resolve conflicts

7 files changed, 120 insertions, 42 deletions

diff --git a/lib/libcrypto/x509v3/ext_dat.h b/lib/libcrypto/x509v3/ext_dat.h
index 5442480595b..d8328ac468c 100644
--- a/lib/libcrypto/x509v3/ext_dat.h
+++ b/lib/libcrypto/x509v3/ext_dat.h
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -60,10 +60,11 @@
 extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
@@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_akey_id,
 &v3_crld,
 &v3_ext_ku,
+&v3_delta_crl,
 &v3_crl_reason,
 #ifndef OPENSSL_NO_OCSP
 &v3_crl_invdate,
@@ -105,8 +107,9 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 #endif
 &v3_sinfo,
 #ifndef OPENSSL_NO_OCSP
-&v3_crl_hold
+&v3_crl_hold,
 #endif
+&v3_pci,
 };
 
 /* Number of standard extensions */
diff --git a/lib/libcrypto/x509v3/v3_bitst.c b/lib/libcrypto/x509v3/v3_bitst.c
index 16cf1255621..274965306d4 100644
--- a/lib/libcrypto/x509v3/v3_bitst.c
+++ b/lib/libcrypto/x509v3/v3_bitst.c
@@ -124,7 +124,12 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 		for(bnam = method->usr_data; bnam->lname; bnam++) {
 			if(!strcmp(bnam->sname, val->name) ||
 				!strcmp(bnam->lname, val->name) ) {
-				ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1);
+				if(!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
+					X509V3err(X509V3_F_V2I_ASN1_BIT_STRING,
+						ERR_R_MALLOC_FAILURE);
+					M_ASN1_BIT_STRING_free(bs);
+					return NULL;
+				}
 				break;
 			}
 		}
diff --git a/lib/libcrypto/x509v3/v3_ia5.c b/lib/libcrypto/x509v3/v3_ia5.c
index f9414456de2..9683afa47c4 100644
--- a/lib/libcrypto/x509v3/v3_ia5.c
+++ b/lib/libcrypto/x509v3/v3_ia5.c
@@ -82,7 +82,10 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
 {
 	char *tmp;
 	if(!ia5 || !ia5->length) return NULL;
-	if (!(tmp = OPENSSL_malloc(ia5->length + 1))) return NULL;
+	if(!(tmp = OPENSSL_malloc(ia5->length + 1))) {
+		X509V3err(X509V3_F_I2S_ASN1_IA5STRING,ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
 	memcpy(tmp, ia5->data, ia5->length);
 	tmp[ia5->length] = 0;
 	return tmp;
diff --git a/lib/libcrypto/x509v3/v3_int.c b/lib/libcrypto/x509v3/v3_int.c
index f34cbfb7315..7a43b4717bc 100644
--- a/lib/libcrypto/x509v3/v3_int.c
+++ b/lib/libcrypto/x509v3/v3_int.c
@@ -3,7 +3,7 @@
  * project 1999.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -61,9 +61,16 @@
 #include <openssl/x509v3.h>
 
 X509V3_EXT_METHOD v3_crl_num = { 
-NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
-0,0,0,0,
-(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-0,
-0,0,0,0, NULL};
+	NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+	0,0,0,0,
+	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	0,
+	0,0,0,0, NULL};
+
+X509V3_EXT_METHOD v3_delta_crl = { 
+	NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+	0,0,0,0,
+	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	0,
+	0,0,0,0, NULL};
 
diff --git a/lib/libcrypto/x509v3/v3_purp.c b/lib/libcrypto/x509v3/v3_purp.c
index b3d1ae5d1cc..bbdf6da4937 100644
--- a/lib/libcrypto/x509v3/v3_purp.c
+++ b/lib/libcrypto/x509v3/v3_purp.c
@@ -63,7 +63,6 @@
 
 static void x509v3_cache_extensions(X509 *x);
 
-static int ca_check(const X509 *x);
 static int check_ssl_ca(const X509 *x);
 static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca);
@@ -286,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
         	NID_key_usage,		/* 83 */
 		NID_subject_alt_name,	/* 85 */
 		NID_basic_constraints,	/* 87 */
-        	NID_ext_key_usage	/* 126 */
+        	NID_ext_key_usage,	/* 126 */
+		NID_proxyCertInfo	/* 661 */
 	};
 
 	int ex_nid;
@@ -307,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
 static void x509v3_cache_extensions(X509 *x)
 {
 	BASIC_CONSTRAINTS *bs;
+	PROXY_CERT_INFO_EXTENSION *pci;
 	ASN1_BIT_STRING *usage;
 	ASN1_BIT_STRING *ns;
 	EXTENDED_KEY_USAGE *extusage;
@@ -335,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x)
 		BASIC_CONSTRAINTS_free(bs);
 		x->ex_flags |= EXFLAG_BCONS;
 	}
+	/* Handle proxy certificates */
+	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+		if (x->ex_flags & EXFLAG_CA
+		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+			x->ex_flags |= EXFLAG_INVALID;
+		}
+		PROXY_CERT_INFO_EXTENSION_free(pci);
+		x->ex_flags |= EXFLAG_PROXY;
+	}
 	/* Handle key usage */
 	if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
 		if(usage->length > 0) {
@@ -426,7 +437,7 @@ static void x509v3_cache_extensions(X509 *x)
 #define ns_reject(x, usage) \
 	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
 
-static int ca_check(const X509 *x)
+static int check_ca(const X509 *x)
 {
 	/* keyUsage if present should allow cert signing */
 	if(ku_reject(x, KU_KEY_CERT_SIGN)) return 0;
@@ -435,25 +446,37 @@ static int ca_check(const X509 *x)
 		/* If basicConstraints says not a CA then say so */
 		else return 0;
 	} else {
+		/* we support V1 roots for...  uh, I don't really know why. */
 		if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
 		/* If key usage present it must have certSign so tolerate it */
 		else if (x->ex_flags & EXFLAG_KUSAGE) return 4;
-		else return 2;
+		/* Older certificates could have Netscape-specific CA types */
+		else if (x->ex_flags & EXFLAG_NSCERT
+			 && x->ex_nscert & NS_ANY_CA) return 5;
+		/* can this still be regarded a CA certificate?  I doubt it */
+		return 0;
 	}
 }
 
+int X509_check_ca(X509 *x)
+{
+	if(!(x->ex_flags & EXFLAG_SET)) {
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+		x509v3_cache_extensions(x);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+	}
+
+	return check_ca(x);
+}
+
 /* Check SSL CA: common checks for SSL client and server */
 static int check_ssl_ca(const X509 *x)
 {
 	int ca_ret;
-	ca_ret = ca_check(x);
+	ca_ret = check_ca(x);
 	if(!ca_ret) return 0;
 	/* check nsCertType if present */
-	if(x->ex_flags & EXFLAG_NSCERT) {
-		if(x->ex_nscert & NS_SSL_CA) return ca_ret;
-		return 0;
-	}
-	if(ca_ret != 2) return ca_ret;
+	if(ca_ret != 5 || x->ex_nscert & NS_SSL_CA) return ca_ret;
 	else return 0;
 }
 
@@ -498,14 +521,10 @@ static int purpose_smime(const X509 *x, int ca)
 	if(xku_reject(x,XKU_SMIME)) return 0;
 	if(ca) {
 		int ca_ret;
-		ca_ret = ca_check(x);
+		ca_ret = check_ca(x);
 		if(!ca_ret) return 0;
 		/* check nsCertType if present */
-		if(x->ex_flags & EXFLAG_NSCERT) {
-			if(x->ex_nscert & NS_SMIME_CA) return ca_ret;
-			return 0;
-		}
-		if(ca_ret != 2) return ca_ret;
+		if(ca_ret != 5 || x->ex_nscert & NS_SMIME_CA) return ca_ret;
 		else return 0;
 	}
 	if(x->ex_flags & EXFLAG_NSCERT) {
@@ -539,7 +558,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
 	if(ca) {
 		int ca_ret;
-		if((ca_ret = ca_check(x)) != 2) return ca_ret;
+		if((ca_ret = check_ca(x)) != 2) return ca_ret;
 		else return 0;
 	}
 	if(ku_reject(x, KU_CRL_SIGN)) return 0;
@@ -552,17 +571,9 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 
 static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
-	/* Must be a valid CA */
-	if(ca) {
-		int ca_ret;
-		ca_ret = ca_check(x);
-		if(ca_ret != 2) return ca_ret;
-		if(x->ex_flags & EXFLAG_NSCERT) {
-			if(x->ex_nscert & NS_ANY_CA) return ca_ret;
-			return 0;
-		}
-		return 0;
-	}
+	/* Must be a valid CA.  Should we really support the "I don't know"
+	   value (2)? */
+	if(ca) return check_ca(x);
 	/* leaf certificate is checked in OCSP_verify() */
 	return 1;
 }
@@ -624,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
 				return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
 		}
 	}
-	if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+	if(subject->ex_flags & EXFLAG_PROXY)
+		{
+		if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+			return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+		}
+	else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
+		return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
 	return X509_V_OK;
 }
 
diff --git a/lib/libcrypto/x509v3/v3err.c b/lib/libcrypto/x509v3/v3err.c
index 6458e95bb91..2df0c3ef01d 100644
--- a/lib/libcrypto/x509v3/v3err.c
+++ b/lib/libcrypto/x509v3/v3err.c
@@ -1,6 +1,6 @@
 /* crypto/x509v3/v3err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -72,12 +72,14 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_DO_EXT_I2D,0),	"DO_EXT_I2D"},
 {ERR_PACK(0,X509V3_F_HEX_TO_STRING,0),	"hex_to_string"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_ENUMERATED,0),	"i2s_ASN1_ENUMERATED"},
+{ERR_PACK(0,X509V3_F_I2S_ASN1_IA5STRING,0),	"I2S_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_I2S_ASN1_INTEGER,0),	"i2s_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_I2V_AUTHORITY_INFO_ACCESS,0),	"I2V_AUTHORITY_INFO_ACCESS"},
 {ERR_PACK(0,X509V3_F_NOTICE_SECTION,0),	"NOTICE_SECTION"},
 {ERR_PACK(0,X509V3_F_NREF_NOS,0),	"NREF_NOS"},
 {ERR_PACK(0,X509V3_F_POLICY_SECTION,0),	"POLICY_SECTION"},
 {ERR_PACK(0,X509V3_F_R2I_CERTPOL,0),	"R2I_CERTPOL"},
+{ERR_PACK(0,X509V3_F_R2I_PCI,0),	"R2I_PCI"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_IA5STRING,0),	"S2I_ASN1_IA5STRING"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_INTEGER,0),	"s2i_ASN1_INTEGER"},
 {ERR_PACK(0,X509V3_F_S2I_ASN1_OCTET_STRING,0),	"s2i_ASN1_OCTET_STRING"},
@@ -128,6 +130,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
 {X509V3_R_EXTENSION_VALUE_ERROR          ,"extension value error"},
 {X509V3_R_ILLEGAL_HEX_DIGIT              ,"illegal hex digit"},
+{X509V3_R_INCORRECT_POLICY_SYNTAX_TAG    ,"incorrect policy syntax tag"},
 {X509V3_R_INVALID_BOOLEAN_STRING         ,"invalid boolean string"},
 {X509V3_R_INVALID_EXTENSION_STRING       ,"invalid extension string"},
 {X509V3_R_INVALID_NAME                   ,"invalid name"},
@@ -139,6 +142,8 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
 {X509V3_R_INVALID_OPTION                 ,"invalid option"},
 {X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER,"invalid proxy policy identifier"},
+{X509V3_R_INVALID_PROXY_POLICY_SETTING   ,"invalid proxy policy setting"},
 {X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
 {X509V3_R_INVALID_SECTION                ,"invalid section"},
 {X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
@@ -149,9 +154,16 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_NO_ISSUER_CERTIFICATE          ,"no issuer certificate"},
 {X509V3_R_NO_ISSUER_DETAILS              ,"no issuer details"},
 {X509V3_R_NO_POLICY_IDENTIFIER           ,"no policy identifier"},
+{X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED,"no proxy cert policy language defined"},
 {X509V3_R_NO_PUBLIC_KEY                  ,"no public key"},
 {X509V3_R_NO_SUBJECT_DETAILS             ,"no subject details"},
 {X509V3_R_ODD_NUMBER_OF_DIGITS           ,"odd number of digits"},
+{X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED,"policy language alreadty defined"},
+{X509V3_R_POLICY_PATH_LENGTH             ,"policy path length"},
+{X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED,"policy path length alreadty defined"},
+{X509V3_R_POLICY_SYNTAX_NOT              ,"policy syntax not"},
+{X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED,"policy syntax not currently supported"},
+{X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY,"policy when proxy language requires no policy"},
 {X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS   ,"unable to get issuer details"},
 {X509V3_R_UNABLE_TO_GET_ISSUER_KEYID     ,"unable to get issuer keyid"},
 {X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT    ,"unknown bit string argument"},
diff --git a/lib/libcrypto/x509v3/x509v3.h b/lib/libcrypto/x509v3/x509v3.h
index fb07a19016f..e6d91251c2a 100644
--- a/lib/libcrypto/x509v3/x509v3.h
+++ b/lib/libcrypto/x509v3/x509v3.h
@@ -287,6 +287,23 @@ typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
 DECLARE_STACK_OF(POLICYINFO)
 DECLARE_ASN1_SET_OF(POLICYINFO)
 
+/* Proxy certificate structures, see RFC 3820 */
+typedef struct PROXY_POLICY_st
+	{
+	ASN1_OBJECT *policyLanguage;
+	ASN1_OCTET_STRING *policy;
+	} PROXY_POLICY;
+
+typedef struct PROXY_CERT_INFO_EXTENSION_st
+	{
+	ASN1_INTEGER *pcPathLengthConstraint;
+	PROXY_POLICY *proxyPolicy;
+	} PROXY_CERT_INFO_EXTENSION;
+
+DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
+DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
+
+
 #define X509V3_conf_err(val) ERR_add_error_data(6, "section:", val->section, \
 ",name:", val->name, ",value:", val->value);
 
@@ -325,6 +342,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define EXFLAG_INVALID		0x80
 #define EXFLAG_SET		0x100
 #define EXFLAG_CRITICAL		0x200
+#define EXFLAG_PROXY		0x400
 
 #define KU_DIGITAL_SIGNATURE	0x0080
 #define KU_NON_REPUDIATION	0x0040
@@ -527,6 +545,7 @@ int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 
 int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
 
+int X509_check_ca(X509 *x);
 int X509_check_purpose(X509 *x, int id, int ca);
 int X509_supported_extension(X509_EXTENSION *ex);
 int X509_PURPOSE_set(int *p, int purpose);
@@ -564,12 +583,14 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_F_DO_EXT_I2D				 135
 #define X509V3_F_HEX_TO_STRING				 111
 #define X509V3_F_I2S_ASN1_ENUMERATED			 121
+#define X509V3_F_I2S_ASN1_IA5STRING			 142
 #define X509V3_F_I2S_ASN1_INTEGER			 120
 #define X509V3_F_I2V_AUTHORITY_INFO_ACCESS		 138
 #define X509V3_F_NOTICE_SECTION				 132
 #define X509V3_F_NREF_NOS				 133
 #define X509V3_F_POLICY_SECTION				 131
 #define X509V3_F_R2I_CERTPOL				 130
+#define X509V3_F_R2I_PCI				 142
 #define X509V3_F_S2I_ASN1_IA5STRING			 100
 #define X509V3_F_S2I_ASN1_INTEGER			 108
 #define X509V3_F_S2I_ASN1_OCTET_STRING			 112
@@ -617,6 +638,7 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED	 103
 #define X509V3_R_EXTENSION_VALUE_ERROR			 116
 #define X509V3_R_ILLEGAL_HEX_DIGIT			 113
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG		 153
 #define X509V3_R_INVALID_BOOLEAN_STRING			 104
 #define X509V3_R_INVALID_EXTENSION_STRING		 105
 #define X509V3_R_INVALID_NAME				 106
@@ -628,6 +650,8 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
 #define X509V3_R_INVALID_OPTION				 138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
+#define X509V3_R_INVALID_PROXY_POLICY_IDENTIFIER	 147
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING		 151
 #define X509V3_R_INVALID_PURPOSE			 146
 #define X509V3_R_INVALID_SECTION			 135
 #define X509V3_R_INVALID_SYNTAX				 143
@@ -638,9 +662,16 @@ void ERR_load_X509V3_strings(void);
 #define X509V3_R_NO_ISSUER_CERTIFICATE			 121
 #define X509V3_R_NO_ISSUER_DETAILS			 127
 #define X509V3_R_NO_POLICY_IDENTIFIER			 139
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED	 148
 #define X509V3_R_NO_PUBLIC_KEY				 114
 #define X509V3_R_NO_SUBJECT_DETAILS			 125
 #define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
+#define X509V3_R_POLICY_LANGUAGE_ALREADTY_DEFINED	 149
+#define X509V3_R_POLICY_PATH_LENGTH			 152
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADTY_DEFINED	 150
+#define X509V3_R_POLICY_SYNTAX_NOT			 154
+#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED	 155
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 156
 #define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS		 122
 #define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID		 123
 #define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT		 111