import five newish X509 pages from OpenSSL

6 files changed, 1181 insertions, 1 deletions

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index f6dd178a0c..c8eb806169 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.61 2016/11/29 18:16:09 deraadt Exp $
+# $OpenBSD: Makefile,v 1.62 2016/12/04 20:51:47 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -170,6 +170,11 @@ MAN=	\
         SMIME_read_PKCS7.3 \
         SMIME_write_PKCS7.3 \
         UI_new.3 \
+        X509V3_get_d2i.3 \
+        X509_ALGOR_dup.3 \
+        X509_CRL_get0_by_serial.3 \
+        X509_EXTENSION_set_object.3 \
+        X509_LOOKUP_hash_dir.3 \
         X509_NAME_ENTRY_get_object.3 \
         X509_NAME_add_entry_by_txt.3 \
         X509_NAME_get_index_by_NID.3 \
diff --git a/src/lib/libcrypto/man/X509V3_get_d2i.3 b/src/lib/libcrypto/man/X509V3_get_d2i.3
new file mode 100644
index 0000000000..cd3bb844b5
--- /dev/null
+++ b/src/lib/libcrypto/man/X509V3_get_d2i.3
@@ -0,0 +1,386 @@
+.\"     $OpenBSD: X509V3_get_d2i.3,v 1.1 2016/12/04 20:51:47 schwarze Exp $
+.\"     OpenSSL 047dd81e Jul 4 23:03:17 2014 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 4 2016 $
+.Dt X509V3_GET_D2I 3
+.Os
+.Sh NAME
+.Nm X509V3_get_d2i ,
+.Nm X509V3_add1_i2d ,
+.Nm X509V3_EXT_d2i ,
+.Nm X509V3_EXT_i2d ,
+.Nm X509_get_ext_d2i ,
+.Nm X509_add1_ext_i2d ,
+.Nm X509_CRL_get_ext_d2i ,
+.Nm X509_CRL_add1_ext_i2d ,
+.Nm X509_REVOKED_get_ext_d2i ,
+.Nm X509_REVOKED_add1_ext_i2d
+.Nd X509 extension decode and encode functions
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft void *
+.Fo X509V3_get_d2i
+.Fa "const STACK_OF(X509_EXTENSION) *x"
+.Fa "int nid"
+.Fa "int *crit"
+.Fa "int *idx"
+.Fc
+.Ft int
+.Fo X509V3_add1_i2d
+.Fa "STACK_OF(X509_EXTENSION) **x"
+.Fa "int nid"
+.Fa "void *value"
+.Fa "int crit"
+.Fa "unsigned long flags"
+.Fc
+.Ft void *
+.Fo X509V3_EXT_d2i
+.Fa "X509_EXTENSION *ext"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509V3_EXT_i2d
+.Fa "int ext_nid"
+.Fa "int crit"
+.Fa "void *ext"
+.Fc
+.Ft void *
+.Fo X509_get_ext_d2i
+.Fa "const X509 *x"
+.Fa "int nid"
+.Fa "int *crit"
+.Fa "int *idx"
+.Fc
+.Ft int
+.Fo X509_add1_ext_i2d
+.Fa "X509 *x"
+.Fa "int nid"
+.Fa "void *value"
+.Fa "int crit"
+.Fa "unsigned long flags"
+.Fc
+.Ft void *
+.Fo X509_CRL_get_ext_d2i
+.Fa "const X509_CRL *crl"
+.Fa "int nid"
+.Fa "int *crit"
+.Fa "int *idx"
+.Fc
+.Ft int
+.Fo X509_CRL_add1_ext_i2d
+.Fa "X509_CRL *crl"
+.Fa "int nid"
+.Fa "void *value"
+.Fa "int crit"
+.Fa "unsigned long flags"
+.Fc
+.Ft void *
+.Fo X509_REVOKED_get_ext_d2i
+.Fa "const X509_REVOKED *r"
+.Fa "int nid"
+.Fa "int *crit"
+.Fa "int *idx"
+.Fc
+.Ft int
+.Fo X509_REVOKED_add1_ext_i2d
+.Fa "X509_REVOKED *r"
+.Fa "int nid"
+.Fa "void *value"
+.Fa "int crit"
+.Fa "unsigned long flags"
+.Fc
+.Sh DESCRIPTION
+.Fn X509V3_get_d2i
+looks for an extension with OID
+.Fa nid
+in the extensions
+.Fa x
+and, if found, decodes it.
+If
+.Fa idx
+is
+.Dv NULL ,
+then only one occurrence of an extension is permissible.
+Otherwise the first extension after index
+.Pf * Fa idx
+is returned and
+.Pf * Fa idx
+is updated to the location of the extension.
+If
+.Fa crit
+is not
+.Dv NULL ,
+then
+.Pf * Fa crit
+is set to a status value: -2 if the extension occurs multiple times
+(this is only returned if
+.Fa idx
+is
+.Dv NULL ) ,
+-1 if the extension could not be found, 0 if the extension is found
+and is not critical, and 1 if it is critical.
+A pointer to an extension specific structure or
+.Dv NULL
+is returned.
+.Pp
+.Fn X509V3_add1_i2d
+adds extension
+.Fa value
+to STACK
+.Pf * Fa x
+(allocating a new STACK if necessary) using OID
+.Fa nid
+and criticality
+.Fa crit
+according to
+.Fa flags .
+.Pp
+.Fn X509V3_EXT_d2i
+attempts to decode the ASN.1 data contained in extension
+.Fa ext
+and returns a pointer to an extension specific structure or
+.Dv NULL
+if the extension could not be decoded (invalid syntax or not supported).
+.Pp
+.Fn X509V3_EXT_i2d
+encodes the extension specific structure
+.Fa ext
+with OID
+.Fa ext_nid
+and criticality
+.Fa crit .
+.Pp
+.Fn X509_get_ext_d2i
+and
+.Fn X509_add1_ext_i2d
+operate on the extensions of certificate
+.Fa x ,
+they are otherwise identical to
+.Fn X509V3_get_d2i
+and
+.Fn X509V3_add1_i2d 3 .
+.Pp
+.Fn X509_CRL_get_ext_d2i
+and
+.Fn X509_CRL_add1_ext_i2d
+operate on the extensions of CRL
+.Fa crl ,
+they are otherwise identical to
+.Fn X509V3_get_d2i
+and
+.Fn X509V3_add1_i2d 3 .
+.Pp
+.Fn X509_REVOKED_get_ext_d2i
+and
+.Fn X509_REVOKED_add1_ext_i2d
+operate on the extensions of the
+.Vt X509_REVOKED
+structure
+.Fa r
+(i.e. for CRL entry extensions), they are otherwise identical to
+.Fn X509V3_get_d2i
+and
+.Fn X509V3_add1_i2d 3 .
+.Pp
+In almost all cases an extension can occur at most once and multiple
+occurrences is an error.
+Therefore the
+.Fa idx
+parameter is usually
+.Dv NULL .
+.Pp
+The
+.Fa flags
+parameter may be one of the following values.
+.Pp
+.Dv X509V3_ADD_DEFAULT
+appends a new extension only if the extension does not already exist.
+An error is returned if the extension does already exist.
+.Pp
+.Dv X509V3_ADD_APPEND
+appends a new extension, ignoring whether the extension already exists.
+.Pp
+.Dv X509V3_ADD_REPLACE
+replaces an extension if it exists otherwise appends a new extension.
+.Pp
+.Dv X509V3_ADD_REPLACE_EXISTING
+replaces an existing extension if it exists otherwise returns an error.
+.Pp
+.Dv X509V3_ADD_KEEP_EXISTING
+appends a new extension only if the extension does not already exist.
+An error
+.Sy is not
+returned if the extension does already exist.
+.Pp
+.Dv X509V3_ADD_DELETE
+deletes extension
+.Fa nid .
+No new extension is added.
+.Pp
+If
+.Dv X509V3_ADD_SILENT
+is ored with
+.Fa flags ,
+any error returned will not be added to the error queue.
+.Pp
+The function
+.Fn X509V3_get_d2i
+will return
+.Dv NULL
+if the extension is not found, occurs multiple times or cannot be
+decoded.
+It is possible to determine the precise reason by checking the value of
+.Pf * Fa crit .
+.Sh SUPPORTED EXTENSIONS
+The following sections contain a list of all supported extensions
+including their name and NID.
+.Ss PKIX Certificate Extensions
+The following certificate extensions are defined in PKIX standards such
+as RFC5280.
+.Bl -column 30n 30n
+.It Basic Constraints             Ta Dv NID_basic_constraints
+.It Key Usage                     Ta Dv NID_key_usage
+.It Extended Key Usage            Ta Dv NID_ext_key_usage
+.It Subject Key Identifier        Ta Dv NID_subject_key_identifier
+.It Authority Key Identifier      Ta Dv NID_authority_key_identifier
+.It Private Key Usage Period      Ta Dv NID_private_key_usage_period
+.It Subject Alternative Name      Ta Dv NID_subject_alt_name
+.It Issuer Alternative Name       Ta Dv NID_issuer_alt_name
+.It Authority Information Access  Ta Dv NID_info_access
+.It Subject Information Access    Ta Dv NID_sinfo_access
+.It Name Constraints              Ta Dv NID_name_constraints
+.It Certificate Policies          Ta Dv NID_certificate_policies
+.It Policy Mappings               Ta Dv NID_policy_mappings
+.It Policy Constraints            Ta Dv NID_policy_constraints
+.It Inhibit Any Policy            Ta Dv NID_inhibit_any_policy
+.El
+.Ss Netscape Certificate Extensions
+The following are (largely obsolete) Netscape certificate extensions.
+.Bl -column 30n 30n
+.It Netscape Cert Type            Ta Dv NID_netscape_cert_type
+.It Netscape Base Url             Ta Dv NID_netscape_base_url
+.It Netscape Revocation Url       Ta Dv NID_netscape_revocation_url
+.It Netscape CA Revocation Url    Ta Dv NID_netscape_ca_revocation_url
+.It Netscape Renewal Url          Ta Dv NID_netscape_renewal_url
+.It Netscape CA Policy Url        Ta Dv NID_netscape_ca_policy_url
+.It Netscape SSL Server Name      Ta Dv NID_netscape_ssl_server_name
+.It Netscape Comment              Ta Dv NID_netscape_comment
+.El
+.Ss Miscellaneous Certificate Extensions
+.Bl -column 30n 30n
+.It Strong Extranet ID            Ta Dv NID_sxnet
+.It Proxy Certificate Information Ta Dv NID_proxyCertInfo
+.El
+.Ss PKIX CRL Extensions
+The following are CRL extensions from PKIX standards such as RFC5280.
+.Bl -column 30n 30n
+.It CRL Number                    Ta Dv NID_crl_number
+.It CRL Distribution Points       Ta Dv NID_crl_distribution_points
+.It Delta CRL Indicator           Ta Dv NID_delta_crl
+.It Freshest CRL                  Ta Dv NID_freshest_crl
+.It Invalidity Date               Ta Dv NID_invalidity_date
+.It Issuing Distribution Point    Ta Dv NID_issuing_distribution_point
+.El
+.Pp
+The following are CRL entry extensions from PKIX standards such as
+RFC5280.
+.Bl -column 30n 30n
+.It CRL Reason Code               Ta Dv NID_crl_reason
+.It Certificate Issuer            Ta Dv NID_certificate_issuer
+.El
+.Ss OCSP Extensions
+.Bl -column 30n 30n
+.It OCSP Nonce                    Ta Dv NID_id_pkix_OCSP_Nonce
+.It OCSP CRL ID                   Ta Dv NID_id_pkix_OCSP_CrlID
+.It Acceptable OCSP Responses     Ta Dv NID_id_pkix_OCSP_acceptableResponses
+.It OCSP No Check                 Ta Dv NID_id_pkix_OCSP_noCheck
+.It OCSP Archive Cutoff           Ta Dv NID_id_pkix_OCSP_archiveCutoff
+.It OCSP Service Locator          Ta Dv NID_id_pkix_OCSP_serviceLocator
+.It Hold Instruction Code         Ta Dv NID_hold_instruction_code
+.El
+.Ss Certificate Transparency Extensions
+The following extensions are used by certificate transparency, RFC6962
+.Bl -column 30n 30n
+.It CT Precertificate SCTs        Ta Dv NID_ct_precert_scts
+.It CT Certificate SCTs           Ta Dv NID_ct_cert_scts
+.El
+.Sh RETURN VALUES
+.Fn X509V3_get_d2i
+and
+.Fn X509V3_EXT_d2i
+return a pointer to an extension specific structure or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn X509V3_EXT_i2d
+returns a pointer to an
+.Vt X509_EXTENSION
+structure or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn X509V3_add1_i2d
+returns 1 if the operation is successful, 0 if it fails due to a
+non-fatal error (extension not found, already exists, cannot be encoded),
+or -1 due to a fatal error such as a memory allocation failure.
+.Sh SEE ALSO
+.Xr d2i_X509 3 ,
+.Xr ERR_get_error 3 ,
+.Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_get_ext_d2i 3 ,
+.Xr X509_get_pubkey 3 ,
+.Xr X509_get_subject_name 3 ,
+.Xr X509_get_version 3 ,
+.Xr X509_NAME_add_entry_by_txt 3 ,
+.Xr X509_NAME_ENTRY_get_object 3 ,
+.Xr X509_NAME_get_index_by_NID 3 ,
+.Xr X509_NAME_print_ex 3 ,
+.Xr X509_new 3 ,
+.Xr X509_sign 3 ,
+.Xr X509_verify_cert 3
diff --git a/src/lib/libcrypto/man/X509_ALGOR_dup.3 b/src/lib/libcrypto/man/X509_ALGOR_dup.3
new file mode 100644
index 0000000000..00d87592c7
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_ALGOR_dup.3
@@ -0,0 +1,157 @@
+.\"     $OpenBSD: X509_ALGOR_dup.3,v 1.1 2016/12/04 20:51:47 schwarze Exp $
+.\"     OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2002, 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 4 2016 $
+.Dt X509_ALGOR_DUP 3
+.Os
+.Sh NAME
+.Nm X509_ALGOR_dup ,
+.Nm X509_ALGOR_set0 ,
+.Nm X509_ALGOR_get0 ,
+.Nm X509_ALGOR_set_md ,
+.Nm X509_ALGOR_cmp
+.Nd AlgorithmIdentifier functions
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft X509_ALGOR *
+.Fo X509_ALGOR_dup
+.Fa "X509_ALGOR *alg"
+.Fc
+.Ft int
+.Fo X509_ALGOR_set0
+.Fa "X509_ALGOR *alg"
+.Fa "ASN1_OBJECT *aobj"
+.Fa "int ptype"
+.Fa "void *pval"
+.Fc
+.Ft void
+.Fo X509_ALGOR_get0
+.Fa "ASN1_OBJECT **paobj"
+.Fa "int *pptype"
+.Fa "const void **ppval"
+.Fa "const X509_ALGOR *alg"
+.Fc
+.Ft void
+.Fo X509_ALGOR_set_md
+.Fa "X509_ALGOR *alg"
+.Fa "const EVP_MD *md"
+.Fc
+.Ft int
+.Fo X509_ALGOR_cmp
+.Fa "const X509_ALGOR *a"
+.Fa "const X509_ALGOR *b"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_ALGOR_dup
+returns a copy of
+.Fa alg .
+.Pp
+.Fn X509_ALGOR_set0
+sets the algorithm OID of
+.Fa alg
+to
+.Fa aobj
+and the associated parameter type to
+.Fa ptype
+with value
+.Fa pval .
+If
+.Fa ptype
+is
+.Sy V_ASN1_UNDEF
+the parameter is omitted, otherwise
+.Fa ptype
+and
+.Fa pval
+have the same meaning as the
+.Sy type
+and
+.Sy value
+parameters to
+.Xr ASN1_TYPE_set 3 .
+All the supplied parameters are used internally so must
+.Sy NOT
+be freed after this call.
+.Pp
+.Fn X509_ALGOR_get0
+is the inverse of
+.Fn X509_ALGOR_set0 :
+it returns the algorithm OID in
+.Sy *paobj
+and the associated parameter in
+.Sy *pptype
+and
+.Sy *ppval
+from the
+.Sy AlgorithmIdentifier
+.Fa alg .
+.Pp
+.Fn X509_ALGOR_set_md
+sets the
+.Sy AlgorithmIdentifier
+.Fa alg
+to appropriate values for the message digest
+.Fa md .
+.Pp
+.Fn X509_ALGOR_cmp
+compares
+.Fa a
+and
+.Fa b
+and returns 0 if they have identical encodings and non-zero otherwise.
+.Sh COPYRIGHT
+Copyright 2002-2016 The OpenSSL Project Authors.
+All Rights Reserved.
+.Pp
+Licensed under the OpenSSL license (the "License").
+You may not use this file except in compliance with the License.
+You can obtain a copy in the file LICENSE in the source distribution or
+at
+.Lk https://www.openssl.org/source/license.html .
diff --git a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3 b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
new file mode 100644
index 0000000000..fdfaf76beb
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
@@ -0,0 +1,192 @@
+.\"     $OpenBSD: X509_CRL_get0_by_serial.3,v 1.1 2016/12/04 20:51:47 schwarze Exp $
+.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 4 2016 $
+.Dt X509_CRL_GET0_BY_SERIAL 3
+.Os
+.Sh NAME
+.Nm X509_CRL_get0_by_serial ,
+.Nm X509_CRL_get0_by_cert ,
+.Nm X509_CRL_get_REVOKED ,
+.Nm X509_REVOKED_set_serialNumber ,
+.Nm X509_REVOKED_set_revocationDate ,
+.Nm X509_CRL_add0_revoked ,
+.Nm X509_CRL_sort
+.Nd CRL revoked entry utility functions
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft int
+.Fo X509_CRL_get0_by_serial
+.Fa "X509_CRL *crl"
+.Fa "X509_REVOKED **ret"
+.Fa "ASN1_INTEGER *serial"
+.Fc
+.Ft int
+.Fo X509_CRL_get0_by_cert
+.Fa "X509_CRL *crl"
+.Fa "X509_REVOKED **ret"
+.Fa "X509 *x"
+.Fc
+.Ft STACK_OF(X509_REVOKED) *
+.Fo X509_CRL_get_REVOKED
+.Fa "X509_CRL *crl"
+.Fc
+.Ft int
+.Fo X509_REVOKED_set_serialNumber
+.Fa "X509_REVOKED *r"
+.Fa "ASN1_INTEGER *serial"
+.Fc
+.Ft int
+.Fo X509_REVOKED_set_revocationDate
+.Fa "X509_REVOKED *r"
+.Fa "ASN1_TIME *tm"
+.Fc
+.Ft int
+.Fo X509_CRL_add0_revoked
+.Fa "X509_CRL *crl"
+.Fa "X509_REVOKED *rev"
+.Fc
+.Ft int
+.Fo X509_CRL_sort
+.Fa "X509_CRL *crl"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_CRL_get0_by_serial
+attempts to find a revoked entry in
+.Fa crl
+for serial number
+.Fa serial .
+If it is successful, it sets
+.Pf * Fa ret
+to the internal pointer of the matching entry.
+Consequently,
+.Pf * Fa ret
+must not be freed up after the call.
+.Pp
+.Fn X509_CRL_get0_by_cert
+is similar to
+.Fn X509_CRL_get0_by_serial
+except that it looks for a revoked entry using the serial number
+of certificate
+.Fa x .
+.Pp
+.Fn X509_CRL_get_REVOKED
+returns an internal pointer to a stack of all revoked entries for
+.Fa crl .
+It is implemented as a macro.
+.Pp
+.Fn X509_REVOKED_set_serialNumber
+sets the serial number of
+.Fa r
+to
+.Fa serial .
+The supplied
+.Fa serial
+pointer is not used internally so it should be freed up after use.
+.Pp
+.Fn X509_REVOKED_set_revocationDate
+sets the revocation date of
+.Fa r
+to
+.Fa tm .
+The supplied
+.Fa tm
+pointer is not used internally so it should be freed up after use.
+.Pp
+.Fn X509_CRL_add0_revoked
+appends revoked entry
+.Fa rev
+to CRL
+.Fa crl .
+The pointer
+.Fa rev
+is used internally so it must not be freed up after the call: it is
+freed when the parent CRL is freed.
+.Pp
+.Fn X509_CRL_sort
+sorts the revoked entries of
+.Fa crl
+into ascending serial number order.
+.Pp
+Applications can determine the number of revoked entries returned by
+.Fn X509_CRL_get_revoked
+using
+.Xr sk_X509_REVOKED_num 3
+and examine each one in turn using
+.Xr sk_X509_REVOKED_value 3 .
+.Sh RETURN VALUES
+.Fn X509_CRL_get0_by_serial ,
+.Fn X509_CRL_get0_by_cert ,
+.Fn X509_REVOKED_set_serialNumber ,
+.Fn X509_REVOKED_set_revocationDate ,
+.Fn X509_CRL_add0_revoked ,
+and
+.Fn X509_CRL_sort
+return 1 for success or 0 for failure.
+.Pp
+.Fn X509_CRL_get_REVOKED
+returns a STACK of revoked entries.
+.Sh SEE ALSO
+.Xr d2i_X509 3 ,
+.Xr ERR_get_error 3 ,
+.Xr X509_get0_signature 3 ,
+.Xr X509_get_ext_d2i 3 ,
+.Xr X509_get_extension_flags 3 ,
+.Xr X509_get_pubkey 3 ,
+.Xr X509_get_subject_name 3 ,
+.Xr X509_get_version 3 ,
+.Xr X509_NAME_add_entry_by_txt 3 ,
+.Xr X509_NAME_ENTRY_get_object 3 ,
+.Xr X509_NAME_get_index_by_NID 3 ,
+.Xr X509_NAME_print_ex 3 ,
+.Xr X509_new 3 ,
+.Xr X509_sign 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509V3_get_d2i 3
diff --git a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
new file mode 100644
index 0000000000..32bb9c6828
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
@@ -0,0 +1,221 @@
+.\"     $OpenBSD: X509_EXTENSION_set_object.3,v 1.1 2016/12/04 20:51:47 schwarze Exp $
+.\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 4 2016 $
+.Dt X509_EXTENSION_SET_OBJECT 3
+.Os
+.Sh NAME
+.Nm X509_EXTENSION_set_object ,
+.Nm X509_EXTENSION_set_critical ,
+.Nm X509_EXTENSION_set_data ,
+.Nm X509_EXTENSION_create_by_NID ,
+.Nm X509_EXTENSION_create_by_OBJ ,
+.Nm X509_EXTENSION_get_object ,
+.Nm X509_EXTENSION_get_critical ,
+.Nm X509_EXTENSION_get_data
+.Nd extension utility functions
+.Sh SYNOPSIS
+.Ft int
+.Fo X509_EXTENSION_set_object
+.Fa "X509_EXTENSION *ex"
+.Fa "ASN1_OBJECT *obj"
+.Fc
+.Ft int
+.Fo X509_EXTENSION_set_critical
+.Fa "X509_EXTENSION *ex"
+.Fa "int crit"
+.Fc
+.Ft int
+.Fo X509_EXTENSION_set_data
+.Fa "X509_EXTENSION *ex"
+.Fa "ASN1_OCTET_STRING *data"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509_EXTENSION_create_by_NID
+.Fa "X509_EXTENSION **ex"
+.Fa "int nid"
+.Fa "int crit"
+.Fa "ASN1_OCTET_STRING *data"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509_EXTENSION_create_by_OBJ
+.Fa "X509_EXTENSION **ex"
+.Fa "ASN1_OBJECT *obj"
+.Fa "int crit"
+.Fa "ASN1_OCTET_STRING *data"
+.Fc
+.Ft ASN1_OBJECT *
+.Fo X509_EXTENSION_get_object
+.Fa "X509_EXTENSION *ex"
+.Fc
+.Ft int
+.Fo X509_EXTENSION_get_critical
+.Fa "X509_EXTENSION *ex"
+.Fc
+.Ft ASN1_OCTET_STRING *
+.Fo X509_EXTENSION_get_data
+.Fa "X509_EXTENSION *ne"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_EXTENSION_set_object
+sets the extension type of
+.Fa ex
+to
+.Fa obj .
+The
+.Fa obj
+pointer is duplicated internally so
+.Fa obj
+should be freed up after use.
+.Pp
+.Fn X509_EXTENSION_set_critical
+sets the criticality of
+.Fa ex
+to
+.Fa crit .
+If
+.Fa crit
+is zero, the extension in non-critical, otherwise it is critical.
+.Pp
+.Fn X509_EXTENSION_set_data
+sets the data in extension
+.Fa ex
+to
+.Fa data .
+The
+.Fa data
+pointer is duplicated internally.
+.Pp
+.Fn X509_EXTENSION_create_by_NID
+creates an extension of type
+.Fa nid ,
+criticality
+.Fa crit
+using data
+.Fa data .
+The created extension is returned and written to
+.Pf * Fa ex
+reusing or allocating a new extension if necessary, so
+.Pf * Fa ex
+should either be
+.Dv NULL
+or a valid
+.Vt X509_EXTENSION
+structure.
+It must not be an uninitialised pointer.
+.Pp
+.Fn X509_EXTENSION_create_by_OBJ
+is identical to
+.Fn X509_EXTENSION_create_by_NID
+except that it creates an extension using
+.Fa obj
+instead of a NID.
+.Pp
+.Fn X509_EXTENSION_get_object
+returns the extension type of
+.Fa ex
+as an
+.Vt ASN1_OBJECT
+pointer.
+The returned pointer is an internal value which must not be freed up.
+.Pp
+.Fn X509_EXTENSION_get_critical
+returns the criticality of extension
+.Fa ex
+it returns 1 for critical and 0 for non-critical.
+.Pp
+.Fn X509_EXTENSION_get_data
+returns the data of extension
+.Fa ex .
+The returned pointer is an internal value which must not be freed up.
+.Pp
+These functions manipulate the contents of an extension directly.
+Most applications will want to parse or encode and add an extension:
+they should use the extension encode and decode functions instead
+such as
+.Xr X509_add1_ext_i2d 3
+and
+.Xr X509_get_ext_d2i 3 .
+.Pp
+The
+.Fa data
+associated with an extension is the extension encoding in an
+.Vt ASN1_OCTET_STRING
+structure.
+.Sh RETURN VALUES
+.Fn X509_EXTENSION_set_object ,
+.Fn X509_EXTENSION_set_critical ,
+and
+.Fn X509_EXTENSION_set_data
+return 1 for success or 0 for failure.
+.Pp
+.Fn X509_EXTENSION_create_by_NID
+and
+.Fn X509_EXTENSION_create_by_OBJ
+return an
+.Vt X509_EXTENSION
+pointer or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn X509_EXTENSION_get_object
+returns an
+.Vt ASN1_OBJECT
+pointer.
+.Pp
+.Fn X509_EXTENSION_get_critical
+returns 0 for non-critical or 1 for critical.
+.Pp
+.Fn X509_EXTENSION_get_data
+returns an
+.Vt ASN1_OCTET_STRING
+pointer.
+.Sh SEE ALSO
+.Xr X509V3_get_d2i 3
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
new file mode 100644
index 0000000000..4b06525994
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
@@ -0,0 +1,219 @@
+.\"     $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.1 2016/12/04 20:51:47 schwarze Exp $
+.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>
+.\" and Claus Assmann.
+.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 4 2016 $
+.Dt X509_LOOKUP_HASH_DIR 3
+.Os
+.Sh NAME
+.Nm X509_LOOKUP_hash_dir ,
+.Nm X509_LOOKUP_file ,
+.Nm X509_load_cert_file ,
+.Nm X509_load_crl_file ,
+.Nm X509_load_cert_crl_file
+.Nd default OpenSSL certificate lookup methods
+.Sh SYNOPSIS
+.In openssl/x509_vfy.h
+.Ft X509_LOOKUP_METHOD *
+.Fn X509_LOOKUP_hash_dir void
+.Ft X509_LOOKUP_METHOD *
+.Fn X509_LOOKUP_file void
+.Ft int
+.Fo X509_load_cert_file
+.Fa "X509_LOOKUP *ctx"
+.Fa "const char *file"
+.Fa "int type"
+.Fc
+.Ft int
+.Fo X509_load_crl_file
+.Fa "X509_LOOKUP *ctx"
+.Fa "const char *file"
+.Fa "int type"
+.Fc
+.Ft int
+.Fo X509_load_cert_crl_file
+.Fa "X509_LOOKUP *ctx"
+.Fa "const char *file"
+.Fa "int type"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_LOOKUP_hash_dir
+and
+.Fn X509_LOOKUP_file
+are two certificate lookup methods to use with
+.Vt X509_STORE ,
+provided by OpenSSL library.
+.Pp
+Users of the library typically do not need to create instances of these
+methods manually.
+They are created automatically by the
+.Xr X509_STORE_load_locations 3
+or
+.Xr SSL_CTX_load_verify_locations 3
+functions.
+.Pp
+Internally loading of certificates and CRLs is implemented via functions
+.Fn X509_load_cert_crl_file ,
+.Fn X509_load_cert_file
+and
+.Fn X509_load_crl_file .
+These functions support a parameter
+.Fa type ,
+which can be one of the constants
+.Dv FILETYPE_PEM ,
+.Dv FILETYPE_ASN1 ,
+and
+.Dv FILETYPE_DEFAULT .
+They load certificates and/or CRLs from the specified file into a
+memory cache of
+.Vt X509_STORE
+objects which the given
+.Fa ctx
+parameter is associated with.
+.Pp
+The functions
+.Fn X509_load_cert_file
+and
+.Fn X509_load_crl_file
+can load both PEM and DER formats depending on the
+.Fa type
+value.
+Because DER format cannot contain more than one certificate or CRL
+object (while PEM can contain several concatenated PEM objects),
+.Fn X509_load_cert_crl_file
+with
+.Dv FILETYPE_ASN1
+is equivalent to
+.Fn X509_load_cert_file .
+.Pp
+The constant
+.Dv FILETYPE_DEFAULT
+with
+.Dv NULL
+filename causes these functions to load default certificate
+store file (see
+.Xr X509_STORE_set_default_paths 3 ) .
+.Pp
+These functions return the number of objects loaded from file or 0
+in case of error.
+.Pp
+Both methods support adding several certificate locations into one
+.Sy X509_STORE .
+.Pp
+This page documents certificate store formats used by these methods and
+caching policy.
+.Ss File Method
+The
+.Fn X509_LOOKUP_file
+method loads all the certificates or CRLs present in a file into memory
+at the time the file is added as a lookup source.
+.Pp
+The file format is ASCII text which contains concatenated PEM
+certificates and CRLs.
+.Pp
+This method should be used by applications which work with a small set
+of CAs.
+.Ss Hashed Directory Method
+.Fa X509_LOOKUP_hash_dir
+is a more advanced method, which loads certificates and CRLs on demand,
+and caches them in memory once they are loaded.
+As of OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so
+that newer CRLs are used as soon as they appear in the directory.
+.Pp
+The directory should contain one certificate or CRL per file in PEM
+format, with a file name of the form
+.Ar hash . Ns Ar N
+for a certificate, or
+.Ar hash . Ns Sy r Ns Ar N
+for a CRL.
+The
+.Ar hash
+is the value returned by the
+.Xr X509_NAME_hash 3
+function applied to the subject name for certificates or issuer
+name for CRLs.
+The hash can also be obtained via the
+.Fl hash
+option of the
+.Xr openssl
+.Cm x509
+or
+.Cm crl
+commands.
+.Pp
+The
+.Ar N
+suffix is a sequence number that starts at zero and is incremented
+consecutively for each certificate or CRL with the same
+.Ar hash
+value.
+Gaps in the sequence numbers are not supported.
+It is assumed that there are no more objects with the same hash
+beyond the first missing number in the sequence.
+.Pp
+Sequence numbers make it possible for the directory to contain multiple
+certificates with the same subject name hash value.
+For example, it is possible to have in the store several certificates
+with the same subject or several CRLs with the same issuer (and, for
+example, a different validity period).
+.Pp
+When checking for new CRLs, once one CRL for a given hash value is
+loaded, hash_dir lookup method checks only for certificates with
+sequence number greater than that of the already cached CRL.
+.Pp
+Note that the hash algorithm used for subject name hashing changed in
+OpenSSL 1.0.0, and all certificate stores have to be rehashed when
+moving from OpenSSL 0.9.8 to 1.0.0.
+.Sh SEE ALSO
+.Xr d2i_X509_bio 3 ,
+.Xr PEM_read_PrivateKey 3 ,
+.Xr SSL_CTX_load_verify_locations 3 ,
+.Xr X509_STORE_add_lookup 3 ,
+.Xr X509_STORE_load_locations 3