authorIngo Schwarze <schwarze@cvs.openbsd.org>2016-12-28 20:36:34 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2016-12-28 20:36:34 +0000
commitadee73792882e97e856275700386ce1c45028a64 (patch)
treed2b865c6986ef5f1625071eec250fde4d87e3d84
parente9df7d265f950bb51c9b8c9ae2fd966c34f729f5 (diff)
Write documentation for <openssl/x509v3.h> DER decoding and
encoding functions from scratch. All 46 functions are listed in OpenSSL doc/man3/d2i_X509.pod.
-rw-r--r--lib/libcrypto/man/Makefile9
-rw-r--r--lib/libcrypto/man/SXNET_new.358
-rw-r--r--lib/libcrypto/man/d2i_AUTHORITY_KEYID.369
-rw-r--r--lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.394
-rw-r--r--lib/libcrypto/man/d2i_DIST_POINT.3177
-rw-r--r--lib/libcrypto/man/d2i_GENERAL_NAME.3140
-rw-r--r--lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.368
-rw-r--r--lib/libcrypto/man/d2i_POLICYINFO.3161
-rw-r--r--lib/libcrypto/man/d2i_PROXY_POLICY.393
9 files changed, 861 insertions, 8 deletions
diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile
index 49990dff8d0..6065762acd0 100644
--- a/lib/libcrypto/man/Makefile
+++ b/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.107 2016/12/28 13:45:30 schwarze Exp $
+# $OpenBSD: Makefile,v 1.108 2016/12/28 20:36:33 schwarze Exp $
.include <bsd.own.mk>
@@ -228,16 +228,23 @@ MAN= \
X509v3_get_ext_by_NID.3 \
crypto.3 \
d2i_ASN1_OBJECT.3 \
+ d2i_AUTHORITY_KEYID.3 \
+ d2i_BASIC_CONSTRAINTS.3 \
d2i_DHparams.3 \
+ d2i_DIST_POINT.3 \
d2i_DSAPublicKey.3 \
d2i_ECPKParameters.3 \
d2i_ESS_SIGNING_CERT.3 \
+ d2i_GENERAL_NAME.3 \
d2i_OCSP_REQUEST.3 \
d2i_OCSP_RESPONSE.3 \
d2i_PKCS12.3 \
d2i_PKCS7.3 \
d2i_PKCS8_PRIV_KEY_INFO.3 \
d2i_PKCS8PrivateKey_bio.3 \
+ d2i_PKEY_USAGE_PERIOD.3 \
+ d2i_POLICYINFO.3 \
+ d2i_PROXY_POLICY.3 \
d2i_PrivateKey.3 \
d2i_RSAPublicKey.3 \
d2i_TS_REQ.3 \
diff --git a/lib/libcrypto/man/SXNET_new.3 b/lib/libcrypto/man/SXNET_new.3
index 14849701137..cf6f6927481 100644
--- a/lib/libcrypto/man/SXNET_new.3
+++ b/lib/libcrypto/man/SXNET_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SXNET_new.3,v 1.1 2016/12/24 01:00:48 schwarze Exp $
+.\" $OpenBSD: SXNET_new.3,v 1.2 2016/12/28 20:36:33 schwarze Exp $
.\"
.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
.\"
@@ -14,14 +14,18 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: December 24 2016 $
+.Dd $Mdocdate: December 28 2016 $
.Dt SXNET_NEW 3
.Os
.Sh NAME
.Nm SXNET_new ,
.Nm SXNET_free ,
.Nm SXNETID_new ,
-.Nm SXNETID_free
+.Nm SXNETID_free ,
+.Nm d2i_SXNET ,
+.Nm i2d_SXNET ,
+.Nm d2i_SXNETID ,
+.Nm i2d_SXNETID
.Nd Thawte strong extranet X.509 extension
.Sh SYNOPSIS
.In openssl/x509v3.h
@@ -33,6 +37,28 @@
.Fn SXNETID_new void
.Ft void
.Fn SXNETID_free "SXNETID *sxnetid"
+.Ft SXNET *
+.Fo d2i_SXNET
+.Fa "SXNET **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_SXNET
+.Fa "SXNET *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft SXNETID *
+.Fo d2i_SXNETID
+.Fa "SXNETID **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_SXNETID
+.Fa "SXNETID *val_in"
+.Fa "unsigned char **der_out"
+.Fc
.Sh DESCRIPTION
.Fn SXNET_new
allocates and initializes an empty
@@ -52,17 +78,35 @@ It is used inside
.Fn SXNETID_free
frees
.Fa sxnetid .
+.Pp
+The remaining functions decode and encode these objects
+using DER format.
+For details about the semantics, examples, caveats, and bugs, see
+.Xr ASN1_item_d2i 3 .
.Sh RETURN VALUES
.Fn SXNET_new
and
-.Fn SXNETID_new
-return the new
+.Fn d2i_SXNET
+return an
.Vt SXNET
-or
+object or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn SXNETID_new
+and
+.Fn d2i_SXNETID
+return an
.Vt SXNETID
-object, respectively, or
+object or
.Dv NULL
if an error occurs.
+.Pp
+.Fn i2d_SXNET
+and
+.Fn i2d_SXNETID
+return the number of bytes successfully encoded or a negative value
+if an error occurs.
.Sh SEE ALSO
.Xr X509_EXTENSION_new 3 ,
.Xr X509_new 3
diff --git a/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 b/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
new file mode 100644
index 00000000000..2f46454d8ba
--- /dev/null
+++ b/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
@@ -0,0 +1,69 @@
+.\" $OpenBSD: d2i_AUTHORITY_KEYID.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 28 2016 $
+.Dt D2I_AUTHORITY_KEYID 3
+.Os
+.Sh NAME
+.Nm d2i_AUTHORITY_KEYID ,
+.Nm i2d_AUTHORITY_KEYID
+.Nd decode and encode X.509 authority key identifiers
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft AUTHORITY_KEYID *
+.Fo d2i_AUTHORITY_KEYID
+.Fa "AUTHORITY_KEYID **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_AUTHORITY_KEYID
+.Fa "AUTHORITY_KEYID *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Sh DESCRIPTION
+.Fn d2i_AUTHORITY_KEYID
+and
+.Fn i2d_AUTHORITY_KEYID
+decode and encode an ASN.1
+.Vt AuthorityKeyIdentifier
+structure defined in RFC 5280 section 4.2.1.1.
+For details about the semantics, examples, caveats, and bugs, see
+.Xr ASN1_item_d2i 3 .
+.Sh RETURN VALUES
+.Fn d2i_AUTHORITY_KEYID
+returns an
+.Vt AUTHORITY_KEYID
+object or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn i2d_AUTHORITY_KEYID
+returns the number of bytes successfully encoded or a negative value
+if an error occurs.
+.Sh SEE ALSO
+.Xr ASN1_item_d2i 3 ,
+.Xr AUTHORITY_KEYID_new 3 ,
+.Xr X509_EXTENSION_new 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile:
+.Bl -dash -compact
+.It
+section 4.2.1.1: Certificate Extensions: Authority Key Identifier
+.It
+section 5.2.1: CRL Extensions: Authority Key Identifier
+.El
diff --git a/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 b/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
new file mode 100644
index 00000000000..968541627f1
--- /dev/null
+++ b/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
@@ -0,0 +1,94 @@
+.\" $OpenBSD: d2i_BASIC_CONSTRAINTS.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 28 2016 $
+.Dt D2I_BASIC_CONSTRAINTS 3
+.Os
+.Sh NAME
+.Nm d2i_BASIC_CONSTRAINTS ,
+.Nm i2d_BASIC_CONSTRAINTS ,
+.Nm d2i_EXTENDED_KEY_USAGE ,
+.Nm i2d_EXTENDED_KEY_USAGE
+.Nd decode and encode X.509 key usage purposes
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft BASIC_CONSTRAINTS *
+.Fo d2i_BASIC_CONSTRAINTS
+.Fa "BASIC_CONSTRAINTS **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_BASIC_CONSTRAINTS
+.Fa "BASIC_CONSTRAINTS *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft EXTENDED_KEY_USAGE *
+.Fo d2i_EXTENDED_KEY_USAGE
+.Fa "EXTENDED_KEY_USAGE **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_EXTENDED_KEY_USAGE
+.Fa "EXTENDED_KEY_USAGE *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Sh DESCRIPTION
+These functions decode and encode data structures describing the
+intended purposes that the key contained in an X.509 certificate
+is to be used for.
+For details about the semantics, examples, caveats, and bugs, see
+.Xr ASN1_item_d2i 3 .
+.Pp
+.Fn d2i_BASIC_CONSTRAINTS
+and
+.Fn i2d_BASIC_CONSTRAINTS
+decode and encode an ASN.1
+.Vt BasicConstraints
+structure defined in RFC 5280 section 4.2.1.9.
+.Pp
+.Fn d2i_EXTENDED_KEY_USAGE
+and
+.Fn i2d_EXTENDED_KEY_USAGE
+decode and encode an ASN.1
+.Vt ExtKeyUsageSyntax
+structure defined in RFC 5280 section 4.2.1.12.
+.Sh RETURN VALUES
+.Fn d2i_BASIC_CONSTRAINTS
+and
+.Fn d2i_EXTENDED_KEY_USAGE
+return a
+.Vt BASIC_CONSTRAINTS
+or
+.Vt EXTENDED_KEY_USAGE
+object, respectively, or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn i2d_BASIC_CONSTRAINTS
+and
+.Fn i2d_EXTENDED_KEY_USAGE
+return the number of bytes successfully encoded or a negative value
+if an error occurs.
+.Sh SEE ALSO
+.Xr ASN1_item_d2i 3 ,
+.Xr BASIC_CONSTRAINTS_new 3 ,
+.Xr EXTENDED_KEY_USAGE_new 3 ,
+.Xr X509_EXTENSION_new 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile
diff --git a/lib/libcrypto/man/d2i_DIST_POINT.3 b/lib/libcrypto/man/d2i_DIST_POINT.3
new file mode 100644
index 00000000000..8862d336350
--- /dev/null
+++ b/lib/libcrypto/man/d2i_DIST_POINT.3
@@ -0,0 +1,177 @@
+.\" $OpenBSD: d2i_DIST_POINT.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 28 2016 $
+.Dt D2I_DIST_POINT 3
+.Os
+.Sh NAME
+.Nm d2i_DIST_POINT ,
+.Nm i2d_DIST_POINT ,
+.Nm d2i_CRL_DIST_POINTS ,
+.Nm i2d_CRL_DIST_POINTS ,
+.Nm d2i_DIST_POINT_NAME ,
+.Nm i2d_DIST_POINT_NAME ,
+.Nm d2i_ISSUING_DIST_POINT ,
+.Nm i2d_ISSUING_DIST_POINT ,
+.Nm d2i_ACCESS_DESCRIPTION ,
+.Nm i2d_ACCESS_DESCRIPTION ,
+.Nm d2i_AUTHORITY_INFO_ACCESS ,
+.Nm i2d_AUTHORITY_INFO_ACCESS
+.Nd decode and encode X.509 data access extensions
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft DIST_POINT *
+.Fo d2i_DIST_POINT
+.Fa "DIST_POINT_NAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_DIST_POINT
+.Fa "DIST_POINT *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft CRL_DIST_POINTS *
+.Fo d2i_CRL_DIST_POINTS
+.Fa "CRL_DIST_POINTS_NAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_CRL_DIST_POINTS
+.Fa "CRL_DIST_POINTS *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft DIST_POINT_NAME *
+.Fo d2i_DIST_POINT_NAME
+.Fa "DIST_POINT_NAME_NAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_DIST_POINT_NAME
+.Fa "DIST_POINT_NAME *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft ISSUING_DIST_POINT *
+.Fo d2i_ISSUING_DIST_POINT
+.Fa "ISSUING_DIST_POINT_NAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_ISSUING_DIST_POINT
+.Fa "ISSUING_DIST_POINT *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft ACCESS_DESCRIPTION *
+.Fo d2i_ACCESS_DESCRIPTION
+.Fa "ACCESS_DESCRIPTION_NAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_ACCESS_DESCRIPTION
+.Fa "ACCESS_DESCRIPTION *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft AUTHORITY_INFO_ACCESS *
+.Fo d2i_AUTHORITY_INFO_ACCESS
+.Fa "AUTHORITY_INFO_ACCESS_NAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_AUTHORITY_INFO_ACCESS
+.Fa "AUTHORITY_INFO_ACCESS *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Sh DESCRIPTION
+These functions decode and encode X.509 extensions that communicate
+where to retrieve additional information online.
+For details about the semantics, examples, caveats, and bugs, see
+.Xr ASN1_item_d2i 3 .
+.Pp
+.Fn d2i_DIST_POINT
+and
+.Fn i2d_DIST_POINT
+decode and encode an ASN.1
+.Vt DistributionPoint
+structure defined in RFC 5280 section 4.2.1.13.
+.Pp
+.Fn d2i_CRL_DIST_POINTS
+and
+.Fn i2d_CRL_DIST_POINTS
+decode and encode an ASN.1
+.Vt CRLDistributionPoints
+structure defined in RFC 5280 section 4.2.1.13.
+.Pp
+.Fn d2i_DIST_POINT_NAME
+and
+.Fn i2d_DIST_POINT_NAME
+decode and encode an ASN.1
+.Vt DistributionPointName
+structure defined in RFC 5280 section 4.2.1.13.
+.Pp
+.Fn d2i_ISSUING_DIST_POINT
+and
+.Fn i2d_ISSUING_DIST_POINT
+decode and encode an ASN.1
+.Vt IssuingDistributionPoint
+structure defined in RFC 5280 section 5.2.5.
+.Pp
+.Fn d2i_ACCESS_DESCRIPTION
+and
+.Fn i2d_ACCESS_DESCRIPTION
+decode and encode an ASN.1
+.Vt AccessDescription
+structure defined in RFC 5280 section 4.2.2.1.
+.Pp
+.Fn d2i_AUTHORITY_INFO_ACCESS
+and
+.Fn i2d_AUTHORITY_INFO_ACCESS
+decode and encode an ASN.1
+.Vt AuthorityInfoAccessSyntax
+structure defined in RFC 5280 section 4.2.2.1.
+.Sh RETURN VALUES
+.Fn d2i_DIST_POINT ,
+.Fn d2i_CRL_DIST_POINTS ,
+.Fn d2i_DIST_POINT_NAME ,
+.Fn d2i_ISSUING_DIST_POINT ,
+.Fn d2i_ACCESS_DESCRIPTION ,
+and
+.Fn d2i_AUTHORITY_INFO_ACCESS
+return an object of the respective type or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn i2d_DIST_POINT ,
+.Fn i2d_CRL_DIST_POINTS ,
+.Fn i2d_DIST_POINT_NAME ,
+.Fn i2d_ISSUING_DIST_POINT ,
+.Fn i2d_ACCESS_DESCRIPTION ,
+and
+.Fn i2d_AUTHORITY_INFO_ACCESS
+return the number of bytes successfully encoded or a negative value
+if an error occurs.
+.Sh SEE ALSO
+.Xr ACCESS_DESCRIPTION_new 3 ,
+.Xr ASN1_item_d2i 3 ,
+.Xr DIST_POINT_new 3 ,
+.Xr X509_EXTENSION_new 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile
diff --git a/lib/libcrypto/man/d2i_GENERAL_NAME.3 b/lib/libcrypto/man/d2i_GENERAL_NAME.3
new file mode 100644
index 00000000000..0340d1e51ca
--- /dev/null
+++ b/lib/libcrypto/man/d2i_GENERAL_NAME.3
@@ -0,0 +1,140 @@
+.\" $OpenBSD: d2i_GENERAL_NAME.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 28 2016 $
+.Dt D2I_GENERAL_NAME 3
+.Os
+.Sh NAME
+.Nm d2i_GENERAL_NAME ,
+.Nm i2d_GENERAL_NAME ,
+.Nm d2i_GENERAL_NAMES ,
+.Nm i2d_GENERAL_NAMES ,
+.Nm d2i_EDIPARTYNAME ,
+.Nm i2d_EDIPARTYNAME ,
+.Nm d2i_OTHERNAME ,
+.Nm i2d_OTHERNAME
+.Nd decode and encode names for use in X.509 extensions
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft GENERAL_NAME *
+.Fo d2i_GENERAL_NAME
+.Fa "GENERAL_NAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_GENERAL_NAME
+.Fa "GENERAL_NAME *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft GENERAL_NAMES *
+.Fo d2i_GENERAL_NAMES
+.Fa "GENERAL_NAMES **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_GENERAL_NAMES
+.Fa "GENERAL_NAMES *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft EDIPARTYNAME *
+.Fo d2i_EDIPARTYNAME
+.Fa "EDIPARTYNAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_EDIPARTYNAME
+.Fa "EDIPARTYNAME *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft OTHERNAME *
+.Fo d2i_OTHERNAME
+.Fa "OTHERNAME **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_OTHERNAME
+.Fa "OTHERNAME *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Sh DESCRIPTION
+These functions decode and encode names that can be used in X.509
+extensions.
+For details about the semantics, examples, caveats, and bugs, see
+.Xr ASN1_item_d2i 3 .
+.Pp
+.Fn d2i_GENERAL_NAME
+and
+.Fn i2d_GENERAL_NAME
+decode and encode an ASN.1
+.Vt GeneralName
+structure defined in RFC 5280 section 4.2.1.6.
+.Pp
+.Fn d2i_GENERAL_NAMES
+and
+.Fn i2d_GENERAL_NAMES
+decode and encode an ASN.1
+.Vt GeneralNames
+structure defined in RFC 5280 section 4.2.1.6.
+.Pp
+.Fn d2i_EDIPARTYNAME
+and
+.Fn i2d_EDIPARTYNAME
+decode and encode an ASN.1
+.Vt EDIPartyName
+structure defined in RFC 5280 section 4.2.1.6.
+.Pp
+.Fn d2i_OTHERNAME
+and
+.Fn i2d_OTHERNAME
+decode and encode an ASN.1
+.Vt OtherName
+structure defined in RFC 5280 section 4.2.1.6.
+.Sh RETURN VALUES
+.Fn d2i_GENERAL_NAME ,
+.Fn d2i_GENERAL_NAMES ,
+.Fn d2i_EDIPARTYNAME ,
+and
+.Fn d2i_OTHERNAME
+return a
+.Vt GENERAL_NAME ,
+.Vt GENERAL_NAMES ,
+.Vt EDIPARTYNAME ,
+or
+.Vt OTHERNAME
+object, respectively, or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn i2d_GENERAL_NAME ,
+.Fn i2d_GENERAL_NAMES ,
+.Fn i2d_EDIPARTYNAME ,
+and
+.Fn i2d_OTHERNAME
+return the number of bytes successfully encoded or a negative value
+if an error occurs.
+.Sh SEE ALSO
+.Xr ASN1_item_d2i 3 ,
+.Xr d2i_X509_NAME 3 ,
+.Xr GENERAL_NAME_new 3 ,
+.Xr X509_EXTENSION_new 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile,
+section 4.2: Certificate Extensions
diff --git a/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 b/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
new file mode 100644
index 00000000000..547b77970df
--- /dev/null
+++ b/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
@@ -0,0 +1,68 @@
+.\" $OpenBSD: d2i_PKEY_USAGE_PERIOD.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 28 2016 $
+.Dt D2I_PKEY_USAGE_PERIOD 3
+.Os
+.Sh NAME
+.Nm d2i_PKEY_USAGE_PERIOD ,
+.Nm i2d_PKEY_USAGE_PERIOD
+.Nd decode and encode X.509 key usage period extensions
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft PKEY_USAGE_PERIOD *
+.Fo d2i_PKEY_USAGE_PERIOD
+.Fa "PKEY_USAGE_PERIOD **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_PKEY_USAGE_PERIOD
+.Fa "PKEY_USAGE_PERIOD *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Sh DESCRIPTION
+.Fn d2i_PKEY_USAGE_PERIOD
+and
+.Fn i2d_PKEY_USAGE_PERIOD
+decode and encode an ASN.1
+.Vt PrivateKeyUsagePeriod
+structure defined in RFC 3280 section 4.2.1.4.
+For details about the semantics, examples, caveats, and bugs, see
+.Xr ASN1_item_d2i 3 .
+.Sh RETURN VALUES
+.Fn d2i_PKEY_USAGE_PERIOD
+returns a
+.Vt PKEY_USAGE_PERIOD
+object or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn i2d_PKEY_USAGE_PERIOD
+returns the number of bytes successfully encoded or a negative value
+if an error occurs.
+.Sh SEE ALSO
+.Xr ASN1_item_d2i 3 ,
+.Xr PKEY_USAGE_PERIOD_new 3 ,
+.Xr X509_EXTENSION_new 3
+.Sh STANDARDS
+RFC 3280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile,
+section 4.2.1.4: Private Key Usage Period
+.Pp
+RFC 3280 was obsoleted by RFC 5280; see
+.Xr PKEY_USAGE_PERIOD_new 3
+for details.
diff --git a/lib/libcrypto/man/d2i_POLICYINFO.3 b/lib/libcrypto/man/d2i_POLICYINFO.3
new file mode 100644
index 00000000000..6a93059bc27
--- /dev/null
+++ b/lib/libcrypto/man/d2i_POLICYINFO.3
@@ -0,0 +1,161 @@
+.\" $OpenBSD: d2i_POLICYINFO.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 28 2016 $
+.Dt D2I_POLICYINFO 3
+.Os
+.Sh NAME
+.Nm d2i_POLICYINFO ,
+.Nm i2d_POLICYINFO ,
+.Nm d2i_CERTIFICATEPOLICIES ,
+.Nm i2d_CERTIFICATEPOLICIES ,
+.Nm d2i_POLICYQUALINFO ,
+.Nm i2d_POLICYQUALINFO ,
+.Nm d2i_USERNOTICE ,
+.Nm i2d_USERNOTICE ,
+.Nm d2i_NOTICEREF ,
+.Nm i2d_NOTICEREF
+.Nd decode and encode X.509 certificate policies
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft POLICYINFO *
+.Fo d2i_POLICYINFO
+.Fa "POLICYINFO **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_POLICYINFO
+.Fa "POLICYINFO *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft CERTIFICATEPOLICIES *
+.Fo d2i_CERTIFICATEPOLICIES
+.Fa "CERTIFICATEPOLICIES **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_CERTIFICATEPOLICIES
+.Fa "CERTIFICATEPOLICIES *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft POLICYQUALINFO *
+.Fo d2i_POLICYQUALINFO
+.Fa "POLICYQUALINFO **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_POLICYQUALINFO
+.Fa "POLICYQUALINFO *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft USERNOTICE *
+.Fo d2i_USERNOTICE
+.Fa "USERNOTICE **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_USERNOTICE
+.Fa "USERNOTICE *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft NOTICEREF *
+.Fo d2i_NOTICEREF
+.Fa "NOTICEREF **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_NOTICEREF
+.Fa "NOTICEREF *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Sh DESCRIPTION
+These functions decode and encode X.509 certificate policies.
+For details about the semantics, examples, caveats, and bugs, see
+.Xr ASN1_item_d2i 3 .
+.Pp
+.Fn d2i_POLICYINFO
+and
+.Fn i2d_POLICYINFO
+decode and encode an ASN.1
+.Vt PolicyInformation
+structure defined in RFC 5280 section 4.2.1.4.
+.Pp
+.Fn d2i_CERTIFICATEPOLICIES
+and
+.Fn i2d_CERTIFICATEPOLICIES
+decode and encode an ASN.1
+.Vt CertificatePolicies
+structure defined in RFC 5280 section 4.2.1.4.
+.Pp
+.Fn d2i_POLICYQUALINFO
+and
+.Fn i2d_POLICYQUALINFO
+decode and encode an ASN.1
+.Vt PolicyQualifierInfo
+structure defined in RFC 5280 section 4.2.1.4.
+.Pp
+.Fn d2i_USERNOTICE
+and
+.Fn i2d_USERNOTICE
+decode and encode an ASN.1
+.Vt UserNotice
+structure defined in RFC 5280 section 4.2.1.4.
+.Pp
+.Fn d2i_NOTICEREF
+and
+.Fn i2d_NOTICEREF
+decode and encode an ASN.1
+.Vt NoticeReference
+structure defined in RFC 5280 section 4.2.1.4.
+.Sh RETURN VALUES
+.Fn d2i_POLICYINFO ,
+.Fn d2i_CERTIFICATEPOLICIES ,
+.Fn d2i_POLICYQUALINFO ,
+.Fn d2i_USERNOTICE ,
+and
+.Fn d2i_NOTICEREF
+return a
+.Vt POLICYINFO ,
+.Vt CERTIFICATEPOLICIES ,
+.Vt POLICYQUALINFO ,
+.Vt USERNOTICE ,
+or
+.Vt NOTICEREF
+object, respectively, or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn i2d_POLICYINFO ,
+.Fn i2d_CERTIFICATEPOLICIES ,
+.Fn i2d_POLICYQUALINFO ,
+.Fn i2d_USERNOTICE ,
+and
+.Fn i2d_NOTICEREF
+return the number of bytes successfully encoded or a negative value
+if an error occurs.
+.Sh SEE ALSO
+.Xr ASN1_item_d2i 3 ,
+.Xr POLICYINFO_new 3 ,
+.Xr X509_EXTENSION_new 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile,
+section 4.2.1.4: Certificate Policies
diff --git a/lib/libcrypto/man/d2i_PROXY_POLICY.3 b/lib/libcrypto/man/d2i_PROXY_POLICY.3
new file mode 100644
index 00000000000..0c447b10347
--- /dev/null
+++ b/lib/libcrypto/man/d2i_PROXY_POLICY.3
@@ -0,0 +1,93 @@
+.\" $OpenBSD: d2i_PROXY_POLICY.3,v 1.1 2016/12/28 20:36:33 schwarze Exp $
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: December 28 2016 $
+.Dt D2I_PROXY_POLICY 3
+.Os
+.Sh NAME
+.Nm d2i_PROXY_POLICY ,
+.Nm i2d_PROXY_POLICY ,
+.Nm d2i_PROXY_CERT_INFO_EXTENSION ,
+.Nm i2d_PROXY_CERT_INFO_EXTENSION
+.Nd decode and encode X.509 proxy certificate extensions
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft PROXY_POLICY *
+.Fo d2i_PROXY_POLICY
+.Fa "PROXY_POLICY **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_PROXY_POLICY
+.Fa "PROXY_POLICY *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Ft PROXY_CERT_INFO_EXTENSION *
+.Fo d2i_PROXY_CERT_INFO_EXTENSION
+.Fa "PROXY_CERT_INFO_EXTENSION **val_out"
+.Fa "const unsigned char **der_in"
+.Fa "long length"
+.Fc
+.Ft int
+.Fo i2d_PROXY_CERT_INFO_EXTENSION
+.Fa "PROXY_CERT_INFO_EXTENSION *val_in"
+.Fa "unsigned char **der_out"
+.Fc
+.Sh DESCRIPTION
+These functions encode and decode X.509 extensions that decide
+whether a certificate is a proxy certificate, and which policies
+apply to it.
+For details about the semantics, examples, caveats, and bugs, see
+.Xr ASN1_item_d2i 3 .
+.Pp
+.Fn d2i_PROXY_POLICY
+and
+.Fn i2d_PROXY_POLICY
+decode and encode an ASN.1
+.Vt ProxyPolicy
+structure defined in RFC 3820 section 3.8.
+.Pp
+.Fn d2i_PROXY_CERT_INFO_EXTENSION
+and
+.Fn i2d_PROXY_CERT_INFO_EXTENSION
+decode and encode an ASN.1
+.Vt ProxyCertInfo
+structure defined in RFC 3820 section 3.8.
+.Sh RETURN VALUES
+.Fn d2i_PROXY_POLICY
+and
+.Fn d2i_PROXY_CERT_INFO_EXTENSION
+return a
+.Vt PROXY_POLICY
+or
+.Vt PROXY_CERT_INFO_EXTENSION
+object, respectively, or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn i2d_PROXY_POLICY
+and
+.Fn i2d_PROXY_CERT_INFO_EXTENSION
+return the number of bytes successfully encoded or a negative value
+if an error occurs.
+.Sh SEE ALSO
+.Xr ASN1_item_d2i 3 ,
+.Xr PROXY_POLICY_new 3 ,
+.Xr X509_EXTENSION_new 3
+.Sh STANDARDS
+RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
+Certificate Profile