X509V3err(X509V3_F_R2I_PCI,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
+                       X509V3_conf_err(val);
+                       goto err;
+                       }
+               if (!tmp_data)
+                       {
+                       X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+                       X509V3_conf_err(val);
+                       goto err;
+                       }
+               }
+       return 1;
+err:
+       if (free_policy)
+               {
+               ASN1_OCTET_STRING_free(*policy);
+               *policy = NULL;
+               }
+       return 0;
+       }
+
+static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
+       X509V3_CTX *ctx, char *value)
+       {
+       PROXY_CERT_INFO_EXTENSION *pci = NULL;
+       STACK_OF(CONF_VALUE) *vals;
+       ASN1_OBJECT *language = NULL;
+       ASN1_INTEGER *pathlen = NULL;
+       ASN1_OCTET_STRING *policy = NULL;
+       int i, j;
+
+       vals = X509V3_parse_list(value);
+       for (i = 0; i < sk_CONF_VALUE_num(vals); i++)
+               {
+               CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
+               if (!cnf->name || (*cnf->name != '@' && !cnf->value))
+                       {
+                       X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_PROXY_POLICY_SETTING);
+                       X509V3_conf_err(cnf);
+                       goto err;
+                       }
+               if (*cnf->name == '@')
+                       {
+                       STACK_OF(CONF_VALUE) *sect;
+                       int success_p = 1;
+
+                       sect = X509V3_get_section(ctx, cnf->name + 1);
+                       if (!sect)
+                               {
+                               X509V3err(X509V3_F_R2I_PCI,X509V3_R_INVALID_SECTION);
+                               X509V3_conf_err(cnf);
+                               goto err;
+                               }
+                       for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++)
+                               {
+                               success_p =
+                                       process_pci_value(sk_CONF_VALUE_value(sect, j),
+                                               &language, &pathlen, &policy);
+                               }
+                       X509V3_section_free(ctx, sect);
+                       if (!success_p)
+                               goto err;
+                       }
+               else
+                       {
+                       if (!process_pci_value(cnf,
+                                       &language, &pathlen, &policy))
+                               {
+                               X509V3_conf_err(cnf);
+                               goto err;
+                               }
+                       }
+               }
+
+       /* Language is mandatory */
+       if (!language)
+               {
+               X509V3err(X509V3_F_R2I_PCI,X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
+               goto err;
+               }
+
+       pci = PROXY_CERT_INFO_EXTENSION_new();
+       if (!pci)
+               {
+               X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+               goto err;
+               }
+       pci->proxyPolicy = PROXY_POLICY_new();
+       if (!pci->proxyPolicy)
+               {
+               X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+               goto err;
+               }
+
+       pci->proxyPolicy->policyLanguage = language; language = NULL;
+       pci->proxyPolicy->policy = policy; policy = NULL;
+       pci->pcPathLengthConstraint = pathlen; pathlen = NULL;
+       goto end;
+err:
+       if (language) { ASN1_OBJECT_free(language); language = NULL; }
+       if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
+       if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
+       if (pci && pci->proxyPolicy)
+               {
+               PROXY_POLICY_free(pci->proxyPolicy);
+               pci->proxyPolicy = NULL;
+               }
+       if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
+end:
+       sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+       return pci;
+       }
diff --git a/crypto/x509v3/v3_pcia.c b/crypto/x509v3/v3_pcia.c
new file mode 100644 (file)
index 0000000..bb362e0
--- /dev/null
@@ -0,0 +1,55 @@
+/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */
+/* Contributed to the OpenSSL Project 2004
+ * by Richard Levitte (richard@levitte.org)
+ */
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+
+ASN1_SEQUENCE(PROXY_POLICY) =
+       {
+       ASN1_SIMPLE(PROXY_POLICY,policyLanguage,ASN1_OBJECT),
+       ASN1_OPT(PROXY_POLICY,policy,ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(PROXY_POLICY)
+
+IMPLEMENT_ASN1_FUNCTIONS(PROXY_POLICY)
+
+ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION) =
+       {
+       ASN1_OPT(PROXY_CERT_INFO_EXTENSION,pcPathLengthConstraint,ASN1_INTEGER),
+       ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION,proxyPolicy,PROXY_POLICY)
+} ASN1_SEQUENCE_END(PROXY_CERT_INFO_EXTENSION)
+
+IMPLEMENT_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
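Review bot: Neither template has a comment tying it to the ASN.1 it implements, and `pcPathLengthConstraint` is declared as a plain `ASN1_INTEGER`, so the non-negative range RFC 3820 gives for the path length is not enforced at decode time. I would add a comment above each `ASN1_SEQUENCE` naming the RFC 3820 structure it mirrors, and `/* range (0..MAX) is not checked here; consumers must reject negative values */` on the path length field. The closing brace of both templates sits at column 0 while the opening brace is indented, which is worth aligning.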
index a60d41b..9f992c9 100644 (file)
@@ -285,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
                NID_key_usage,          /* 83 */
                NID_subject_alt_name,   /* 85 */
                NID_basic_constraints,  /* 87 */
-               NID_ext_key_usage       /* 126 */
+               NID_ext_key_usage,      /* 126 */
+               NID_proxyCertInfo       /* 661 */
        };
 
        int ex_nid;
@@ -306,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
 static void x509v3_cache_extensions(X509 *x)
 {
        BASIC_CONSTRAINTS *bs;
+       PROXY_CERT_INFO_EXTENSION *pci;
        ASN1_BIT_STRING *usage;
        ASN1_BIT_STRING *ns;
        EXTENDED_KEY_USAGE *extusage;
@@ -334,6 +336,18 @@ static void x509v3_cache_extensions(X509 *x)
                BASIC_CONSTRAINTS_free(bs);
                x->ex_flags |= EXFLAG_BCONS;
        }
+       /* Handle proxy certificates */
+       if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+               if (x->ex_flags & EXFLAG_CA) {
+                       x->ex_flags |= EXFLAG_INVALID;
+               }
+               if (pci->pcPathLengthConstraint) {
+                       x->ex_pcpathlen =
+                               ASN1_INTEGER_get(pci->pcPathLengthConstraint);
+               } else x->ex_pcpathlen = -1;
+               PROXY_CERT_INFO_EXTENSION_free(pci);
+               x->ex_flags |= EXFLAG_PROXY;
+       }
        /* Handle key usage */
        if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
                if(usage->length > 0) {
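Review bot: A negative `pcPathLengthConstraint` is copied into `x->ex_pcpathlen` unchanged, and -1 is also the value chosen for "no constraint", so an encoded -1 cannot be told apart from an unconstrained proxy. How the field is consumed is outside this hunk, but the safer choice is to mark the certificate invalid at this point: `if (pci->pcPathLengthConstraint->type == V_ASN1_NEG_INTEGER) x->ex_flags |= EXFLAG_INVALID;` before the assignment. The unbraced `} else x->ex_pcpathlen = -1;` also departs from the braced branches around it. x509v3_cache_extensions starts and ends outside the hunk.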
@@ -623,7 +637,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
                                return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
                }
        }
-       if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+       if(subject->ex_flags & EXFLAG_PROXY)
+               {
+               if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+                       return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+               }
+       else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
+               return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
        return X509_V_OK;
 }
 
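Review bot: The new branch on `subject->ex_flags & EXFLAG_PROXY` lets a flag derived from the subject's own extension decide which key-usage bit the issuer must have, and nothing here records why. A comment above the test would state the intent, for example `/* RFC 3820: a proxy certificate is issued by an end-entity or another proxy, which signs with digitalSignature, not keyCertSign */`. It should also say that this function only relaxes the issuer check and that accepting proxy certificates at all has to be decided by the caller, presumably in the chain verification code outside this hunk. The start of X509_check_issued is outside the hunk.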
index 2e21079..ac96c3f 100644 (file)
@@ -81,6 +81,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_NREF_NOS,0),      "NREF_NOS"},
 {ERR_PACK(0,X509V3_F_POLICY_SECTION,0),        "POLICY_SECTION"},
 {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),   "R2I_CERTPOL"},
+{ERR_PACK(0,X509V3_F_R2I_PCI,0),       "R2I_PCI"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),    "S2I_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),      "s2i_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0), "s2i_ASN1_OCTET_STRING"},
@@ -138,6 +139,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
 {X509V3_R_ILLEGAL_EMPTY_EXTENSION        ,"illegal empty extension"},
 {X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
+{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG    ,"incorrect policy syntax tag"},
 {X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
 {X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
 {X509V3_R_INVALID_NAME                   ,"invalid name"},
@@ -149,6 +151,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
 {X509V3_R_INVALID_OPTION                 ,"invalid option"},
 {X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_SETTING   ,"invalid proxy policy setting"},
 {X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
 {X509V3_R_INVALID_SECTION                ,"invalid section"},
 {X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
@@ -159,11 +162,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
 {X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
 {X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
+{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
 {X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
 {X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
 {X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
 {X509V3_R_OPERATION_NOT_DEFINED          ,"operation not defined"},
 {X509V3_R_OTHERNAME_ERROR                ,"othername error"},
+{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
+{X509V3_R_POLICY_PATH_LENGTH             ,"policy path length"},
+{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
+{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
 {X509V3_R_SECTION_NOT_FOUND              ,"section not found"},
 {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
 {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
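Review bot: `ALREADTY` is misspelled in two of the new reason entries and in their messages (`"policy language alreadty defined"`, `"policy path length alreadty defined"`). The same spelling is used for the `X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED` and `X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED` defines added to x509v3.h later in this commit. Once released these are public macro names and user-visible error text, so a later rename costs compatibility. I would spell them `..._ALREADY_DEFINED` and `"... already defined"` now, at whatever source these names are taken from. The reasons table continues outside the hunk.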
index 4ade7cf..c1662e2 100644 (file)
@@ -313,6 +313,23 @@ typedef struct POLICY_CONSTRAINTS_st {
        ASN1_INTEGER *inhibitPolicyMapping;
 } POLICY_CONSTRAINTS;
 
+/* Proxy certificate structures, see RFC 3820 */
+typedef struct PROXY_POLICY_st
+       {
+       ASN1_OBJECT *policyLanguage;
+       ASN1_OCTET_STRING *policy;
+       } PROXY_POLICY;
+
+typedef struct PROXY_CERT_INFO_EXTENSION_st
+       {
+       ASN1_INTEGER *pcPathLengthConstraint;
+       PROXY_POLICY *proxyPolicy;
+       } PROXY_CERT_INFO_EXTENSION;
+
+DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
+DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
+
+
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
 
@@ -351,6 +368,7 @@ typedef struct POLICY_CONSTRAINTS_st {
 #define EXFLAG_INVALID         0x80
 #define EXFLAG_SET             0x100
 #define EXFLAG_CRITICAL                0x200
+#define EXFLAG_PROXY           0x400
 
 #define EXFLAG_INVALID_POLICY  0x400
 
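Review bot: `EXFLAG_PROXY` is given the value 0x400, which `EXFLAG_INVALID_POLICY` already has two lines below, so the two flags share a bit in `ex_flags`. Wherever both are consulted, a certificate marked as a proxy would also test as having an invalid policy, and the reverse. One of them needs its own bit, for example `#define EXFLAG_INVALID_POLICY 0x800` if no flag outside this hunk already uses that value, or another free bit for `EXFLAG_PROXY`.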
@@ -631,6 +649,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_NREF_NOS                               133
 #define X509V3_F_POLICY_SECTION                                 131
 #define X509V3_F_R2I_CERTPOL                            130
+#define X509V3_F_R2I_PCI                                149
 #define X509V3_F_S2I_ASN1_IA5STRING                     100
 #define X509V3_F_S2I_ASN1_INTEGER                       108
 #define X509V3_F_S2I_ASN1_OCTET_STRING                  112
@@ -685,6 +704,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_EXTENSION_VALUE_ERROR                  116
 #define X509V3_R_ILLEGAL_EMPTY_EXTENSION                151
 #define X509V3_R_ILLEGAL_HEX_DIGIT                      113
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG            152
 #define X509V3_R_INVALID_BOOLEAN_STRING                         104
 #define X509V3_R_INVALID_EXTENSION_STRING               105
 #define X509V3_R_INVALID_NAME                           106
@@ -696,6 +716,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER              110
 #define X509V3_R_INVALID_OPTION                                 138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER              134
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING           153
 #define X509V3_R_INVALID_PURPOSE                        146
 #define X509V3_R_INVALID_SECTION                        135
 #define X509V3_R_INVALID_SYNTAX                                 143
@@ -706,11 +727,16 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_NO_ISSUER_CERTIFICATE                  121
 #define X509V3_R_NO_ISSUER_DETAILS                      127
 #define X509V3_R_NO_POLICY_IDENTIFIER                   139
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED  154
 #define X509V3_R_NO_PUBLIC_KEY                          114
 #define X509V3_R_NO_SUBJECT_DETAILS                     125
 #define X509V3_R_ODD_NUMBER_OF_DIGITS                   112
 #define X509V3_R_OPERATION_NOT_DEFINED                  148
 #define X509V3_R_OTHERNAME_ERROR                        147
+#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED       155
+#define X509V3_R_POLICY_PATH_LENGTH                     156
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED    157
+#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED  158
 #define X509V3_R_SECTION_NOT_FOUND                      150
 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS           122
 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID             123
index 0884fee..20f8f05 100644 (file)
@@ -71,4 +71,6 @@ emailAddress          = optional
 [ v3_ca ]
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true
+basicConstraints = CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
index 7b7b7a8..b49dec0 100644 (file)
@@ -274,17 +274,23 @@ test_gen:
        @echo "Generate and verify a certificate request"
        @$(SET_SO_PATHS); sh ./testgen
 
-test_ss keyU.ss certU.ss certCA.ss: testss
+test_ss keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
+               intP1.ss intP2.ss: testss
        @echo "Generate and certify a test certificate"
        @$(SET_SO_PATHS); sh ./testss
+       @cat certCA.ss certU.ss > intP1.ss
+       @cat certCA.ss certU.ss certP1.ss > intP2.ss
 
 test_engine: 
        @echo "Manipulate the ENGINE structures"
        $(SET_SO_PATHS); ./$(ENGINETEST)
 
-test_ssl: keyU.ss certU.ss certCA.ss
+test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
+               intP1.ss intP2.ss
        @echo "test SSL protocol"
        @$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss
+       @$(SET_SO_PATHS); sh ./testssl keyP1.ss certP1.ss intP1.ss
+       @$(SET_SO_PATHS); sh ./testssl keyP2.ss certP2.ss intP2.ss
 
 test_ca:
        @$(SET_SO_PATHS); if ../apps/openssl no-rsa; then \
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
new file mode 100644 (file)
index 0000000..864e4d2
--- /dev/null
@@ -0,0 +1,37 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE               = ./.rnd
+
+####################################################################
+[ req ]
+default_bits           = 512
+default_keyfile        = keySS.pem
+distinguished_name     = req_distinguished_name
+encrypt_rsa_key                = no
+default_md             = md2
+
+[ req_distinguished_name ]
+countryName                    = Country Name (2 letter code)
+countryName_default            = AU
+countryName_value              = AU
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+
+0.commonName                   = Common Name (eg, YOUR name)
+0.commonName_value             = Brother 1
+
+1.commonName                   = Common Name (eg, YOUR name)
+1.commonName_value             = Brother 2
+
+2.commonName                   = Common Name (eg, YOUR name)
+2.commonName_value             = Proxy 1
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:foo
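Review bot: The file header is still the generic request-example text, and nothing explains why `req_distinguished_name` lists three commonName entries. RFC 3820 requires a proxy certificate's subject to be the issuer's subject with a single CN appended, so the first two CNs have to stay in step with the user certificate's subject and only `Proxy 1` is new. A comment such as `# subject = issuing user's DN (Brother 1, Brother 2) + one proxy CN, see RFC 3820` would keep a later edit from breaking the test chain. The same applies to test/P2ss.cnf, which appends `Proxy 2`. The 512-bit key and `md2` digest are only acceptable as throwaway test fixtures and are worth labelling as such.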
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
new file mode 100644 (file)
index 0000000..04a76cd
--- /dev/null
@@ -0,0 +1,45 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+RANDFILE               = ./.rnd
+
+####################################################################
+[ req ]
+default_bits           = 512
+default_keyfile        = keySS.pem
+distinguished_name     = req_distinguished_name
+encrypt_rsa_key                = no
+default_md             = md2
+
+[ req_distinguished_name ]
+countryName                    = Country Name (2 letter code)
+countryName_default            = AU
+countryName_value              = AU
+
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+
+0.commonName                   = Common Name (eg, YOUR name)
+0.commonName_value             = Brother 1
+
+1.commonName                   = Common Name (eg, YOUR name)
+1.commonName_value             = Brother 2
+
+2.commonName                   = Common Name (eg, YOUR name)
+2.commonName_value             = Proxy 1
+
+3.commonName                   = Common Name (eg, YOUR name)
+3.commonName_value             = Proxy 2
+
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:bar
index c89692d..0c0ebb5 100644 (file)
@@ -26,3 +26,11 @@ organizationName_value          = Dodgy Brothers
 
 1.commonName                   = Common Name (eg, YOUR name)
 1.commonName_value             = Brother 2
+
+[ v3_ee ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+issuerAltName=issuer:copy
+
index 8d3557f..e71510b 100644 (file)
@@ -17,6 +17,18 @@ Ukey="keyU.ss"
 Ureq="reqU.ss"
 Ucert="certU.ss"
 
+P1conf="P1ss.cnf"
+P1key="keyP1.ss"
+P1req="reqP1.ss"
+P1cert="certP1.ss"
+P1intermediate="tmp_intP1.ss"
+
+P2conf="P2ss.cnf"
+P2key="keyP2.ss"
+P2req="reqP2.ss"
+P2cert="certP2.ss"
+P2intermediate="tmp_intP2.ss"
+
 echo
 echo "make a certificate request using 'req'"
 
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
 fi
 echo
 echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
 if [ $? != 0 ]; then
        echo "error using 'x509' to self sign a certificate request"
        exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
 fi
 
 echo
-echo "make another certificate request using 'req'"
+echo "make a user certificate request using 'req'"
 $reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
 if [ $? != 0 ]; then
-       echo "error using 'req' to generate a certificate request"
+       echo "error using 'req' to generate a user certificate request"
        exit 1
 fi
 
 echo
-echo "sign certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
+echo "sign user certificate request with the just created CA via 'x509'"
+$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
 if [ $? != 0 ]; then
-       echo "error using 'x509' to sign a certificate request"
+       echo "error using 'x509' to sign a user certificate request"
        exit 1
 fi
 
@@ -88,6 +100,50 @@ echo
 echo "Certificate details"
 $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
 
+echo
+echo "make a proxy certificate request using 'req'"
+$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
+if [ $? != 0 ]; then
+       echo "error using 'req' to generate a proxy certificate request"
+       exit 1
+fi
+
+echo
+echo "sign proxy certificate request with the just created user certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+       echo "error using 'x509' to sign a proxy certificate request"
+       exit 1
+fi
+
+cat $Ucert > $P1intermediate
+$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
+
+echo
+echo "make another proxy certificate request using 'req'"
+$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
+if [ $? != 0 ]; then
+       echo "error using 'req' to generate another proxy certificate request"
+       exit 1
+fi
+
+echo
+echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+       echo "error using 'x509' to sign a second proxy certificate request"
+       exit 1
+fi
+
+cat $Ucert $P1cert > $P2intermediate
+$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
+
 echo
 echo The generated CA certificate is $CAcert
 echo The generated CA private key is $CAkey
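Review bot: Neither `$verifycmd` call on the proxy chains has its exit status checked, unlike the `req` and `x509` steps around it, so the script still reaches `exit 0` when proxy chain verification fails. These two calls are the only place in this script where the new chain handling is exercised, so I would follow each with `if [ $? != 0 ]; then echo "error verifying a proxy certificate"; exit 1; fi`. It is also worth confirming that the verify command returns non-zero on a failed verification in this tree. `$verifycmd` is defined outside the hunk, so check as well that it enables proxy certificates if the verifier needs an explicit opt-in.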
@@ -95,5 +151,13 @@ echo The generated CA private key is $CAkey
 echo The generated user certificate is $Ucert
 echo The generated user private key is $Ukey
 
+echo The first generated proxy certificate is $P1cert
+echo The first generated proxy private key is $P1key
+
+echo The second generated proxy certificate is $P2cert
+echo The second generated proxy private key is $P2key
+
 /bin/rm err.ss
+#/bin/rm $P1intermediate
+#/bin/rm $P2intermediate
 exit 0
index 674b07b..30beee2 100755 (executable)
@@ -2843,448 +2843,460 @@ FIPS_mode                               3283  NOEXIST::FUNCTION:
 FIPS_selftest_failed                    3284   NOEXIST::FUNCTION:
 sk_is_sorted                            3285   EXIST::FUNCTION:
 X509_check_ca                           3286   EXIST::FUNCTION:
-ERR_set_mark                            3287   EXIST::FUNCTION:
-X509_STORE_CTX_set0_crls                3288   EXIST::FUNCTION:
-ENGINE_set_STORE                        3289   EXIST::FUNCTION:ENGINE
-ENGINE_register_ECDSA                   3290   EXIST::FUNCTION:ENGINE
-STORE_method_set_list_start_function    3291   EXIST:!VMS:FUNCTION:
-STORE_meth_set_list_start_fn            3291   EXIST:VMS:FUNCTION:
-NAME_CONSTRAINTS_free                   3292   EXIST::FUNCTION:
-STORE_ATTR_INFO_set_number              3293   EXIST::FUNCTION:
-X509_STORE_CTX_set0_param               3294   EXIST::FUNCTION:
-POLICY_MAPPING_it                       3295   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-POLICY_MAPPING_it                       3295   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-STORE_parse_attrs_start                 3296   EXIST::FUNCTION:
-POLICY_CONSTRAINTS_free                 3297   EXIST::FUNCTION:
-BN_nist_mod_192                         3298   EXIST::FUNCTION:
-EC_GROUP_get_trinomial_basis            3299   EXIST::FUNCTION:EC
-STORE_set_method                        3300   EXIST::FUNCTION:
-EVP_aes_256_cfb128                      3301   EXIST::FUNCTION:AES
-GENERAL_SUBTREE_free                    3302   EXIST::FUNCTION:
-NAME_CONSTRAINTS_it                     3303   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-NAME_CONSTRAINTS_it                     3303   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ECDH_get_default_method                 3304   EXIST::FUNCTION:ECDH
-PKCS12_add_safe                         3305   EXIST::FUNCTION:
-STORE_method_get_update_store_function  3306   EXIST:!VMS:FUNCTION:
-STORE_meth_get_update_store_fn          3306   EXIST:VMS:FUNCTION:
-ENGINE_register_ECDH                    3307   EXIST::FUNCTION:ENGINE
-EVP_sha384                              3308   EXIST::FUNCTION:SHA,SHA512
-SHA512_Update                           3309   EXIST::FUNCTION:SHA,SHA512
-i2d_ECPrivateKey                        3310   EXIST::FUNCTION:EC
-BN_get0_nist_prime_192                  3311   EXIST::FUNCTION:
-STORE_modify_certificate                3312   EXIST::FUNCTION:
-EC_POINT_set_affine_coordinates_GF2m    3313   EXIST:!VMS:FUNCTION:EC
-EC_POINT_set_affine_coords_GF2m         3313   EXIST:VMS:FUNCTION:EC
-BN_GF2m_mod_exp_arr                     3314   EXIST::FUNCTION:
-STORE_ATTR_INFO_modify_number           3315   EXIST::FUNCTION:
-X509_keyid_get0                         3316   EXIST::FUNCTION:
-EC_GROUP_new_by_nid                     3317   EXIST::FUNCTION:EC
-ENGINE_load_gmp                         3318   EXIST::FUNCTION:ENGINE,STATIC_ENGINE
-BN_GF2m_mod_mul_arr                     3319   EXIST::FUNCTION:
-STORE_list_public_key_endp              3320   EXIST::FUNCTION:
-o2i_ECPublicKey                         3321   EXIST::FUNCTION:EC
-EC_KEY_copy                             3322   EXIST::FUNCTION:EC
-BIO_dump_fp                             3323   EXIST::FUNCTION:FP_API
-X509_policy_node_get0_parent            3324   EXIST::FUNCTION:
-EC_GROUP_check_discriminant             3325   EXIST::FUNCTION:EC
-i2o_ECPublicKey                         3326   EXIST::FUNCTION:EC
-a2i_IPADDRESS                           3327   EXIST::FUNCTION:
-STORE_method_set_initialise_function    3328   EXIST:!VMS:FUNCTION:
-STORE_meth_set_initialise_fn            3328   EXIST:VMS:FUNCTION:
-X509_STORE_CTX_set_depth                3329   EXIST::FUNCTION:
-X509_VERIFY_PARAM_inherit               3330   EXIST::FUNCTION:
-EC_POINT_point2bn                       3331   EXIST::FUNCTION:EC
-STORE_ATTR_INFO_set_dn                  3332   EXIST::FUNCTION:
-X509_policy_tree_get0_policies          3333   EXIST::FUNCTION:
-EC_GROUP_new_curve_GF2m                 3334   EXIST::FUNCTION:EC
-STORE_destroy_method                    3335   EXIST::FUNCTION:
-ENGINE_unregister_STORE                 3336   EXIST::FUNCTION:ENGINE
-EVP_PKEY_get1_EC_KEY                    3337   EXIST::FUNCTION:EC
-STORE_ATTR_INFO_get0_number             3338   EXIST::FUNCTION:
-ENGINE_get_default_ECDH                 3339   EXIST::FUNCTION:ENGINE
-ASN1_OCTET_STRING_NDEF_it               3340   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-ASN1_OCTET_STRING_NDEF_it               3340   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-STORE_delete_public_key                 3341   EXIST::FUNCTION:
-STORE_get_public_key                    3342   EXIST::FUNCTION:
-STORE_modify_arbitrary                  3343   EXIST::FUNCTION:
-ENGINE_get_static_state                 3344   EXIST::FUNCTION:ENGINE
-ECDSA_SIG_new                           3345   EXIST::FUNCTION:ECDSA
-OPENSSL_DIR_end                         3346   EXIST::FUNCTION:
-BN_GF2m_mod_sqr                         3347   EXIST::FUNCTION:
-EC_POINT_bn2point                       3348   EXIST::FUNCTION:EC
-X509_VERIFY_PARAM_set_depth             3349   EXIST::FUNCTION:
-STORE_get_method                        3350   EXIST::FUNCTION:
-STORE_parse_attrs_end                   3351   EXIST::FUNCTION:
-EC_GROUP_get_point_conversion_form      3352   EXIST:!VMS:FUNCTION:EC
-EC_GROUP_get_point_conv_form            3352   EXIST:VMS:FUNCTION:EC
-STORE_method_set_store_function         3353   EXIST::FUNCTION:
-STORE_ATTR_INFO_in                      3354   EXIST::FUNCTION:
-PEM_read_bio_ECPKParameters             3355   EXIST::FUNCTION:EC
-EC_GROUP_get_pentanomial_basis          3356   EXIST::FUNCTION:EC
-X509_VERIFY_PARAM_set1_policies         3357   EXIST::FUNCTION:
-EVP_sha512                              3358   EXIST::FUNCTION:SHA,SHA512
-X509_VERIFY_PARAM_set1_name             3359   EXIST::FUNCTION:
-X509_VERIFY_PARAM_set_purpose           3360   EXIST::FUNCTION:
-EC_GROUP_get_nid                        3361   EXIST::FUNCTION:EC
-STORE_get_number                        3362   EXIST::FUNCTION:
-ECDSA_sign_setup                        3363   EXIST::FUNCTION:ECDSA
-BN_GF2m_mod_solve_quad_arr              3364   EXIST::FUNCTION:
-EC_KEY_up_ref                           3365   EXIST::FUNCTION:EC
-POLICY_MAPPING_free                     3366   EXIST::FUNCTION:
-BN_GF2m_mod_div                         3367   EXIST::FUNCTION:
-X509_VERIFY_PARAM_set_flags             3368   EXIST::FUNCTION:
-EC_KEY_free                             3369   EXIST::FUNCTION:EC
-STORE_method_set_list_next_function     3370   EXIST:!VMS:FUNCTION:
-STORE_meth_set_list_next_fn             3370   EXIST:VMS:FUNCTION:
-PEM_write_bio_ECPrivateKey              3371   EXIST::FUNCTION:EC
-d2i_EC_PUBKEY                           3372   EXIST::FUNCTION:EC
-STORE_method_get_generate_function      3373   EXIST:!VMS:FUNCTION:
-STORE_meth_get_generate_fn              3373   EXIST:VMS:FUNCTION:
-STORE_method_set_list_end_function      3374   EXIST:!VMS:FUNCTION:
-STORE_meth_set_list_end_fn              3374   EXIST:VMS:FUNCTION:
-EC_GROUP_have_precompute_mult           3375   EXIST::FUNCTION:EC
-EC_KEY_print_fp                         3376   EXIST::FUNCTION:EC,FP_API
-BN_GF2m_mod_arr                         3377   EXIST::FUNCTION:
-PEM_write_bio_X509_CERT_PAIR            3378   EXIST::FUNCTION:
-EVP_PKEY_cmp                            3379   EXIST::FUNCTION:
-X509_policy_level_node_count            3380   EXIST::FUNCTION:
-STORE_new_engine                        3381   EXIST::FUNCTION:
-STORE_list_public_key_start             3382   EXIST::FUNCTION:
-X509_VERIFY_PARAM_new                   3383   EXIST::FUNCTION:
-ECDH_get_ex_data                        3384   EXIST::FUNCTION:ECDH
-ECDSA_do_sign                           3385   EXIST::FUNCTION:ECDSA
-ENGINE_unregister_ECDH                  3386   EXIST::FUNCTION:ENGINE
-ECDH_OpenSSL                            3387   EXIST::FUNCTION:ECDH
-EC_POINT_dup                            3388   EXIST::FUNCTION:EC
-GENERAL_SUBTREE_new                     3389   EXIST::FUNCTION:
-STORE_list_crl_endp                     3390   EXIST::FUNCTION:
-EC_get_builtin_curves                   3391   EXIST::FUNCTION:EC
-EVP_aes_128_cfb128                      3392   EXIST::FUNCTION:AES
-X509_policy_node_get0_qualifiers        3393   EXIST:!VMS:FUNCTION:
-X509_pcy_node_get0_qualifiers           3393   EXIST:VMS:FUNCTION:
-STORE_list_crl_end                      3394   EXIST::FUNCTION:
-EVP_PKEY_set1_EC_KEY                    3395   EXIST::FUNCTION:EC
-BN_GF2m_mod_sqrt_arr                    3396   EXIST::FUNCTION:
-i2d_ECPrivateKey_bio                    3397   EXIST::FUNCTION:BIO,EC
-ECPKParameters_print_fp                 3398   EXIST::FUNCTION:EC,FP_API
-ECDSA_SIG_free                          3399   EXIST::FUNCTION:ECDSA
-PEM_write_bio_ECPKParameters            3400   EXIST::FUNCTION:EC
-STORE_method_set_ctrl_function          3401   EXIST::FUNCTION:
-STORE_list_public_key_end               3402   EXIST::FUNCTION:
-EC_GROUP_set_nid                        3403   EXIST::FUNCTION:EC
-STORE_get_arbitrary                     3404   EXIST::FUNCTION:
-STORE_store_crl                         3405   EXIST::FUNCTION:
-X509_policy_node_get0_policy            3406   EXIST::FUNCTION:
-PKCS12_add_safes                        3407   EXIST::FUNCTION:
-X509_policy_tree_free                   3408   EXIST::FUNCTION:
-BN_GF2m_poly2arr                        3409   EXIST::FUNCTION:
-STORE_ctrl                              3410   EXIST::FUNCTION:
-EVP_sha224                              3411   EXIST::FUNCTION:SHA,SHA256
-STORE_ATTR_INFO_compare                 3412   EXIST::FUNCTION:
-BN_get0_nist_prime_224                  3413   EXIST::FUNCTION:
-i2d_ECParameters                        3414   EXIST::FUNCTION:EC
-i2d_ECPKParameters                      3415   EXIST::FUNCTION:EC
-BN_GENCB_call                           3416   EXIST::FUNCTION:
-BN_ncopy                                3417   EXIST::FUNCTION:
-d2i_ECPKParameters                      3418   EXIST::FUNCTION:EC
-STORE_method_set_generate_function      3419   EXIST:!VMS:FUNCTION:
-STORE_meth_set_generate_fn              3419   EXIST:VMS:FUNCTION:
-ENGINE_set_ECDH                         3420   EXIST::FUNCTION:ENGINE
-NAME_CONSTRAINTS_new                    3421   EXIST::FUNCTION:
-SHA256_Init                             3422   EXIST::FUNCTION:SHA,SHA256
-PEM_write_bio_EC_PUBKEY                 3423   EXIST::FUNCTION:EC
-STORE_ATTR_INFO_set_cstr                3424   EXIST::FUNCTION:
-STORE_list_crl_next                     3425   EXIST::FUNCTION:
-STORE_ATTR_INFO_in_range                3426   EXIST::FUNCTION:
-ECParameters_print                      3427   EXIST::FUNCTION:BIO,EC
-STORE_method_set_delete_function        3428   EXIST:!VMS:FUNCTION:
-STORE_meth_set_delete_fn                3428   EXIST:VMS:FUNCTION:
-STORE_list_certificate_next             3429   EXIST::FUNCTION:
-ASN1_generate_nconf                     3430   EXIST::FUNCTION:
-BUF_memdup                              3431   EXIST::FUNCTION:
-BN_GF2m_mod_mul                         3432   EXIST::FUNCTION:
-STORE_method_get_list_next_function     3433   EXIST:!VMS:FUNCTION:
-STORE_meth_get_list_next_fn             3433   EXIST:VMS:FUNCTION:
-STORE_ATTR_INFO_get0_dn                 3434   EXIST::FUNCTION:
-STORE_list_private_key_next             3435   EXIST::FUNCTION:
-EC_GROUP_set_seed                       3436   EXIST::FUNCTION:EC
-X509_VERIFY_PARAM_set_trust             3437   EXIST::FUNCTION:
-STORE_ATTR_INFO_free                    3438   EXIST::FUNCTION:
-STORE_get_private_key                   3439   EXIST::FUNCTION:
-STORE_ATTR_INFO_new                     3440   EXIST::FUNCTION:
-EC_GROUP_get_curve_GF2m                 3441   EXIST::FUNCTION:EC
-STORE_method_set_revoke_function        3442   EXIST:!VMS:FUNCTION:
-STORE_meth_set_revoke_fn                3442   EXIST:VMS:FUNCTION:
-STORE_store_number                      3443   EXIST::FUNCTION:
-BN_is_prime_ex                          3444   EXIST::FUNCTION:
-STORE_revoke_public_key                 3445   EXIST::FUNCTION:
-X509_STORE_CTX_get0_param               3446   EXIST::FUNCTION:
-STORE_delete_arbitrary                  3447   EXIST::FUNCTION:
-PEM_read_X509_CERT_PAIR                 3448   EXIST:!WIN16:FUNCTION:
-X509_STORE_set_depth                    3449   EXIST::FUNCTION:
-ECDSA_get_ex_data                       3450   EXIST::FUNCTION:ECDSA
-SHA224                                  3451   EXIST::FUNCTION:SHA,SHA256
-BIO_dump_indent_fp                      3452   EXIST::FUNCTION:FP_API
-BUF_strndup                             3453   EXIST::FUNCTION:
-STORE_list_certificate_start            3454   EXIST::FUNCTION:
-BN_GF2m_mod                             3455   EXIST::FUNCTION:
-X509_REQ_check_private_key              3456   EXIST::FUNCTION:
-EC_GROUP_get_seed_len                   3457   EXIST::FUNCTION:EC
-ERR_load_STORE_strings                  3458   EXIST::FUNCTION:
-PEM_read_bio_EC_PUBKEY                  3459   EXIST::FUNCTION:EC
-STORE_list_private_key_end              3460   EXIST::FUNCTION:
-i2d_EC_PUBKEY                           3461   EXIST::FUNCTION:EC
-ECDSA_get_default_method                3462   EXIST::FUNCTION:ECDSA
-ASN1_put_eoc                            3463   EXIST::FUNCTION:
-X509_STORE_CTX_get_explicit_policy      3464   EXIST:!VMS:FUNCTION:
-X509_STORE_CTX_get_expl_policy          3464   EXIST:VMS:FUNCTION:
-ECDSA_DATA_free                         3465   EXIST::FUNCTION:ECDSA
-X509_VERIFY_PARAM_table_cleanup         3466   EXIST::FUNCTION:
-STORE_modify_private_key                3467   EXIST::FUNCTION:
-X509_VERIFY_PARAM_free                  3468   EXIST::FUNCTION:
-EC_METHOD_get_field_type                3469   EXIST::FUNCTION:EC
-EC_GFp_nist_method                      3470   EXIST::FUNCTION:EC
-STORE_method_set_modify_function        3471   EXIST:!VMS:FUNCTION:
-STORE_meth_set_modify_fn                3471   EXIST:VMS:FUNCTION:
-STORE_parse_attrs_next                  3472   EXIST::FUNCTION:
-ENGINE_load_padlock                     3473   EXIST::FUNCTION:ENGINE
-X509_CERT_PAIR_it                       3474   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-X509_CERT_PAIR_it                       3474   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-STORE_method_get_revoke_function        3475   EXIST:!VMS:FUNCTION:
-STORE_meth_get_revoke_fn                3475   EXIST:VMS:FUNCTION:
-STORE_method_set_get_function           3476   EXIST::FUNCTION:
-STORE_modify_number                     3477   EXIST::FUNCTION:
-STORE_method_get_store_function         3478   EXIST::FUNCTION:
-STORE_store_private_key                 3479   EXIST::FUNCTION:
-BN_GF2m_mod_sqr_arr                     3480   EXIST::FUNCTION:
-STORE_Memory                            3481   EXIST::FUNCTION:
-sk_find_ex                              3482   EXIST::FUNCTION:
-EC_GROUP_set_curve_GF2m                 3483   EXIST::FUNCTION:EC
-ENGINE_set_default_ECDSA                3484   EXIST::FUNCTION:ENGINE
-POLICY_CONSTRAINTS_new                  3485   EXIST::FUNCTION:
-BN_GF2m_mod_sqrt                        3486   EXIST::FUNCTION:
-ECDH_set_default_method                 3487   EXIST::FUNCTION:ECDH
-EC_KEY_generate_key                     3488   EXIST::FUNCTION:EC
-SHA384_Update                           3489   EXIST::FUNCTION:SHA,SHA512
-BN_GF2m_arr2poly                        3490   EXIST::FUNCTION:
-STORE_method_get_get_function           3491   EXIST::FUNCTION:
-STORE_method_set_cleanup_function       3492   EXIST:!VMS:FUNCTION:
-STORE_meth_set_cleanup_fn               3492   EXIST:VMS:FUNCTION:
-EC_GROUP_check                          3493   EXIST::FUNCTION:EC
-d2i_ECPrivateKey_bio                    3494   EXIST::FUNCTION:BIO,EC
-STORE_method_get_lock_store_function    3495   EXIST:!VMS:FUNCTION:
-STORE_meth_get_lock_store_fn            3495   EXIST:VMS:FUNCTION:
-X509_VERIFY_PARAM_get_depth             3496   EXIST::FUNCTION:
-EVP_aes_192_cfb128                      3497   EXIST::FUNCTION:AES
-SHA224_Final                            3498   EXIST::FUNCTION:SHA,SHA256
-STORE_method_set_update_store_function  3499   EXIST:!VMS:FUNCTION:
-STORE_meth_set_update_store_fn          3499   EXIST:VMS:FUNCTION:
-SHA224_Update                           3500   EXIST::FUNCTION:SHA,SHA256
-d2i_ECPrivateKey                        3501   EXIST::FUNCTION:EC
-ASN1_item_ndef_i2d                      3502   EXIST::FUNCTION:
-STORE_delete_private_key                3503   EXIST::FUNCTION:
-ERR_pop_to_mark                         3504   EXIST::FUNCTION:
-ENGINE_register_all_STORE               3505   EXIST::FUNCTION:ENGINE
-X509_policy_level_get0_node             3506   EXIST::FUNCTION:
-i2d_PKCS7_NDEF                          3507   EXIST::FUNCTION:
-EC_GROUP_get_degree                     3508   EXIST::FUNCTION:EC
-ASN1_generate_v3                        3509   EXIST::FUNCTION:
-STORE_ATTR_INFO_modify_cstr             3510   EXIST::FUNCTION:
-X509_policy_tree_level_count            3511   EXIST::FUNCTION:
-BN_GF2m_add                             3512   EXIST::FUNCTION:
-STORE_generate_crl                      3513   EXIST::FUNCTION:
-STORE_store_public_key                  3514   EXIST::FUNCTION:
-X509_CERT_PAIR_free                     3515   EXIST::FUNCTION:
-STORE_revoke_private_key                3516   EXIST::FUNCTION:
-BN_nist_mod_224                         3517   EXIST::FUNCTION:
-SHA512_Final                            3518   EXIST::FUNCTION:SHA,SHA512
-STORE_ATTR_INFO_modify_dn               3519   EXIST::FUNCTION:
-STORE_method_get_initialise_function    3520   EXIST:!VMS:FUNCTION:
-STORE_meth_get_initialise_fn            3520   EXIST:VMS:FUNCTION:
-STORE_delete_number                     3521   EXIST::FUNCTION:
-i2d_EC_PUBKEY_bio                       3522   EXIST::FUNCTION:BIO,EC
-EC_GROUP_get_asn1_flag                  3523   EXIST::FUNCTION:EC
-STORE_ATTR_INFO_in_ex                   3524   EXIST::FUNCTION:
-STORE_list_crl_start                    3525   EXIST::FUNCTION:
-ECDH_get_ex_new_index                   3526   EXIST::FUNCTION:ECDH
-STORE_method_get_modify_function        3527   EXIST:!VMS:FUNCTION:
-STORE_meth_get_modify_fn                3527   EXIST:VMS:FUNCTION:
-v2i_ASN1_BIT_STRING                     3528   EXIST::FUNCTION:
-STORE_store_certificate                 3529   EXIST::FUNCTION:
-OBJ_bsearch_ex                          3530   EXIST::FUNCTION:
-X509_STORE_CTX_set_default              3531   EXIST::FUNCTION:
-STORE_ATTR_INFO_set_sha1str             3532   EXIST::FUNCTION:
-BN_GF2m_mod_inv                         3533   EXIST::FUNCTION:
-BN_GF2m_mod_exp                         3534   EXIST::FUNCTION:
-STORE_modify_public_key                 3535   EXIST::FUNCTION:
-STORE_method_get_list_start_function    3536   EXIST:!VMS:FUNCTION:
-STORE_meth_get_list_start_fn            3536   EXIST:VMS:FUNCTION:
-EC_GROUP_get0_seed                      3537   EXIST::FUNCTION:EC
-ecdsa_check                             3538   EXIST::FUNCTION:ECDSA
-STORE_store_arbitrary                   3539   EXIST::FUNCTION:
-STORE_method_set_unlock_store_function  3540   EXIST:!VMS:FUNCTION:
-STORE_meth_set_unlock_store_fn          3540   EXIST:VMS:FUNCTION:
-BN_GF2m_mod_div_arr                     3541   EXIST::FUNCTION:
-ENGINE_set_ECDSA                        3542   EXIST::FUNCTION:ENGINE
-STORE_create_method                     3543   EXIST::FUNCTION:
-ECPKParameters_print                    3544   EXIST::FUNCTION:BIO,EC
-PEM_write_EC_PUBKEY                     3545   EXIST:!WIN16:FUNCTION:EC
-X509_VERIFY_PARAM_set1                  3546   EXIST::FUNCTION:
-ECDH_set_method                         3547   EXIST::FUNCTION:ECDH
-v2i_GENERAL_NAME_ex                     3548   EXIST::FUNCTION:
-ECDH_set_ex_data                        3549   EXIST::FUNCTION:ECDH
-STORE_generate_key                      3550   EXIST::FUNCTION:
-BN_nist_mod_521                         3551   EXIST::FUNCTION:
-X509_policy_tree_get0_level             3552   EXIST::FUNCTION:
-EC_GROUP_set_point_conversion_form      3553   EXIST:!VMS:FUNCTION:EC
-EC_GROUP_set_point_conv_form            3553   EXIST:VMS:FUNCTION:EC
-PEM_read_EC_PUBKEY                      3554   EXIST:!WIN16:FUNCTION:EC
-i2d_ECDSA_SIG                           3555   EXIST::FUNCTION:ECDSA
-ECDSA_OpenSSL                           3556   EXIST::FUNCTION:ECDSA
-STORE_delete_crl                        3557   EXIST::FUNCTION:
-ASN1_const_check_infinite_end           3558   EXIST::FUNCTION:
-ECDSA_set_default_method                3559   EXIST::FUNCTION:ECDSA
-EC_POINT_set_compressed_coordinates_GF2m 3560  EXIST:!VMS:FUNCTION:EC
-EC_POINT_set_compr_coords_GF2m          3560   EXIST:VMS:FUNCTION:EC
-EC_GROUP_cmp                            3561   EXIST::FUNCTION:EC
-STORE_revoke_certificate                3562   EXIST::FUNCTION:
-ECDH_DATA_new_method                    3563   EXIST::FUNCTION:ECDH
-BN_get0_nist_prime_256                  3564   EXIST::FUNCTION:
-STORE_method_get_delete_function        3565   EXIST:!VMS:FUNCTION:
-STORE_meth_get_delete_fn                3565   EXIST:VMS:FUNCTION:
-SHA224_Init                             3566   EXIST::FUNCTION:SHA,SHA256
-PEM_read_ECPrivateKey                   3567   EXIST:!WIN16:FUNCTION:EC
-SHA512_Init                             3568   EXIST::FUNCTION:SHA,SHA512
-STORE_parse_attrs_endp                  3569   EXIST::FUNCTION:
-ERR_load_ECDSA_strings                  3570   EXIST::FUNCTION:ECDSA
-EC_GROUP_get_basis_type                 3571   EXIST::FUNCTION:EC
-ECDH_DATA_new                           3572   EXIST::FUNCTION:ECDH
-STORE_list_public_key_next              3573   EXIST::FUNCTION:
-i2v_ASN1_BIT_STRING                     3574   EXIST::FUNCTION:
-STORE_OBJECT_free                       3575   EXIST::FUNCTION:
-BN_nist_mod_384                         3576   EXIST::FUNCTION:
-i2d_X509_CERT_PAIR                      3577   EXIST::FUNCTION:
-PEM_write_ECPKParameters                3578   EXIST:!WIN16:FUNCTION:EC
-ECDH_compute_key                        3579   EXIST::FUNCTION:ECDH
-STORE_ATTR_INFO_get0_sha1str            3580   EXIST::FUNCTION:
-ENGINE_register_all_ECDH                3581   EXIST::FUNCTION:ENGINE
-STORE_ATTR_INFO_get0_cstr               3582   EXIST::FUNCTION:
-POLICY_CONSTRAINTS_it                   3583   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-POLICY_CONSTRAINTS_it                   3583   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-STORE_get_ex_new_index                  3584   EXIST::FUNCTION:
-X509_VERIFY_PARAM_add0_policy           3585   EXIST::FUNCTION:
-BN_GF2m_mod_solve_quad                  3586   EXIST::FUNCTION:
-SHA256                                  3587   EXIST::FUNCTION:SHA,SHA256
-i2d_ECPrivateKey_fp                     3588   EXIST::FUNCTION:EC,FP_API
-X509_policy_tree_get0_user_policies     3589   EXIST:!VMS:FUNCTION:
-X509_pcy_tree_get0_usr_policies         3589   EXIST:VMS:FUNCTION:
-OPENSSL_DIR_read                        3590   EXIST::FUNCTION:
-ENGINE_register_all_ECDSA               3591   EXIST::FUNCTION:ENGINE
-X509_VERIFY_PARAM_lookup                3592   EXIST::FUNCTION:
-EC_POINT_get_affine_coordinates_GF2m    3593   EXIST:!VMS:FUNCTION:EC
-EC_POINT_get_affine_coords_GF2m         3593   EXIST:VMS:FUNCTION:EC
-EC_GROUP_dup                            3594   EXIST::FUNCTION:EC
-ENGINE_get_default_ECDSA                3595   EXIST::FUNCTION:ENGINE
-EC_KEY_new                              3596   EXIST::FUNCTION:EC
-SHA256_Transform                        3597   EXIST::FUNCTION:SHA,SHA256
-ECDSA_verify                            3598   EXIST::FUNCTION:ECDSA
-EC_POINT_point2hex                      3599   EXIST::FUNCTION:EC
-ENGINE_get_STORE                        3600   EXIST::FUNCTION:ENGINE
-SHA512                                  3601   EXIST::FUNCTION:SHA,SHA512
-STORE_get_certificate                   3602   EXIST::FUNCTION:
-ECDSA_do_verify                         3603   EXIST::FUNCTION:ECDSA
-d2i_ECPrivateKey_fp                     3604   EXIST::FUNCTION:EC,FP_API
-STORE_delete_certificate                3605   EXIST::FUNCTION:
-SHA512_Transform                        3606   EXIST::FUNCTION:SHA,SHA512
-X509_STORE_set1_param                   3607   EXIST::FUNCTION:
-STORE_method_get_ctrl_function          3608   EXIST::FUNCTION:
-STORE_free                              3609   EXIST::FUNCTION:
-PEM_write_ECPrivateKey                  3610   EXIST:!WIN16:FUNCTION:EC
-STORE_method_get_unlock_store_function  3611   EXIST:!VMS:FUNCTION:
-STORE_meth_get_unlock_store_fn          3611   EXIST:VMS:FUNCTION:
-STORE_get_ex_data                       3612   EXIST::FUNCTION:
-PEM_read_ECPKParameters                 3613   EXIST:!WIN16:FUNCTION:EC
-X509_CERT_PAIR_new                      3614   EXIST::FUNCTION:
-ENGINE_register_STORE                   3615   EXIST::FUNCTION:ENGINE
-RSA_generate_key_ex                     3616   EXIST::FUNCTION:RSA
-DSA_generate_parameters_ex              3617   EXIST::FUNCTION:DSA
-ECParameters_print_fp                   3618   EXIST::FUNCTION:EC,FP_API
-X509V3_NAME_from_section                3619   EXIST::FUNCTION:
-STORE_modify_crl                        3620   EXIST::FUNCTION:
-STORE_list_private_key_start            3621   EXIST::FUNCTION:
-POLICY_MAPPINGS_it                      3622   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-POLICY_MAPPINGS_it                      3622   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-GENERAL_SUBTREE_it                      3623   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
-GENERAL_SUBTREE_it                      3623   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-ECDH_DATA_free                          3624   EXIST::FUNCTION:ECDH
-PEM_write_X509_CERT_PAIR                3625   EXIST:!WIN16:FUNCTION:
-BIO_dump_indent_cb                      3626   EXIST::FUNCTION:
-d2i_X509_CERT_PAIR                      3627   EXIST::FUNCTION:
-STORE_list_private_key_endp             3628   EXIST::FUNCTION:
-asn1_const_Finish                       3629   EXIST::FUNCTION:
-i2d_EC_PUBKEY_fp                        3630   EXIST::FUNCTION:EC,FP_API
-BN_nist_mod_256                         3631   EXIST::FUNCTION:
-ECDSA_DATA_new                          3632   EXIST::FUNCTION:ECDSA
-X509_VERIFY_PARAM_add0_table            3633   EXIST::FUNCTION:
-EVP_sha256                              3634   EXIST::FUNCTION:SHA,SHA256
-ECDSA_size                              3635   EXIST::FUNCTION:ECDSA
-d2i_EC_PUBKEY_bio                       3636   EXIST::FUNCTION:BIO,EC
-BN_get0_nist_prime_521                  3637   EXIST::FUNCTION:
-STORE_ATTR_INFO_modify_sha1str          3638   EXIST::FUNCTION:
-BN_generate_prime_ex                    3639   EXIST::FUNCTION:
-SHA256_Final                            3640   EXIST::FUNCTION:SHA,SHA256
-DH_generate_parameters_ex               3641   EXIST::FUNCTION:DH
-PEM_read_bio_ECPrivateKey               3642   EXIST::FUNCTION:EC
-STORE_method_get_cleanup_function       3643   EXIST:!VMS:FUNCTION:
-STORE_meth_get_cleanup_fn               3643   EXIST:VMS:FUNCTION:
-ENGINE_get_ECDH                         3644   EXIST::FUNCTION:ENGINE
-d2i_ECDSA_SIG                           3645   EXIST::FUNCTION:ECDSA
-BN_is_prime_fasttest_ex                 3646   EXIST::FUNCTION:
-ECDSA_sign                              3647   EXIST::FUNCTION:ECDSA
-X509_policy_check                       3648   EXIST::FUNCTION:
-STORE_set_ex_data                       3649   EXIST::FUNCTION:
-ENGINE_get_ECDSA                        3650   EXIST::FUNCTION:ENGINE
-EVP_ecdsa                               3651   EXIST::FUNCTION:SHA
-PKCS12_add_cert                         3652   EXIST::FUNCTION:
-STORE_OBJECT_new                        3653   EXIST::FUNCTION:
-ERR_load_ECDH_strings                   3654   EXIST::FUNCTION:ECDH
-EC_KEY_dup                              3655   EXIST::FUNCTION:EC
-EVP_CIPHER_CTX_rand_key                 3656   EXIST::FUNCTION:
-ECDSA_set_method                        3657   EXIST::FUNCTION:ECDSA
-a2i_IPADDRESS_NC                        3658   EXIST::FUNCTION:
-d2i_ECParameters                        3659   EXIST::FUNCTION:EC
-STORE_list_certificate_end              3660   EXIST::FUNCTION:
-STORE_get_crl                           3661   EXIST::FUNCTION:
-X509_POLICY_NODE_print                  3662   EXIST::FUNCTION:
-SHA384_Init                             3663   EXIST::FUNCTION:SHA,SHA512
-EC_GF2m_simple_method                   3664   EXIST::FUNCTION:EC
-ECDSA_set_ex_data                       3665   EXIST::FUNCTION:ECDSA
-SHA384_Final                            3666   EXIST::FUNCTION:SHA,SHA512
-PKCS7_set_digest                        3667   EXIST::FUNCTION:
-EC_KEY_print                            3668   EXIST::FUNCTION:BIO,EC
-STORE_method_set_lock_store_function    3669   EXIST:!VMS:FUNCTION:
-STORE_meth_set_lock_store_fn            3669   EXIST:VMS:FUNCTION:
-ECDSA_get_ex_new_index                  3670   EXIST::FUNCTION:ECDSA
-SHA384                                  3671   EXIST::FUNCTION:SHA,SHA512
-POLICY_MAPPING_new                      3672   EXIST::FUNCTION:
-STORE_list_certificate_endp             3673   EXIST::FUNCTION:
-X509_STORE_CTX_get0_policy_tree         3674   EXIST::FUNCTION:
-EC_GROUP_set_asn1_flag                  3675   EXIST::FUNCTION:EC
-EC_KEY_check_key                        3676   EXIST::FUNCTION:EC
-d2i_EC_PUBKEY_fp                        3677   EXIST::FUNCTION:EC,FP_API
-PKCS7_set0_type_other                   3678   EXIST::FUNCTION:
-ecdh_check                              3679   EXIST::FUNCTION:ECDH
-ECDSA_DATA_new_method                   3680   EXIST::FUNCTION:ECDSA
-PEM_read_bio_X509_CERT_PAIR             3681   EXIST::FUNCTION:
-STORE_method_get_list_end_function      3682   EXIST:!VMS:FUNCTION:
-STORE_meth_get_list_end_fn              3682   EXIST:VMS:FUNCTION:
-X509_VERIFY_PARAM_set_time              3683   EXIST::FUNCTION:
-ENGINE_set_default_ECDH                 3684   EXIST::FUNCTION:ENGINE
-STORE_new_method                        3685   EXIST::FUNCTION:
-PKCS12_add_key                          3686   EXIST::FUNCTION:
-DSO_merge                               3687   EXIST::FUNCTION:
-EC_POINT_hex2point                      3688   EXIST::FUNCTION:EC
-BIO_dump_cb                             3689   EXIST::FUNCTION:
-SHA256_Update                           3690   EXIST::FUNCTION:SHA,SHA256
-BN_GF2m_mod_inv_arr                     3691   EXIST::FUNCTION:
-ENGINE_unregister_ECDSA                 3692   EXIST::FUNCTION:ENGINE
+d2i_PROXY_CERT_INFO_EXTENSION           3287   EXIST::FUNCTION:
+PROXY_POLICY_it                         3288   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_POLICY_it                         3288   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_PROXY_POLICY                        3289   EXIST::FUNCTION:
+i2d_PROXY_CERT_INFO_EXTENSION           3290   EXIST::FUNCTION:
+d2i_PROXY_POLICY                        3291   EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_new           3292   EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_free          3293   EXIST::FUNCTION:
+PROXY_CERT_INFO_EXTENSION_it            3294   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PROXY_CERT_INFO_EXTENSION_it            3294   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PROXY_POLICY_free                       3295   EXIST::FUNCTION:
+PROXY_POLICY_new                        3296   EXIST::FUNCTION:
+ERR_set_mark                            3297   EXIST::FUNCTION:
+X509_STORE_CTX_set0_crls                3298   EXIST::FUNCTION:
+ENGINE_set_STORE                        3299   EXIST::FUNCTION:ENGINE
+ENGINE_register_ECDSA                   3300   EXIST::FUNCTION:ENGINE
+STORE_method_set_list_start_function    3301   EXIST:!VMS:FUNCTION:
+STORE_meth_set_list_start_fn            3301   EXIST:VMS:FUNCTION:
+NAME_CONSTRAINTS_free                   3302   EXIST::FUNCTION:
+STORE_ATTR_INFO_set_number              3303   EXIST::FUNCTION:
+X509_STORE_CTX_set0_param               3304   EXIST::FUNCTION:
+POLICY_MAPPING_it                       3305   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+POLICY_MAPPING_it                       3305   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+STORE_parse_attrs_start                 3306   EXIST::FUNCTION:
+POLICY_CONSTRAINTS_free                 3307   EXIST::FUNCTION:
+BN_nist_mod_192                         3308   EXIST::FUNCTION:
+EC_GROUP_get_trinomial_basis            3309   EXIST::FUNCTION:EC
+STORE_set_method                        3310   EXIST::FUNCTION:
+EVP_aes_256_cfb128                      3311   EXIST::FUNCTION:AES
+GENERAL_SUBTREE_free                    3312   EXIST::FUNCTION:
+NAME_CONSTRAINTS_it                     3313   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+NAME_CONSTRAINTS_it                     3313   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ECDH_get_default_method                 3314   EXIST::FUNCTION:ECDH
+PKCS12_add_safe                         3315   EXIST::FUNCTION:
+STORE_method_get_update_store_function  3316   EXIST:!VMS:FUNCTION:
+STORE_meth_get_update_store_fn          3316   EXIST:VMS:FUNCTION:
+ENGINE_register_ECDH                    3317   EXIST::FUNCTION:ENGINE
+EVP_sha384                              3318   EXIST::FUNCTION:SHA,SHA512
+SHA512_Update                           3319   EXIST::FUNCTION:SHA,SHA512
+i2d_ECPrivateKey                        3320   EXIST::FUNCTION:EC
+BN_get0_nist_prime_192                  3321   EXIST::FUNCTION:
+STORE_modify_certificate                3322   EXIST::FUNCTION:
+EC_POINT_set_affine_coordinates_GF2m    3323   EXIST:!VMS:FUNCTION:EC
+EC_POINT_set_affine_coords_GF2m         3323   EXIST:VMS:FUNCTION:EC
+BN_GF2m_mod_exp_arr                     3324   EXIST::FUNCTION:
+STORE_ATTR_INFO_modify_number           3325   EXIST::FUNCTION:
+X509_keyid_get0                         3326   EXIST::FUNCTION:
+EC_GROUP_new_by_nid                     3327   EXIST::FUNCTION:EC
+ENGINE_load_gmp                         3328   EXIST::FUNCTION:ENGINE,STATIC_ENGINE
+BN_GF2m_mod_mul_arr                     3329   EXIST::FUNCTION:
+STORE_list_public_key_endp              3330   EXIST::FUNCTION:
+o2i_ECPublicKey                         3331   EXIST::FUNCTION:EC
+EC_KEY_copy                             3332   EXIST::FUNCTION:EC
+BIO_dump_fp                             3333   EXIST::FUNCTION:FP_API
+X509_policy_node_get0_parent            3334   EXIST::FUNCTION:
+EC_GROUP_check_discriminant             3335   EXIST::FUNCTION:EC
+i2o_ECPublicKey                         3336   EXIST::FUNCTION:EC
+a2i_IPADDRESS                           3337   EXIST::FUNCTION:
+STORE_method_set_initialise_function    3338   EXIST:!VMS:FUNCTION:
+STORE_meth_set_initialise_fn            3338   EXIST:VMS:FUNCTION:
+X509_STORE_CTX_set_depth                3339   EXIST::FUNCTION:
+X509_VERIFY_PARAM_inherit               3340   EXIST::FUNCTION:
+EC_POINT_point2bn                       3341   EXIST::FUNCTION:EC
+STORE_ATTR_INFO_set_dn                  3342   EXIST::FUNCTION:
+X509_policy_tree_get0_policies          3343   EXIST::FUNCTION:
+EC_GROUP_new_curve_GF2m                 3344   EXIST::FUNCTION:EC
+STORE_destroy_method                    3345   EXIST::FUNCTION:
+ENGINE_unregister_STORE                 3346   EXIST::FUNCTION:ENGINE
+EVP_PKEY_get1_EC_KEY                    3347   EXIST::FUNCTION:EC
+STORE_ATTR_INFO_get0_number             3348   EXIST::FUNCTION:
+ENGINE_get_default_ECDH                 3349   EXIST::FUNCTION:ENGINE
+ASN1_OCTET_STRING_NDEF_it               3350   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_OCTET_STRING_NDEF_it               3350   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+STORE_delete_public_key                 3351   EXIST::FUNCTION:
+STORE_get_public_key                    3352   EXIST::FUNCTION:
+STORE_modify_arbitrary                  3353   EXIST::FUNCTION:
+ENGINE_get_static_state                 3354   EXIST::FUNCTION:ENGINE
+ECDSA_SIG_new                           3355   EXIST::FUNCTION:ECDSA
+OPENSSL_DIR_end                         3356   EXIST::FUNCTION:
+BN_GF2m_mod_sqr                         3357   EXIST::FUNCTION:
+EC_POINT_bn2point                       3358   EXIST::FUNCTION:EC
+X509_VERIFY_PARAM_set_depth             3359   EXIST::FUNCTION:
+STORE_get_method                        3360   EXIST::FUNCTION:
+STORE_parse_attrs_end                   3361   EXIST::FUNCTION:
+EC_GROUP_get_point_conversion_form      3362   EXIST:!VMS:FUNCTION:EC
+EC_GROUP_get_point_conv_form            3362   EXIST:VMS:FUNCTION:EC
+STORE_method_set_store_function         3363   EXIST::FUNCTION:
+STORE_ATTR_INFO_in                      3364   EXIST::FUNCTION:
+PEM_read_bio_ECPKParameters             3365   EXIST::FUNCTION:EC
+EC_GROUP_get_pentanomial_basis          3366   EXIST::FUNCTION:EC
+X509_VERIFY_PARAM_set1_policies         3367   EXIST::FUNCTION:
+EVP_sha512                              3368   EXIST::FUNCTION:SHA,SHA512
+X509_VERIFY_PARAM_set1_name             3369   EXIST::FUNCTION:
+X509_VERIFY_PARAM_set_purpose           3370   EXIST::FUNCTION:
+EC_GROUP_get_nid                        3371   EXIST::FUNCTION:EC
+STORE_get_number                        3372   EXIST::FUNCTION:
+ECDSA_sign_setup                        3373   EXIST::FUNCTION:ECDSA
+BN_GF2m_mod_solve_quad_arr              3374   EXIST::FUNCTION:
+EC_KEY_up_ref                           3375   EXIST::FUNCTION:EC
+POLICY_MAPPING_free                     3376   EXIST::FUNCTION:
+BN_GF2m_mod_div                         3377   EXIST::FUNCTION:
+X509_VERIFY_PARAM_set_flags             3378   EXIST::FUNCTION:
+EC_KEY_free                             3379   EXIST::FUNCTION:EC
+STORE_method_set_list_next_function     3380   EXIST:!VMS:FUNCTION:
+STORE_meth_set_list_next_fn             3380   EXIST:VMS:FUNCTION:
+PEM_write_bio_ECPrivateKey              3381   EXIST::FUNCTION:EC
+d2i_EC_PUBKEY                           3382   EXIST::FUNCTION:EC
+STORE_method_get_generate_function      3383   EXIST:!VMS:FUNCTION:
+STORE_meth_get_generate_fn              3383   EXIST:VMS:FUNCTION:
+STORE_method_set_list_end_function      3384   EXIST:!VMS:FUNCTION:
+STORE_meth_set_list_end_fn              3384   EXIST:VMS:FUNCTION:
+EC_GROUP_have_precompute_mult           3385   EXIST::FUNCTION:EC
+EC_KEY_print_fp                         3386   EXIST::FUNCTION:EC,FP_API
+BN_GF2m_mod_arr                         3387   EXIST::FUNCTION:
+PEM_write_bio_X509_CERT_PAIR            3388   EXIST::FUNCTION:
+EVP_PKEY_cmp                            3389   EXIST::FUNCTION:
+X509_policy_level_node_count            3390   EXIST::FUNCTION:
+STORE_new_engine                        3391   EXIST::FUNCTION:
+STORE_list_public_key_start             3392   EXIST::FUNCTION:
+X509_VERIFY_PARAM_new                   3393   EXIST::FUNCTION:
+ECDH_get_ex_data                        3394   EXIST::FUNCTION:ECDH
+ECDSA_do_sign                           3395   EXIST::FUNCTION:ECDSA
+ENGINE_unregister_ECDH                  3396   EXIST::FUNCTION:ENGINE
+ECDH_OpenSSL                            3397   EXIST::FUNCTION:ECDH
+EC_POINT_dup                            3398   EXIST::FUNCTION:EC
+GENERAL_SUBTREE_new                     3399   EXIST::FUNCTION:
+STORE_list_crl_endp                     3400   EXIST::FUNCTION:
+EC_get_builtin_curves                   3401   EXIST::FUNCTION:EC
+EVP_aes_128_cfb128                      3402   EXIST::FUNCTION:AES
+X509_policy_node_get0_qualifiers        3403   EXIST:!VMS:FUNCTION:
+X509_pcy_node_get0_qualifiers           3403   EXIST:VMS:FUNCTION:
+STORE_list_crl_end                      3404   EXIST::FUNCTION:
+EVP_PKEY_set1_EC_KEY                    3405   EXIST::FUNCTION:EC
+BN_GF2m_mod_sqrt_arr                    3406   EXIST::FUNCTION:
+i2d_ECPrivateKey_bio                    3407   EXIST::FUNCTION:BIO,EC
+ECPKParameters_print_fp                 3408   EXIST::FUNCTION:EC,FP_API
+ECDSA_SIG_free                          3409   EXIST::FUNCTION:ECDSA
+PEM_write_bio_ECPKParameters            3410   EXIST::FUNCTION:EC
+STORE_method_set_ctrl_function          3411   EXIST::FUNCTION:
+STORE_list_public_key_end               3412   EXIST::FUNCTION:
+EC_GROUP_set_nid                        3413   EXIST::FUNCTION:EC
+STORE_get_arbitrary                     3414   EXIST::FUNCTION:
+STORE_store_crl                         3415   EXIST::FUNCTION:
+X509_policy_node_get0_policy            3416   EXIST::FUNCTION:
+PKCS12_add_safes                        3417   EXIST::FUNCTION:
+X509_policy_tree_free                   3418   EXIST::FUNCTION:
+BN_GF2m_poly2arr                        3419   EXIST::FUNCTION:
+STORE_ctrl                              3420   EXIST::FUNCTION:
+EVP_sha224                              3421   EXIST::FUNCTION:SHA,SHA256
+STORE_ATTR_INFO_compare                 3422   EXIST::FUNCTION:
+BN_get0_nist_prime_224                  3423   EXIST::FUNCTION:
+i2d_ECParameters                        3424   EXIST::FUNCTION:EC
+i2d_ECPKParameters                      3425   EXIST::FUNCTION:EC
+BN_GENCB_call                           3426   EXIST::FUNCTION:
+BN_ncopy                                3427   EXIST::FUNCTION:
+d2i_ECPKParameters                      3428   EXIST::FUNCTION:EC
+STORE_method_set_generate_function      3429   EXIST:!VMS:FUNCTION:
+STORE_meth_set_generate_fn              3429   EXIST:VMS:FUNCTION:
+ENGINE_set_ECDH                         3430   EXIST::FUNCTION:ENGINE
+NAME_CONSTRAINTS_new                    3431   EXIST::FUNCTION:
+SHA256_Init                             3432   EXIST::FUNCTION:SHA,SHA256
+PEM_write_bio_EC_PUBKEY                 3433   EXIST::FUNCTION:EC
+STORE_ATTR_INFO_set_cstr                3434   EXIST::FUNCTION:
+STORE_list_crl_next                     3435   EXIST::FUNCTION:
+STORE_ATTR_INFO_in_range                3436   EXIST::FUNCTION:
+ECParameters_print                      3437   EXIST::FUNCTION:BIO,EC
+STORE_method_set_delete_function        3438   EXIST:!VMS:FUNCTION:
+STORE_meth_set_delete_fn                3438   EXIST:VMS:FUNCTION:
+STORE_list_certificate_next             3439   EXIST::FUNCTION:
+ASN1_generate_nconf                     3440   EXIST::FUNCTION:
+BUF_memdup                              3441   EXIST::FUNCTION:
+BN_GF2m_mod_mul                         3442   EXIST::FUNCTION:
+STORE_method_get_list_next_function     3443   EXIST:!VMS:FUNCTION:
+STORE_meth_get_list_next_fn             3443   EXIST:VMS:FUNCTION:
+STORE_ATTR_INFO_get0_dn                 3444   EXIST::FUNCTION:
+STORE_list_private_key_next             3445   EXIST::FUNCTION:
+EC_GROUP_set_seed                       3446   EXIST::FUNCTION:EC
+X509_VERIFY_PARAM_set_trust             3447   EXIST::FUNCTION:
+STORE_ATTR_INFO_free                    3448   EXIST::FUNCTION:
+STORE_get_private_key                   3449   EXIST::FUNCTION:
+STORE_ATTR_INFO_new                     3450   EXIST::FUNCTION:
+EC_GROUP_get_curve_GF2m                 3451   EXIST::FUNCTION:EC
+STORE_method_set_revoke_function        3452   EXIST:!VMS:FUNCTION:
+STORE_meth_set_revoke_fn                3452   EXIST:VMS:FUNCTION:
+STORE_store_number                      3453   EXIST::FUNCTION:
+BN_is_prime_ex                          3454   EXIST::FUNCTION:
+STORE_revoke_public_key                 3455   EXIST::FUNCTION:
+X509_STORE_CTX_get0_param               3456   EXIST::FUNCTION:
+STORE_delete_arbitrary                  3457   EXIST::FUNCTION:
+PEM_read_X509_CERT_PAIR                 3458   EXIST:!WIN16:FUNCTION:
+X509_STORE_set_depth                    3459   EXIST::FUNCTION:
+ECDSA_get_ex_data                       3460   EXIST::FUNCTION:ECDSA
+SHA224                                  3461   EXIST::FUNCTION:SHA,SHA256
+BIO_dump_indent_fp                      3462   EXIST::FUNCTION:FP_API
+BUF_strndup                             3463   EXIST::FUNCTION:
+STORE_list_certificate_start            3464   EXIST::FUNCTION:
+BN_GF2m_mod                             3465   EXIST::FUNCTION:
+X509_REQ_check_private_key              3466   EXIST::FUNCTION:
+EC_GROUP_get_seed_len                   3467   EXIST::FUNCTION:EC
+ERR_load_STORE_strings                  3468   EXIST::FUNCTION:
+PEM_read_bio_EC_PUBKEY                  3469   EXIST::FUNCTION:EC
+STORE_list_private_key_end              3470   EXIST::FUNCTION:
+i2d_EC_PUBKEY                           3471   EXIST::FUNCTION:EC
+ECDSA_get_default_method                3472   EXIST::FUNCTION:ECDSA
+ASN1_put_eoc                            3473   EXIST::FUNCTION:
+X509_STORE_CTX_get_explicit_policy      3474   EXIST:!VMS:FUNCTION:
+X509_STORE_CTX_get_expl_policy          3474   EXIST:VMS:FUNCTION:
+ECDSA_DATA_free                         3475   EXIST::FUNCTION:ECDSA
+X509_VERIFY_PARAM_table_cleanup         3476   EXIST::FUNCTION:
+STORE_modify_private_key                3477   EXIST::FUNCTION:
+X509_VERIFY_PARAM_free                  3478   EXIST::FUNCTION:
+EC_METHOD_get_field_type                3479   EXIST::FUNCTION:EC
+EC_GFp_nist_method                      3480   EXIST::FUNCTION:EC
+STORE_method_set_modify_function        3481   EXIST:!VMS:FUNCTION:
+STORE_meth_set_modify_fn                3481   EXIST:VMS:FUNCTION:
+STORE_parse_attrs_next                  3482   EXIST::FUNCTION:
+ENGINE_load_padlock                     3483   EXIST::FUNCTION:ENGINE
+X509_CERT_PAIR_it                       3484   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_CERT_PAIR_it                       3484   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+STORE_method_get_revoke_function        3485   EXIST:!VMS:FUNCTION:
+STORE_meth_get_revoke_fn                3485   EXIST:VMS:FUNCTION:
+STORE_method_set_get_function           3486   EXIST::FUNCTION:
+STORE_modify_number                     3487   EXIST::FUNCTION:
+STORE_method_get_store_function         3488   EXIST::FUNCTION:
+STORE_store_private_key                 3489   EXIST::FUNCTION:
+BN_GF2m_mod_sqr_arr                     3490   EXIST::FUNCTION:
+STORE_Memory                            3491   EXIST::FUNCTION:
+sk_find_ex                              3492   EXIST::FUNCTION:
+EC_GROUP_set_curve_GF2m                 3493   EXIST::FUNCTION:EC
+ENGINE_set_default_ECDSA                3494   EXIST::FUNCTION:ENGINE
+POLICY_CONSTRAINTS_new                  3495   EXIST::FUNCTION:
+BN_GF2m_mod_sqrt                        3496   EXIST::FUNCTION:
+ECDH_set_default_method                 3497   EXIST::FUNCTION:ECDH
+EC_KEY_generate_key                     3498   EXIST::FUNCTION:EC
+SHA384_Update                           3499   EXIST::FUNCTION:SHA,SHA512
+BN_GF2m_arr2poly                        3500   EXIST::FUNCTION:
+STORE_method_get_get_function           3501   EXIST::FUNCTION:
+STORE_method_set_cleanup_function       3502   EXIST:!VMS:FUNCTION:
+STORE_meth_set_cleanup_fn               3502   EXIST:VMS:FUNCTION:
+EC_GROUP_check                          3503   EXIST::FUNCTION:EC
+d2i_ECPrivateKey_bio                    3504   EXIST::FUNCTION:BIO,EC
+STORE_method_get_lock_store_function    3505   EXIST:!VMS:FUNCTION:
+STORE_meth_get_lock_store_fn            3505   EXIST:VMS:FUNCTION:
+X509_VERIFY_PARAM_get_depth             3506   EXIST::FUNCTION:
+EVP_aes_192_cfb128                      3507   EXIST::FUNCTION:AES
+SHA224_Final                            3508   EXIST::FUNCTION:SHA,SHA256
+STORE_method_set_update_store_function  3509   EXIST:!VMS:FUNCTION:
+STORE_meth_set_update_store_fn          3509   EXIST:VMS:FUNCTION:
+SHA224_Update                           3510   EXIST::FUNCTION:SHA,SHA256
+d2i_ECPrivateKey                        3511   EXIST::FUNCTION:EC
+ASN1_item_ndef_i2d                      3512   EXIST::FUNCTION:
+STORE_delete_private_key                3513   EXIST::FUNCTION:
+ERR_pop_to_mark                         3514   EXIST::FUNCTION:
+ENGINE_register_all_STORE               3515   EXIST::FUNCTION:ENGINE
+X509_policy_level_get0_node             3516   EXIST::FUNCTION:
+i2d_PKCS7_NDEF                          3517   EXIST::FUNCTION:
+EC_GROUP_get_degree                     3518   EXIST::FUNCTION:EC
+ASN1_generate_v3                        3519   EXIST::FUNCTION:
+STORE_ATTR_INFO_modify_cstr             3520   EXIST::FUNCTION:
+X509_policy_tree_level_count            3521   EXIST::FUNCTION:
+BN_GF2m_add                             3522   EXIST::FUNCTION:
+STORE_generate_crl                      3523   EXIST::FUNCTION:
+STORE_store_public_key                  3524   EXIST::FUNCTION:
+X509_CERT_PAIR_free                     3525   EXIST::FUNCTION:
+STORE_revoke_private_key                3526   EXIST::FUNCTION:
+BN_nist_mod_224                         3527   EXIST::FUNCTION:
+SHA512_Final                            3528   EXIST::FUNCTION:SHA,SHA512
+STORE_ATTR_INFO_modify_dn               3529   EXIST::FUNCTION:
+STORE_method_get_initialise_function    3530   EXIST:!VMS:FUNCTION:
+STORE_meth_get_initialise_fn            3530   EXIST:VMS:FUNCTION:
+STORE_delete_number                     3531   EXIST::FUNCTION:
+i2d_EC_PUBKEY_bio                       3532   EXIST::FUNCTION:BIO,EC
+EC_GROUP_get_asn1_flag                  3533   EXIST::FUNCTION:EC
+STORE_ATTR_INFO_in_ex                   3534   EXIST::FUNCTION:
+STORE_list_crl_start                    3535   EXIST::FUNCTION:
+ECDH_get_ex_new_index                   3536   EXIST::FUNCTION:ECDH
+STORE_method_get_modify_function        3537   EXIST:!VMS:FUNCTION:
+STORE_meth_get_modify_fn                3537   EXIST:VMS:FUNCTION:
+v2i_ASN1_BIT_STRING                     3538   EXIST::FUNCTION:
+STORE_store_certificate                 3539   EXIST::FUNCTION:
+OBJ_bsearch_ex                          3540   EXIST::FUNCTION:
+X509_STORE_CTX_set_default              3541   EXIST::FUNCTION:
+STORE_ATTR_INFO_set_sha1str             3542   EXIST::FUNCTION:
+BN_GF2m_mod_inv                         3543   EXIST::FUNCTION:
+BN_GF2m_mod_exp                         3544   EXIST::FUNCTION:
+STORE_modify_public_key                 3545   EXIST::FUNCTION:
+STORE_method_get_list_start_function    3546   EXIST:!VMS:FUNCTION:
+STORE_meth_get_list_start_fn            3546   EXIST:VMS:FUNCTION:
+EC_GROUP_get0_seed                      3547   EXIST::FUNCTION:EC
+ecdsa_check                             3548   EXIST::FUNCTION:ECDSA
+STORE_store_arbitrary                   3549   EXIST::FUNCTION:
+STORE_method_set_unlock_store_function  3550   EXIST:!VMS:FUNCTION:
+STORE_meth_set_unlock_store_fn          3550   EXIST:VMS:FUNCTION:
+BN_GF2m_mod_div_arr                     3551   EXIST::FUNCTION:
+ENGINE_set_ECDSA                        3552   EXIST::FUNCTION:ENGINE
+STORE_create_method                     3553   EXIST::FUNCTION:
+ECPKParameters_print                    3554   EXIST::FUNCTION:BIO,EC
+PEM_write_EC_PUBKEY                     3555   EXIST:!WIN16:FUNCTION:EC
+X509_VERIFY_PARAM_set1                  3556   EXIST::FUNCTION:
+ECDH_set_method                         3557   EXIST::FUNCTION:ECDH
+v2i_GENERAL_NAME_ex                     3558   EXIST::FUNCTION:
+ECDH_set_ex_data                        3559   EXIST::FUNCTION:ECDH
+STORE_generate_key                      3560   EXIST::FUNCTION:
+BN_nist_mod_521                         3561   EXIST::FUNCTION:
+X509_policy_tree_get0_level             3562   EXIST::FUNCTION:
+EC_GROUP_set_point_conversion_form      3563   EXIST:!VMS:FUNCTION:EC
+EC_GROUP_set_point_conv_form            3563   EXIST:VMS:FUNCTION:EC
+PEM_read_EC_PUBKEY                      3564   EXIST:!WIN16:FUNCTION:EC
+i2d_ECDSA_SIG                           3565   EXIST::FUNCTION:ECDSA
+ECDSA_OpenSSL                           3566   EXIST::FUNCTION:ECDSA
+STORE_delete_crl                        3567   EXIST::FUNCTION:
+ASN1_const_check_infinite_end           3568   EXIST::FUNCTION:
+ECDSA_set_default_method                3569   EXIST::FUNCTION:ECDSA
+EC_POINT_set_compressed_coordinates_GF2m 3570  EXIST:!VMS:FUNCTION:EC
+EC_POINT_set_compr_coords_GF2m          3570   EXIST:VMS:FUNCTION:EC
+EC_GROUP_cmp                            3571   EXIST::FUNCTION:EC
+STORE_revoke_certificate                3572   EXIST::FUNCTION:
+ECDH_DATA_new_method                    3573   EXIST::FUNCTION:ECDH
+BN_get0_nist_prime_256                  3574   EXIST::FUNCTION:
+STORE_method_get_delete_function        3575   EXIST:!VMS:FUNCTION:
+STORE_meth_get_delete_fn                3575   EXIST:VMS:FUNCTION:
+SHA224_Init                             3576   EXIST::FUNCTION:SHA,SHA256
+PEM_read_ECPrivateKey                   3577   EXIST:!WIN16:FUNCTION:EC
+SHA512_Init                             3578   EXIST::FUNCTION:SHA,SHA512
+STORE_parse_attrs_endp                  3579   EXIST::FUNCTION:
+ERR_load_ECDSA_strings                  3580   EXIST::FUNCTION:ECDSA
+EC_GROUP_get_basis_type                 3581   EXIST::FUNCTION:EC
+ECDH_DATA_new                           3582   EXIST::FUNCTION:ECDH
+STORE_list_public_key_next              3583   EXIST::FUNCTION:
+i2v_ASN1_BIT_STRING                     3584   EXIST::FUNCTION:
+STORE_OBJECT_free                       3585   EXIST::FUNCTION:
+BN_nist_mod_384                         3586   EXIST::FUNCTION:
+i2d_X509_CERT_PAIR                      3587   EXIST::FUNCTION:
+PEM_write_ECPKParameters                3588   EXIST:!WIN16:FUNCTION:EC
+ECDH_compute_key                        3589   EXIST::FUNCTION:ECDH
+STORE_ATTR_INFO_get0_sha1str            3590   EXIST::FUNCTION:
+ENGINE_register_all_ECDH                3591   EXIST::FUNCTION:ENGINE
+STORE_ATTR_INFO_get0_cstr               3592   EXIST::FUNCTION:
+POLICY_CONSTRAINTS_it                   3593   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+POLICY_CONSTRAINTS_it                   3593   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+STORE_get_ex_new_index                  3594   EXIST::FUNCTION:
+X509_VERIFY_PARAM_add0_policy           3595   EXIST::FUNCTION:
+BN_GF2m_mod_solve_quad                  3596   EXIST::FUNCTION:
+SHA256                                  3597   EXIST::FUNCTION:SHA,SHA256
+i2d_ECPrivateKey_fp                     3598   EXIST::FUNCTION:EC,FP_API
+X509_policy_tree_get0_user_policies     3599   EXIST:!VMS:FUNCTION:
+X509_pcy_tree_get0_usr_policies         3599   EXIST:VMS:FUNCTION:
+OPENSSL_DIR_read                        3600   EXIST::FUNCTION:
+ENGINE_register_all_ECDSA               3601   EXIST::FUNCTION:ENGINE
+X509_VERIFY_PARAM_lookup                3602   EXIST::FUNCTION:
+EC_POINT_get_affine_coordinates_GF2m    3603   EXIST:!VMS:FUNCTION:EC
+EC_POINT_get_affine_coords_GF2m         3603   EXIST:VMS:FUNCTION:EC
+EC_GROUP_dup                            3604   EXIST::FUNCTION:EC
+ENGINE_get_default_ECDSA                3605   EXIST::FUNCTION:ENGINE
+EC_KEY_new                              3606   EXIST::FUNCTION:EC
+SHA256_Transform                        3607   EXIST::FUNCTION:SHA,SHA256
+ECDSA_verify                            3608   EXIST::FUNCTION:ECDSA
+EC_POINT_point2hex                      3609   EXIST::FUNCTION:EC
+ENGINE_get_STORE                        3610   EXIST::FUNCTION:ENGINE
+SHA512                                  3611   EXIST::FUNCTION:SHA,SHA512
+STORE_get_certificate                   3612   EXIST::FUNCTION:
+ECDSA_do_verify                         3613   EXIST::FUNCTION:ECDSA
+d2i_ECPrivateKey_fp                     3614   EXIST::FUNCTION:EC,FP_API
+STORE_delete_certificate                3615   EXIST::FUNCTION:
+SHA512_Transform                        3616   EXIST::FUNCTION:SHA,SHA512
+X509_STORE_set1_param                   3617   EXIST::FUNCTION:
+STORE_method_get_ctrl_function          3618   EXIST::FUNCTION:
+STORE_free                              3619   EXIST::FUNCTION:
+PEM_write_ECPrivateKey                  3620   EXIST:!WIN16:FUNCTION:EC
+STORE_method_get_unlock_store_function  3621   EXIST:!VMS:FUNCTION:
+STORE_meth_get_unlock_store_fn          3621   EXIST:VMS:FUNCTION:
+STORE_get_ex_data                       3622   EXIST::FUNCTION:
+PEM_read_ECPKParameters                 3623   EXIST:!WIN16:FUNCTION:EC
+X509_CERT_PAIR_new                      3624   EXIST::FUNCTION:
+ENGINE_register_STORE                   3625   EXIST::FUNCTION:ENGINE
+RSA_generate_key_ex                     3626   EXIST::FUNCTION:RSA
+DSA_generate_parameters_ex              3627   EXIST::FUNCTION:DSA
+ECParameters_print_fp                   3628   EXIST::FUNCTION:EC,FP_API
+X509V3_NAME_from_section                3629   EXIST::FUNCTION:
+STORE_modify_crl                        3630   EXIST::FUNCTION:
+STORE_list_private_key_start            3631   EXIST::FUNCTION:
+POLICY_MAPPINGS_it                      3632   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+POLICY_MAPPINGS_it                      3632   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+GENERAL_SUBTREE_it                      3633   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+GENERAL_SUBTREE_it                      3633   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ECDH_DATA_free                          3634   EXIST::FUNCTION:ECDH
+PEM_write_X509_CERT_PAIR                3635   EXIST:!WIN16:FUNCTION:
+BIO_dump_indent_cb                      3636   EXIST::FUNCTION:
+d2i_X509_CERT_PAIR                      3637   EXIST::FUNCTION:
+STORE_list_private_key_endp             3638   EXIST::FUNCTION:
+asn1_const_Finish                       3639   EXIST::FUNCTION:
+i2d_EC_PUBKEY_fp                        3640   EXIST::FUNCTION:EC,FP_API
+BN_nist_mod_256                         3641   EXIST::FUNCTION:
+ECDSA_DATA_new                          3642   EXIST::FUNCTION:ECDSA
+X509_VERIFY_PARAM_add0_table            3643   EXIST::FUNCTION:
+EVP_sha256                              3644   EXIST::FUNCTION:SHA,SHA256
+ECDSA_size                              3645   EXIST::FUNCTION:ECDSA
+d2i_EC_PUBKEY_bio                       3646   EXIST::FUNCTION:BIO,EC
+BN_get0_nist_prime_521                  3647   EXIST::FUNCTION:
+STORE_ATTR_INFO_modify_sha1str          3648   EXIST::FUNCTION:
+BN_generate_prime_ex                    3649   EXIST::FUNCTION:
+SHA256_Final                            3650   EXIST::FUNCTION:SHA,SHA256
+DH_generate_parameters_ex               3651   EXIST::FUNCTION:DH
+PEM_read_bio_ECPrivateKey               3652   EXIST::FUNCTION:EC
+STORE_method_get_cleanup_function       3653   EXIST:!VMS:FUNCTION:
+STORE_meth_get_cleanup_fn               3653   EXIST:VMS:FUNCTION:
+ENGINE_get_ECDH                         3654   EXIST::FUNCTION:ENGINE
+d2i_ECDSA_SIG                           3655   EXIST::FUNCTION:ECDSA
+BN_is_prime_fasttest_ex                 3656   EXIST::FUNCTION:
+ECDSA_sign                              3657   EXIST::FUNCTION:ECDSA
+X509_policy_check                       3658   EXIST::FUNCTION:
+STORE_set_ex_data                       3659   EXIST::FUNCTION:
+ENGINE_get_ECDSA                        3660   EXIST::FUNCTION:ENGINE
+EVP_ecdsa                               3661   EXIST::FUNCTION:SHA
+PKCS12_add_cert                         3662   EXIST::FUNCTION:
+STORE_OBJECT_new                        3663   EXIST::FUNCTION:
+ERR_load_ECDH_strings                   3664   EXIST::FUNCTION:ECDH
+EC_KEY_dup                              3665   EXIST::FUNCTION:EC
+EVP_CIPHER_CTX_rand_key                 3666   EXIST::FUNCTION:
+ECDSA_set_method                        3667   EXIST::FUNCTION:ECDSA
+a2i_IPADDRESS_NC                        3668   EXIST::FUNCTION:
+d2i_ECParameters                        3669   EXIST::FUNCTION:EC
+STORE_list_certificate_end              3670   EXIST::FUNCTION:
+STORE_get_crl                           3671   EXIST::FUNCTION:
+X509_POLICY_NODE_print                  3672   EXIST::FUNCTION:
+SHA384_Init                             3673   EXIST::FUNCTION:SHA,SHA512
+EC_GF2m_simple_method                   3674   EXIST::FUNCTION:EC
+ECDSA_set_ex_data                       3675   EXIST::FUNCTION:ECDSA
+SHA384_Final                            3676   EXIST::FUNCTION:SHA,SHA512
+PKCS7_set_digest                        3677   EXIST::FUNCTION:
+EC_KEY_print                            3678   EXIST::FUNCTION:BIO,EC
+STORE_method_set_lock_store_function    3679   EXIST:!VMS:FUNCTION:
+STORE_meth_set_lock_store_fn            3679   EXIST:VMS:FUNCTION:
+ECDSA_get_ex_new_index                  3680   EXIST::FUNCTION:ECDSA
+SHA384                                  3681   EXIST::FUNCTION:SHA,SHA512
+POLICY_MAPPING_new                      3682   EXIST::FUNCTION:
+STORE_list_certificate_endp             3683   EXIST::FUNCTION:
+X509_STORE_CTX_get0_policy_tree         3684   EXIST::FUNCTION:
+EC_GROUP_set_asn1_flag                  3685   EXIST::FUNCTION:EC
+EC_KEY_check_key                        3686   EXIST::FUNCTION:EC
+d2i_EC_PUBKEY_fp                        3687   EXIST::FUNCTION:EC,FP_API
+PKCS7_set0_type_other                   3688   EXIST::FUNCTION:
+ecdh_check                              3689   EXIST::FUNCTION:ECDH
+ECDSA_DATA_new_method                   3690   EXIST::FUNCTION:ECDSA
+PEM_read_bio_X509_CERT_PAIR             3691   EXIST::FUNCTION:
+STORE_method_get_list_end_function      3692   EXIST:!VMS:FUNCTION:
+STORE_meth_get_list_end_fn              3692   EXIST:VMS:FUNCTION:
+X509_VERIFY_PARAM_set_time              3693   EXIST::FUNCTION:
+ENGINE_set_default_ECDH                 3694   EXIST::FUNCTION:ENGINE
+STORE_new_method                        3695   EXIST::FUNCTION:
+PKCS12_add_key                          3696   EXIST::FUNCTION:
+DSO_merge                               3697   EXIST::FUNCTION:
+EC_POINT_hex2point                      3698   EXIST::FUNCTION:EC
+BIO_dump_cb                             3699   EXIST::FUNCTION:
+SHA256_Update                           3700   EXIST::FUNCTION:SHA,SHA256
+BN_GF2m_mod_inv_arr                     3701   EXIST::FUNCTION:
+ENGINE_unregister_ECDSA                 3702   EXIST::FUNCTION:ENGINE