7 files changed, 1173 insertions, 1 deletions

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 3c14577966..f6c0ef249a 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.65 2016/12/05 16:13:19 schwarze Exp $
+# $OpenBSD: Makefile,v 1.66 2016/12/05 18:24:08 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -190,8 +190,14 @@ MAN=	\
         X509_check_ca.3 \
         X509_check_host.3 \
         X509_check_issued.3 \
+        X509_get_pubkey.3 \
+        X509_get_serialNumber.3 \
+        X509_get_subject_name.3 \
+        X509_get_version.3 \
         X509_new.3 \
+        X509_sign.3 \
         X509_verify_cert.3 \
+        X509v3_get_ext_by_NID.3 \
         bn.3 \
         bn_dump.3 \
         crypto.3 \
diff --git a/src/lib/libcrypto/man/X509_get_pubkey.3 b/src/lib/libcrypto/man/X509_get_pubkey.3
new file mode 100644
index 0000000000..8948f5cfda
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_get_pubkey.3
@@ -0,0 +1,147 @@
+.\"     $OpenBSD: X509_get_pubkey.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $
+.\"     OpenSSL e7fabc5e Sep 7 13:41:20 2015 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509_GET_PUBKEY 3
+.Os
+.Sh NAME
+.Nm X509_get_pubkey ,
+.Nm X509_set_pubkey ,
+.Nm X509_get_X509_PUBKEY ,
+.Nm X509_REQ_get_pubkey ,
+.Nm X509_REQ_set_pubkey
+.Nd get or set certificate or certificate request public key
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft EVP_PKEY *
+.Fo X509_get_pubkey
+.Fa "X509 *x"
+.Fc
+.Ft int
+.Fo X509_set_pubkey
+.Fa "X509 *x"
+.Fa "EVP_PKEY *pkey"
+.Fc
+.Ft X509_PUBKEY *
+.Fo X509_get_X509_PUBKEY
+.Fa "X509 *x"
+.Fc
+.Ft EVP_PKEY *
+.Fo X509_REQ_get_pubkey
+.Fa "X509_REQ *req"
+.Fc
+.Ft int
+.Fo X509_REQ_set_pubkey
+.Fa "X509_REQ *x"
+.Fa "EVP_PKEY *pkey"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_get_pubkey
+attempts to decode the public key for certificate
+.Fa x .
+If successful it returns the public key as an
+.Vt EVP_PKEY
+pointer with its reference count incremented: this means the returned
+key must be freed up after use.
+.Pp
+.Fn X509_get_X509_PUBKEY
+returns an internal pointer to the
+.Vt X509_PUBKEY
+structure which encodes the certificate of
+.Fa x .
+The returned value must not be freed up after use.
+.Fn X509_get_X509_PUBKEY
+is implemented as a macro.
+.Pp
+.Fn X509_set_pubkey
+attempts to set the public key for certificate
+.Fa x
+to
+.Fa pkey .
+The key
+.Fa pkey
+should be freed up after use.
+.Pp
+.Fn X509_REQ_get_pubkey
+and
+.Fn X509_REQ_set_pubkey
+are similar but operate on certificate request
+.Fa req .
+.Pp
+The first time a public key is decoded, the
+.Vt EVP_PKEY
+structure is cached in the certificate or certificate request itself.
+Subsequent calls return the cached structure with its reference count
+incremented to improve performance.
+.Sh RETURN VALUES
+.Fn X509_get_pubkey ,
+.Fn X509_get_X509_PUBKEY ,
+and
+.Fn X509_REQ_get_pubkey
+return a public key or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn X509_set_pubkey
+and
+.Fn X509_REQ_set_pubkey
+return 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr d2i_X509 3 ,
+.Xr ERR_get_error 3 ,
+.Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_NAME_add_entry_by_txt 3 ,
+.Xr X509_NAME_ENTRY_get_object 3 ,
+.Xr X509_NAME_get_index_by_NID 3 ,
+.Xr X509_NAME_print_ex 3 ,
+.Xr X509_new 3 ,
+.Xr X509_sign 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509V3_get_d2i 3
diff --git a/src/lib/libcrypto/man/X509_get_serialNumber.3 b/src/lib/libcrypto/man/X509_get_serialNumber.3
new file mode 100644
index 0000000000..9f2b14ec10
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_get_serialNumber.3
@@ -0,0 +1,112 @@
+.\"     $OpenBSD: X509_get_serialNumber.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $
+.\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509_GET_SERIALNUMBER 3
+.Os
+.Sh NAME
+.Nm X509_get_serialNumber ,
+.Nm X509_set_serialNumber
+.Nd get or set certificate serial number
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft ASN1_INTEGER *
+.Fo X509_get_serialNumber
+.Fa "X509 *x"
+.Fc
+.Ft int
+.Fo X509_set_serialNumber
+.Fa "X509 *x"
+.Fa "ASN1_INTEGER *serial"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_get_serialNumber
+returns the serial number of certificate
+.Fa x
+as an
+.Vt ASN1_INTEGER
+structure which can be examined or initialised.
+The value returned is an internal pointer which must not be freed
+up after the call.
+.Pp
+.Fn X509_set_serialNumber
+sets the serial number of certificate
+.Fa x
+to
+.Fa serial .
+A copy of the serial number is used internally so
+.Fa serial
+should be freed up after use.
+.Sh RETURN VALUES
+.Fn X509_get_serialNumber
+returns an
+.Vt ASN1_INTEGER
+structure.
+.Pp
+.Fn X509_set_serialNumber
+returns 1 for success and 0 for failure.
+.Sh SEE ALSO
+.Xr d2i_X509 3 ,
+.Xr ERR_get_error 3 ,
+.Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_get_pubkey 3 ,
+.Xr X509_NAME_add_entry_by_txt 3 ,
+.Xr X509_NAME_ENTRY_get_object 3 ,
+.Xr X509_NAME_get_index_by_NID 3 ,
+.Xr X509_NAME_print_ex 3 ,
+.Xr X509_new 3 ,
+.Xr X509_sign 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509V3_get_d2i 3
+.Sh HISTORY
+.Fn X509_get_serialNumber
+and
+.Fn X509_set_serialNumber
+are available in all versions of OpenSSL.
diff --git a/src/lib/libcrypto/man/X509_get_subject_name.3 b/src/lib/libcrypto/man/X509_get_subject_name.3
new file mode 100644
index 0000000000..1b5814286f
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_get_subject_name.3
@@ -0,0 +1,169 @@
+.\"     $OpenBSD: X509_get_subject_name.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $
+.\"     OpenSSL 0ad69cd6 Jun 14 23:02:16 2016 +0200
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509_GET_SUBJECT_NAME 3
+.Os
+.Sh NAME
+.Nm X509_get_subject_name ,
+.Nm X509_set_subject_name ,
+.Nm X509_get_issuer_name ,
+.Nm X509_set_issuer_name ,
+.Nm X509_REQ_get_subject_name ,
+.Nm X509_REQ_set_subject_name ,
+.Nm X509_CRL_get_issuer ,
+.Nm X509_CRL_set_issuer_name
+.Nd get and set issuer or subject names
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft X509_NAME *
+.Fo X509_get_subject_name
+.Fa "X509 *x"
+.Fc
+.Ft int
+.Fo X509_set_subject_name
+.Fa "X509 *x"
+.Fa "X509_NAME *name"
+.Fc
+.Ft X509_NAME *
+.Fo X509_get_issuer_name
+.Fa "X509 *x"
+.Fc
+.Ft int
+.Fo X509_set_issuer_name
+.Fa "X509 *x"
+.Fa "X509_NAME *name"
+.Fc
+.Ft X509_NAME *
+.Fo X509_REQ_get_subject_name
+.Fa "const X509_REQ *req"
+.Fc
+.Ft int
+.Fo X509_REQ_set_subject_name
+.Fa "X509_REQ *req"
+.Fa "X509_NAME *name"
+.Fc
+.Ft X509_NAME *
+.Fo X509_CRL_get_issuer
+.Fa "const X509_CRL *crl"
+.Fc
+.Ft int
+.Fo X509_CRL_set_issuer_name
+.Fa "X509_CRL *x"
+.Fa "X509_NAME *name"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_get_subject_name
+returns the subject name of certificate
+.Fa x .
+The returned value is an internal pointer which must not be freed.
+.Pp
+.Fn X509_set_subject_name
+sets the issuer name of certificate
+.Fa x
+to
+.Fa name .
+The
+.Fa name
+parameter is copied internally and should be freed up when it is no
+longer needed.
+.Pp
+.Fn X509_get_issuer_name
+and
+.Fn X509_set_issuer_name
+are identical to
+.Fn X509_get_subject_name
+and
+.Fn X509_set_subject_name
+except that they get and set the issuer name of
+.Fa x .
+.Pp
+Similarly
+.Fn X509_REQ_get_subject_name ,
+.Fn X509_REQ_set_subject_name ,
+.Fn X509_CRL_get_issuer ,
+and
+.Fn X509_CRL_set_issuer_name
+get or set the subject or issuer names of certificate requests
+of CRLs, respectively.
+.Pp
+.Fn X509_REQ_get_subject_name
+and
+.Fn X509_CRL_get_issuer
+are implemented as macros.
+.Sh RETURN VALUES
+.Fn X509_get_subject_name ,
+.Fn X509_get_issuer_name ,
+.Fn X509_REQ_get_subject_name ,
+and
+.Fn X509_CRL_get_issuer
+return a pointer to an
+.Vt X509_NAME
+object.
+.Pp
+.Fn X509_set_subject_name ,
+.Fn X509_set_issuer_name ,
+.Fn X509_REQ_set_subject_name ,
+and
+.Fn X509_CRL_set_issuer_name
+return 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr d2i_X509 3 ,
+.Xr ERR_get_error 3 ,
+.Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_get_pubkey 3 ,
+.Xr X509_NAME_add_entry_by_txt 3 ,
+.Xr X509_NAME_ENTRY_get_object 3 ,
+.Xr X509_NAME_get_index_by_NID 3 ,
+.Xr X509_NAME_print_ex 3 ,
+.Xr X509_new 3 ,
+.Xr X509_sign 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509V3_get_d2i 3
diff --git a/src/lib/libcrypto/man/X509_get_version.3 b/src/lib/libcrypto/man/X509_get_version.3
new file mode 100644
index 0000000000..6e35f3df31
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_get_version.3
@@ -0,0 +1,149 @@
+.\"     $OpenBSD: X509_get_version.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $
+.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509_GET_VERSION 3
+.Os
+.Sh NAME
+.Nm X509_get_version ,
+.Nm X509_set_version ,
+.Nm X509_REQ_get_version ,
+.Nm X509_REQ_set_version ,
+.Nm X509_CRL_get_version ,
+.Nm X509_CRL_set_version
+.Nd get or set certificate, certificate request, or CRL version
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft long
+.Fo X509_get_version
+.Fa "const X509 *x"
+.Fc
+.Ft int
+.Fo X509_set_version
+.Fa "X509 *x"
+.Fa "long version"
+.Fc
+.Ft long
+.Fo X509_REQ_get_version
+.Fa "const X509_REQ *req"
+.Fc
+.Ft int
+.Fo X509_REQ_set_version
+.Fa "X509_REQ *x"
+.Fa "long version"
+.Fc
+.Ft long
+.Fo X509_CRL_get_version
+.Fa "const X509_CRL *crl"
+.Fc
+.Ft int
+.Fo X509_CRL_set_version
+.Fa "X509_CRL *x"
+.Fa "long version"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_get_version
+returns the numerical value of the version field of certificate
+.Fa x .
+Note: this is defined by standards (X.509 et al.) to be one less
+than the certificate version.
+So a version 3 certificate will return 2 and a version 1 certificate
+will return 0.
+.Pp
+.Fn X509_set_version
+sets the numerical value of the version field of certificate
+.Fa x
+to
+.Fa version .
+.Pp
+Similarly
+.Fn X509_REQ_get_version ,
+.Fn X509_REQ_set_version ,
+.Fn X509_CRL_get_version ,
+and
+.Fn X509_CRL_set_version
+get and set the version number of certificate requests and CRLs.
+.Pp
+The version field of certificates, certificate requests, and CRLs
+has a DEFAULT value of v1(0) meaning the field should be omitted
+for version 1.
+This is handled transparently by these functions.
+.Pp
+.Fn X509_get_version ,
+.Fn X509_REQ_get_version
+and
+.Fn X509_CRL_get_version
+are implemented as macros.
+.Sh RETURN VALUES
+.Fn X509_get_version ,
+.Fn X509_REQ_get_version ,
+and
+.Fn X509_CRL_get_version
+return the numerical value of the version field.
+.Pp
+.Fn X509_set_version ,
+.Fn X509_REQ_set_version ,
+and
+.Fn X509_CRL_set_version
+return 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr d2i_X509 3 ,
+.Xr ERR_get_error 3 ,
+.Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_get_pubkey 3 ,
+.Xr X509_get_subject_name 3 ,
+.Xr X509_NAME_add_entry_by_txt 3 ,
+.Xr X509_NAME_ENTRY_get_object 3 ,
+.Xr X509_NAME_get_index_by_NID 3 ,
+.Xr X509_NAME_print_ex 3 ,
+.Xr X509_new 3 ,
+.Xr X509_sign 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509V3_get_d2i 3
diff --git a/src/lib/libcrypto/man/X509_sign.3 b/src/lib/libcrypto/man/X509_sign.3
new file mode 100644
index 0000000000..2680f0b095
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_sign.3
@@ -0,0 +1,202 @@
+.\"     $OpenBSD: X509_sign.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $
+.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509_SIGN 3
+.Os
+.Sh NAME
+.Nm X509_sign ,
+.Nm X509_sign_ctx ,
+.Nm X509_verify ,
+.Nm X509_REQ_sign ,
+.Nm X509_REQ_sign_ctx ,
+.Nm X509_REQ_verify ,
+.Nm X509_CRL_sign ,
+.Nm X509_CRL_sign_ctx ,
+.Nm X509_CRL_verify
+.Nd sign or verify certificate, certificate request, or CRL signature
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft int
+.Fo X509_sign
+.Fa "X509 *x"
+.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_MD *md"
+.Fc
+.Ft int
+.Fo X509_sign_ctx
+.Fa "X509 *x"
+.Fa "EVP_MD_CTX *ctx"
+.Fc
+.Ft int
+.Fo X509_verify
+.Fa "X509 *a"
+.Fa "EVP_PKEY *r"
+.Fc
+.Ft int
+.Fo X509_REQ_sign
+.Fa "X509_REQ *x"
+.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_MD *md"
+.Fc
+.Ft int
+.Fo X509_REQ_sign_ctx
+.Fa "X509_REQ *x"
+.Fa "EVP_MD_CTX *ctx"
+.Fc
+.Ft int
+.Fo X509_REQ_verify
+.Fa "X509_REQ *a"
+.Fa "EVP_PKEY *r"
+.Fc
+.Ft int
+.Fo X509_CRL_sign
+.Fa "X509_CRL *x"
+.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_MD *md"
+.Fc
+.Ft int
+.Fo X509_CRL_sign_ctx
+.Fa "X509_CRL *x"
+.Fa "EVP_MD_CTX *ctx"
+.Fc
+.Ft int
+.Fo X509_CRL_verify
+.Fa "X509_CRL *a"
+.Fa "EVP_PKEY *r"
+.Fc
+.Sh DESCRIPTION
+.Fn X509_sign
+signs the certificate
+.Fa x
+using the private key
+.Fa pkey
+and the message digest
+.Fa md
+and sets the signature in
+.Fa x .
+.Fn X509_sign_ctx
+also signs the certificate
+.Fa x
+but uses the parameters contained in digest context
+.Fa ctx .
+.Pp
+.Fn X509_verify
+verifies the signature of certificate
+.Fa x
+using the public key
+.Fa pkey .
+Only the signature is checked: no other checks (such as certificate
+chain validity) are performed.
+.Pp
+.Fn X509_REQ_sign ,
+.Fn X509_REQ_sign_ctx ,
+.Fn X509_REQ_verify ,
+.Fn X509_CRL_sign ,
+.Fn X509_CRL_sign_ctx ,
+and
+.Fn X509_CRL_verify
+sign and verify certificate requests and CRLs, respectively.
+.Pp
+.Fn X509_sign_ctx
+is used where the default parameters for the corresponding public key
+and digest are not suitable.
+It can be used to sign keys using RSA-PSS for example.
+.Pp
+For efficiency reasons and to work around ASN.1 encoding issues, the
+encoding of the signed portion of a certificate, certificate request,
+and CRL is cached internally.
+If the signed portion of the structure is modified, the encoding is not
+always updated, meaning a stale version is sometimes used.
+This is not normally a problem because modifying the signed portion will
+invalidate the signature and signing will always update the encoding.
+.Sh RETURN VALUES
+.Fn X509_sign ,
+.Fn X509_sign_ctx ,
+.Fn X509_REQ_sign ,
+.Fn X509_REQ_sign_ctx ,
+.Fn X509_CRL_sign ,
+and
+.Fn X509_CRL_sign_ctx
+return the size of the signature in bytes for success or 0 for failure.
+.Pp
+.Fn X509_verify ,
+.Fn X509_REQ_verify ,
+and
+.Fn X509_CRL_verify
+return 1 if the signature is valid or 0 if the signature check fails.
+If the signature could not be checked at all because it was invalid or
+some other error occurred, then -1 is returned.
+.Sh SEE ALSO
+.Xr d2i_X509 3 ,
+.Xr ERR_get_error 3 ,
+.Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_get_pubkey 3 ,
+.Xr X509_get_subject_name 3 ,
+.Xr X509_get_version 3 ,
+.Xr X509_NAME_add_entry_by_txt 3 ,
+.Xr X509_NAME_ENTRY_get_object 3 ,
+.Xr X509_NAME_get_index_by_NID 3 ,
+.Xr X509_NAME_print_ex 3 ,
+.Xr X509_new 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509V3_get_d2i 3
+.Sh HISTORY
+.Fn X509_sign ,
+.Fn X509_REQ_sign ,
+and
+.Fn X509_CRL_sign
+are available in all versions of OpenSSL.
+.Pp
+.Fn X509_sign_ctx ,
+.Fn X509_REQ_sign_ctx ,
+and
+.Fn X509_CRL_sign_ctx
+were first added to OpenSSL 1.0.1.
diff --git a/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3 b/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
new file mode 100644
index 0000000000..32d828f230
--- /dev/null
+++ b/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
@@ -0,0 +1,387 @@
+.\"     $OpenBSD: X509v3_get_ext_by_NID.3,v 1.1 2016/12/05 18:24:08 schwarze Exp $
+.\"     OpenSSL c952780c Jun 21 07:03:34 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509V3_GET_EXT_BY_NID 3
+.Os
+.Sh NAME
+.Nm X509v3_get_ext_count ,
+.Nm X509v3_get_ext ,
+.Nm X509v3_get_ext_by_NID ,
+.Nm X509v3_get_ext_by_OBJ ,
+.Nm X509v3_get_ext_by_critical ,
+.Nm X509v3_delete_ext ,
+.Nm X509v3_add_ext ,
+.Nm X509_get_ext_count ,
+.Nm X509_get_ext ,
+.Nm X509_get_ext_by_NID ,
+.Nm X509_get_ext_by_OBJ ,
+.Nm X509_get_ext_by_critical ,
+.Nm X509_delete_ext ,
+.Nm X509_add_ext ,
+.Nm X509_CRL_get_ext_count ,
+.Nm X509_CRL_get_ext ,
+.Nm X509_CRL_get_ext_by_NID ,
+.Nm X509_CRL_get_ext_by_OBJ ,
+.Nm X509_CRL_get_ext_by_critical ,
+.Nm X509_CRL_delete_ext ,
+.Nm X509_CRL_add_ext ,
+.Nm X509_REVOKED_get_ext_count ,
+.Nm X509_REVOKED_get_ext ,
+.Nm X509_REVOKED_get_ext_by_NID ,
+.Nm X509_REVOKED_get_ext_by_OBJ ,
+.Nm X509_REVOKED_get_ext_by_critical ,
+.Nm X509_REVOKED_delete_ext ,
+.Nm X509_REVOKED_add_ext
+.Nd extension stack utility functions
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft int
+.Fo X509v3_get_ext_count
+.Fa "const STACK_OF(X509_EXTENSION) *x"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509v3_get_ext
+.Fa "const STACK_OF(X509_EXTENSION) *x"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509v3_get_ext_by_NID
+.Fa "const STACK_OF(X509_EXTENSION) *x"
+.Fa "int nid"
+.Fa "int lastpos"
+.Fc
+.Ft int
+.Fo X509v3_get_ext_by_OBJ
+.Fa "const STACK_OF(X509_EXTENSION) *x"
+.Fa "ASN1_OBJECT *obj"
+.Fa "int lastpos"
+.Fc
+.Ft int
+.Fo X509v3_get_ext_by_critical
+.Fa "const STACK_OF(X509_EXTENSION) *x"
+.Fa "int crit"
+.Fa "int lastpos"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509v3_delete_ext
+.Fa "STACK_OF(X509_EXTENSION) *x"
+.Fa "int loc"
+.Fc
+.Ft STACK_OF(X509_EXTENSION) *
+.Fo X509v3_add_ext
+.Fa "STACK_OF(X509_EXTENSION) **x"
+.Fa "X509_EXTENSION *ex"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_get_ext_count
+.Fa "X509 *x"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509_get_ext
+.Fa "X509 *x"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_get_ext_by_NID
+.Fa "X509 *x"
+.Fa "int nid"
+.Fa "int lastpos"
+.Fc
+.Ft int
+.Fo X509_get_ext_by_OBJ
+.Fa "X509 *x"
+.Fa "ASN1_OBJECT *obj"
+.Fa "int lastpos"
+.Fc
+.Ft int
+.Fo X509_get_ext_by_critical
+.Fa "X509 *x"
+.Fa "int crit"
+.Fa "int lastpos"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509_delete_ext
+.Fa "X509 *x"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_add_ext
+.Fa "X509 *x"
+.Fa "X509_EXTENSION *ex"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_CRL_get_ext_count
+.Fa "X509_CRL *x"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509_CRL_get_ext
+.Fa "X509_CRL *x"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_CRL_get_ext_by_NID
+.Fa "X509_CRL *x"
+.Fa "int nid"
+.Fa "int lastpos"
+.Fc
+.Ft int
+.Fo X509_CRL_get_ext_by_OBJ
+.Fa "X509_CRL *x"
+.Fa "ASN1_OBJECT *obj"
+.Fa "int lastpos"
+.Fc
+.Ft int
+.Fo X509_CRL_get_ext_by_critical
+.Fa "X509_CRL *x"
+.Fa "int crit"
+.Fa "int lastpos"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509_CRL_delete_ext
+.Fa "X509_CRL *x"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_CRL_add_ext
+.Fa "X509_CRL *x"
+.Fa "X509_EXTENSION *ex"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_REVOKED_get_ext_count
+.Fa "X509_REVOKED *x"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509_REVOKED_get_ext
+.Fa "X509_REVOKED *x"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_REVOKED_get_ext_by_NID
+.Fa "X509_REVOKED *x"
+.Fa "int nid"
+.Fa "int lastpos"
+.Fc
+.Ft int
+.Fo X509_REVOKED_get_ext_by_OBJ
+.Fa "X509_REVOKED *x"
+.Fa "ASN1_OBJECT *obj"
+.Fa "int lastpos"
+.Fc
+.Ft int
+.Fo X509_REVOKED_get_ext_by_critical
+.Fa "X509_REVOKED *x"
+.Fa "int crit"
+.Fa "int lastpos"
+.Fc
+.Ft X509_EXTENSION *
+.Fo X509_REVOKED_delete_ext
+.Fa "X509_REVOKED *x"
+.Fa "int loc"
+.Fc
+.Ft int
+.Fo X509_REVOKED_add_ext
+.Fa "X509_REVOKED *x"
+.Fa "X509_EXTENSION *ex"
+.Fa "int loc"
+.Fc
+.Sh DESCRIPTION
+.Fn X509v3_get_ext_count
+retrieves the number of extensions in
+.Fa x .
+.Pp
+.Fn X509v3_get_ext
+retrieves extension
+.Fa loc
+from
+.Fa x .
+The index
+.Fa loc
+can take any value from 0 to
+.Fn X509_get_ext_count x No - 1 .
+The returned extension is an internal pointer which must not be
+freed up by the application.
+.Pp
+.Fn X509v3_get_ext_by_NID
+and
+.Fn X509v3_get_ext_by_OBJ
+look for an extension with
+.Fa nid
+or
+.Fa obj
+from extension stack
+.Fa x .
+The search starts from the extension after
+.Fa lastpos
+or from the beginning if
+.Fa lastpos
+is -1.
+If the extension is found, its index is returned; otherwise, -1 is
+returned.
+.Pp
+.Fn X509v3_get_ext_by_critical
+is similar to
+.Fn X509v3_get_ext_by_NID
+except that it looks for an extension of criticality
+.Fa crit .
+A zero value for
+.Fa crit
+looks for a non-critical extension; a non-zero value looks for a
+critical extension.
+.Pp
+.Fn X509v3_delete_ext
+deletes the extension with index
+.Fa loc
+from
+.Fa x .
+The deleted extension is returned and must be freed by the caller.
+If
+.Fa loc
+is in invalid index value,
+.Dv NULL
+is returned.
+.Pp
+.Xr X509v3_add_ext 3
+adds the extension
+.Fa ex
+to the stack
+.Pf * Fa x
+at position
+.Fa loc .
+If
+.Fa loc
+is -1, the new extension is added to the end.
+If
+.Pf * Fa x
+is
+.Dv NULL ,
+a new stack will be allocated.
+The passed extension
+.Fa ex
+is duplicated internally so it must be freed after use.
+.Pp
+.Fn X509_get_ext_count ,
+.Fn X509_get_ext ,
+.Fn X509_get_ext_by_NID ,
+.Fn X509_get_ext_by_OBJ ,
+.Fn X509_get_ext_by_critical ,
+.Fn X509_delete_ext ,
+and
+.Fn X509_add_ext
+operate on the extensions of certificate
+.Fa x .
+They are otherwise identical to the X509v3 functions.
+.Pp
+.Fn X509_CRL_get_ext_count ,
+.Fn X509_CRL_get_ext ,
+.Fn X509_CRL_get_ext_by_NID ,
+.Fn X509_CRL_get_ext_by_OBJ ,
+.Fn X509_CRL_get_ext_by_critical ,
+.Fn X509_CRL_delete_ext ,
+and
+.Fn X509_CRL_add_ext
+operate on the extensions of the CRL
+.Fa x .
+They are otherwise identical to the X509v3 functions.
+.Pp
+.Fn X509_REVOKED_get_ext_count ,
+.Fn X509_REVOKED_get_ext ,
+.Fn X509_REVOKED_get_ext_by_NID ,
+.Fn X509_REVOKED_get_ext_by_OBJ ,
+.Fn X509_REVOKED_get_ext_by_critical ,
+.Fn X509_REVOKED_delete_ext ,
+and
+.Fn X509_REVOKED_add_ext
+operate on the extensions of the CRL entry
+.Fa x .
+They are otherwise identical to the X509v3 functions.
+.Pp
+These functions are used to examine stacks of extensions directly.
+Many applications will want to parse or encode and add an extension:
+they should use the extension encode and decode functions instead
+such as
+.Xr X509_get_ext_d2i 3 .
+.Pp
+Extension indices start from zero, so a zero index return value is
+not an error.
+These search functions start from the extension
+.Em after
+the
+.Fa lastpos
+parameter, so it should initially be set to -1.
+If it is set to 0, the initial extension will not be checked.
+.Sh RETURN VALUES
+.Fn X509v3_get_ext_count
+returns the extension count.
+.Pp
+.Fn X509v3_get_ext
+and
+.Fn X509v3_delete_ext
+return an
+.Vt X509_EXTENSION
+pointer or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn X509v3_get_ext_by_NID ,
+.Fn X509v3_get_ext_by_OBJ ,
+and
+.Fn X509v3_get_ext_by_critical
+return the an extension index or -1 if an error occurs.
+.Pp
+.Xr X509v3_add_ext 3
+returns a stack of extensions or
+.Dv NULL
+on error.
+.Sh SEE ALSO
+.Xr X509V3_get_d2i 3