21 files changed, 691 insertions, 376 deletions
diff --git a/src/lib/libcrypto/ct/ct_x509v3.c b/src/lib/libcrypto/ct/ct_x509v3.c
index 59f2975cd9..b14ffc9532 100644
--- a/src/lib/libcrypto/ct/ct_x509v3.c
+++ b/src/lib/libcrypto/ct/ct_x509v3.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_x509v3.c,v 1.6 2021/12/25 15:42:32 tb Exp $ */
+/*      $OpenBSD: ct_x509v3.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */
 /*
 * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
 * (steve@openssl.org) for the OpenSSL project 2014.
@@ -128,59 +128,74 @@ ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
        return s;
 }
-/* Handlers for X509v3/OCSP Certificate Transparency extensions */
+/* X509v3 extension in certificates that contains SCTs */
-const X509V3_EXT_METHOD v3_ct_scts[3] = {
+static const X509V3_EXT_METHOD x509v3_ext_ct_precert_scts = {
-        /* X509v3 extension in certificates that contains SCTs */
+        .ext_nid = NID_ct_precert_scts,
-        [0] = {
+        .ext_flags = 0,
-                .ext_nid = NID_ct_precert_scts,
+        .it = NULL,
-                .ext_flags = 0,
+        .ext_new = NULL,
-                .it = NULL,
+        .ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
-                .ext_new = NULL,
+        .d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST,
-                .ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
+        .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
-                .d2i = (X509V3_EXT_D2I)x509_ext_d2i_SCT_LIST,
+        .i2s = NULL,
-                .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
+        .s2i = NULL,
-                .i2s = NULL,
+        .i2v = NULL,
-                .s2i = NULL,
+        .v2i = NULL,
-                .i2v = NULL,
+        .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
-                .v2i = NULL,
+        .r2i = NULL,
-                .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
+        .usr_data = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        /* X509v3 extension to mark a certificate as a pre-certificate */
-        [1] = {
-                .ext_nid = NID_ct_precert_poison,
-                .ext_flags = 0,
-                .it = &ASN1_NULL_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = i2s_poison,
-                .s2i = s2i_poison,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        /* OCSP extension that contains SCTs */
-        [2] = {
-                .ext_nid = NID_ct_cert_scts,
-                .ext_flags = 0,
-                .it = NULL,
-                .ext_new = NULL,
-                .ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
-                .d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST,
-                .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
-                .i2s = NULL,
-                .s2i = NULL,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_precert_scts(void)
+{
+        return &x509v3_ext_ct_precert_scts;
+}
+/* X509v3 extension to mark a certificate as a pre-certificate */
+static const X509V3_EXT_METHOD x509v3_ext_ct_precert_poison = {
+        .ext_nid = NID_ct_precert_poison,
+        .ext_flags = 0,
+        .it = &ASN1_NULL_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = i2s_poison,
+        .s2i = s2i_poison,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_precert_poison(void)
+{
+        return &x509v3_ext_ct_precert_poison;
+}
+/* OCSP extension that contains SCTs */
+static const X509V3_EXT_METHOD x509v3_ext_ct_cert_scts = {
+        .ext_nid = NID_ct_cert_scts,
+        .ext_flags = 0,
+        .it = NULL,
+        .ext_new = NULL,
+        .ext_free = (X509V3_EXT_FREE)SCT_LIST_free,
+        .d2i = (X509V3_EXT_D2I)ocsp_ext_d2i_SCT_LIST,
+        .i2d = (X509V3_EXT_I2D)i2d_SCT_LIST,
+        .i2s = NULL,
+        .s2i = NULL,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = (X509V3_EXT_I2R)i2r_SCT_LIST,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ct_cert_scts(void)
+{
+        return &x509v3_ext_ct_cert_scts;
+}
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 864b7bbf3d..2208cc434e 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.92 2024/07/08 14:47:44 beck Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -1714,7 +1714,7 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
 /*
 * OpenSSL dispatch
 */
-const X509V3_EXT_METHOD v3_addr = {
+static const X509V3_EXT_METHOD x509v3_ext_sbgp_ipAddrBlock = {
        .ext_nid = NID_sbgp_ipAddrBlock,
        .ext_flags = 0,
        .it = &IPAddrBlocks_it,
@@ -1731,6 +1731,12 @@ const X509V3_EXT_METHOD v3_addr = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sbgp_ipAddrBlock(void)
+{
+        return &x509v3_ext_sbgp_ipAddrBlock;
+}
 /*
 * Figure out whether extension uses inheritance.
 */
diff --git a/src/lib/libcrypto/x509/x509_akey.c b/src/lib/libcrypto/x509/x509_akey.c
index f8c7113350..b052d95984 100644
--- a/src/lib/libcrypto/x509/x509_akey.c
+++ b/src/lib/libcrypto/x509/x509_akey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_akey.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
 static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-const X509V3_EXT_METHOD v3_akey_id = {
+static const X509V3_EXT_METHOD x509v3_ext_authority_key_identifier = {
        .ext_nid = NID_authority_key_identifier,
        .ext_flags = X509V3_EXT_MULTILINE,
        .it = &AUTHORITY_KEYID_it,
@@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_akey_id = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_authority_key_identifier(void)
+{
+        return &x509v3_ext_authority_key_identifier;
+}
 static STACK_OF(CONF_VALUE) *
 i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid,
    STACK_OF(CONF_VALUE) *extlist)
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 59fa39fa6b..8981e4c4fb 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.16 2023/08/30 00:49:32 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.17 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -74,57 +74,75 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
 static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
 static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
-const X509V3_EXT_METHOD v3_alt[] = {
+static const X509V3_EXT_METHOD x509v3_ext_subject_alt_name = {
-        {
+        .ext_nid = NID_subject_alt_name,
-                .ext_nid = NID_subject_alt_name,
+        .ext_flags = 0,
-                .ext_flags = 0,
+        .it = &GENERAL_NAMES_it,
-                .it = &GENERAL_NAMES_it,
+        .ext_new = NULL,
-                .ext_new = NULL,
+        .ext_free = NULL,
-                .ext_free = NULL,
+        .d2i = NULL,
-                .d2i = NULL,
+        .i2d = NULL,
-                .i2d = NULL,
+        .i2s = NULL,
-                .i2s = NULL,
+        .s2i = NULL,
-                .s2i = NULL,
+        .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-                .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+        .v2i = (X509V3_EXT_V2I)v2i_subject_alt,
-                .v2i = (X509V3_EXT_V2I)v2i_subject_alt,
+        .i2r = NULL,
-                .i2r = NULL,
+        .r2i = NULL,
-                .r2i = NULL,
+        .usr_data = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = NID_issuer_alt_name,
-                .ext_flags = 0,
-                .it = &GENERAL_NAMES_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = NULL,
-                .s2i = NULL,
-                .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-                .v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = NID_certificate_issuer,
-                .ext_flags = 0,
-                .it = &GENERAL_NAMES_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = NULL,
-                .s2i = NULL,
-                .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_subject_alt_name(void)
+{
+        return &x509v3_ext_subject_alt_name;
+}
+static const X509V3_EXT_METHOD x509v3_ext_issuer_alt_name = {
+        .ext_nid = NID_issuer_alt_name,
+        .ext_flags = 0,
+        .it = &GENERAL_NAMES_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = NULL,
+        .s2i = NULL,
+        .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+        .v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_issuer_alt_name(void)
+{
+        return &x509v3_ext_issuer_alt_name;
+}
+static const X509V3_EXT_METHOD x509v3_ext_certificate_issuer = {
+        .ext_nid = NID_certificate_issuer,
+        .ext_flags = 0,
+        .it = &GENERAL_NAMES_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = NULL,
+        .s2i = NULL,
+        .i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_certificate_issuer(void)
+{
+        return &x509v3_ext_certificate_issuer;
+}
 STACK_OF(CONF_VALUE) *
 i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens,
    STACK_OF(CONF_VALUE) *ret)
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index e3af673202..40ee201a9f 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_asid.c,v 1.44 2024/07/08 14:47:44 beck Exp $ */
+/*      $OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -946,7 +946,7 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
 /*
 * OpenSSL dispatch.
 */
-const X509V3_EXT_METHOD v3_asid = {
+static const X509V3_EXT_METHOD x509v3_ext_sbgp_autonomousSysNum = {
        .ext_nid = NID_sbgp_autonomousSysNum,
        .ext_flags = 0,
        .it = &ASIdentifiers_it,
@@ -963,6 +963,12 @@ const X509V3_EXT_METHOD v3_asid = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sbgp_autonomousSysNum(void)
+{
+        return &x509v3_ext_sbgp_autonomousSysNum;
+}
 /*
 * Figure out whether extension uses inheritance.
 */
diff --git a/src/lib/libcrypto/x509/x509_bcons.c b/src/lib/libcrypto/x509/x509_bcons.c
index 7ad65231ec..e44ff4d1cb 100644
--- a/src/lib/libcrypto/x509/x509_bcons.c
+++ b/src/lib/libcrypto/x509/x509_bcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_bcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -70,7 +70,7 @@ static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
 static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-const X509V3_EXT_METHOD v3_bcons = {
+static const X509V3_EXT_METHOD x509v3_ext_basic_constraints = {
        .ext_nid = NID_basic_constraints,
        .ext_flags = 0,
        .it = &BASIC_CONSTRAINTS_it,
@@ -87,6 +87,12 @@ const X509V3_EXT_METHOD v3_bcons = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_basic_constraints(void)
+{
+        return &x509v3_ext_basic_constraints;
+}
 static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = {
        {
                .flags = ASN1_TFLG_OPTIONAL,
diff --git a/src/lib/libcrypto/x509/x509_bitst.c b/src/lib/libcrypto/x509/x509_bitst.c
index 4c36d31b03..0328310f08 100644
--- a/src/lib/libcrypto/x509/x509_bitst.c
+++ b/src/lib/libcrypto/x509/x509_bitst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bitst.c,v 1.5 2024/06/18 08:29:40 tb Exp $ */
+/* $OpenBSD: x509_bitst.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -102,7 +102,7 @@ static BIT_STRING_BITNAME crl_reasons[] = {
        {-1, NULL, NULL}
 };
-const X509V3_EXT_METHOD v3_nscert = {
+static const X509V3_EXT_METHOD x509v3_ext_netscape_cert_type = {
        .ext_nid = NID_netscape_cert_type,
        .ext_flags = 0,
        .it = &ASN1_BIT_STRING_it,
@@ -119,7 +119,13 @@ const X509V3_EXT_METHOD v3_nscert = {
        .usr_data = ns_cert_type_table,
 };
-const X509V3_EXT_METHOD v3_key_usage = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_cert_type(void)
+{
+        return &x509v3_ext_netscape_cert_type;
+}
+static const X509V3_EXT_METHOD x509v3_ext_key_usage = {
        .ext_nid = NID_key_usage,
        .ext_flags = 0,
        .it = &ASN1_BIT_STRING_it,
@@ -136,7 +142,13 @@ const X509V3_EXT_METHOD v3_key_usage = {
        .usr_data = key_usage_type_table,
 };
-const X509V3_EXT_METHOD v3_crl_reason = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_key_usage(void)
+{
+        return &x509v3_ext_key_usage;
+}
+static const X509V3_EXT_METHOD x509v3_ext_crl_reason = {
        .ext_nid = NID_crl_reason,
        .ext_flags = 0,
        .it = &ASN1_ENUMERATED_it,
@@ -153,6 +165,12 @@ const X509V3_EXT_METHOD v3_crl_reason = {
        .usr_data = crl_reasons,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_reason(void)
+{
+        return &x509v3_ext_crl_reason;
+}
 STACK_OF(CONF_VALUE) *
 i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits,
    STACK_OF(CONF_VALUE) *ret)
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index 34c9345a4f..7a701ea659 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.12 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.13 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -82,7 +82,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
    STACK_OF(CONF_VALUE) *unot, int ia5org);
 static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
-const X509V3_EXT_METHOD v3_cpols = {
+static const X509V3_EXT_METHOD x509v3_ext_certificate_policies = {
        .ext_nid = NID_certificate_policies,
        .ext_flags = 0,
        .it = &CERTIFICATEPOLICIES_it,
@@ -99,6 +99,12 @@ const X509V3_EXT_METHOD v3_cpols = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_certificate_policies(void)
+{
+        return &x509v3_ext_certificate_policies;
+}
 static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = {
        .flags = ASN1_TFLG_SEQUENCE_OF,
        .tag = 0,
diff --git a/src/lib/libcrypto/x509/x509_crld.c b/src/lib/libcrypto/x509/x509_crld.c
index dfb5d27f65..e9252a247a 100644
--- a/src/lib/libcrypto/x509/x509_crld.c
+++ b/src/lib/libcrypto/x509/x509_crld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_crld.c,v 1.6 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.7 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -72,7 +72,7 @@ static void *v2i_crld(const X509V3_EXT_METHOD *method,
 static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
    int indent);
-const X509V3_EXT_METHOD v3_crld = {
+static const X509V3_EXT_METHOD x509v3_ext_crl_distribution_points = {
        .ext_nid = NID_crl_distribution_points,
        .ext_flags = 0,
        .it = &CRL_DIST_POINTS_it,
@@ -89,7 +89,13 @@ const X509V3_EXT_METHOD v3_crld = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_freshest_crl = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_distribution_points(void)
+{
+        return &x509v3_ext_crl_distribution_points;
+}
+static const X509V3_EXT_METHOD x509v3_ext_freshest_crl = {
        .ext_nid = NID_freshest_crl,
        .ext_flags = 0,
        .it = &CRL_DIST_POINTS_it,
@@ -106,6 +112,12 @@ const X509V3_EXT_METHOD v3_freshest_crl = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_freshest_crl(void)
+{
+        return &x509v3_ext_freshest_crl;
+}
 static STACK_OF(GENERAL_NAME) *
 gnames_from_sectname(X509V3_CTX *ctx, char *sect)
 {
@@ -655,17 +667,29 @@ static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
 static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
    STACK_OF(CONF_VALUE) *nval);
-const X509V3_EXT_METHOD v3_idp = {
+static const X509V3_EXT_METHOD x509v3_ext_issuing_distribution_point = {
-        NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
+        .ext_nid = NID_issuing_distribution_point,
-        &ISSUING_DIST_POINT_it,
+        .ext_flags = X509V3_EXT_MULTILINE,
-        0, 0, 0, 0,
+        .it = &ISSUING_DIST_POINT_it,
-        0, 0,
+        .ext_new = NULL,
-        0,
+        .ext_free = NULL,
-        v2i_idp,
+        .d2i = NULL,
-        i2r_idp, 0,
+        .i2d = NULL,
-        NULL
+        .i2s = NULL,
+        .s2i = NULL,
+        .i2v = NULL,
+        .v2i = v2i_idp,
+        .i2r = i2r_idp,
+        .r2i = NULL,
+        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_issuing_distribution_point(void)
+{
+        return &x509v3_ext_issuing_distribution_point;
+}
 static void *
 v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
    STACK_OF(CONF_VALUE) *nval)
diff --git a/src/lib/libcrypto/x509/x509_extku.c b/src/lib/libcrypto/x509/x509_extku.c
index f0f8d44aa6..6a69adabc6 100644
--- a/src/lib/libcrypto/x509/x509_extku.c
+++ b/src/lib/libcrypto/x509/x509_extku.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_extku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_extku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
 static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
    const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
-const X509V3_EXT_METHOD v3_ext_ku = {
+static const X509V3_EXT_METHOD x509v3_ext_ext_key_usage = {
        .ext_nid = NID_ext_key_usage,
        .ext_flags = 0,
        .it = &EXTENDED_KEY_USAGE_it,
@@ -85,8 +85,14 @@ const X509V3_EXT_METHOD v3_ext_ku = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_ext_key_usage(void)
+{
+        return &x509v3_ext_ext_key_usage;
+}
 /* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
-const X509V3_EXT_METHOD v3_ocsp_accresp = {
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_acceptableResponses = {
        .ext_nid = NID_id_pkix_OCSP_acceptableResponses,
        .ext_flags = 0,
        .it = &EXTENDED_KEY_USAGE_it,
@@ -103,6 +109,12 @@ const X509V3_EXT_METHOD v3_ocsp_accresp = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void)
+{
+        return &x509v3_ext_id_pkix_OCSP_acceptableResponses;
+}
 static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = {
        .flags = ASN1_TFLG_SEQUENCE_OF,
        .tag = 0,
diff --git a/src/lib/libcrypto/x509/x509_ia5.c b/src/lib/libcrypto/x509/x509_ia5.c
index 4113c3d3b3..4f62a9134c 100644
--- a/src/lib/libcrypto/x509/x509_ia5.c
+++ b/src/lib/libcrypto/x509/x509_ia5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -68,137 +68,167 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
 static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, char *str);
-const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
+static const X509V3_EXT_METHOD x509v3_ext_netscape_base_url = {
-        {
+        .ext_nid = NID_netscape_base_url,
-                .ext_nid = NID_netscape_base_url,
+        .ext_flags = 0,
-                .ext_flags = 0,
+        .it = &ASN1_IA5STRING_it,
-                .it = &ASN1_IA5STRING_it,
+        .ext_new = NULL,
-                .ext_new = NULL,
+        .ext_free = NULL,
-                .ext_free = NULL,
+        .d2i = NULL,
-                .d2i = NULL,
+        .i2d = NULL,
-                .i2d = NULL,
+        .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-                .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+        .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-                .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+        .i2v = NULL,
-                .i2v = NULL,
+        .v2i = NULL,
-                .v2i = NULL,
+        .i2r = NULL,
-                .i2r = NULL,
+        .r2i = NULL,
-                .r2i = NULL,
+        .usr_data = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = NID_netscape_revocation_url,
-                .ext_flags = 0,
-                .it = &ASN1_IA5STRING_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-                .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = NID_netscape_ca_revocation_url,
-                .ext_flags = 0,
-                .it = &ASN1_IA5STRING_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-                .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = NID_netscape_renewal_url,
-                .ext_flags = 0,
-                .it = &ASN1_IA5STRING_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-                .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = NID_netscape_ca_policy_url,
-                .ext_flags = 0,
-                .it = &ASN1_IA5STRING_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-                .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = NID_netscape_ssl_server_name,
-                .ext_flags = 0,
-                .it = &ASN1_IA5STRING_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-                .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = NID_netscape_comment,
-                .ext_flags = 0,
-                .it = &ASN1_IA5STRING_it,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-                .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
-        {
-                .ext_nid = -1,
-                .ext_flags = 0,
-                .it = NULL,
-                .ext_new = NULL,
-                .ext_free = NULL,
-                .d2i = NULL,
-                .i2d = NULL,
-                .i2s = NULL,
-                .s2i = NULL,
-                .i2v = NULL,
-                .v2i = NULL,
-                .i2r = NULL,
-                .r2i = NULL,
-                .usr_data = NULL,
-        },
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_base_url(void)
+{
+        return &x509v3_ext_netscape_base_url;
+}
+static const X509V3_EXT_METHOD x509v3_ext_netscape_revocation_url = {
+        .ext_nid = NID_netscape_revocation_url,
+        .ext_flags = 0,
+        .it = &ASN1_IA5STRING_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+        .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_revocation_url(void)
+{
+        return &x509v3_ext_netscape_revocation_url;
+}
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_revocation_url = {
+        .ext_nid = NID_netscape_ca_revocation_url,
+        .ext_flags = 0,
+        .it = &ASN1_IA5STRING_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+        .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ca_revocation_url(void)
+{
+        return &x509v3_ext_netscape_ca_revocation_url;
+}
+static const X509V3_EXT_METHOD x509v3_ext_netscape_renewal_url = {
+        .ext_nid = NID_netscape_renewal_url,
+        .ext_flags = 0,
+        .it = &ASN1_IA5STRING_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+        .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_renewal_url(void)
+{
+        return &x509v3_ext_netscape_renewal_url;
+}
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ca_policy_url = {
+        .ext_nid = NID_netscape_ca_policy_url,
+        .ext_flags = 0,
+        .it = &ASN1_IA5STRING_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+        .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ca_policy_url(void)
+{
+        return &x509v3_ext_netscape_ca_policy_url;
+}
+static const X509V3_EXT_METHOD x509v3_ext_netscape_ssl_server_name = {
+        .ext_nid = NID_netscape_ssl_server_name,
+        .ext_flags = 0,
+        .it = &ASN1_IA5STRING_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+        .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_ssl_server_name(void)
+{
+        return &x509v3_ext_netscape_ssl_server_name;
+}
+static const X509V3_EXT_METHOD x509v3_ext_netscape_comment = {
+        .ext_nid = NID_netscape_comment,
+        .ext_flags = 0,
+        .it = &ASN1_IA5STRING_it,
+        .ext_new = NULL,
+        .ext_free = NULL,
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+        .s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
+};
+const X509V3_EXT_METHOD *
+x509v3_ext_method_netscape_comment(void)
+{
+        return &x509v3_ext_netscape_comment;
+}
 static char *
 i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
 {
diff --git a/src/lib/libcrypto/x509/x509_info.c b/src/lib/libcrypto/x509/x509_info.c
index 9372b066ae..d1de346ee6 100644
--- a/src/lib/libcrypto/x509/x509_info.c
+++ b/src/lib/libcrypto/x509/x509_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_info.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -71,7 +71,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
 static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(
    X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-const X509V3_EXT_METHOD v3_info = {
+static const X509V3_EXT_METHOD x509v3_ext_info_access = {
        .ext_nid = NID_info_access,
        .ext_flags = X509V3_EXT_MULTILINE,
        .it = &AUTHORITY_INFO_ACCESS_it,
@@ -88,7 +88,13 @@ const X509V3_EXT_METHOD v3_info = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_sinfo = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_info_access(void)
+{
+        return &x509v3_ext_info_access;
+}
+static const X509V3_EXT_METHOD x509v3_ext_sinfo_access = {
        .ext_nid = NID_sinfo_access,
        .ext_flags = X509V3_EXT_MULTILINE,
        .it = &AUTHORITY_INFO_ACCESS_it,
@@ -105,6 +111,12 @@ const X509V3_EXT_METHOD v3_sinfo = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_sinfo_access(void)
+{
+        return &x509v3_ext_sinfo_access;
+}
 static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = {
        {
                .flags = 0,
diff --git a/src/lib/libcrypto/x509/x509_int.c b/src/lib/libcrypto/x509/x509_int.c
index 35c8853c13..2236bfe4c4 100644
--- a/src/lib/libcrypto/x509/x509_int.c
+++ b/src/lib/libcrypto/x509/x509_int.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_int.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,7 +60,7 @@
 #include <openssl/x509v3.h>
-const X509V3_EXT_METHOD v3_crl_num = {
+static const X509V3_EXT_METHOD x509v3_ext_crl_number = {
        .ext_nid = NID_crl_number,
        .ext_flags = 0,
        .it = &ASN1_INTEGER_it,
@@ -77,7 +77,13 @@ const X509V3_EXT_METHOD v3_crl_num = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_delta_crl = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_crl_number(void)
+{
+        return &x509v3_ext_crl_number;
+}
+static const X509V3_EXT_METHOD x509v3_ext_delta_crl = {
        .ext_nid = NID_delta_crl,
        .ext_flags = 0,
        .it = &ASN1_INTEGER_it,
@@ -94,17 +100,37 @@ const X509V3_EXT_METHOD v3_delta_crl = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_delta_crl(void)
+{
+        return &x509v3_ext_delta_crl;
+}
 static void *
 s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
 {
        return s2i_ASN1_INTEGER(meth, value);
 }
-const X509V3_EXT_METHOD v3_inhibit_anyp = {
+static const X509V3_EXT_METHOD x509v3_ext_inhibit_any_policy = {
-        NID_inhibit_any_policy, 0, &ASN1_INTEGER_it,
+        .ext_nid = NID_inhibit_any_policy,
-        0, 0, 0, 0,
+        .ext_flags = 0,
-        (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+        .it = &ASN1_INTEGER_it,
-        (X509V3_EXT_S2I)s2i_asn1_int,
+        .ext_new = NULL,
-        0, 0, 0, 0,
+        .ext_free = NULL,
-        NULL
+        .d2i = NULL,
+        .i2d = NULL,
+        .i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+        .s2i = (X509V3_EXT_S2I)s2i_asn1_int,
+        .i2v = NULL,
+        .v2i = NULL,
+        .i2r = NULL,
+        .r2i = NULL,
+        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_inhibit_any_policy(void)
+{
+        return &x509v3_ext_inhibit_any_policy;
+}
diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c
index 8382babbdf..6fa66ab88e 100644
--- a/src/lib/libcrypto/x509/x509_lib.c
+++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.23 2024/06/17 05:38:08 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -65,89 +65,104 @@
 #include "x509_local.h"
-extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+const X509V3_EXT_METHOD *
-extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo;
+X509V3_EXT_get_nid(int nid)
-extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+{
-extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+        switch (nid) {
-extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
+        case NID_authority_key_identifier:
-extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
+                return x509v3_ext_method_authority_key_identifier();
-extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
+        case NID_basic_constraints:
-extern const X509V3_EXT_METHOD v3_crl_hold;
+                return x509v3_ext_method_basic_constraints();
-extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
+        case NID_certificate_issuer:
-extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
+                return x509v3_ext_method_certificate_issuer();
-extern const X509V3_EXT_METHOD v3_addr, v3_asid;
+        case NID_certificate_policies:
-extern const X509V3_EXT_METHOD v3_ct_scts[3];
+                return x509v3_ext_method_certificate_policies();
+        case NID_crl_distribution_points:
-static const X509V3_EXT_METHOD *standard_exts[] = {
+                return x509v3_ext_method_crl_distribution_points();
-        &v3_nscert,
+        case NID_crl_number:
-        &v3_ns_ia5_list[0],
+                return x509v3_ext_method_crl_number();
-        &v3_ns_ia5_list[1],
+        case NID_crl_reason:
-        &v3_ns_ia5_list[2],
+                return x509v3_ext_method_crl_reason();
-        &v3_ns_ia5_list[3],
+#ifndef OPENSSL_NO_CT
-        &v3_ns_ia5_list[4],
+        case NID_ct_cert_scts:
-        &v3_ns_ia5_list[5],
+                return x509v3_ext_method_ct_cert_scts();
-        &v3_ns_ia5_list[6],
+        case NID_ct_precert_poison:
-        &v3_skey_id,
+                return x509v3_ext_method_ct_precert_poison();
-        &v3_key_usage,
+        case NID_ct_precert_scts:
-        &v3_pkey_usage_period,
+                return x509v3_ext_method_ct_precert_scts();
-        &v3_alt[0],
-        &v3_alt[1],
-        &v3_bcons,
-        &v3_crl_num,
-        &v3_cpols,
-        &v3_akey_id,
-        &v3_crld,
-        &v3_ext_ku,
-        &v3_delta_crl,
-        &v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
-        &v3_crl_invdate,
-#endif
-        &v3_info,
-#ifndef OPENSSL_NO_RFC3779
-        &v3_addr,
-        &v3_asid,
-#endif
-#ifndef OPENSSL_NO_OCSP
-        &v3_ocsp_nonce,
-        &v3_ocsp_crlid,
-        &v3_ocsp_accresp,
-        &v3_ocsp_nocheck,
-        &v3_ocsp_acutoff,
-        &v3_ocsp_serviceloc,
 #endif
-        &v3_sinfo,
+        case NID_delta_crl:
-        &v3_policy_constraints,
+                return x509v3_ext_method_delta_crl();
+        case NID_ext_key_usage:
+                return x509v3_ext_method_ext_key_usage();
+        case NID_freshest_crl:
+                return x509v3_ext_method_freshest_crl();
 #ifndef OPENSSL_NO_OCSP
-        &v3_crl_hold,
+        case NID_hold_instruction_code:
+                return x509v3_ext_method_hold_instruction_code();
+        case NID_id_pkix_OCSP_CrlID:
+                return x509v3_ext_method_id_pkix_OCSP_CrlID();
+        case NID_id_pkix_OCSP_Nonce:
+                return x509v3_ext_method_id_pkix_OCSP_Nonce();
+        case NID_id_pkix_OCSP_acceptableResponses:
+                return x509v3_ext_method_id_pkix_OCSP_acceptableResponses();
+        case NID_id_pkix_OCSP_archiveCutoff:
+                return x509v3_ext_method_id_pkix_OCSP_archiveCutoff();
+        case NID_id_pkix_OCSP_serviceLocator:
+                return x509v3_ext_method_id_pkix_OCSP_serviceLocator();
 #endif
-        &v3_name_constraints,
+        case NID_info_access:
-        &v3_policy_mappings,
+                return x509v3_ext_method_info_access();
-        &v3_inhibit_anyp,
+        case NID_inhibit_any_policy:
-        &v3_idp,
+                return x509v3_ext_method_inhibit_any_policy();
-        &v3_alt[2],
+        case NID_invalidity_date:
-        &v3_freshest_crl,
+                return x509v3_ext_method_invalidity_date();
-#ifndef OPENSSL_NO_CT
+        case NID_issuer_alt_name:
-        &v3_ct_scts[0],
+                return x509v3_ext_method_issuer_alt_name();
-        &v3_ct_scts[1],
+        case NID_issuing_distribution_point:
-        &v3_ct_scts[2],
+                return x509v3_ext_method_issuing_distribution_point();
+        case NID_key_usage:
+                return x509v3_ext_method_key_usage();
+        case NID_name_constraints:
+                return x509v3_ext_method_name_constraints();
+        case NID_netscape_base_url:
+                return x509v3_ext_method_netscape_base_url();
+        case NID_netscape_ca_policy_url:
+                return x509v3_ext_method_netscape_ca_policy_url();
+        case NID_netscape_ca_revocation_url:
+                return x509v3_ext_method_netscape_ca_revocation_url();
+        case NID_netscape_cert_type:
+                return x509v3_ext_method_netscape_cert_type();
+        case NID_netscape_comment:
+                return x509v3_ext_method_netscape_comment();
+        case NID_netscape_renewal_url:
+                return x509v3_ext_method_netscape_renewal_url();
+        case NID_netscape_revocation_url:
+                return x509v3_ext_method_netscape_revocation_url();
+        case NID_netscape_ssl_server_name:
+                return x509v3_ext_method_netscape_ssl_server_name();
+        case NID_policy_constraints:
+                return x509v3_ext_method_policy_constraints();
+        case NID_policy_mappings:
+                return x509v3_ext_method_policy_mappings();
+        case NID_private_key_usage_period:
+                return x509v3_ext_method_private_key_usage_period();
+#ifndef OPENSSL_NO_RFC3779
+        case NID_sbgp_ipAddrBlock:
+                return x509v3_ext_method_sbgp_ipAddrBlock();
+        case NID_sbgp_autonomousSysNum:
+                return x509v3_ext_method_sbgp_autonomousSysNum();
 #endif
-};
+        case NID_sinfo_access:
+                return x509v3_ext_method_sinfo_access();
-#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0]))
+        case NID_subject_alt_name:
+                return x509v3_ext_method_subject_alt_name();
-const X509V3_EXT_METHOD *
+        case NID_subject_key_identifier:
-X509V3_EXT_get_nid(int nid)
+                return x509v3_ext_method_subject_key_identifier();
-{
+        default:
-        size_t i;
+                return NULL;
-        for (i = 0; i < STANDARD_EXTENSION_COUNT; i++) {
-                if (standard_exts[i]->ext_nid == nid)
-                        return standard_exts[i];
        }
+};
-        return NULL;
-}
 LCRYPTO_ALIAS(X509V3_EXT_get_nid);
 const X509V3_EXT_METHOD *
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 6b72678e7a..81a237d860 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.25 2024/07/12 18:15:10 beck Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.26 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -418,6 +418,49 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
 int X509_PURPOSE_get_by_id(int id);
 int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
+const X509V3_EXT_METHOD *x509v3_ext_method_authority_key_identifier(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_basic_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_certificate_issuer(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_certificate_policies(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_distribution_points(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_number(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_crl_reason(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_cert_scts(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_poison(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ct_precert_scts(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_delta_crl(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_ext_key_usage(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_freshest_crl(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_hold_instruction_code(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_CrlID(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_Nonce(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_acceptableResponses(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_id_pkix_OCSP_serviceLocator(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_info_access(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_inhibit_any_policy(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_invalidity_date(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_issuer_alt_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_issuing_distribution_point(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_key_usage(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_name_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_base_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_policy_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ca_revocation_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_cert_type(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_comment(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_renewal_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_revocation_url(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_netscape_ssl_server_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_policy_constraints(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_policy_mappings(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_private_key_usage_period(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_ipAddrBlock(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sbgp_autonomousSysNum(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_sinfo_access(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_subject_alt_name(void);
+const X509V3_EXT_METHOD *x509v3_ext_method_subject_key_identifier(void);
 __END_HIDDEN_DECLS
 #endif /* !HEADER_X509_LOCAL_H */
diff --git a/src/lib/libcrypto/x509/x509_ncons.c b/src/lib/libcrypto/x509/x509_ncons.c
index f8c63886a4..148a66e887 100644
--- a/src/lib/libcrypto/x509/x509_ncons.c
+++ b/src/lib/libcrypto/x509/x509_ncons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ncons.c,v 1.10 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -81,7 +81,7 @@ static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
 static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
 static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
-const X509V3_EXT_METHOD v3_name_constraints = {
+static const X509V3_EXT_METHOD x509v3_ext_name_constraints = {
        .ext_nid = NID_name_constraints,
        .ext_flags = 0,
        .it = &NAME_CONSTRAINTS_it,
@@ -98,6 +98,12 @@ const X509V3_EXT_METHOD v3_name_constraints = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_name_constraints(void)
+{
+        return &x509v3_ext_name_constraints;
+}
 static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = {
        {
                .flags = 0,
diff --git a/src/lib/libcrypto/x509/x509_ocsp.c b/src/lib/libcrypto/x509/x509_ocsp.c
index cc55d9390d..11d1a1c9c3 100644
--- a/src/lib/libcrypto/x509/x509_ocsp.c
+++ b/src/lib/libcrypto/x509/x509_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ocsp.c,v 1.2 2022/01/07 09:45:52 tb Exp $ */
+/* $OpenBSD: x509_ocsp.c,v 1.3 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -95,7 +95,7 @@ static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
 static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
    BIO *bp, int ind);
-const X509V3_EXT_METHOD v3_ocsp_crlid = {
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_CrlID = {
        .ext_nid = NID_id_pkix_OCSP_CrlID,
        .ext_flags = 0,
        .it = &OCSP_CRLID_it,
@@ -112,7 +112,13 @@ const X509V3_EXT_METHOD v3_ocsp_crlid = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_ocsp_acutoff = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_CrlID(void)
+{
+        return &x509v3_ext_id_pkix_OCSP_CrlID;
+}
+const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_archiveCutoff = {
        .ext_nid = NID_id_pkix_OCSP_archiveCutoff,
        .ext_flags = 0,
        .it = &ASN1_GENERALIZEDTIME_it,
@@ -129,7 +135,13 @@ const X509V3_EXT_METHOD v3_ocsp_acutoff = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_crl_invdate = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_archiveCutoff(void)
+{
+        return &x509v3_ext_id_pkix_OCSP_archiveCutoff;
+}
+static const X509V3_EXT_METHOD x509v3_ext_invalidity_date = {
        .ext_nid = NID_invalidity_date,
        .ext_flags = 0,
        .it = &ASN1_GENERALIZEDTIME_it,
@@ -146,7 +158,13 @@ const X509V3_EXT_METHOD v3_crl_invdate = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_crl_hold = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_invalidity_date(void)
+{
+        return &x509v3_ext_invalidity_date;
+}
+static const X509V3_EXT_METHOD x509v3_ext_hold_instruction_code = {
        .ext_nid = NID_hold_instruction_code,
        .ext_flags = 0,
        .it = &ASN1_OBJECT_it,
@@ -163,7 +181,13 @@ const X509V3_EXT_METHOD v3_crl_hold = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_hold_instruction_code(void)
+{
+        return &x509v3_ext_hold_instruction_code;
+}
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_Nonce = {
        .ext_nid = NID_id_pkix_OCSP_Nonce,
        .ext_flags = 0,
        .it = NULL,
@@ -180,7 +204,13 @@ const X509V3_EXT_METHOD v3_ocsp_nonce = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_ocsp_nocheck = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_Nonce(void)
+{
+        return &x509v3_ext_id_pkix_OCSP_Nonce;
+}
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_noCheck = {
        .ext_nid = NID_id_pkix_OCSP_noCheck,
        .ext_flags = 0,
        .it = &ASN1_NULL_it,
@@ -197,7 +227,13 @@ const X509V3_EXT_METHOD v3_ocsp_nocheck = {
        .usr_data = NULL,
 };
-const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_noCheck(void)
+{
+        return &x509v3_ext_id_pkix_OCSP_noCheck;
+}
+static const X509V3_EXT_METHOD x509v3_ext_id_pkix_OCSP_serviceLocator = {
        .ext_nid = NID_id_pkix_OCSP_serviceLocator,
        .ext_flags = 0,
        .it = &OCSP_SERVICELOC_it,
@@ -214,6 +250,12 @@ const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_id_pkix_OCSP_serviceLocator(void)
+{
+        return &x509v3_ext_id_pkix_OCSP_serviceLocator;
+}
 static int
 i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
 {
diff --git a/src/lib/libcrypto/x509/x509_pcons.c b/src/lib/libcrypto/x509/x509_pcons.c
index 8f2109eaad..d6ee9d7e2c 100644
--- a/src/lib/libcrypto/x509/x509_pcons.c
+++ b/src/lib/libcrypto/x509/x509_pcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pcons.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pcons.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -71,7 +71,7 @@ i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
 static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-const X509V3_EXT_METHOD v3_policy_constraints = {
+static const X509V3_EXT_METHOD x509v3_ext_policy_constraints = {
        .ext_nid = NID_policy_constraints,
        .ext_flags = 0,
        .it = &POLICY_CONSTRAINTS_it,
@@ -88,6 +88,12 @@ const X509V3_EXT_METHOD v3_policy_constraints = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_policy_constraints(void)
+{
+        return &x509v3_ext_policy_constraints;
+}
 static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = {
        {
                .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
diff --git a/src/lib/libcrypto/x509/x509_pku.c b/src/lib/libcrypto/x509/x509_pku.c
index 05c9ff2431..6753f0f733 100644
--- a/src/lib/libcrypto/x509/x509_pku.c
+++ b/src/lib/libcrypto/x509/x509_pku.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pku.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pku.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -65,7 +65,7 @@
 static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
    PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
-const X509V3_EXT_METHOD v3_pkey_usage_period = {
+static const X509V3_EXT_METHOD x509v3_ext_private_key_usage_period = {
        .ext_nid = NID_private_key_usage_period,
        .ext_flags = 0,
        .it = &PKEY_USAGE_PERIOD_it,
@@ -82,6 +82,12 @@ const X509V3_EXT_METHOD v3_pkey_usage_period = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_private_key_usage_period(void)
+{
+        return &x509v3_ext_private_key_usage_period;
+}
 static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = {
        {
                .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
diff --git a/src/lib/libcrypto/x509/x509_pmaps.c b/src/lib/libcrypto/x509/x509_pmaps.c
index b2d74dce1d..7a91917f65 100644
--- a/src/lib/libcrypto/x509/x509_pmaps.c
+++ b/src/lib/libcrypto/x509/x509_pmaps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pmaps.c,v 1.4 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_pmaps.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -69,7 +69,7 @@ static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
 static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
    const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
-const X509V3_EXT_METHOD v3_policy_mappings = {
+static const X509V3_EXT_METHOD x509v3_ext_policy_mappings = {
        .ext_nid = NID_policy_mappings,
        .ext_flags = 0,
        .it = &POLICY_MAPPINGS_it,
@@ -86,6 +86,12 @@ const X509V3_EXT_METHOD v3_policy_mappings = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_policy_mappings(void)
+{
+        return &x509v3_ext_policy_mappings;
+}
 static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = {
        {
                .flags = 0,
diff --git a/src/lib/libcrypto/x509/x509_skey.c b/src/lib/libcrypto/x509/x509_skey.c
index 245ba51586..d2c90b6f1c 100644
--- a/src/lib/libcrypto/x509/x509_skey.c
+++ b/src/lib/libcrypto/x509/x509_skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_skey.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -67,7 +67,7 @@
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, char *str);
-const X509V3_EXT_METHOD v3_skey_id = {
+static const X509V3_EXT_METHOD x509v3_ext_subject_key_identifier = {
        .ext_nid = NID_subject_key_identifier,
        .ext_flags = 0,
        .it = &ASN1_OCTET_STRING_it,
@@ -84,6 +84,12 @@ const X509V3_EXT_METHOD v3_skey_id = {
        .usr_data = NULL,
 };
+const X509V3_EXT_METHOD *
+x509v3_ext_method_subject_key_identifier(void)
+{
+        return &x509v3_ext_subject_key_identifier;
+}
 char *
 i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct)
 {