authorHiroki Sato <hrs@FreeBSD.org>2018-04-04 04:21:19 +0000
committerHiroki Sato <hrs@FreeBSD.org>2018-04-04 04:21:19 +0000
commitd684f11da759490a8d98d7b790796106285f4084 (patch)
tree27b7356df710fdf1440fe2c23154b8121e99f2ab /lib/hx509
parentf52d4664e3f68828c06f85bfc1afa271e3e04713 (diff)
Import Heimdal 7.5.0.vendor/heimdal/7.5.0
Notes
Notes: svn path=/vendor-crypto/heimdal/dist/; revision=331978 svn path=/vendor-crypto/heimdal/7.5.0/; revision=331979; tag=vendor/heimdal/7.5.0
Diffstat (limited to 'lib/hx509')
-rw-r--r--lib/hx509/Makefile.am107
-rw-r--r--lib/hx509/Makefile.in1688
-rw-r--r--lib/hx509/NTMakefile10
-rw-r--r--lib/hx509/ca.c65
-rw-r--r--lib/hx509/cert.c148
-rw-r--r--lib/hx509/cms.c46
-rw-r--r--lib/hx509/crypto-ec.c533
-rw-r--r--lib/hx509/crypto.c635
-rw-r--r--lib/hx509/data/PKITS_data.zipbin0 -> 2149008 bytes
-rw-r--r--lib/hx509/data/eccurve.pem3
-rw-r--r--lib/hx509/data/https.crt53
-rw-r--r--lib/hx509/data/https.key16
-rwxr-xr-xlib/hx509/data/mkcert.sh84
-rw-r--r--lib/hx509/data/nist-result231
-rw-r--r--lib/hx509/data/openssl.cnf2
-rw-r--r--lib/hx509/data/secp160r1TestCA.cert.pem12
-rw-r--r--lib/hx509/data/secp160r1TestCA.key.pem4
-rw-r--r--lib/hx509/data/secp160r1TestCA.pem18
-rw-r--r--lib/hx509/data/secp160r2TestClient.cert.pem9
-rw-r--r--lib/hx509/data/secp160r2TestClient.key.pem4
-rw-r--r--lib/hx509/data/secp160r2TestClient.pem15
-rw-r--r--lib/hx509/data/secp160r2TestServer.cert.pem9
-rw-r--r--lib/hx509/data/secp160r2TestServer.key.pem4
-rw-r--r--lib/hx509/data/secp160r2TestServer.pem15
-rw-r--r--lib/hx509/data/secp256r1TestCA.cert.pem12
-rw-r--r--lib/hx509/data/secp256r1TestCA.key.pem5
-rw-r--r--lib/hx509/data/secp256r1TestCA.pem17
-rw-r--r--lib/hx509/data/secp256r2TestClient.cert.pem12
-rw-r--r--lib/hx509/data/secp256r2TestClient.key.pem5
-rw-r--r--lib/hx509/data/secp256r2TestClient.pem17
-rw-r--r--lib/hx509/data/secp256r2TestServer.cert.pem12
-rw-r--r--lib/hx509/data/secp256r2TestServer.key.pem5
-rw-r--r--lib/hx509/data/secp256r2TestServer.pem17
-rw-r--r--lib/hx509/doxygen.c2
-rw-r--r--lib/hx509/env.c16
-rw-r--r--lib/hx509/error.c66
-rw-r--r--lib/hx509/file.c4
-rw-r--r--lib/hx509/hx509-private.h20
-rw-r--r--lib/hx509/hx509-protos.h1925
-rw-r--r--lib/hx509/hx509.h1
-rw-r--r--lib/hx509/hx509_err.et22
-rw-r--r--lib/hx509/hx_locl.h103
-rw-r--r--lib/hx509/hxtool-commands.in20
-rw-r--r--lib/hx509/hxtool.c67
-rw-r--r--lib/hx509/keyset.c30
-rw-r--r--lib/hx509/ks_dir.c5
-rw-r--r--lib/hx509/ks_file.c15
-rw-r--r--lib/hx509/ks_keychain.c25
-rw-r--r--lib/hx509/ks_null.c5
-rw-r--r--lib/hx509/ks_p11.c70
-rw-r--r--lib/hx509/ks_p12.c13
-rw-r--r--lib/hx509/libhx509-exports.def3
-rw-r--r--lib/hx509/lock.c5
-rw-r--r--lib/hx509/name.c20
-rw-r--r--lib/hx509/print.c4
-rw-r--r--lib/hx509/ref/pkcs11.h387
-rw-r--r--lib/hx509/revoke.c234
-rw-r--r--lib/hx509/sel-gram.c76
-rw-r--r--lib/hx509/sel-gram.h2
-rw-r--r--lib/hx509/sel-gram.y14
-rw-r--r--lib/hx509/sel-lex.c49
-rw-r--r--lib/hx509/sel-lex.l12
-rw-r--r--lib/hx509/sel.h8
-rw-r--r--lib/hx509/softp11.c31
-rw-r--r--lib/hx509/test_ca.in28
-rw-r--r--lib/hx509/test_cert.in2
-rw-r--r--lib/hx509/test_chain.in8
-rw-r--r--lib/hx509/test_cms.in12
-rw-r--r--lib/hx509/test_name.c16
-rw-r--r--lib/hx509/test_soft_pkcs11.c2
-rw-r--r--lib/hx509/version-script.map7
71 files changed, 5076 insertions, 1866 deletions
diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am
index 53669cb7c523..b58deb3e37aa 100644
--- a/lib/hx509/Makefile.am
+++ b/lib/hx509/Makefile.am
@@ -1,5 +1,7 @@
include $(top_srcdir)/Makefile.am.common
+AM_CPPFLAGS += $(INCLUDE_openssl_crypto)
+
lib_LTLIBRARIES = libhx509.la
libhx509_la_LDFLAGS = -version-info 5:0:0
@@ -58,12 +60,11 @@ dist_libhx509_la_SOURCES = \
cms.c \
collector.c \
crypto.c \
+ crypto-ec.c \
doxygen.c \
error.c \
env.c \
file.c \
- hx509-private.h \
- hx509-protos.h \
hx509.h \
hx_locl.h \
sel.c \
@@ -94,8 +95,10 @@ libhx509_la_DEPENDENCIES = version-script.map
libhx509_la_LIBADD = \
$(LIB_com_err) \
$(LIB_hcrypto) \
+ $(LIB_openssl_crypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(top_builddir)/lib/wind/libwind.la \
+ $(top_builddir)/lib/base/libheimbase.la \
$(LIBADD_roken) \
$(LIB_dlopen)
@@ -108,14 +111,15 @@ libhx509_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
endif
$(libhx509_la_OBJECTS): $(srcdir)/version-script.map $(nodist_include_HEADERS) $(priv_headers)
-libhx509_la_CPPFLAGS = -I$(srcdir)/ref $(INCLUDE_hcrypto)
nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
$(gen_files_ocsp) ocsp_asn1.hx ocsp_asn1-priv.hx: ocsp_asn1_files
$(gen_files_pkcs10) pkcs10_asn1.hx pkcs10_asn1-priv.hx: pkcs10_asn1_files
$(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
-dist_include_HEADERS = hx509.h hx509-protos.h
+dist_include_HEADERS = hx509.h $(srcdir)/hx509-protos.h
+
+noinst_HEADERS = $(srcdir)/hx509-private.h
nodist_include_HEADERS = hx509_err.h
nodist_include_HEADERS += ocsp_asn1.h
@@ -128,34 +132,40 @@ priv_headers += crmf_asn1-priv.h
ocsp_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/ocsp.asn1 $(srcdir)/ocsp.opt
- $(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
pkcs10_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/pkcs10.asn1 $(srcdir)/pkcs10.opt
- $(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
crmf_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/crmf.asn1
- $(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+
+ALL_OBJECTS = $(libhx509_la_OBJECTS)
+ALL_OBJECTS += $(hxtool_OBJECTS)
+
+HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
+
+$(ALL_OBJECTS): $(HX509_PROTOS)
-$(libhx509_la_OBJECTS): $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h $(srcdir)/hx_locl.h
+$(libhx509_la_OBJECTS): $(srcdir)/hx_locl.h
$(libhx509_la_OBJECTS): ocsp_asn1.h pkcs10_asn1.h
-$(srcdir)/hx509-protos.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
+$(srcdir)/hx509-protos.h: $(dist_libhx509_la_SOURCES)
+ $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
-$(srcdir)/hx509-private.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
+$(srcdir)/hx509-private.h: $(dist_libhx509_la_SOURCES)
+ $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
bin_PROGRAMS = hxtool
hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
- $(SLC) $(srcdir)/hxtool-commands.in
+ $(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in
dist_hxtool_SOURCES = hxtool.c
nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
-$(hxtool_OBJECTS): hxtool-commands.h
+$(hxtool_OBJECTS): hxtool-commands.h hx509_err.h
-hxtool_CPPFLAGS = $(INCLUDE_hcrypto)
hxtool_LDADD = \
libhx509.la \
$(top_builddir)/lib/asn1/libasn1.la \
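Review bot: The rewritten recipes for `$(srcdir)/hx509-protos.h` and `$(srcdir)/hx509-private.h` still end in `|| rm -f hx509-protos.h` / `|| rm -f hx509-private.h`, so a failing make-proto.pl run makes the recipe exit 0 and make treats the header as rebuilt. The failure then only shows up later as a missing-include compile error, or not at all if a stale copy is found elsewhere on the include path. The ASN.1 stamp rules in this same hunk already use the failing form, and these two should match it: `... $(dist_libhx509_la_SOURCES) || (rm -f hx509-protos.h ; exit 1)` and the same for `hx509-private.h`. Because both headers now list `$(dist_libhx509_la_SOURCES)` as prerequisites, the recipes run after any source edit and write into `$(srcdir)`, so a comment noting that a writable source tree is required would help.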
@@ -165,11 +175,11 @@ hxtool_LDADD = \
CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
$(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
- ocsp_asn1-template.[ch]* \
+ ocsp_asn1-template.[chx]* \
$(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1{,-priv}.h* \
- pkcs10_asn1-template.[ch]* \
+ pkcs10_asn1-template.[chx]* \
$(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
- crmf_asn1-template.[ch]* \
+ crmf_asn1-template.[chx]* \
$(TESTS) \
hxtool-commands.c hxtool-commands.h *.tmp \
request.out \
@@ -198,11 +208,10 @@ check_PROGRAMS = $(PROGRAM_TESTS) test_soft_pkcs11
LDADD = libhx509.la
-test_soft_pkcs11_LDADD = libhx509.la
-test_soft_pkcs11_CPPFLAGS = -I$(srcdir)/ref
+test_soft_pkcs11_LDADD = libhx509.la $(top_builddir)/lib/asn1/libasn1.la
-test_name_CPPFLAGS = $(INCLUDE_hcrypto)
-test_name_LDADD = libhx509.la $(LIB_roken)
+test_name_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
+test_expr_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
TESTS = $(SCRIPT_TESTS) $(PROGRAM_TESTS)
@@ -226,78 +235,78 @@ SCRIPT_TESTS = \
test_windows \
test_query
-do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+do_subst = $(heim_verbose)sed -e 's,[@]srcdir[@],$(srcdir),g' \
-e 's,[@]objdir[@],$(top_builddir)/lib/hx509,g' \
-e 's,[@]egrep[@],$(EGREP),g'
test_ca: test_ca.in Makefile
$(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp
- chmod +x test_ca.tmp
+ $(heim_verbose)chmod +x test_ca.tmp
mv test_ca.tmp test_ca
test_cert: test_cert.in Makefile
$(do_subst) < $(srcdir)/test_cert.in > test_cert.tmp
- chmod +x test_cert.tmp
+ $(heim_verbose)chmod +x test_cert.tmp
mv test_cert.tmp test_cert
test_chain: test_chain.in Makefile
$(do_subst) < $(srcdir)/test_chain.in > test_chain.tmp
- chmod +x test_chain.tmp
+ $(heim_verbose)chmod +x test_chain.tmp
mv test_chain.tmp test_chain
test_cms: test_cms.in Makefile
$(do_subst) < $(srcdir)/test_cms.in > test_cms.tmp
- chmod +x test_cms.tmp
+ $(heim_verbose)chmod +x test_cms.tmp
mv test_cms.tmp test_cms
test_crypto: test_crypto.in Makefile
$(do_subst) < $(srcdir)/test_crypto.in > test_crypto.tmp
- chmod +x test_crypto.tmp
+ $(heim_verbose)chmod +x test_crypto.tmp
mv test_crypto.tmp test_crypto
test_nist: test_nist.in Makefile
$(do_subst) < $(srcdir)/test_nist.in > test_nist.tmp
- chmod +x test_nist.tmp
+ $(heim_verbose)chmod +x test_nist.tmp
mv test_nist.tmp test_nist
test_nist2: test_nist2.in Makefile
$(do_subst) < $(srcdir)/test_nist2.in > test_nist2.tmp
- chmod +x test_nist2.tmp
+ $(heim_verbose)chmod +x test_nist2.tmp
mv test_nist2.tmp test_nist2
test_pkcs11: test_pkcs11.in Makefile
$(do_subst) < $(srcdir)/test_pkcs11.in > test_pkcs11.tmp
- chmod +x test_pkcs11.tmp
+ $(heim_verbose)chmod +x test_pkcs11.tmp
mv test_pkcs11.tmp test_pkcs11
test_java_pkcs11: test_java_pkcs11.in Makefile
$(do_subst) < $(srcdir)/test_java_pkcs11.in > test_java_pkcs11.tmp
- chmod +x test_java_pkcs11.tmp
+ $(heim_verbose)chmod +x test_java_pkcs11.tmp
mv test_java_pkcs11.tmp test_java_pkcs11
test_nist_cert: test_nist_cert.in Makefile
$(do_subst) < $(srcdir)/test_nist_cert.in > test_nist_cert.tmp
- chmod +x test_nist_cert.tmp
+ $(heim_verbose)chmod +x test_nist_cert.tmp
mv test_nist_cert.tmp test_nist_cert
test_nist_pkcs12: test_nist_pkcs12.in Makefile
$(do_subst) < $(srcdir)/test_nist_pkcs12.in > test_nist_pkcs12.tmp
- chmod +x test_nist_pkcs12.tmp
+ $(heim_verbose)chmod +x test_nist_pkcs12.tmp
mv test_nist_pkcs12.tmp test_nist_pkcs12
test_req: test_req.in Makefile
$(do_subst) < $(srcdir)/test_req.in > test_req.tmp
- chmod +x test_req.tmp
+ $(heim_verbose)chmod +x test_req.tmp
mv test_req.tmp test_req
test_windows: test_windows.in Makefile
$(do_subst) < $(srcdir)/test_windows.in > test_windows.tmp
- chmod +x test_windows.tmp
+ $(heim_verbose)chmod +x test_windows.tmp
mv test_windows.tmp test_windows
test_query: test_query.in Makefile
$(do_subst) < $(srcdir)/test_query.in > test_query.tmp
- chmod +x test_query.tmp
+ $(heim_verbose)chmod +x test_query.tmp
mv test_query.tmp test_query
EXTRA_DIST = \
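Review bot: Putting `$(heim_verbose)` inside `do_subst` makes the variable usable only as the first word of a recipe line, and hides the verbosity prefix from anyone reading the `test_*` rules. `heim_verbose` is not defined in this file, so its expansion is presumably supplied by the included common makefile. I would keep `do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \` as a plain command and write the prefix at each call site, `$(heim_verbose)$(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp`, as is already done for the `chmod` lines. The `mv test_X.tmp test_X` lines are left unprefixed, so quiet builds will still echo them; either prefix them too or add a comment saying it is deliberate.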
@@ -338,16 +347,22 @@ EXTRA_DIST = \
tst-crypto-select5 \
tst-crypto-select6 \
tst-crypto-select7 \
+ data/PKITS_data.zip \
+ data/eccurve.pem \
+ data/https.crt \
+ data/https.key \
+ data/mkcert.sh \
+ data/nist-result2 \
data/n0ll.pem \
- data/secp160r1TestCA.cert.pem \
- data/secp160r1TestCA.key.pem \
- data/secp160r1TestCA.pem \
- data/secp160r2TestClient.cert.pem \
- data/secp160r2TestClient.key.pem \
- data/secp160r2TestClient.pem \
- data/secp160r2TestServer.cert.pem \
- data/secp160r2TestServer.key.pem \
- data/secp160r2TestServer.pem \
+ data/secp256r1TestCA.cert.pem \
+ data/secp256r1TestCA.key.pem \
+ data/secp256r1TestCA.pem \
+ data/secp256r2TestClient.cert.pem \
+ data/secp256r2TestClient.key.pem \
+ data/secp256r2TestClient.pem \
+ data/secp256r2TestServer.cert.pem \
+ data/secp256r2TestServer.key.pem \
+ data/secp256r2TestServer.pem \
data/bleichenbacher-bad.pem \
data/bleichenbacher-good.pem \
data/bleichenbacher-sf-pad-correct.pem \
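Review bot: `data/https.key` and the `secp256r*Test*.key.pem` and combined `.pem` entries added to `EXTRA_DIST` look, from their names, like private-key material, and nothing in the list marks them as test-only fixtures. They ship in every distribution tarball, so a comment above the `EXTRA_DIST = \` assignment is worth adding, for example `# data/*.key and data/*Test*.pem hold throwaway test keys; never install or trust them`. That also gives secret scanners and downstream packagers an explicit statement to triage against. The assignment begins and ends outside this hunk, so the comment has to go before the list rather than inside the continued lines.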
diff --git a/lib/hx509/Makefile.in b/lib/hx509/Makefile.in
index 98de7d540dd6..cca95bbc04ae 100644
--- a/lib/hx509/Makefile.in
+++ b/lib/hx509/Makefile.in
@@ -1,9 +1,8 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
+
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -22,6 +21,61 @@
VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -40,10 +94,6 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-DIST_COMMON = $(dist_include_HEADERS) $(srcdir)/Makefile.am \
- $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
- $(top_srcdir)/cf/Makefile.am.common ChangeLog TODO sel-gram.c \
- sel-gram.h sel-lex.c
@FRAMEWORK_SECURITY_TRUE@am__append_1 = -framework Security -framework CoreFoundation
@versionscript_TRUE@am__append_2 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
bin_PROGRAMS = hxtool$(EXEEXT)
@@ -64,8 +114,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/cf/check-man.m4 \
$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
$(top_srcdir)/cf/check-type-extra.m4 \
- $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
- $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+ $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/crypto.m4 \
$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
$(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
$(top_srcdir)/cf/find-func-no-libs.m4 \
@@ -78,6 +127,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/cf/krb-bigendian.m4 \
$(top_srcdir)/cf/krb-func-getlogin.m4 \
$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+ $(top_srcdir)/cf/krb-prog-perl.m4 \
$(top_srcdir)/cf/krb-readline.m4 \
$(top_srcdir)/cf/krb-struct-spwd.m4 \
$(top_srcdir)/cf/krb-struct-winsize.m4 \
@@ -97,6 +147,8 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(dist_include_HEADERS) \
+ $(noinst_HEADERS) $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/include/config.h
CONFIG_CLEAN_FILES =
@@ -122,106 +174,335 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
"$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)"
LTLIBRARIES = $(lib_LTLIBRARIES)
am__DEPENDENCIES_1 =
-dist_libhx509_la_OBJECTS = libhx509_la-ca.lo libhx509_la-cert.lo \
- libhx509_la-cms.lo libhx509_la-collector.lo \
- libhx509_la-crypto.lo libhx509_la-doxygen.lo \
- libhx509_la-error.lo libhx509_la-env.lo libhx509_la-file.lo \
- libhx509_la-sel.lo libhx509_la-sel-gram.lo \
- libhx509_la-sel-lex.lo libhx509_la-keyset.lo \
- libhx509_la-ks_dir.lo libhx509_la-ks_file.lo \
- libhx509_la-ks_mem.lo libhx509_la-ks_null.lo \
- libhx509_la-ks_p11.lo libhx509_la-ks_p12.lo \
- libhx509_la-ks_keychain.lo libhx509_la-lock.lo \
- libhx509_la-name.lo libhx509_la-peer.lo libhx509_la-print.lo \
- libhx509_la-softp11.lo libhx509_la-req.lo \
- libhx509_la-revoke.lo
-am__objects_1 = libhx509_la-asn1_OCSPBasicOCSPResponse.lo \
- libhx509_la-asn1_OCSPCertID.lo \
- libhx509_la-asn1_OCSPCertStatus.lo \
- libhx509_la-asn1_OCSPInnerRequest.lo \
- libhx509_la-asn1_OCSPKeyHash.lo \
- libhx509_la-asn1_OCSPRequest.lo \
- libhx509_la-asn1_OCSPResponderID.lo \
- libhx509_la-asn1_OCSPResponse.lo \
- libhx509_la-asn1_OCSPResponseBytes.lo \
- libhx509_la-asn1_OCSPResponseData.lo \
- libhx509_la-asn1_OCSPResponseStatus.lo \
- libhx509_la-asn1_OCSPSignature.lo \
- libhx509_la-asn1_OCSPSingleResponse.lo \
- libhx509_la-asn1_OCSPTBSRequest.lo \
- libhx509_la-asn1_OCSPVersion.lo \
- libhx509_la-asn1_id_pkix_ocsp.lo \
- libhx509_la-asn1_id_pkix_ocsp_basic.lo \
- libhx509_la-asn1_id_pkix_ocsp_nonce.lo
-am__objects_2 = libhx509_la-asn1_CertificationRequestInfo.lo \
- libhx509_la-asn1_CertificationRequest.lo
-am__objects_3 = $(am__objects_1) $(am__objects_2) \
- libhx509_la-hx509_err.lo
+dist_libhx509_la_OBJECTS = ca.lo cert.lo cms.lo collector.lo crypto.lo \
+ crypto-ec.lo doxygen.lo error.lo env.lo file.lo sel.lo \
+ sel-gram.lo sel-lex.lo keyset.lo ks_dir.lo ks_file.lo \
+ ks_mem.lo ks_null.lo ks_p11.lo ks_p12.lo ks_keychain.lo \
+ lock.lo name.lo peer.lo print.lo softp11.lo req.lo revoke.lo
+am__objects_1 = asn1_OCSPBasicOCSPResponse.lo asn1_OCSPCertID.lo \
+ asn1_OCSPCertStatus.lo asn1_OCSPInnerRequest.lo \
+ asn1_OCSPKeyHash.lo asn1_OCSPRequest.lo \
+ asn1_OCSPResponderID.lo asn1_OCSPResponse.lo \
+ asn1_OCSPResponseBytes.lo asn1_OCSPResponseData.lo \
+ asn1_OCSPResponseStatus.lo asn1_OCSPSignature.lo \
+ asn1_OCSPSingleResponse.lo asn1_OCSPTBSRequest.lo \
+ asn1_OCSPVersion.lo asn1_id_pkix_ocsp.lo \
+ asn1_id_pkix_ocsp_basic.lo asn1_id_pkix_ocsp_nonce.lo
+am__objects_2 = asn1_CertificationRequestInfo.lo \
+ asn1_CertificationRequest.lo
+am__objects_3 = $(am__objects_1) $(am__objects_2) hx509_err.lo
nodist_libhx509_la_OBJECTS = $(am__objects_3)
libhx509_la_OBJECTS = $(dist_libhx509_la_OBJECTS) \
$(nodist_libhx509_la_OBJECTS)
-libhx509_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libhx509_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
$(libhx509_la_LDFLAGS) $(LDFLAGS) -o $@
am__EXEEXT_1 = test_name$(EXEEXT) test_expr$(EXEEXT)
PROGRAMS = $(bin_PROGRAMS)
-dist_hxtool_OBJECTS = hxtool-hxtool.$(OBJEXT)
-nodist_hxtool_OBJECTS = hxtool-hxtool-commands.$(OBJEXT)
+dist_hxtool_OBJECTS = hxtool.$(OBJEXT)
+nodist_hxtool_OBJECTS = hxtool-commands.$(OBJEXT)
hxtool_OBJECTS = $(dist_hxtool_OBJECTS) $(nodist_hxtool_OBJECTS)
hxtool_DEPENDENCIES = libhx509.la $(top_builddir)/lib/asn1/libasn1.la \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(top_builddir)/lib/sl/libsl.la
test_expr_SOURCES = test_expr.c
test_expr_OBJECTS = test_expr.$(OBJEXT)
-test_expr_LDADD = $(LDADD)
-test_expr_DEPENDENCIES = libhx509.la
+test_expr_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la
test_name_SOURCES = test_name.c
-test_name_OBJECTS = test_name-test_name.$(OBJEXT)
-test_name_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1)
+test_name_OBJECTS = test_name.$(OBJEXT)
+test_name_DEPENDENCIES = libhx509.la $(am__DEPENDENCIES_1) \
+ $(top_builddir)/lib/asn1/libasn1.la
test_soft_pkcs11_SOURCES = test_soft_pkcs11.c
-test_soft_pkcs11_OBJECTS = \
- test_soft_pkcs11-test_soft_pkcs11.$(OBJEXT)
-test_soft_pkcs11_DEPENDENCIES = libhx509.la
+test_soft_pkcs11_OBJECTS = test_soft_pkcs11.$(OBJEXT)
+test_soft_pkcs11_DEPENDENCIES = libhx509.la \
+ $(top_builddir)/lib/asn1/libasn1.la
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
- $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
- $(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
@MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||
-LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
+AM_V_LEX = $(am__v_LEX_@AM_V@)
+am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
+am__v_LEX_0 = @echo " LEX " $@;
+am__v_LEX_1 =
YLWRAP = $(top_srcdir)/ylwrap
@MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
-YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+am__yacc_c2h = sed -e s/cc$$/hh/ -e s/cpp$$/hpp/ -e s/cxx$$/hxx/ \
+ -e s/c++$$/h++/ -e s/c$$/h/
+YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
+AM_V_YACC = $(am__v_YACC_@AM_V@)
+am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
+am__v_YACC_0 = @echo " YACC " $@;
+am__v_YACC_1 =
SOURCES = $(dist_libhx509_la_SOURCES) $(nodist_libhx509_la_SOURCES) \
$(dist_hxtool_SOURCES) $(nodist_hxtool_SOURCES) test_expr.c \
test_name.c test_soft_pkcs11.c
DIST_SOURCES = $(dist_libhx509_la_SOURCES) $(dist_hxtool_SOURCES) \
test_expr.c test_name.c test_soft_pkcs11.c
-HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS) \
+ $(noinst_HEADERS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
-am__tty_colors = \
-red=; grn=; lgn=; blu=; std=
+am__tty_colors_dummy = \
+ mgn= red= grn= lgn= blu= brg= std=; \
+ am__color_tests=no
+am__tty_colors = { \
+ $(am__tty_colors_dummy); \
+ if test "X$(AM_COLOR_TESTS)" = Xno; then \
+ am__color_tests=no; \
+ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+ am__color_tests=yes; \
+ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+ am__color_tests=yes; \
+ fi; \
+ if test $$am__color_tests = yes; then \
+ red=''; \
+ grn=''; \
+ lgn=''; \
+ blu=''; \
+ mgn=''; \
+ brg=''; \
+ std=''; \
+ fi; \
+}
+am__recheck_rx = ^[ ]*:recheck:[ ]*
+am__global_test_result_rx = ^[ ]*:global-test-result:[ ]*
+am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]*
+# A command that, given a newline-separated list of test names on the
+# standard input, print the name of the tests that are to be re-run
+# upon "make recheck".
+am__list_recheck_tests = $(AWK) '{ \
+ recheck = 1; \
+ while ((rc = (getline line < ($$0 ".trs"))) != 0) \
+ { \
+ if (rc < 0) \
+ { \
+ if ((getline line2 < ($$0 ".log")) < 0) \
+ recheck = 0; \
+ break; \
+ } \
+ else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
+ { \
+ recheck = 0; \
+ break; \
+ } \
+ else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
+ { \
+ break; \
+ } \
+ }; \
+ if (recheck) \
+ print $$0; \
+ close ($$0 ".trs"); \
+ close ($$0 ".log"); \
+}'
+# A command that, given a newline-separated list of test names on the
+# standard input, create the global log from their .trs and .log files.
+am__create_global_log = $(AWK) ' \
+function fatal(msg) \
+{ \
+ print "fatal: making $@: " msg | "cat >&2"; \
+ exit 1; \
+} \
+function rst_section(header) \
+{ \
+ print header; \
+ len = length(header); \
+ for (i = 1; i <= len; i = i + 1) \
+ printf "="; \
+ printf "\n\n"; \
+} \
+{ \
+ copy_in_global_log = 1; \
+ global_test_result = "RUN"; \
+ while ((rc = (getline line < ($$0 ".trs"))) != 0) \
+ { \
+ if (rc < 0) \
+ fatal("failed to read from " $$0 ".trs"); \
+ if (line ~ /$(am__global_test_result_rx)/) \
+ { \
+ sub("$(am__global_test_result_rx)", "", line); \
+ sub("[ ]*$$", "", line); \
+ global_test_result = line; \
+ } \
+ else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
+ copy_in_global_log = 0; \
+ }; \
+ if (copy_in_global_log) \
+ { \
+ rst_section(global_test_result ": " $$0); \
+ while ((rc = (getline line < ($$0 ".log"))) != 0) \
+ { \
+ if (rc < 0) \
+ fatal("failed to read from " $$0 ".log"); \
+ print line; \
+ }; \
+ printf "\n"; \
+ }; \
+ close ($$0 ".trs"); \
+ close ($$0 ".log"); \
+}'
+# Restructured Text title.
+am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
+# Solaris 10 'make', and several other traditional 'make' implementations,
+# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it
+# by disabling -e (using the XSI extension "set +e") if it's set.
+am__sh_e_setup = case $$- in *e*) set +e;; esac
+# Default flags passed to test drivers.
+am__common_driver_flags = \
+ --color-tests "$$am__color_tests" \
+ --enable-hard-errors "$$am__enable_hard_errors" \
+ --expect-failure "$$am__expect_failure"
+# To be inserted before the command running the test. Creates the
+# directory for the log if needed. Stores in $dir the directory
+# containing $f, in $tst the test, in $log the log. Executes the
+# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
+# passes TESTS_ENVIRONMENT. Set up options for the wrapper that
+# will run the test scripts (or their associated LOG_COMPILER, if
+# thy have one).
+am__check_pre = \
+$(am__sh_e_setup); \
+$(am__vpath_adj_setup) $(am__vpath_adj) \
+$(am__tty_colors); \
+srcdir=$(srcdir); export srcdir; \
+case "$@" in \
+ */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \
+ *) am__odir=.;; \
+esac; \
+test "x$$am__odir" = x"." || test -d "$$am__odir" \
+ || $(MKDIR_P) "$$am__odir" || exit $$?; \
+if test -f "./$$f"; then dir=./; \
+elif test -f "$$f"; then dir=; \
+else dir="$(srcdir)/"; fi; \
+tst=$$dir$$f; log='$@'; \
+if test -n '$(DISABLE_HARD_ERRORS)'; then \
+ am__enable_hard_errors=no; \
+else \
+ am__enable_hard_errors=yes; \
+fi; \
+case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \
+ am__expect_failure=yes;; \
+ *) \
+ am__expect_failure=no;; \
+esac; \
+$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
+# A shell command to get the names of the tests scripts with any registered
+# extension removed (i.e., equivalently, the names of the test logs, with
+# the '.log' extension removed). The result is saved in the shell variable
+# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly,
+# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
+# since that might cause problem with VPATH rewrites for suffix-less tests.
+# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
+am__set_TESTS_bases = \
+ bases='$(TEST_LOGS)'; \
+ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
+ bases=`echo $$bases`
+RECHECK_LOGS = $(TEST_LOGS)
+AM_RECURSIVE_TARGETS = check recheck
+TEST_SUITE_LOG = test-suite.log
+TEST_EXTENSIONS = @EXEEXT@ .test
+LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
+LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
+am__set_b = \
+ case '$@' in \
+ */*) \
+ case '$*' in \
+ */*) b='$*';; \
+ *) b=`echo '$@' | sed 's/\.log$$//'`; \
+ esac;; \
+ *) \
+ b='$*';; \
+ esac
+am__test_logs1 = $(TESTS:=.log)
+am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
+TEST_LOGS = $(am__test_logs2:.test.log=.log)
+TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
+TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
+ $(TEST_LOG_FLAGS)
+am__DIST_COMMON = $(srcdir)/Makefile.in \
+ $(top_srcdir)/Makefile.am.common \
+ $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/depcomp \
+ $(top_srcdir)/test-driver $(top_srcdir)/ylwrap ChangeLog TODO \
+ sel-gram.c sel-gram.h sel-lex.c
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
+AS = @AS@
ASN1_COMPILE = @ASN1_COMPILE@
ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
AUTOCONF = @AUTOCONF@
@@ -240,12 +521,12 @@ COMPILE_ET = @COMPILE_ET@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
+DB1LIB = @DB1LIB@
+DB3LIB = @DB3LIB@
DBHEADER = @DBHEADER@
-DBLIB = @DBLIB@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIR_com_err = @DIR_com_err@
-DIR_hcrypto = @DIR_hcrypto@
DIR_hdbdir = @DIR_hdbdir@
DIR_roken = @DIR_roken@
DLLTOOL = @DLLTOOL@
@@ -255,17 +536,17 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
+ENABLE_AFS_STRING_TO_KEY = @ENABLE_AFS_STRING_TO_KEY@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
+GCD_MIG = @GCD_MIG@
GREP = @GREP@
GROFF = @GROFF@
INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_hcrypto = @INCLUDE_hcrypto@
-INCLUDE_hesiod = @INCLUDE_hesiod@
-INCLUDE_krb4 = @INCLUDE_krb4@
INCLUDE_libedit = @INCLUDE_libedit@
INCLUDE_libintl = @INCLUDE_libintl@
INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@
INCLUDE_readline = @INCLUDE_readline@
INCLUDE_sqlite3 = @INCLUDE_sqlite3@
INSTALL = @INSTALL@
@@ -284,12 +565,9 @@ LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
-LIB_NDBM = @LIB_NDBM@
-LIB_XauFileName = @LIB_XauFileName@
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_XauWriteAuth = @LIB_XauWriteAuth@
LIB_bswap16 = @LIB_bswap16@
LIB_bswap32 = @LIB_bswap32@
+LIB_bswap64 = @LIB_bswap64@
LIB_com_err = @LIB_com_err@
LIB_com_err_a = @LIB_com_err_a@
LIB_com_err_so = @LIB_com_err_so@
@@ -298,6 +576,7 @@ LIB_db_create = @LIB_db_create@
LIB_dbm_firstkey = @LIB_dbm_firstkey@
LIB_dbopen = @LIB_dbopen@
LIB_dispatch_async_f = @LIB_dispatch_async_f@
+LIB_dladdr = @LIB_dladdr@
LIB_dlopen = @LIB_dlopen@
LIB_dn_expand = @LIB_dn_expand@
LIB_dns_search = @LIB_dns_search@
@@ -314,10 +593,8 @@ LIB_hcrypto = @LIB_hcrypto@
LIB_hcrypto_a = @LIB_hcrypto_a@
LIB_hcrypto_appl = @LIB_hcrypto_appl@
LIB_hcrypto_so = @LIB_hcrypto_so@
-LIB_hesiod = @LIB_hesiod@
LIB_hstrerror = @LIB_hstrerror@
LIB_kdb = @LIB_kdb@
-LIB_krb4 = @LIB_krb4@
LIB_libedit = @LIB_libedit@
LIB_libintl = @LIB_libintl@
LIB_loadquery = @LIB_loadquery@
@@ -325,6 +602,7 @@ LIB_logout = @LIB_logout@
LIB_logwtmp = @LIB_logwtmp@
LIB_openldap = @LIB_openldap@
LIB_openpty = @LIB_openpty@
+LIB_openssl_crypto = @LIB_openssl_crypto@
LIB_otp = @LIB_otp@
LIB_pidfile = @LIB_pidfile@
LIB_readline = @LIB_readline@
@@ -339,12 +617,15 @@ LIB_sqlite3 = @LIB_sqlite3@
LIB_syslog = @LIB_syslog@
LIB_tgetent = @LIB_tgetent@
LIPO = @LIPO@
+LMDBLIB = @LMDBLIB@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
+NDBMLIB = @NDBMLIB@
NM = @NM@
NMEDIT = @NMEDIT@
NO_AFS = @NO_AFS@
@@ -361,6 +642,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
PTHREAD_LDADD = @PTHREAD_LDADD@
@@ -375,13 +657,7 @@ STRIP = @STRIP@
VERSION = @VERSION@
VERSIONING = @VERSIONING@
WFLAGS = @WFLAGS@
-WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
-WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
-XMKMF = @XMKMF@
-X_CFLAGS = @X_CFLAGS@
-X_EXTRA_LIBS = @X_EXTRA_LIBS@
-X_LIBS = @X_LIBS@
-X_PRE_LIBS = @X_PRE_LIBS@
+WFLAGS_LITE = @WFLAGS_LITE@
YACC = @YACC@
YFLAGS = @YFLAGS@
abs_builddir = @abs_builddir@
@@ -405,6 +681,8 @@ build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
+db_type = @db_type@
+db_type_preference = @db_type_preference@
docdir = @docdir@
dpagaix_cflags = @dpagaix_cflags@
dpagaix_ldadd = @dpagaix_ldadd@
@@ -440,29 +718,37 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+SUFFIXES = .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 \
+ .cat5 .cat7 .cat8
DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
-AM_CPPFLAGS = $(INCLUDES_roken)
+AM_CPPFLAGS = $(INCLUDES_roken) $(INCLUDE_openssl_crypto)
@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
AM_CFLAGS = $(WFLAGS)
CP = cp
buildinclude = $(top_builddir)/include
+LIB_XauReadAuth = @LIB_XauReadAuth@
LIB_el_init = @LIB_el_init@
LIB_getattr = @LIB_getattr@
LIB_getpwent_r = @LIB_getpwent_r@
LIB_odm_initialize = @LIB_odm_initialize@
LIB_setpcred = @LIB_setpcred@
-HESIODLIB = @HESIODLIB@
-HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
libexec_heimdaldir = $(libexecdir)/heimdal
NROFF_MAN = groff -mandoc -Tascii
-LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@NO_AFS_FALSE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@NO_AFS_TRUE@LIB_kafs =
@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-LIB_heimbase = $(top_builddir)/base/libheimbase.la
+LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la
@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+
+#silent-rules
+heim_verbose = $(heim_verbose_$(V))
+heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY))
+heim_verbose_0 = @echo " GEN "$@;
lib_LTLIBRARIES = libhx509.la
libhx509_la_LDFLAGS = -version-info 5:0:0 $(am__append_1) \
$(am__append_2)
@@ -520,12 +806,11 @@ dist_libhx509_la_SOURCES = \
cms.c \
collector.c \
crypto.c \
+ crypto-ec.c \
doxygen.c \
error.c \
env.c \
file.c \
- hx509-private.h \
- hx509-protos.h \
hx509.h \
hx_locl.h \
sel.c \
@@ -553,20 +838,23 @@ libhx509_la_DEPENDENCIES = version-script.map
libhx509_la_LIBADD = \
$(LIB_com_err) \
$(LIB_hcrypto) \
+ $(LIB_openssl_crypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(top_builddir)/lib/wind/libwind.la \
+ $(top_builddir)/lib/base/libheimbase.la \
$(LIBADD_roken) \
$(LIB_dlopen)
-libhx509_la_CPPFLAGS = -I$(srcdir)/ref $(INCLUDE_hcrypto)
nodist_libhx509_la_SOURCES = $(BUILT_SOURCES)
-dist_include_HEADERS = hx509.h hx509-protos.h
+dist_include_HEADERS = hx509.h $(srcdir)/hx509-protos.h
+noinst_HEADERS = $(srcdir)/hx509-private.h
nodist_include_HEADERS = hx509_err.h ocsp_asn1.h pkcs10_asn1.h \
crmf_asn1.h
priv_headers = ocsp_asn1-priv.h pkcs10_asn1-priv.h crmf_asn1-priv.h
+ALL_OBJECTS = $(libhx509_la_OBJECTS) $(hxtool_OBJECTS)
+HX509_PROTOS = $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h
dist_hxtool_SOURCES = hxtool.c
nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h
-hxtool_CPPFLAGS = $(INCLUDE_hcrypto)
hxtool_LDADD = \
libhx509.la \
$(top_builddir)/lib/asn1/libasn1.la \
@@ -576,11 +864,11 @@ hxtool_LDADD = \
CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
$(gen_files_ocsp) ocsp_asn1_files ocsp_asn1{,-priv}.h* \
- ocsp_asn1-template.[ch]* \
+ ocsp_asn1-template.[chx]* \
$(gen_files_pkcs10) pkcs10_asn1_files pkcs10_asn1{,-priv}.h* \
- pkcs10_asn1-template.[ch]* \
+ pkcs10_asn1-template.[chx]* \
$(gen_files_crmf) crmf_asn1_files crmf_asn1{,-priv}.h* \
- crmf_asn1-template.[ch]* \
+ crmf_asn1-template.[chx]* \
$(TESTS) \
hxtool-commands.c hxtool-commands.h *.tmp \
request.out \
@@ -603,10 +891,9 @@ CLEANFILES = $(BUILT_SOURCES) sel-gram.c sel-lex.c \
#
check_SCRIPTS = $(SCRIPT_TESTS)
LDADD = libhx509.la
-test_soft_pkcs11_LDADD = libhx509.la
-test_soft_pkcs11_CPPFLAGS = -I$(srcdir)/ref
-test_name_CPPFLAGS = $(INCLUDE_hcrypto)
-test_name_LDADD = libhx509.la $(LIB_roken)
+test_soft_pkcs11_LDADD = libhx509.la $(top_builddir)/lib/asn1/libasn1.la
+test_name_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
+test_expr_LDADD = libhx509.la $(LIB_roken) $(top_builddir)/lib/asn1/libasn1.la
PROGRAM_TESTS = \
test_name \
test_expr
@@ -627,7 +914,7 @@ SCRIPT_TESTS = \
test_windows \
test_query
-do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+do_subst = $(heim_verbose)sed -e 's,[@]srcdir[@],$(srcdir),g' \
-e 's,[@]objdir[@],$(top_builddir)/lib/hx509,g' \
-e 's,[@]egrep[@],$(EGREP),g'
@@ -669,16 +956,22 @@ EXTRA_DIST = \
tst-crypto-select5 \
tst-crypto-select6 \
tst-crypto-select7 \
+ data/PKITS_data.zip \
+ data/eccurve.pem \
+ data/https.crt \
+ data/https.key \
+ data/mkcert.sh \
+ data/nist-result2 \
data/n0ll.pem \
- data/secp160r1TestCA.cert.pem \
- data/secp160r1TestCA.key.pem \
- data/secp160r1TestCA.pem \
- data/secp160r2TestClient.cert.pem \
- data/secp160r2TestClient.key.pem \
- data/secp160r2TestClient.pem \
- data/secp160r2TestServer.cert.pem \
- data/secp160r2TestServer.key.pem \
- data/secp160r2TestServer.pem \
+ data/secp256r1TestCA.cert.pem \
+ data/secp256r1TestCA.key.pem \
+ data/secp256r1TestCA.pem \
+ data/secp256r2TestClient.cert.pem \
+ data/secp256r2TestClient.key.pem \
+ data/secp256r2TestClient.pem \
+ data/secp256r2TestServer.cert.pem \
+ data/secp256r2TestServer.key.pem \
+ data/secp256r2TestServer.pem \
data/bleichenbacher-bad.pem \
data/bleichenbacher-good.pem \
data/bleichenbacher-sf-pad-correct.pem \
@@ -770,7 +1063,7 @@ all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
.SUFFIXES:
-.SUFFIXES: .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
+.SUFFIXES: .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 .c .l .lo .log .o .obj .test .test$(EXEEXT) .trs .y
$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
@@ -783,7 +1076,6 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/hx509/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign lib/hx509/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -792,6 +1084,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
+$(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
@@ -801,9 +1094,9 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
+
install-libLTLIBRARIES: $(lib_LTLIBRARIES)
@$(NORMAL_INSTALL)
- test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
list2=; for p in $$list; do \
if test -f $$p; then \
@@ -811,6 +1104,8 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
else :; fi; \
done; \
test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
$(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
}
@@ -826,29 +1121,35 @@ uninstall-libLTLIBRARIES:
clean-libLTLIBRARIES:
-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
- @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
- dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
- test "$$dir" != "$$p" || dir=.; \
- echo "rm -f \"$${dir}/so_locations\""; \
- rm -f "$${dir}/so_locations"; \
- done
+ @list='$(lib_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
sel-gram.h: sel-gram.c
- @if test ! -f $@; then \
- rm -f sel-gram.c; \
- $(MAKE) $(AM_MAKEFLAGS) sel-gram.c; \
- else :; fi
-libhx509.la: $(libhx509_la_OBJECTS) $(libhx509_la_DEPENDENCIES)
- $(libhx509_la_LINK) -rpath $(libdir) $(libhx509_la_OBJECTS) $(libhx509_la_LIBADD) $(LIBS)
+ @if test ! -f $@; then rm -f sel-gram.c; else :; fi
+ @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) sel-gram.c; else :; fi
+
+libhx509.la: $(libhx509_la_OBJECTS) $(libhx509_la_DEPENDENCIES) $(EXTRA_libhx509_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libhx509_la_LINK) -rpath $(libdir) $(libhx509_la_OBJECTS) $(libhx509_la_LIBADD) $(LIBS)
install-binPROGRAMS: $(bin_PROGRAMS)
@$(NORMAL_INSTALL)
- test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
+ fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
- while read p p1; do if test -f $$p || test -f $$p1; \
- then echo "$$p"; echo "$$p"; else :; fi; \
+ while read p p1; do if test -f $$p \
+ || test -f $$p1 \
+ ; then echo "$$p"; echo "$$p"; else :; fi; \
done | \
- sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+ sed -e 'p;s,.*/,,;n;h' \
+ -e 's|.*|.|' \
-e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
sed 'N;N;N;s,\n, ,g' | \
$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
@@ -869,7 +1170,8 @@ uninstall-binPROGRAMS:
@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
files=`for p in $$list; do echo "$$p"; done | \
sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
- -e 's/$$/$(EXEEXT)/' `; \
+ -e 's/$$/$(EXEEXT)/' \
+ `; \
test -n "$$list" || exit 0; \
echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
cd "$(DESTDIR)$(bindir)" && rm -f $$files
@@ -891,18 +1193,22 @@ clean-checkPROGRAMS:
list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
echo " rm -f" $$list; \
rm -f $$list
-hxtool$(EXEEXT): $(hxtool_OBJECTS) $(hxtool_DEPENDENCIES)
+
+hxtool$(EXEEXT): $(hxtool_OBJECTS) $(hxtool_DEPENDENCIES) $(EXTRA_hxtool_DEPENDENCIES)
@rm -f hxtool$(EXEEXT)
- $(LINK) $(hxtool_OBJECTS) $(hxtool_LDADD) $(LIBS)
-test_expr$(EXEEXT): $(test_expr_OBJECTS) $(test_expr_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(hxtool_OBJECTS) $(hxtool_LDADD) $(LIBS)
+
+test_expr$(EXEEXT): $(test_expr_OBJECTS) $(test_expr_DEPENDENCIES) $(EXTRA_test_expr_DEPENDENCIES)
@rm -f test_expr$(EXEEXT)
- $(LINK) $(test_expr_OBJECTS) $(test_expr_LDADD) $(LIBS)
-test_name$(EXEEXT): $(test_name_OBJECTS) $(test_name_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(test_expr_OBJECTS) $(test_expr_LDADD) $(LIBS)
+
+test_name$(EXEEXT): $(test_name_OBJECTS) $(test_name_DEPENDENCIES) $(EXTRA_test_name_DEPENDENCIES)
@rm -f test_name$(EXEEXT)
- $(LINK) $(test_name_OBJECTS) $(test_name_LDADD) $(LIBS)
-test_soft_pkcs11$(EXEEXT): $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(test_name_OBJECTS) $(test_name_LDADD) $(LIBS)
+
+test_soft_pkcs11$(EXEEXT): $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_DEPENDENCIES) $(EXTRA_test_soft_pkcs11_DEPENDENCIES)
@rm -f test_soft_pkcs11$(EXEEXT)
- $(LINK) $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_LDADD) $(LIBS)
+ $(AM_V_CCLD)$(LINK) $(test_soft_pkcs11_OBJECTS) $(test_soft_pkcs11_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -910,478 +1216,87 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool-hxtool-commands.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool-hxtool.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_CertificationRequest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_CertificationRequestInfo.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPBasicOCSPResponse.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPCertID.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPCertStatus.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPInnerRequest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPKeyHash.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPRequest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponderID.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponse.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponseBytes.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponseData.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPResponseStatus.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPSignature.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPSingleResponse.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPTBSRequest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_OCSPVersion.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_basic.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_nonce.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ca.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-cert.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-cms.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-collector.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-crypto.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-doxygen.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-env.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-error.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-file.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-hx509_err.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-keyset.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_dir.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_file.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_keychain.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_mem.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_null.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_p11.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-ks_p12.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-lock.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-name.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-peer.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-print.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-req.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-revoke.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-sel-gram.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-sel-lex.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-sel.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libhx509_la-softp11.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_CertificationRequest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_CertificationRequestInfo.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPBasicOCSPResponse.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPCertID.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPCertStatus.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPInnerRequest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPKeyHash.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPRequest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponderID.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponse.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseBytes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseData.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPResponseStatus.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPSignature.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPSingleResponse.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPTBSRequest.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_OCSPVersion.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp_basic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_id_pkix_ocsp_nonce.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cms.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/collector.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto-ec.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/doxygen.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/env.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/error.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hx509_err.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool-commands.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hxtool.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyset.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_dir.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_file.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_keychain.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_mem.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_null.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_p11.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ks_p12.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lock.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/peer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revoke.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel-gram.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel-lex.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sel.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/softp11.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_expr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_name-test_name.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_name.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_soft_pkcs11.Po@am__quote@
.c.o:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
-
-libhx509_la-ca.lo: ca.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ca.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ca.Tpo -c -o libhx509_la-ca.lo `test -f 'ca.c' || echo '$(srcdir)/'`ca.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ca.Tpo $(DEPDIR)/libhx509_la-ca.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ca.c' object='libhx509_la-ca.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ca.lo `test -f 'ca.c' || echo '$(srcdir)/'`ca.c
-
-libhx509_la-cert.lo: cert.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-cert.lo -MD -MP -MF $(DEPDIR)/libhx509_la-cert.Tpo -c -o libhx509_la-cert.lo `test -f 'cert.c' || echo '$(srcdir)/'`cert.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-cert.Tpo $(DEPDIR)/libhx509_la-cert.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='cert.c' object='libhx509_la-cert.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-cert.lo `test -f 'cert.c' || echo '$(srcdir)/'`cert.c
-
-libhx509_la-cms.lo: cms.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-cms.lo -MD -MP -MF $(DEPDIR)/libhx509_la-cms.Tpo -c -o libhx509_la-cms.lo `test -f 'cms.c' || echo '$(srcdir)/'`cms.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-cms.Tpo $(DEPDIR)/libhx509_la-cms.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='cms.c' object='libhx509_la-cms.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-cms.lo `test -f 'cms.c' || echo '$(srcdir)/'`cms.c
-
-libhx509_la-collector.lo: collector.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-collector.lo -MD -MP -MF $(DEPDIR)/libhx509_la-collector.Tpo -c -o libhx509_la-collector.lo `test -f 'collector.c' || echo '$(srcdir)/'`collector.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-collector.Tpo $(DEPDIR)/libhx509_la-collector.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='collector.c' object='libhx509_la-collector.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-collector.lo `test -f 'collector.c' || echo '$(srcdir)/'`collector.c
-
-libhx509_la-crypto.lo: crypto.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-crypto.lo -MD -MP -MF $(DEPDIR)/libhx509_la-crypto.Tpo -c -o libhx509_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-crypto.Tpo $(DEPDIR)/libhx509_la-crypto.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto.c' object='libhx509_la-crypto.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-
-libhx509_la-doxygen.lo: doxygen.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-doxygen.lo -MD -MP -MF $(DEPDIR)/libhx509_la-doxygen.Tpo -c -o libhx509_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-doxygen.Tpo $(DEPDIR)/libhx509_la-doxygen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='doxygen.c' object='libhx509_la-doxygen.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
-
-libhx509_la-error.lo: error.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-error.lo -MD -MP -MF $(DEPDIR)/libhx509_la-error.Tpo -c -o libhx509_la-error.lo `test -f 'error.c' || echo '$(srcdir)/'`error.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-error.Tpo $(DEPDIR)/libhx509_la-error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='error.c' object='libhx509_la-error.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-error.lo `test -f 'error.c' || echo '$(srcdir)/'`error.c
-
-libhx509_la-env.lo: env.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-env.lo -MD -MP -MF $(DEPDIR)/libhx509_la-env.Tpo -c -o libhx509_la-env.lo `test -f 'env.c' || echo '$(srcdir)/'`env.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-env.Tpo $(DEPDIR)/libhx509_la-env.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='env.c' object='libhx509_la-env.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-env.lo `test -f 'env.c' || echo '$(srcdir)/'`env.c
-
-libhx509_la-file.lo: file.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-file.lo -MD -MP -MF $(DEPDIR)/libhx509_la-file.Tpo -c -o libhx509_la-file.lo `test -f 'file.c' || echo '$(srcdir)/'`file.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-file.Tpo $(DEPDIR)/libhx509_la-file.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='file.c' object='libhx509_la-file.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-file.lo `test -f 'file.c' || echo '$(srcdir)/'`file.c
-
-libhx509_la-sel.lo: sel.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-sel.lo -MD -MP -MF $(DEPDIR)/libhx509_la-sel.Tpo -c -o libhx509_la-sel.lo `test -f 'sel.c' || echo '$(srcdir)/'`sel.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-sel.Tpo $(DEPDIR)/libhx509_la-sel.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sel.c' object='libhx509_la-sel.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-sel.lo `test -f 'sel.c' || echo '$(srcdir)/'`sel.c
-
-libhx509_la-sel-gram.lo: sel-gram.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-sel-gram.lo -MD -MP -MF $(DEPDIR)/libhx509_la-sel-gram.Tpo -c -o libhx509_la-sel-gram.lo `test -f 'sel-gram.c' || echo '$(srcdir)/'`sel-gram.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-sel-gram.Tpo $(DEPDIR)/libhx509_la-sel-gram.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sel-gram.c' object='libhx509_la-sel-gram.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-sel-gram.lo `test -f 'sel-gram.c' || echo '$(srcdir)/'`sel-gram.c
-
-libhx509_la-sel-lex.lo: sel-lex.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-sel-lex.lo -MD -MP -MF $(DEPDIR)/libhx509_la-sel-lex.Tpo -c -o libhx509_la-sel-lex.lo `test -f 'sel-lex.c' || echo '$(srcdir)/'`sel-lex.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-sel-lex.Tpo $(DEPDIR)/libhx509_la-sel-lex.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sel-lex.c' object='libhx509_la-sel-lex.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-sel-lex.lo `test -f 'sel-lex.c' || echo '$(srcdir)/'`sel-lex.c
-
-libhx509_la-keyset.lo: keyset.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-keyset.lo -MD -MP -MF $(DEPDIR)/libhx509_la-keyset.Tpo -c -o libhx509_la-keyset.lo `test -f 'keyset.c' || echo '$(srcdir)/'`keyset.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-keyset.Tpo $(DEPDIR)/libhx509_la-keyset.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keyset.c' object='libhx509_la-keyset.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-keyset.lo `test -f 'keyset.c' || echo '$(srcdir)/'`keyset.c
-
-libhx509_la-ks_dir.lo: ks_dir.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_dir.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_dir.Tpo -c -o libhx509_la-ks_dir.lo `test -f 'ks_dir.c' || echo '$(srcdir)/'`ks_dir.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_dir.Tpo $(DEPDIR)/libhx509_la-ks_dir.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_dir.c' object='libhx509_la-ks_dir.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_dir.lo `test -f 'ks_dir.c' || echo '$(srcdir)/'`ks_dir.c
-
-libhx509_la-ks_file.lo: ks_file.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_file.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_file.Tpo -c -o libhx509_la-ks_file.lo `test -f 'ks_file.c' || echo '$(srcdir)/'`ks_file.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_file.Tpo $(DEPDIR)/libhx509_la-ks_file.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_file.c' object='libhx509_la-ks_file.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_file.lo `test -f 'ks_file.c' || echo '$(srcdir)/'`ks_file.c
-
-libhx509_la-ks_mem.lo: ks_mem.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_mem.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_mem.Tpo -c -o libhx509_la-ks_mem.lo `test -f 'ks_mem.c' || echo '$(srcdir)/'`ks_mem.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_mem.Tpo $(DEPDIR)/libhx509_la-ks_mem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_mem.c' object='libhx509_la-ks_mem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_mem.lo `test -f 'ks_mem.c' || echo '$(srcdir)/'`ks_mem.c
-
-libhx509_la-ks_null.lo: ks_null.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_null.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_null.Tpo -c -o libhx509_la-ks_null.lo `test -f 'ks_null.c' || echo '$(srcdir)/'`ks_null.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_null.Tpo $(DEPDIR)/libhx509_la-ks_null.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_null.c' object='libhx509_la-ks_null.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_null.lo `test -f 'ks_null.c' || echo '$(srcdir)/'`ks_null.c
-
-libhx509_la-ks_p11.lo: ks_p11.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_p11.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_p11.Tpo -c -o libhx509_la-ks_p11.lo `test -f 'ks_p11.c' || echo '$(srcdir)/'`ks_p11.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_p11.Tpo $(DEPDIR)/libhx509_la-ks_p11.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_p11.c' object='libhx509_la-ks_p11.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_p11.lo `test -f 'ks_p11.c' || echo '$(srcdir)/'`ks_p11.c
-
-libhx509_la-ks_p12.lo: ks_p12.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_p12.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_p12.Tpo -c -o libhx509_la-ks_p12.lo `test -f 'ks_p12.c' || echo '$(srcdir)/'`ks_p12.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_p12.Tpo $(DEPDIR)/libhx509_la-ks_p12.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_p12.c' object='libhx509_la-ks_p12.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_p12.lo `test -f 'ks_p12.c' || echo '$(srcdir)/'`ks_p12.c
-
-libhx509_la-ks_keychain.lo: ks_keychain.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-ks_keychain.lo -MD -MP -MF $(DEPDIR)/libhx509_la-ks_keychain.Tpo -c -o libhx509_la-ks_keychain.lo `test -f 'ks_keychain.c' || echo '$(srcdir)/'`ks_keychain.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-ks_keychain.Tpo $(DEPDIR)/libhx509_la-ks_keychain.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='ks_keychain.c' object='libhx509_la-ks_keychain.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-ks_keychain.lo `test -f 'ks_keychain.c' || echo '$(srcdir)/'`ks_keychain.c
-
-libhx509_la-lock.lo: lock.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-lock.lo -MD -MP -MF $(DEPDIR)/libhx509_la-lock.Tpo -c -o libhx509_la-lock.lo `test -f 'lock.c' || echo '$(srcdir)/'`lock.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-lock.Tpo $(DEPDIR)/libhx509_la-lock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='lock.c' object='libhx509_la-lock.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-lock.lo `test -f 'lock.c' || echo '$(srcdir)/'`lock.c
-
-libhx509_la-name.lo: name.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-name.lo -MD -MP -MF $(DEPDIR)/libhx509_la-name.Tpo -c -o libhx509_la-name.lo `test -f 'name.c' || echo '$(srcdir)/'`name.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-name.Tpo $(DEPDIR)/libhx509_la-name.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='name.c' object='libhx509_la-name.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-name.lo `test -f 'name.c' || echo '$(srcdir)/'`name.c
-
-libhx509_la-peer.lo: peer.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-peer.lo -MD -MP -MF $(DEPDIR)/libhx509_la-peer.Tpo -c -o libhx509_la-peer.lo `test -f 'peer.c' || echo '$(srcdir)/'`peer.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-peer.Tpo $(DEPDIR)/libhx509_la-peer.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='peer.c' object='libhx509_la-peer.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-peer.lo `test -f 'peer.c' || echo '$(srcdir)/'`peer.c
-
-libhx509_la-print.lo: print.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-print.lo -MD -MP -MF $(DEPDIR)/libhx509_la-print.Tpo -c -o libhx509_la-print.lo `test -f 'print.c' || echo '$(srcdir)/'`print.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-print.Tpo $(DEPDIR)/libhx509_la-print.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='print.c' object='libhx509_la-print.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-print.lo `test -f 'print.c' || echo '$(srcdir)/'`print.c
-
-libhx509_la-softp11.lo: softp11.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-softp11.lo -MD -MP -MF $(DEPDIR)/libhx509_la-softp11.Tpo -c -o libhx509_la-softp11.lo `test -f 'softp11.c' || echo '$(srcdir)/'`softp11.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-softp11.Tpo $(DEPDIR)/libhx509_la-softp11.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='softp11.c' object='libhx509_la-softp11.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-softp11.lo `test -f 'softp11.c' || echo '$(srcdir)/'`softp11.c
-
-libhx509_la-req.lo: req.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-req.lo -MD -MP -MF $(DEPDIR)/libhx509_la-req.Tpo -c -o libhx509_la-req.lo `test -f 'req.c' || echo '$(srcdir)/'`req.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-req.Tpo $(DEPDIR)/libhx509_la-req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='req.c' object='libhx509_la-req.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-req.lo `test -f 'req.c' || echo '$(srcdir)/'`req.c
-
-libhx509_la-revoke.lo: revoke.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-revoke.lo -MD -MP -MF $(DEPDIR)/libhx509_la-revoke.Tpo -c -o libhx509_la-revoke.lo `test -f 'revoke.c' || echo '$(srcdir)/'`revoke.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-revoke.Tpo $(DEPDIR)/libhx509_la-revoke.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='revoke.c' object='libhx509_la-revoke.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-revoke.lo `test -f 'revoke.c' || echo '$(srcdir)/'`revoke.c
-
-libhx509_la-asn1_OCSPBasicOCSPResponse.lo: asn1_OCSPBasicOCSPResponse.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPBasicOCSPResponse.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPBasicOCSPResponse.Tpo -c -o libhx509_la-asn1_OCSPBasicOCSPResponse.lo `test -f 'asn1_OCSPBasicOCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPBasicOCSPResponse.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPBasicOCSPResponse.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPBasicOCSPResponse.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPBasicOCSPResponse.c' object='libhx509_la-asn1_OCSPBasicOCSPResponse.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPBasicOCSPResponse.lo `test -f 'asn1_OCSPBasicOCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPBasicOCSPResponse.c
-
-libhx509_la-asn1_OCSPCertID.lo: asn1_OCSPCertID.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPCertID.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPCertID.Tpo -c -o libhx509_la-asn1_OCSPCertID.lo `test -f 'asn1_OCSPCertID.c' || echo '$(srcdir)/'`asn1_OCSPCertID.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPCertID.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPCertID.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPCertID.c' object='libhx509_la-asn1_OCSPCertID.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPCertID.lo `test -f 'asn1_OCSPCertID.c' || echo '$(srcdir)/'`asn1_OCSPCertID.c
-
-libhx509_la-asn1_OCSPCertStatus.lo: asn1_OCSPCertStatus.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPCertStatus.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPCertStatus.Tpo -c -o libhx509_la-asn1_OCSPCertStatus.lo `test -f 'asn1_OCSPCertStatus.c' || echo '$(srcdir)/'`asn1_OCSPCertStatus.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPCertStatus.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPCertStatus.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPCertStatus.c' object='libhx509_la-asn1_OCSPCertStatus.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPCertStatus.lo `test -f 'asn1_OCSPCertStatus.c' || echo '$(srcdir)/'`asn1_OCSPCertStatus.c
-
-libhx509_la-asn1_OCSPInnerRequest.lo: asn1_OCSPInnerRequest.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPInnerRequest.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPInnerRequest.Tpo -c -o libhx509_la-asn1_OCSPInnerRequest.lo `test -f 'asn1_OCSPInnerRequest.c' || echo '$(srcdir)/'`asn1_OCSPInnerRequest.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPInnerRequest.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPInnerRequest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPInnerRequest.c' object='libhx509_la-asn1_OCSPInnerRequest.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPInnerRequest.lo `test -f 'asn1_OCSPInnerRequest.c' || echo '$(srcdir)/'`asn1_OCSPInnerRequest.c
-
-libhx509_la-asn1_OCSPKeyHash.lo: asn1_OCSPKeyHash.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPKeyHash.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPKeyHash.Tpo -c -o libhx509_la-asn1_OCSPKeyHash.lo `test -f 'asn1_OCSPKeyHash.c' || echo '$(srcdir)/'`asn1_OCSPKeyHash.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPKeyHash.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPKeyHash.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPKeyHash.c' object='libhx509_la-asn1_OCSPKeyHash.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPKeyHash.lo `test -f 'asn1_OCSPKeyHash.c' || echo '$(srcdir)/'`asn1_OCSPKeyHash.c
-
-libhx509_la-asn1_OCSPRequest.lo: asn1_OCSPRequest.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPRequest.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPRequest.Tpo -c -o libhx509_la-asn1_OCSPRequest.lo `test -f 'asn1_OCSPRequest.c' || echo '$(srcdir)/'`asn1_OCSPRequest.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPRequest.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPRequest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPRequest.c' object='libhx509_la-asn1_OCSPRequest.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPRequest.lo `test -f 'asn1_OCSPRequest.c' || echo '$(srcdir)/'`asn1_OCSPRequest.c
-
-libhx509_la-asn1_OCSPResponderID.lo: asn1_OCSPResponderID.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponderID.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponderID.Tpo -c -o libhx509_la-asn1_OCSPResponderID.lo `test -f 'asn1_OCSPResponderID.c' || echo '$(srcdir)/'`asn1_OCSPResponderID.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponderID.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponderID.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponderID.c' object='libhx509_la-asn1_OCSPResponderID.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponderID.lo `test -f 'asn1_OCSPResponderID.c' || echo '$(srcdir)/'`asn1_OCSPResponderID.c
-
-libhx509_la-asn1_OCSPResponse.lo: asn1_OCSPResponse.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponse.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponse.Tpo -c -o libhx509_la-asn1_OCSPResponse.lo `test -f 'asn1_OCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPResponse.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponse.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponse.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponse.c' object='libhx509_la-asn1_OCSPResponse.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponse.lo `test -f 'asn1_OCSPResponse.c' || echo '$(srcdir)/'`asn1_OCSPResponse.c
-
-libhx509_la-asn1_OCSPResponseBytes.lo: asn1_OCSPResponseBytes.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponseBytes.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponseBytes.Tpo -c -o libhx509_la-asn1_OCSPResponseBytes.lo `test -f 'asn1_OCSPResponseBytes.c' || echo '$(srcdir)/'`asn1_OCSPResponseBytes.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponseBytes.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponseBytes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponseBytes.c' object='libhx509_la-asn1_OCSPResponseBytes.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseBytes.lo `test -f 'asn1_OCSPResponseBytes.c' || echo '$(srcdir)/'`asn1_OCSPResponseBytes.c
-
-libhx509_la-asn1_OCSPResponseData.lo: asn1_OCSPResponseData.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponseData.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponseData.Tpo -c -o libhx509_la-asn1_OCSPResponseData.lo `test -f 'asn1_OCSPResponseData.c' || echo '$(srcdir)/'`asn1_OCSPResponseData.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponseData.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponseData.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponseData.c' object='libhx509_la-asn1_OCSPResponseData.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseData.lo `test -f 'asn1_OCSPResponseData.c' || echo '$(srcdir)/'`asn1_OCSPResponseData.c
-
-libhx509_la-asn1_OCSPResponseStatus.lo: asn1_OCSPResponseStatus.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPResponseStatus.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPResponseStatus.Tpo -c -o libhx509_la-asn1_OCSPResponseStatus.lo `test -f 'asn1_OCSPResponseStatus.c' || echo '$(srcdir)/'`asn1_OCSPResponseStatus.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPResponseStatus.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPResponseStatus.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPResponseStatus.c' object='libhx509_la-asn1_OCSPResponseStatus.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPResponseStatus.lo `test -f 'asn1_OCSPResponseStatus.c' || echo '$(srcdir)/'`asn1_OCSPResponseStatus.c
-
-libhx509_la-asn1_OCSPSignature.lo: asn1_OCSPSignature.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPSignature.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPSignature.Tpo -c -o libhx509_la-asn1_OCSPSignature.lo `test -f 'asn1_OCSPSignature.c' || echo '$(srcdir)/'`asn1_OCSPSignature.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPSignature.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPSignature.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPSignature.c' object='libhx509_la-asn1_OCSPSignature.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPSignature.lo `test -f 'asn1_OCSPSignature.c' || echo '$(srcdir)/'`asn1_OCSPSignature.c
-
-libhx509_la-asn1_OCSPSingleResponse.lo: asn1_OCSPSingleResponse.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPSingleResponse.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPSingleResponse.Tpo -c -o libhx509_la-asn1_OCSPSingleResponse.lo `test -f 'asn1_OCSPSingleResponse.c' || echo '$(srcdir)/'`asn1_OCSPSingleResponse.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPSingleResponse.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPSingleResponse.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPSingleResponse.c' object='libhx509_la-asn1_OCSPSingleResponse.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPSingleResponse.lo `test -f 'asn1_OCSPSingleResponse.c' || echo '$(srcdir)/'`asn1_OCSPSingleResponse.c
-
-libhx509_la-asn1_OCSPTBSRequest.lo: asn1_OCSPTBSRequest.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPTBSRequest.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPTBSRequest.Tpo -c -o libhx509_la-asn1_OCSPTBSRequest.lo `test -f 'asn1_OCSPTBSRequest.c' || echo '$(srcdir)/'`asn1_OCSPTBSRequest.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPTBSRequest.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPTBSRequest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPTBSRequest.c' object='libhx509_la-asn1_OCSPTBSRequest.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPTBSRequest.lo `test -f 'asn1_OCSPTBSRequest.c' || echo '$(srcdir)/'`asn1_OCSPTBSRequest.c
-
-libhx509_la-asn1_OCSPVersion.lo: asn1_OCSPVersion.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_OCSPVersion.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_OCSPVersion.Tpo -c -o libhx509_la-asn1_OCSPVersion.lo `test -f 'asn1_OCSPVersion.c' || echo '$(srcdir)/'`asn1_OCSPVersion.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_OCSPVersion.Tpo $(DEPDIR)/libhx509_la-asn1_OCSPVersion.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_OCSPVersion.c' object='libhx509_la-asn1_OCSPVersion.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_OCSPVersion.lo `test -f 'asn1_OCSPVersion.c' || echo '$(srcdir)/'`asn1_OCSPVersion.c
-
-libhx509_la-asn1_id_pkix_ocsp.lo: asn1_id_pkix_ocsp.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_id_pkix_ocsp.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp.Tpo -c -o libhx509_la-asn1_id_pkix_ocsp.lo `test -f 'asn1_id_pkix_ocsp.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp.Tpo $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_id_pkix_ocsp.c' object='libhx509_la-asn1_id_pkix_ocsp.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp.lo `test -f 'asn1_id_pkix_ocsp.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp.c
-
-libhx509_la-asn1_id_pkix_ocsp_basic.lo: asn1_id_pkix_ocsp_basic.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_id_pkix_ocsp_basic.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_basic.Tpo -c -o libhx509_la-asn1_id_pkix_ocsp_basic.lo `test -f 'asn1_id_pkix_ocsp_basic.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_basic.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_basic.Tpo $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_basic.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_id_pkix_ocsp_basic.c' object='libhx509_la-asn1_id_pkix_ocsp_basic.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp_basic.lo `test -f 'asn1_id_pkix_ocsp_basic.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_basic.c
-
-libhx509_la-asn1_id_pkix_ocsp_nonce.lo: asn1_id_pkix_ocsp_nonce.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_id_pkix_ocsp_nonce.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_nonce.Tpo -c -o libhx509_la-asn1_id_pkix_ocsp_nonce.lo `test -f 'asn1_id_pkix_ocsp_nonce.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_nonce.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_nonce.Tpo $(DEPDIR)/libhx509_la-asn1_id_pkix_ocsp_nonce.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_id_pkix_ocsp_nonce.c' object='libhx509_la-asn1_id_pkix_ocsp_nonce.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_id_pkix_ocsp_nonce.lo `test -f 'asn1_id_pkix_ocsp_nonce.c' || echo '$(srcdir)/'`asn1_id_pkix_ocsp_nonce.c
-
-libhx509_la-asn1_CertificationRequestInfo.lo: asn1_CertificationRequestInfo.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_CertificationRequestInfo.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_CertificationRequestInfo.Tpo -c -o libhx509_la-asn1_CertificationRequestInfo.lo `test -f 'asn1_CertificationRequestInfo.c' || echo '$(srcdir)/'`asn1_CertificationRequestInfo.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_CertificationRequestInfo.Tpo $(DEPDIR)/libhx509_la-asn1_CertificationRequestInfo.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_CertificationRequestInfo.c' object='libhx509_la-asn1_CertificationRequestInfo.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_CertificationRequestInfo.lo `test -f 'asn1_CertificationRequestInfo.c' || echo '$(srcdir)/'`asn1_CertificationRequestInfo.c
-
-libhx509_la-asn1_CertificationRequest.lo: asn1_CertificationRequest.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-asn1_CertificationRequest.lo -MD -MP -MF $(DEPDIR)/libhx509_la-asn1_CertificationRequest.Tpo -c -o libhx509_la-asn1_CertificationRequest.lo `test -f 'asn1_CertificationRequest.c' || echo '$(srcdir)/'`asn1_CertificationRequest.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-asn1_CertificationRequest.Tpo $(DEPDIR)/libhx509_la-asn1_CertificationRequest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1_CertificationRequest.c' object='libhx509_la-asn1_CertificationRequest.lo' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-asn1_CertificationRequest.lo `test -f 'asn1_CertificationRequest.c' || echo '$(srcdir)/'`asn1_CertificationRequest.c
-
-libhx509_la-hx509_err.lo: hx509_err.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libhx509_la-hx509_err.lo -MD -MP -MF $(DEPDIR)/libhx509_la-hx509_err.Tpo -c -o libhx509_la-hx509_err.lo `test -f 'hx509_err.c' || echo '$(srcdir)/'`hx509_err.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libhx509_la-hx509_err.Tpo $(DEPDIR)/libhx509_la-hx509_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hx509_err.c' object='libhx509_la-hx509_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libhx509_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libhx509_la-hx509_err.lo `test -f 'hx509_err.c' || echo '$(srcdir)/'`hx509_err.c
-
-hxtool-hxtool.o: hxtool.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hxtool-hxtool.o -MD -MP -MF $(DEPDIR)/hxtool-hxtool.Tpo -c -o hxtool-hxtool.o `test -f 'hxtool.c' || echo '$(srcdir)/'`hxtool.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hxtool-hxtool.Tpo $(DEPDIR)/hxtool-hxtool.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hxtool.c' object='hxtool-hxtool.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool.o `test -f 'hxtool.c' || echo '$(srcdir)/'`hxtool.c
-
-hxtool-hxtool.obj: hxtool.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hxtool-hxtool.obj -MD -MP -MF $(DEPDIR)/hxtool-hxtool.Tpo -c -o hxtool-hxtool.obj `if test -f 'hxtool.c'; then $(CYGPATH_W) 'hxtool.c'; else $(CYGPATH_W) '$(srcdir)/hxtool.c'; fi`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hxtool-hxtool.Tpo $(DEPDIR)/hxtool-hxtool.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hxtool.c' object='hxtool-hxtool.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool.obj `if test -f 'hxtool.c'; then $(CYGPATH_W) 'hxtool.c'; else $(CYGPATH_W) '$(srcdir)/hxtool.c'; fi`
-
-hxtool-hxtool-commands.o: hxtool-commands.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hxtool-hxtool-commands.o -MD -MP -MF $(DEPDIR)/hxtool-hxtool-commands.Tpo -c -o hxtool-hxtool-commands.o `test -f 'hxtool-commands.c' || echo '$(srcdir)/'`hxtool-commands.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hxtool-hxtool-commands.Tpo $(DEPDIR)/hxtool-hxtool-commands.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hxtool-commands.c' object='hxtool-hxtool-commands.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool-commands.o `test -f 'hxtool-commands.c' || echo '$(srcdir)/'`hxtool-commands.c
-
-hxtool-hxtool-commands.obj: hxtool-commands.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hxtool-hxtool-commands.obj -MD -MP -MF $(DEPDIR)/hxtool-hxtool-commands.Tpo -c -o hxtool-hxtool-commands.obj `if test -f 'hxtool-commands.c'; then $(CYGPATH_W) 'hxtool-commands.c'; else $(CYGPATH_W) '$(srcdir)/hxtool-commands.c'; fi`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/hxtool-hxtool-commands.Tpo $(DEPDIR)/hxtool-hxtool-commands.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hxtool-commands.c' object='hxtool-hxtool-commands.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(hxtool_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hxtool-hxtool-commands.obj `if test -f 'hxtool-commands.c'; then $(CYGPATH_W) 'hxtool-commands.c'; else $(CYGPATH_W) '$(srcdir)/hxtool-commands.c'; fi`
-
-test_name-test_name.o: test_name.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_name_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_name-test_name.o -MD -MP -MF $(DEPDIR)/test_name-test_name.Tpo -c -o test_name-test_name.o `test -f 'test_name.c' || echo '$(srcdir)/'`test_name.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_name-test_name.Tpo $(DEPDIR)/test_name-test_name.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_name.c' object='test_name-test_name.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_name_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_name-test_name.o `test -f 'test_name.c' || echo '$(srcdir)/'`test_name.c
-
-test_name-test_name.obj: test_name.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_name_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_name-test_name.obj -MD -MP -MF $(DEPDIR)/test_name-test_name.Tpo -c -o test_name-test_name.obj `if test -f 'test_name.c'; then $(CYGPATH_W) 'test_name.c'; else $(CYGPATH_W) '$(srcdir)/test_name.c'; fi`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_name-test_name.Tpo $(DEPDIR)/test_name-test_name.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_name.c' object='test_name-test_name.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_name_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_name-test_name.obj `if test -f 'test_name.c'; then $(CYGPATH_W) 'test_name.c'; else $(CYGPATH_W) '$(srcdir)/test_name.c'; fi`
-
-test_soft_pkcs11-test_soft_pkcs11.o: test_soft_pkcs11.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_soft_pkcs11-test_soft_pkcs11.o -MD -MP -MF $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Tpo -c -o test_soft_pkcs11-test_soft_pkcs11.o `test -f 'test_soft_pkcs11.c' || echo '$(srcdir)/'`test_soft_pkcs11.c
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Tpo $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_soft_pkcs11.c' object='test_soft_pkcs11-test_soft_pkcs11.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_soft_pkcs11-test_soft_pkcs11.o `test -f 'test_soft_pkcs11.c' || echo '$(srcdir)/'`test_soft_pkcs11.c
-
-test_soft_pkcs11-test_soft_pkcs11.obj: test_soft_pkcs11.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_soft_pkcs11-test_soft_pkcs11.obj -MD -MP -MF $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Tpo -c -o test_soft_pkcs11-test_soft_pkcs11.obj `if test -f 'test_soft_pkcs11.c'; then $(CYGPATH_W) 'test_soft_pkcs11.c'; else $(CYGPATH_W) '$(srcdir)/test_soft_pkcs11.c'; fi`
-@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Tpo $(DEPDIR)/test_soft_pkcs11-test_soft_pkcs11.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='test_soft_pkcs11.c' object='test_soft_pkcs11-test_soft_pkcs11.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(test_soft_pkcs11_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_soft_pkcs11-test_soft_pkcs11.obj `if test -f 'test_soft_pkcs11.c'; then $(CYGPATH_W) 'test_soft_pkcs11.c'; else $(CYGPATH_W) '$(srcdir)/test_soft_pkcs11.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
.l.c:
- $(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
+ $(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
.y.c:
- $(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
+ $(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h `echo $@ | $(am__yacc_c2h)` y.output $*.output -- $(YACCCOMPILE)
mostlyclean-libtool:
-rm -f *.lo
@@ -1390,8 +1305,11 @@ clean-libtool:
-rm -rf .libs _libs
install-dist_includeHEADERS: $(dist_include_HEADERS)
@$(NORMAL_INSTALL)
- test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
@list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
+ fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@@ -1405,13 +1323,14 @@ uninstall-dist_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(includedir)" && rm -f $$files
+ dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
install-nodist_includeHEADERS: $(nodist_include_HEADERS)
@$(NORMAL_INSTALL)
- test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
@list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
+ fi; \
for p in $$list; do \
if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; \
@@ -1425,30 +1344,17 @@ uninstall-nodist_includeHEADERS:
@$(NORMAL_UNINSTALL)
@list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- test -n "$$files" || exit 0; \
- echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(includedir)" && rm -f $$files
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- mkid -fID $$unique
-tags: TAGS
-
-TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
+ dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
set x; \
here=`pwd`; \
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
+ $(am__define_uniq_tagged_files); \
shift; \
if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
@@ -1460,15 +1366,11 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$$unique; \
fi; \
fi
-ctags: CTAGS
-CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
$$unique
@@ -1477,101 +1379,292 @@ GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
&& $(am__cd) $(top_srcdir) \
&& gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-check-TESTS: $(TESTS)
- @failed=0; all=0; xfail=0; xpass=0; skip=0; \
- srcdir=$(srcdir); export srcdir; \
- list=' $(TESTS) '; \
- $(am__tty_colors); \
- if test -n "$$list"; then \
- for tst in $$list; do \
- if test -f ./$$tst; then dir=./; \
- elif test -f $$tst; then dir=; \
- else dir="$(srcdir)/"; fi; \
- if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
- all=`expr $$all + 1`; \
- case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$tst[\ \ ]*) \
- xpass=`expr $$xpass + 1`; \
- failed=`expr $$failed + 1`; \
- col=$$red; res=XPASS; \
- ;; \
- *) \
- col=$$grn; res=PASS; \
- ;; \
- esac; \
- elif test $$? -ne 77; then \
- all=`expr $$all + 1`; \
- case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$tst[\ \ ]*) \
- xfail=`expr $$xfail + 1`; \
- col=$$lgn; res=XFAIL; \
- ;; \
- *) \
- failed=`expr $$failed + 1`; \
- col=$$red; res=FAIL; \
- ;; \
- esac; \
- else \
- skip=`expr $$skip + 1`; \
- col=$$blu; res=SKIP; \
- fi; \
- echo "$${col}$$res$${std}: $$tst"; \
- done; \
- if test "$$all" -eq 1; then \
- tests="test"; \
- All=""; \
- else \
- tests="tests"; \
- All="All "; \
+# Recover from deleted '.trs' file; this should ensure that
+# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
+# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells
+# to avoid problems with "make -n".
+.log.trs:
+ rm -f $< $@
+ $(MAKE) $(AM_MAKEFLAGS) $<
+
+# Leading 'am--fnord' is there to ensure the list of targets does not
+# expand to empty, as could happen e.g. with make check TESTS=''.
+am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
+am--force-recheck:
+ @:
+
+$(TEST_SUITE_LOG): $(TEST_LOGS)
+ @$(am__set_TESTS_bases); \
+ am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
+ redo_bases=`for i in $$bases; do \
+ am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
+ done`; \
+ if test -n "$$redo_bases"; then \
+ redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
+ redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
+ if $(am__make_dryrun); then :; else \
+ rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
fi; \
- if test "$$failed" -eq 0; then \
- if test "$$xfail" -eq 0; then \
- banner="$$All$$all $$tests passed"; \
- else \
- if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
- banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
- fi; \
- else \
- if test "$$xpass" -eq 0; then \
- banner="$$failed of $$all $$tests failed"; \
+ fi; \
+ if test -n "$$am__remaking_logs"; then \
+ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
+ "recursion detected" >&2; \
+ elif test -n "$$redo_logs"; then \
+ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
+ fi; \
+ if $(am__make_dryrun); then :; else \
+ st=0; \
+ errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
+ for i in $$redo_bases; do \
+ test -f $$i.trs && test -r $$i.trs \
+ || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
+ test -f $$i.log && test -r $$i.log \
+ || { echo "$$errmsg $$i.log" >&2; st=1; }; \
+ done; \
+ test $$st -eq 0 || exit 1; \
+ fi
+ @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
+ ws='[ ]'; \
+ results=`for b in $$bases; do echo $$b.trs; done`; \
+ test -n "$$results" || results=/dev/null; \
+ all=` grep "^$$ws*:test-result:" $$results | wc -l`; \
+ pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \
+ fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \
+ skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \
+ xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
+ xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
+ error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
+ if test `expr $$fail + $$xpass + $$error` -eq 0; then \
+ success=true; \
+ else \
+ success=false; \
+ fi; \
+ br='==================='; br=$$br$$br$$br$$br; \
+ result_count () \
+ { \
+ if test x"$$1" = x"--maybe-color"; then \
+ maybe_colorize=yes; \
+ elif test x"$$1" = x"--no-color"; then \
+ maybe_colorize=no; \
else \
- if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
- banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ echo "$@: invalid 'result_count' usage" >&2; exit 4; \
fi; \
- fi; \
- dashes="$$banner"; \
- skipped=""; \
- if test "$$skip" -ne 0; then \
- if test "$$skip" -eq 1; then \
- skipped="($$skip test was not run)"; \
+ shift; \
+ desc=$$1 count=$$2; \
+ if test $$maybe_colorize = yes && test $$count -gt 0; then \
+ color_start=$$3 color_end=$$std; \
else \
- skipped="($$skip tests were not run)"; \
+ color_start= color_end=; \
fi; \
- test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
- dashes="$$skipped"; \
- fi; \
- report=""; \
- if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
- report="Please report to $(PACKAGE_BUGREPORT)"; \
- test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
- dashes="$$report"; \
- fi; \
- dashes=`echo "$$dashes" | sed s/./=/g`; \
- if test "$$failed" -eq 0; then \
- echo "$$grn$$dashes"; \
- else \
- echo "$$red$$dashes"; \
- fi; \
- echo "$$banner"; \
- test -z "$$skipped" || echo "$$skipped"; \
- test -z "$$report" || echo "$$report"; \
- echo "$$dashes$$std"; \
- test "$$failed" -eq 0; \
- else :; fi
+ echo "$${color_start}# $$desc $$count$${color_end}"; \
+ }; \
+ create_testsuite_report () \
+ { \
+ result_count $$1 "TOTAL:" $$all "$$brg"; \
+ result_count $$1 "PASS: " $$pass "$$grn"; \
+ result_count $$1 "SKIP: " $$skip "$$blu"; \
+ result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
+ result_count $$1 "FAIL: " $$fail "$$red"; \
+ result_count $$1 "XPASS:" $$xpass "$$red"; \
+ result_count $$1 "ERROR:" $$error "$$mgn"; \
+ }; \
+ { \
+ echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \
+ $(am__rst_title); \
+ create_testsuite_report --no-color; \
+ echo; \
+ echo ".. contents:: :depth: 2"; \
+ echo; \
+ for b in $$bases; do echo $$b; done \
+ | $(am__create_global_log); \
+ } >$(TEST_SUITE_LOG).tmp || exit 1; \
+ mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \
+ if $$success; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
+ fi; \
+ echo "$${col}$$br$${std}"; \
+ echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \
+ echo "$${col}$$br$${std}"; \
+ create_testsuite_report --maybe-color; \
+ echo "$$col$$br$$std"; \
+ if $$success; then :; else \
+ echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \
+ if test -n "$(PACKAGE_BUGREPORT)"; then \
+ echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \
+ fi; \
+ echo "$$col$$br$$std"; \
+ fi; \
+ $$success || exit 1
+
+check-TESTS:
+ @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
+ @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
+ @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
+ @set +e; $(am__set_TESTS_bases); \
+ log_list=`for i in $$bases; do echo $$i.log; done`; \
+ trs_list=`for i in $$bases; do echo $$i.trs; done`; \
+ log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
+ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
+ exit $$?;
+recheck: all $(check_PROGRAMS) $(check_SCRIPTS)
+ @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
+ @set +e; $(am__set_TESTS_bases); \
+ bases=`for i in $$bases; do echo $$i; done \
+ | $(am__list_recheck_tests)` || exit 1; \
+ log_list=`for i in $$bases; do echo $$i.log; done`; \
+ log_list=`echo $$log_list`; \
+ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
+ am__force_recheck=am--force-recheck \
+ TEST_LOGS="$$log_list"; \
+ exit $$?
+test_ca.log: test_ca
+ @p='test_ca'; \
+ b='test_ca'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_cert.log: test_cert
+ @p='test_cert'; \
+ b='test_cert'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_chain.log: test_chain
+ @p='test_chain'; \
+ b='test_chain'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_cms.log: test_cms
+ @p='test_cms'; \
+ b='test_cms'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_crypto.log: test_crypto
+ @p='test_crypto'; \
+ b='test_crypto'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_nist.log: test_nist
+ @p='test_nist'; \
+ b='test_nist'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_nist2.log: test_nist2
+ @p='test_nist2'; \
+ b='test_nist2'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_pkcs11.log: test_pkcs11
+ @p='test_pkcs11'; \
+ b='test_pkcs11'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_java_pkcs11.log: test_java_pkcs11
+ @p='test_java_pkcs11'; \
+ b='test_java_pkcs11'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_nist_cert.log: test_nist_cert
+ @p='test_nist_cert'; \
+ b='test_nist_cert'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_nist_pkcs12.log: test_nist_pkcs12
+ @p='test_nist_pkcs12'; \
+ b='test_nist_pkcs12'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_req.log: test_req
+ @p='test_req'; \
+ b='test_req'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_windows.log: test_windows
+ @p='test_windows'; \
+ b='test_windows'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_query.log: test_query
+ @p='test_query'; \
+ b='test_query'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_name.log: test_name$(EXEEXT)
+ @p='test_name$(EXEEXT)'; \
+ b='test_name'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_expr.log: test_expr$(EXEEXT)
+ @p='test_expr$(EXEEXT)'; \
+ b='test_expr'; \
+ $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+.test.log:
+ @p='$<'; \
+ $(am__set_b); \
+ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
+ --log-file $$b.log --trs-file $$b.trs \
+ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
+ "$$tst" $(AM_TESTS_FD_REDIRECT)
+@am__EXEEXT_TRUE@.test$(EXEEXT).log:
+@am__EXEEXT_TRUE@ @p='$<'; \
+@am__EXEEXT_TRUE@ $(am__set_b); \
+@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
+@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \
+@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
+@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -1629,11 +1722,19 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
+ -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
+ -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
+ -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
@@ -1680,9 +1781,9 @@ install-dvi: install-dvi-am
install-dvi-am:
-install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec-am: install-binPROGRAMS install-exec-local \
+ install-libLTLIBRARIES
+
install-html: install-html-am
install-html-am:
@@ -1726,17 +1827,18 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
@$(NORMAL_INSTALL)
$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
.MAKE: all check check-am install install-am install-data-am \
- install-exec-am install-strip uninstall-am
+ install-strip uninstall-am
-.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
- check-local clean clean-binPROGRAMS clean-checkPROGRAMS \
- clean-generic clean-libLTLIBRARIES clean-libtool clean-local \
- ctags dist-hook distclean distclean-compile distclean-generic \
+.PHONY: CTAGS GTAGS TAGS all all-am all-local check check-TESTS \
+ check-am check-local clean clean-binPROGRAMS \
+ clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
+ clean-libtool clean-local cscopelist-am ctags ctags-am \
+ dist-hook distclean distclean-compile distclean-generic \
distclean-libtool distclean-tags distdir dvi dvi-am html \
html-am info info-am install install-am install-binPROGRAMS \
install-data install-data-am install-data-hook \
install-dist_includeHEADERS install-dvi install-dvi-am \
- install-exec install-exec-am install-exec-hook install-html \
+ install-exec install-exec-am install-exec-local install-html \
install-html-am install-info install-info-am \
install-libLTLIBRARIES install-man \
install-nodist_includeHEADERS install-pdf install-pdf-am \
@@ -1744,25 +1846,40 @@ uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-compile \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags uninstall uninstall-am uninstall-binPROGRAMS \
- uninstall-dist_includeHEADERS uninstall-hook \
- uninstall-libLTLIBRARIES uninstall-nodist_includeHEADERS
+ recheck tags tags-am uninstall uninstall-am \
+ uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
+ uninstall-hook uninstall-libLTLIBRARIES \
+ uninstall-nodist_includeHEADERS
+
+.PRECIOUS: Makefile
install-suid-programs:
@foo='$(bin_SUIDS)'; \
for file in $$foo; do \
- x=$(DESTDIR)$(bindir)/$$file; \
- if chown 0:0 $$x && chmod u+s $$x; then :; else \
- echo "*"; \
- echo "* Failed to install $$x setuid root"; \
- echo "*"; \
- fi; done
+ x=$(DESTDIR)$(bindir)/$$file; \
+ if chown 0:0 $$x && chmod u+s $$x; then :; else \
+ echo "*"; \
+ echo "* Failed to install $$x setuid root"; \
+ echo "*"; \
+ fi; \
+ done
+
+install-exec-local: install-suid-programs
-install-exec-hook: install-suid-programs
+codesign-all:
+ @if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \
+ foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \
+ for file in $$foo ; do \
+ echo "CODESIGN $$file" ; \
+ codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \
+ done ; \
+ fi
-install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
- @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+all-local: codesign-all
+
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS)
+ @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \
for f in $$foo; do \
f=`basename $$f`; \
if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -1770,7 +1887,7 @@ install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_incl
if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
: ; else \
echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f; \
+ $(CP) $$file $(buildinclude)/$$f || true; \
fi ; \
done ; \
foo='$(nobase_include_HEADERS)'; \
@@ -1827,6 +1944,8 @@ check-local::
$(NROFF_MAN) $< > $@
.5.cat5:
$(NROFF_MAN) $< > $@
+.7.cat7:
+ $(NROFF_MAN) $< > $@
.8.cat8:
$(NROFF_MAN) $< > $@
@@ -1869,6 +1988,19 @@ dist-cat5-mans:
$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
done
+dist-cat7-mans:
+ @foo='$(man7_MANS)'; \
+ bar='$(man_MANS)'; \
+ for i in $$bar; do \
+ case $$i in \
+ *.7) foo="$$foo $$i";; \
+ esac; done ;\
+ for i in $$foo; do \
+ x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \
+ echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+ $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+ done
+
dist-cat8-mans:
@foo='$(man8_MANS)'; \
bar='$(man_MANS)'; \
@@ -1882,13 +2014,13 @@ dist-cat8-mans:
$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
done
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans
install-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+ $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
uninstall-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+ $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
install-data-hook: install-cat-mans
uninstall-hook: uninstall-cat-mans
@@ -1927,99 +2059,101 @@ $(gen_files_pkcs10) pkcs10_asn1.hx pkcs10_asn1-priv.hx: pkcs10_asn1_files
$(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
ocsp_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/ocsp.asn1 $(srcdir)/ocsp.opt
- $(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
pkcs10_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/pkcs10.asn1 $(srcdir)/pkcs10.opt
- $(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
crmf_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/crmf.asn1
- $(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+ $(heim_verbose)$(ASN1_COMPILE) $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+
+$(ALL_OBJECTS): $(HX509_PROTOS)
-$(libhx509_la_OBJECTS): $(srcdir)/hx509-protos.h $(srcdir)/hx509-private.h $(srcdir)/hx_locl.h
+$(libhx509_la_OBJECTS): $(srcdir)/hx_locl.h
$(libhx509_la_OBJECTS): ocsp_asn1.h pkcs10_asn1.h
-$(srcdir)/hx509-protos.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
+$(srcdir)/hx509-protos.h: $(dist_libhx509_la_SOURCES)
+ $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -R '^(_|^C)' -E HX509_LIB -q -P comment -o hx509-protos.h $(dist_libhx509_la_SOURCES) || rm -f hx509-protos.h
-$(srcdir)/hx509-private.h:
- cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
+$(srcdir)/hx509-private.h: $(dist_libhx509_la_SOURCES)
+ $(heim_verbose)cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p hx509-private.h $(dist_libhx509_la_SOURCES) || rm -f hx509-private.h
hxtool-commands.c hxtool-commands.h: hxtool-commands.in $(SLC)
- $(SLC) $(srcdir)/hxtool-commands.in
+ $(heim_verbose)$(SLC) $(srcdir)/hxtool-commands.in
-$(hxtool_OBJECTS): hxtool-commands.h
+$(hxtool_OBJECTS): hxtool-commands.h hx509_err.h
clean-local:
@echo "cleaning PKITS" ; rm -rf PKITS_data
test_ca: test_ca.in Makefile
$(do_subst) < $(srcdir)/test_ca.in > test_ca.tmp
- chmod +x test_ca.tmp
+ $(heim_verbose)chmod +x test_ca.tmp
mv test_ca.tmp test_ca
test_cert: test_cert.in Makefile
$(do_subst) < $(srcdir)/test_cert.in > test_cert.tmp
- chmod +x test_cert.tmp
+ $(heim_verbose)chmod +x test_cert.tmp
mv test_cert.tmp test_cert
test_chain: test_chain.in Makefile
$(do_subst) < $(srcdir)/test_chain.in > test_chain.tmp
- chmod +x test_chain.tmp
+ $(heim_verbose)chmod +x test_chain.tmp
mv test_chain.tmp test_chain
test_cms: test_cms.in Makefile
$(do_subst) < $(srcdir)/test_cms.in > test_cms.tmp
- chmod +x test_cms.tmp
+ $(heim_verbose)chmod +x test_cms.tmp
mv test_cms.tmp test_cms
test_crypto: test_crypto.in Makefile
$(do_subst) < $(srcdir)/test_crypto.in > test_crypto.tmp
- chmod +x test_crypto.tmp
+ $(heim_verbose)chmod +x test_crypto.tmp
mv test_crypto.tmp test_crypto
test_nist: test_nist.in Makefile
$(do_subst) < $(srcdir)/test_nist.in > test_nist.tmp
- chmod +x test_nist.tmp
+ $(heim_verbose)chmod +x test_nist.tmp
mv test_nist.tmp test_nist
test_nist2: test_nist2.in Makefile
$(do_subst) < $(srcdir)/test_nist2.in > test_nist2.tmp
- chmod +x test_nist2.tmp
+ $(heim_verbose)chmod +x test_nist2.tmp
mv test_nist2.tmp test_nist2
test_pkcs11: test_pkcs11.in Makefile
$(do_subst) < $(srcdir)/test_pkcs11.in > test_pkcs11.tmp
- chmod +x test_pkcs11.tmp
+ $(heim_verbose)chmod +x test_pkcs11.tmp
mv test_pkcs11.tmp test_pkcs11
test_java_pkcs11: test_java_pkcs11.in Makefile
$(do_subst) < $(srcdir)/test_java_pkcs11.in > test_java_pkcs11.tmp
- chmod +x test_java_pkcs11.tmp
+ $(heim_verbose)chmod +x test_java_pkcs11.tmp
mv test_java_pkcs11.tmp test_java_pkcs11
test_nist_cert: test_nist_cert.in Makefile
$(do_subst) < $(srcdir)/test_nist_cert.in > test_nist_cert.tmp
- chmod +x test_nist_cert.tmp
+ $(heim_verbose)chmod +x test_nist_cert.tmp
mv test_nist_cert.tmp test_nist_cert
test_nist_pkcs12: test_nist_pkcs12.in Makefile
$(do_subst) < $(srcdir)/test_nist_pkcs12.in > test_nist_pkcs12.tmp
- chmod +x test_nist_pkcs12.tmp
+ $(heim_verbose)chmod +x test_nist_pkcs12.tmp
mv test_nist_pkcs12.tmp test_nist_pkcs12
test_req: test_req.in Makefile
$(do_subst) < $(srcdir)/test_req.in > test_req.tmp
- chmod +x test_req.tmp
+ $(heim_verbose)chmod +x test_req.tmp
mv test_req.tmp test_req
test_windows: test_windows.in Makefile
$(do_subst) < $(srcdir)/test_windows.in > test_windows.tmp
- chmod +x test_windows.tmp
+ $(heim_verbose)chmod +x test_windows.tmp
mv test_windows.tmp test_windows
test_query: test_query.in Makefile
$(do_subst) < $(srcdir)/test_query.in > test_query.tmp
- chmod +x test_query.tmp
+ $(heim_verbose)chmod +x test_query.tmp
mv test_query.tmp test_query
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/lib/hx509/NTMakefile b/lib/hx509/NTMakefile
index 99116d76ed26..ee1bb69d09d6 100644
--- a/lib/hx509/NTMakefile
+++ b/lib/hx509/NTMakefile
@@ -1,6 +1,6 @@
########################################################################
#
-# Copyright (c) 2009, Secure Endpoints Inc.
+# Copyright (c) 2009-2017, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
@@ -30,7 +30,7 @@
#
RELDIR=lib\hx509
-intcflags=-I$(SRCDIR)\ref -I$(OBJ)
+intcflags=-I$(OBJ)
localcflags=-DASN1_LIB
!include ../../windows/NTMakefile.w32
@@ -47,6 +47,7 @@ libhx509_la_OBJS = \
$(OBJ)\cms.obj \
$(OBJ)\collector.obj \
$(OBJ)\crypto.obj \
+ $(OBJ)\crypto-ec.obj \
$(OBJ)\error.obj \
$(OBJ)\env.obj \
$(OBJ)\file.obj \
@@ -81,6 +82,7 @@ dist_libhx509_la_SOURCES = \
$(SRCDIR)\cms.c \
$(SRCDIR)\collector.c \
$(SRCDIR)\crypto.c \
+ $(SRCDIR)\crypto-ec.c \
$(SRCDIR)\doxygen.c \
$(SRCDIR)\error.c \
$(SRCDIR)\env.c \
@@ -162,7 +164,7 @@ $(OBJ)\hxtool-commands.c $(OBJ)\hxtool-commands.h: hxtool-commands.in $(SLC)
cd $(SRCDIR)
$(BINDIR)\hxtool.exe: $(OBJ)\tool\hxtool.obj $(OBJ)\tool\hxtool-commands.obj $(LIBHEIMDAL) $(OBJ)\hxtool-version.res
- $(EXECONLINK) $(LIBHEIMDAL) $(LIBROKEN) $(LIBSL) $(LIBVERS) $(LIBCOMERR)
+ $(EXECONLINK) $(LIBHEIMDAL) $(LIBROKEN) $(LIBSL) $(LIBVERS) $(LIBCOMERR) $(LIB_openssl_crypto)
$(EXEPREP)
$(OBJ)\hx509-protos.h:
@@ -190,7 +192,7 @@ $(OBJ)\sel-gram.c: sel-gram.y
$(YACC) -o $@ --defines=$(OBJ)\sel-gram.h sel-gram.y
$(OBJ)\sel-lex.c: sel-lex.l
- $(LEX) -o$@ sel-lex.l
+ $(LEX) -P_hx509_sel_yy -o$@ sel-lex.l
all:: $(INCFILES) $(LIBHX509)
diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c
index cb5a7be62cc3..418a404b4aa9 100644
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -61,7 +61,7 @@ struct hx509_ca_tbs {
CRLDistributionPoints crldp;
heim_bit_string subjectUniqueID;
heim_bit_string issuerUniqueID;
-
+ AlgorithmIdentifier *sigalg;
};
/**
@@ -109,6 +109,10 @@ hx509_ca_tbs_free(hx509_ca_tbs *tbs)
der_free_bit_string(&(*tbs)->subjectUniqueID);
der_free_bit_string(&(*tbs)->issuerUniqueID);
hx509_name_free(&(*tbs)->subject);
+ if ((*tbs)->sigalg) {
+ free_AlgorithmIdentifier((*tbs)->sigalg);
+ free((*tbs)->sigalg);
+ }
memset(*tbs, 0, sizeof(**tbs));
free(*tbs);
@@ -888,7 +892,7 @@ hx509_ca_tbs_set_unique(hx509_context context,
*
* @param context A hx509 context.
* @param tbs object to be signed.
- * @param env enviroment variable to expand variables in the subject
+ * @param env environment variable to expand variables in the subject
* name, see hx509_env_init().
*
* @return An hx509 error code, see hx509_get_error_string().
@@ -904,6 +908,39 @@ hx509_ca_tbs_subject_expand(hx509_context context,
return hx509_name_expand(context, tbs->subject, env);
}
+/**
+ * Set signature algorithm on the to be signed certificate
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param sigalg signature algorithm to use
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_signature_algorithm(hx509_context context,
+ hx509_ca_tbs tbs,
+ const AlgorithmIdentifier *sigalg)
+{
+ int ret;
+
+ tbs->sigalg = calloc(1, sizeof(*tbs->sigalg));
+ if (tbs->sigalg == NULL) {
+ hx509_set_error_string(context, 0, ENOMEM, "Out of memory");
+ return ENOMEM;
+ }
+ ret = copy_AlgorithmIdentifier(sigalg, tbs->sigalg);
+ if (ret) {
+ free(tbs->sigalg);
+ tbs->sigalg = NULL;
+ return ret;
+ }
+ return 0;
+}
+
/*
*
*/
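Review bot: hx509_ca_tbs_set_signature_algorithm overwrites `tbs->sigalg` without releasing a value left by an earlier call, so calling the setter twice on the same tbs leaks the previous AlgorithmIdentifier. Before the `calloc`, release any existing value the way the hx509_ca_tbs_free hunk does: `if (tbs->sigalg) { free_AlgorithmIdentifier(tbs->sigalg); free(tbs->sigalg); }`. The `copy_AlgorithmIdentifier` failure path also returns without recording an error string, unlike the ENOMEM path just above it; `hx509_set_error_string(context, 0, ret, "Out of memory");` there would keep the two consistent.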
@@ -965,8 +1002,8 @@ build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
}
t = time(NULL);
- asprintf(&tstr, "ts-%lu", (unsigned long)t);
- if (tstr == NULL) {
+ ret = asprintf(&tstr, "ts-%lu", (unsigned long)t);
+ if (ret == -1 || tstr == NULL) {
hx509_set_error_string(context, 0, ENOMEM,
"Failed to copy subject name");
return ENOMEM;
@@ -987,6 +1024,7 @@ ca_sign(hx509_context context,
const Name *issuername,
hx509_cert *certificate)
{
+ heim_error_t error = NULL;
heim_octet_string data;
Certificate c;
TBSCertificate *tbsc;
@@ -997,7 +1035,9 @@ ca_sign(hx509_context context,
time_t notAfter;
unsigned key_usage;
- sigalg = _hx509_crypto_default_sig_alg;
+ sigalg = tbs->sigalg;
+ if (sigalg == NULL)
+ sigalg = _hx509_crypto_default_sig_alg;
memset(&c, 0, sizeof(c));
@@ -1086,6 +1126,12 @@ ca_sign(hx509_context context,
goto out;
}
} else {
+ /*
+ * If no explicit serial number is specified, 20 random bytes should be
+ * sufficiently collision resistant. Since the serial number must be a
+ * positive integer, ensure minimal ASN.1 DER form by forcing the high
+ * bit off and the next bit on (thus avoiding an all zero first octet).
+ */
tbsc->serialNumber.length = 20;
tbsc->serialNumber.data = malloc(tbsc->serialNumber.length);
if (tbsc->serialNumber.data == NULL){
@@ -1093,9 +1139,9 @@ ca_sign(hx509_context context,
hx509_set_error_string(context, 0, ret, "Out of memory");
goto out;
}
- /* XXX diffrent */
RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length);
((unsigned char *)tbsc->serialNumber.data)[0] &= 0x7f;
+ ((unsigned char *)tbsc->serialNumber.data)[0] |= 0x40;
}
/* signature AlgorithmIdentifier, */
ret = copy_AlgorithmIdentifier(sigalg, &tbsc->signature);
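Review bot: The return value of `RAND_bytes` is still ignored on the context line just above the new `|= 0x40`, so if the random source fails, the serial number is built from whatever the preceding `malloc` returned. In that case the collision-resistance argument in the comment added by the previous hunk no longer holds. Check the result and fail the signing instead, for example `if (RAND_bytes(tbsc->serialNumber.data, tbsc->serialNumber.length) != 1) { ret = HX509_CRYPTO_INTERNAL_ERROR; goto out; }`. That assumes the OpenSSL-style return of 1 on success, and the error code should be whichever one this file uses for crypto failures; set an error string as the ENOMEM branch does. ca_sign starts and ends outside this hunk, so confirm that the `out` path frees the partially built certificate.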
@@ -1408,9 +1454,12 @@ ca_sign(hx509_context context,
if (ret)
goto out;
- ret = hx509_cert_init(context, &c, certificate);
- if (ret)
+ *certificate = hx509_cert_init(context, &c, &error);
+ if (*certificate == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
goto out;
+ }
free_Certificate(&c);
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 70e575603779..dd6d38917499 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -93,6 +93,14 @@ typedef struct hx509_name_constraints {
#define GeneralSubtrees_SET(g,var) \
(g)->len = (var)->len, (g)->val = (var)->val;
+static void
+init_context_once(void *ignored)
+{
+
+ ENGINE_add_conf_module();
+ OpenSSL_add_all_algorithms();
+}
+
/**
* Creates a hx509 context that most functions in the library
* uses. The context is only allowed to be used by one thread at each
@@ -108,10 +116,14 @@ typedef struct hx509_name_constraints {
int
hx509_context_init(hx509_context *context)
{
+ static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
+
*context = calloc(1, sizeof(**context));
if (*context == NULL)
return ENOMEM;
+ heim_base_once_f(&init_context, NULL, init_context_once);
+
_hx509_ks_null_register(*context);
_hx509_ks_mem_register(*context);
_hx509_ks_file_register(*context);
@@ -120,9 +132,6 @@ hx509_context_init(hx509_context *context)
_hx509_ks_dir_register(*context);
_hx509_ks_keychain_register(*context);
- ENGINE_add_conf_module();
- OpenSSL_add_all_algorithms();
-
(*context)->ocsp_time_diff = HX509_DEFAULT_OCSP_TIME_DIFF;
initialize_hx_error_table_r(&(*context)->et_list);
@@ -209,42 +218,48 @@ _hx509_cert_get_version(const Certificate *t)
*
* @param context A hx509 context.
* @param c
- * @param cert
+ * @param error
*
- * @return Returns an hx509 error code.
+ * @return Returns an hx509 certificate
*
* @ingroup hx509_cert
*/
-int
-hx509_cert_init(hx509_context context, const Certificate *c, hx509_cert *cert)
+hx509_cert
+hx509_cert_init(hx509_context context, const Certificate *c, heim_error_t *error)
{
+ hx509_cert cert;
int ret;
- *cert = malloc(sizeof(**cert));
- if (*cert == NULL)
- return ENOMEM;
- (*cert)->ref = 1;
- (*cert)->friendlyname = NULL;
- (*cert)->attrs.len = 0;
- (*cert)->attrs.val = NULL;
- (*cert)->private_key = NULL;
- (*cert)->basename = NULL;
- (*cert)->release = NULL;
- (*cert)->ctx = NULL;
-
- (*cert)->data = calloc(1, sizeof(*(*cert)->data));
- if ((*cert)->data == NULL) {
- free(*cert);
- return ENOMEM;
+ cert = malloc(sizeof(*cert));
+ if (cert == NULL) {
+ if (error)
+ *error = heim_error_create_enomem();
+ return NULL;
+ }
+ cert->ref = 1;
+ cert->friendlyname = NULL;
+ cert->attrs.len = 0;
+ cert->attrs.val = NULL;
+ cert->private_key = NULL;
+ cert->basename = NULL;
+ cert->release = NULL;
+ cert->ctx = NULL;
+
+ cert->data = calloc(1, sizeof(*(cert->data)));
+ if (cert->data == NULL) {
+ free(cert);
+ if (error)
+ *error = heim_error_create_enomem();
+ return NULL;
}
- ret = copy_Certificate(c, (*cert)->data);
+ ret = copy_Certificate(c, cert->data);
if (ret) {
- free((*cert)->data);
- free(*cert);
- *cert = NULL;
+ free(cert->data);
+ free(cert);
+ cert = NULL;
}
- return ret;
+ return cert;
}
/**
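Review bot: The `copy_Certificate` failure branch of `hx509_cert_init` returns NULL without storing anything in `*error`, unlike the two allocation-failure branches above it. Callers in this commit read the error unconditionally after a NULL return: `ca_sign` and `any_to_certs` both call `heim_error_get_code(error)` and then `heim_release(error)`, and `any_to_certs` declares `heim_error_t error;` with no initializer (the declaration in `ca_sign` is not visible here). On that path they would read and release an indeterminate pointer. Set the error in the branch, e.g. `if (error) *error = heim_error_create(ret, "Failed to copy certificate");`, and initialize the callers' variable with `heim_error_t error = NULL;`.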
@@ -259,39 +274,41 @@ hx509_cert_init(hx509_context context, const Certificate *c, hx509_cert *cert)
* @param context A hx509 context.
* @param ptr pointer to memory region containing encoded certificate.
* @param len length of memory region.
- * @param cert a return pointer to a hx509 certificate object, will
- * contain NULL on error.
+ * @param error possibly returns an error
*
- * @return An hx509 error code, see hx509_get_error_string().
+ * @return An hx509 certificate
*
* @ingroup hx509_cert
*/
-int
+hx509_cert
hx509_cert_init_data(hx509_context context,
const void *ptr,
size_t len,
- hx509_cert *cert)
+ heim_error_t *error)
{
+ hx509_cert cert;
Certificate t;
size_t size;
int ret;
ret = decode_Certificate(ptr, len, &t, &size);
if (ret) {
- hx509_set_error_string(context, 0, ret, "Failed to decode certificate");
- return ret;
+ if (error)
+ *error = heim_error_create(ret, "Failed to decode certificate");
+ return NULL;
}
if (size != len) {
free_Certificate(&t);
- hx509_set_error_string(context, 0, HX509_EXTRA_DATA_AFTER_STRUCTURE,
- "Extra data after certificate");
- return HX509_EXTRA_DATA_AFTER_STRUCTURE;
+ if (error)
+ *error = heim_error_create(HX509_EXTRA_DATA_AFTER_STRUCTURE,
+ "Extra data after certificate");
+ return NULL;
}
- ret = hx509_cert_init(context, &t, cert);
+ cert = hx509_cert_init(context, &t, error);
free_Certificate(&t);
- return ret;
+ return cert;
}
void
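Review bot: The rewritten doc comment for `hx509_cert_init_data` no longer tells the caller what failure looks like: `@return An hx509 certificate` omits that NULL is returned on error, and `@param error possibly returns an error` does not say who releases the object. Suggested wording: `@param error if non-NULL, receives a heim_error_t on failure; release with heim_release()` and `@return the certificate, or NULL on failure`. The same applies to the comment on `hx509_cert_init` in the previous hunk. Also note that the decode and extra-data paths no longer call `hx509_set_error_string`, so a caller that passes `error == NULL` and then reads the context error string gets no reason for the failure.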
@@ -827,7 +844,8 @@ check_key_usage(hx509_context context, const Certificate *cert,
_hx509_unparse_Name(&cert->tbsCertificate.subject, &name);
hx509_set_error_string(context, 0, HX509_KU_CERT_MISSING,
"Key usage %s required but missing "
- "from certifiate %s", buf, name);
+ "from certifiate %s", buf,
+ name ? name : "<unknown>");
free(name);
return HX509_KU_CERT_MISSING;
}
@@ -970,7 +988,7 @@ _hx509_cert_is_parent_cmp(const Certificate *subject,
if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName)
return -1;
- name.element =
+ name.element = (enum Name_enum)
ai.authorityCertIssuer->val[0].u.directoryName.element;
name.u.rdnSequence =
ai.authorityCertIssuer->val[0].u.directoryName.u.rdnSequence;
@@ -1803,12 +1821,12 @@ match_general_name(const GeneralName *c, const GeneralName *n, int *match)
c_name._save.data = NULL;
c_name._save.length = 0;
- c_name.element = c->u.directoryName.element;
+ c_name.element = (enum Name_enum)c->u.directoryName.element;
c_name.u.rdnSequence = c->u.directoryName.u.rdnSequence;
n_name._save.data = NULL;
n_name._save.length = 0;
- n_name.element = n->u.directoryName.element;
+ n_name.element = (enum Name_enum)n->u.directoryName.element;
n_name.u.rdnSequence = n->u.directoryName.u.rdnSequence;
ret = match_X501Name(&c_name, &n_name);
@@ -1829,7 +1847,7 @@ match_alt_name(const GeneralName *n, const Certificate *c,
int *same, int *match)
{
GeneralNames sa;
- int ret;
+ int ret = 0;
size_t i, j;
i = 0;
@@ -1844,7 +1862,7 @@ match_alt_name(const GeneralName *n, const Certificate *c,
for (j = 0; j < sa.len; j++) {
if (n->element == sa.val[j].element) {
*same = 1;
- ret = match_general_name(n, &sa.val[j], match);
+ match_general_name(n, &sa.val[j], match);
}
}
free_GeneralNames(&sa);
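Review bot: The return value of `match_general_name()` is now discarded at this call in `match_alt_name`, and the two `match_tree` hunks below do the same for `match_general_name` and `match_alt_name`. If those helpers can return an error (their bodies are outside these hunks), a failed comparison now looks the same as "no match". For a permitted subtree that rejects the certificate, but for an excluded subtree it would accept it. Either propagate the code to the caller, or state the intent at each call with a comment such as `/* errors are deliberately treated as "no match"; see <reason> */` so the fail-open case is a reviewed decision.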
@@ -1878,12 +1896,12 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
memset(&certname, 0, sizeof(certname));
certname.element = choice_GeneralName_directoryName;
- certname.u.directoryName.element =
+ certname.u.directoryName.element = (enum GeneralName_directoryName_enum)
c->tbsCertificate.subject.element;
certname.u.directoryName.u.rdnSequence =
c->tbsCertificate.subject.u.rdnSequence;
- ret = match_general_name(&t->val[i].base, &certname, &name);
+ match_general_name(&t->val[i].base, &certname, &name);
}
/* Handle subjectAltNames, this is icky since they
@@ -1891,7 +1909,7 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
* same type. So if there have been a match of type, require
* altname to be set.
*/
- ret = match_alt_name(&t->val[i].base, c, &same, &alt_name);
+ match_alt_name(&t->val[i].base, c, &same, &alt_name);
}
if (name && (!same || alt_name))
*match = 1;
@@ -1985,6 +2003,16 @@ hx509_verify_path(hx509_context context,
memset(&proxy_issuer, 0, sizeof(proxy_issuer));
+ if ((ctx->flags & HX509_VERIFY_CTX_F_ALLOW_PROXY_CERTIFICATE) == 0 &&
+ is_proxy_cert(context, cert->data, NULL) == 0)
+ {
+ ret = HX509_PROXY_CERT_INVALID;
+ hx509_set_error_string(context, 0, ret,
+ "Proxy certificate is not allowed as an EE "
+ "certificae if proxy certificate is disabled");
+ return ret;
+ }
+
ret = init_name_constraints(&nc);
if (ret)
return ret;
@@ -2353,20 +2381,12 @@ hx509_verify_path(hx509_context context,
goto out;
}
/*
- * Verify that the sigature algorithm "best-before" date is
- * before the creation date of the certificate, do this for
- * trust anchors too, since any trust anchor that is created
- * after a algorithm is known to be bad deserved to be invalid.
- *
- * Skip the leaf certificate for now...
+ * Verify that the sigature algorithm is not weak. Ignore
+ * trust anchors since they are provisioned by the user.
*/
- if (i != 0 && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) {
- time_t notBefore =
- _hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
- ret = _hx509_signature_best_before(context,
- &c->signatureAlgorithm,
- notBefore);
+ if (i + 1 != path.len && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) {
+ ret = _hx509_signature_is_weak(context, &c->signatureAlgorithm);
if (ret)
goto out;
}
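Review bot: The guard on the new `_hx509_signature_is_weak()` call still tests `HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK`, so a flag named after the removed date check now switches off weak-algorithm rejection for every non-anchor certificate, the leaf included. The comment should say so, e.g. `/* HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK (legacy name) disables this check. */`, so that a caller who set the flag for date reasons knows what else it turns off. The `i + 1 != path.len` test also assumes the last path element is always the trust anchor. That depends on the path builder, which is outside this hunk.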
@@ -3384,7 +3404,7 @@ hx509_cert_binary(hx509_context context, hx509_cert c, heim_octet_string *os)
void
_hx509_abort(const char *fmt, ...)
- __attribute__ ((noreturn, format (printf, 1, 2)))
+ __attribute__ ((__noreturn__, __format__ (__printf__, 1, 2)))
{
va_list ap;
va_start(ap, fmt);
@@ -3425,7 +3445,9 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
*env = NULL;
/* version */
- asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+ ret = asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+ if (ret == -1)
+ goto out;
ret = hx509_env_add(context, &envcert, "version", buf);
free(buf);
if (ret)
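Review bot: When `asprintf` fails in `_hx509_cert_to_env`, the new code jumps to `out` with `ret` still `-1`, which is not an hx509 or errno value. Assuming `out:` (outside this hunk) returns `ret` as written, callers would see `-1` instead of `ENOMEM`. Suggest `if (ret == -1) { ret = ENOMEM; goto out; }`.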
diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 4e0a2e03fcb6..7aa159cbb2d6 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -209,7 +209,7 @@ unparse_CMSIdentifier(hx509_context context,
CMSIdentifier *id,
char **str)
{
- int ret;
+ int ret = -1;
*str = NULL;
switch (id->element) {
@@ -227,8 +227,8 @@ unparse_CMSIdentifier(hx509_context context,
free(name);
return ret;
}
- asprintf(str, "certificate issued by %s with serial number %s",
- name, serial);
+ ret = asprintf(str, "certificate issued by %s with serial number %s",
+ name, serial);
free(name);
free(serial);
break;
@@ -242,15 +242,19 @@ unparse_CMSIdentifier(hx509_context context,
if (len < 0)
return ENOMEM;
- asprintf(str, "certificate with id %s", keyid);
+ ret = asprintf(str, "certificate with id %s", keyid);
free(keyid);
break;
}
default:
- asprintf(str, "certificate have unknown CMSidentifier type");
+ ret = asprintf(str, "certificate have unknown CMSidentifier type");
break;
}
- if (*str == NULL)
+ /*
+ * In the following if, we check ret and *str which should be returned/set
+ * by asprintf(3) in every branch of the switch statement.
+ */
+ if (ret == -1 || *str == NULL)
return ENOMEM;
return 0;
}
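Review bot: On `asprintf` failure the contents of `*str` are unspecified on some C libraries, so the `ENOMEM` return in `unparse_CMSIdentifier` can leave the caller holding a non-NULL pointer that was never allocated. Reset it before returning: `if (ret == -1 || *str == NULL) { *str = NULL; return ENOMEM; }`. The function starts outside this hunk, and its earlier `return ret;` paths leave `*str` at the NULL set on entry.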
@@ -340,6 +344,8 @@ find_CMSIdentifier(hx509_context context,
* @param contentType output type oid, should be freed with der_free_oid().
* @param content the data, free with der_free_octet_string().
*
+ * @return an hx509 error code.
+ *
* @ingroup hx509_cms
*/
@@ -544,6 +550,8 @@ out:
* @param content the output of the function,
* free with der_free_octet_string().
*
+ * @return an hx509 error code.
+ *
* @ingroup hx509_cms
*/
@@ -726,14 +734,18 @@ any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
return 0;
for (i = 0; i < sd->certificates->len; i++) {
+ heim_error_t error;
hx509_cert c;
- ret = hx509_cert_init_data(context,
- sd->certificates->val[i].data,
- sd->certificates->val[i].length,
- &c);
- if (ret)
+ c = hx509_cert_init_data(context,
+ sd->certificates->val[i].data,
+ sd->certificates->val[i].length,
+ &error);
+ if (c == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
return ret;
+ }
ret = hx509_certs_add(context, certs, c);
hx509_cert_free(c);
if (ret)
@@ -772,6 +784,8 @@ find_attribute(const CMSAttributes *attr, const heim_oid *oid)
* @param signer_certs list of the cerficates used to sign this
* request, free with hx509_certs_free().
*
+ * @return an hx509 error code.
+ *
* @ingroup hx509_cms
*/
@@ -855,7 +869,7 @@ hx509_cms_verify_signed(hx509_context context,
}
for (found_valid_sig = 0, i = 0; i < sd.signerInfos.len; i++) {
- heim_octet_string signed_data;
+ heim_octet_string signed_data = { 0, 0 };
const heim_oid *match_oid;
heim_oid decode_oid;
@@ -1016,8 +1030,10 @@ hx509_cms_verify_signed(hx509_context context,
"Failed to verify signature in "
"CMS SignedData");
}
- if (signer_info->signedAttrs)
- free(signed_data.data);
+ if (signed_data.data != NULL && content->data != signed_data.data) {
+ free(signed_data.data);
+ signed_data.data = NULL;
+ }
if (ret)
goto next_sigature;
@@ -1137,6 +1153,8 @@ add_one_attribute(Attribute **attr,
* @param signed_data the output of the function, free with
* der_free_octet_string().
*
+ * @return Returns an hx509 error code.
+ *
* @ingroup hx509_cms
*/
diff --git a/lib/hx509/crypto-ec.c b/lib/hx509/crypto-ec.c
new file mode 100644
index 000000000000..4777171cae52
--- /dev/null
+++ b/lib/hx509/crypto-ec.c
@@ -0,0 +1,533 @@
+/*
+ * Copyright (c) 2016 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/rsa.h>
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#define HEIM_NO_CRYPTO_HDRS
+#endif /* HAVE_HCRYPTO_W_OPENSSL */
+
+#include "hx_locl.h"
+
+extern const AlgorithmIdentifier _hx509_signature_sha512_data;
+extern const AlgorithmIdentifier _hx509_signature_sha384_data;
+extern const AlgorithmIdentifier _hx509_signature_sha256_data;
+extern const AlgorithmIdentifier _hx509_signature_sha1_data;
+
+void
+_hx509_private_eckey_free(void *eckey)
+{
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+ EC_KEY_free(eckey);
+#endif
+}
+
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+static int
+heim_oid2ecnid(heim_oid *oid)
+{
+ /*
+ * Now map to openssl OID fun
+ */
+
+ if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0)
+ return NID_X9_62_prime256v1;
+#ifdef NID_secp521r1
+ else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP521R1) == 0)
+ return NID_secp521r1;
+#endif
+#ifdef NID_secp384r1
+ else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP384R1) == 0)
+ return NID_secp384r1;
+#endif
+#ifdef NID_secp160r1
+ else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0)
+ return NID_secp160r1;
+#endif
+#ifdef NID_secp160r2
+ else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0)
+ return NID_secp160r2;
+#endif
+
+ return NID_undef;
+}
+
+static int
+parse_ECParameters(hx509_context context,
+ heim_octet_string *parameters, int *nid)
+{
+ ECParameters ecparam;
+ size_t size;
+ int ret;
+
+ if (parameters == NULL) {
+ ret = HX509_PARSING_KEY_FAILED;
+ hx509_set_error_string(context, 0, ret,
+ "EC parameters missing");
+ return ret;
+ }
+
+ ret = decode_ECParameters(parameters->data, parameters->length,
+ &ecparam, &size);
+ if (ret) {
+ hx509_set_error_string(context, 0, ret,
+ "Failed to decode EC parameters");
+ return ret;
+ }
+
+ if (ecparam.element != choice_ECParameters_namedCurve) {
+ free_ECParameters(&ecparam);
+ hx509_set_error_string(context, 0, ret,
+ "EC parameters is not a named curve");
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+
+ *nid = heim_oid2ecnid(&ecparam.u.namedCurve);
+ free_ECParameters(&ecparam);
+ if (*nid == NID_undef) {
+ hx509_set_error_string(context, 0, ret,
+ "Failed to find matcing NID for EC curve");
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+ return 0;
+}
+
+
+/*
+ *
+ */
+
+static int
+ecdsa_verify_signature(hx509_context context,
+ const struct signature_alg *sig_alg,
+ const Certificate *signer,
+ const AlgorithmIdentifier *alg,
+ const heim_octet_string *data,
+ const heim_octet_string *sig)
+{
+ const AlgorithmIdentifier *digest_alg;
+ const SubjectPublicKeyInfo *spi;
+ heim_octet_string digest;
+ int ret;
+ EC_KEY *key = NULL;
+ int groupnid;
+ EC_GROUP *group;
+ const unsigned char *p;
+ long len;
+
+ digest_alg = sig_alg->digest_alg;
+
+ ret = _hx509_create_signature(context,
+ NULL,
+ digest_alg,
+ data,
+ NULL,
+ &digest);
+ if (ret)
+ return ret;
+
+ /* set up EC KEY */
+ spi = &signer->tbsCertificate.subjectPublicKeyInfo;
+
+ if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0)
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+
+ /*
+ * Find the group id
+ */
+
+ ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
+ if (ret) {
+ der_free_octet_string(&digest);
+ return ret;
+ }
+
+ /*
+ * Create group, key, parse key
+ */
+
+ key = EC_KEY_new();
+ group = EC_GROUP_new_by_curve_name(groupnid);
+ EC_KEY_set_group(key, group);
+ EC_GROUP_free(group);
+
+ p = spi->subjectPublicKey.data;
+ len = spi->subjectPublicKey.length / 8;
+
+ if (o2i_ECPublicKey(&key, &p, len) == NULL) {
+ EC_KEY_free(key);
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+
+ ret = ECDSA_verify(-1, digest.data, digest.length,
+ sig->data, sig->length, key);
+ der_free_octet_string(&digest);
+ EC_KEY_free(key);
+ if (ret != 1) {
+ ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
+ return ret;
+ }
+
+ return 0;
+}
+
+static int
+ecdsa_create_signature(hx509_context context,
+ const struct signature_alg *sig_alg,
+ const hx509_private_key signer,
+ const AlgorithmIdentifier *alg,
+ const heim_octet_string *data,
+ AlgorithmIdentifier *signatureAlgorithm,
+ heim_octet_string *sig)
+{
+ const AlgorithmIdentifier *digest_alg;
+ heim_octet_string indata;
+ const heim_oid *sig_oid;
+ unsigned int siglen;
+ int ret;
+
+ if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
+ _hx509_abort("internal error passing private key to wrong ops");
+
+ sig_oid = sig_alg->sig_oid;
+ digest_alg = sig_alg->digest_alg;
+
+ if (signatureAlgorithm) {
+ ret = _hx509_set_digest_alg(signatureAlgorithm, sig_oid,
+ "\x05\x00", 2);
+ if (ret) {
+ hx509_clear_error_string(context);
+ return ret;
+ }
+ }
+
+ ret = _hx509_create_signature(context,
+ NULL,
+ digest_alg,
+ data,
+ NULL,
+ &indata);
+ if (ret)
+ goto error;
+
+ sig->length = ECDSA_size(signer->private_key.ecdsa);
+ sig->data = malloc(sig->length);
+ if (sig->data == NULL) {
+ der_free_octet_string(&indata);
+ ret = ENOMEM;
+ hx509_set_error_string(context, 0, ret, "out of memory");
+ goto error;
+ }
+
+ siglen = sig->length;
+
+ ret = ECDSA_sign(-1, indata.data, indata.length,
+ sig->data, &siglen, signer->private_key.ecdsa);
+ der_free_octet_string(&indata);
+ if (ret != 1) {
+ ret = HX509_CMS_FAILED_CREATE_SIGATURE;
+ hx509_set_error_string(context, 0, ret,
+ "ECDSA sign failed: %d", ret);
+ goto error;
+ }
+ if (siglen > sig->length)
+ _hx509_abort("ECDSA signature prelen longer the output len");
+
+ sig->length = siglen;
+
+ return 0;
+ error:
+ if (signatureAlgorithm)
+ free_AlgorithmIdentifier(signatureAlgorithm);
+ return ret;
+}
+
+static int
+ecdsa_available(const hx509_private_key signer,
+ const AlgorithmIdentifier *sig_alg)
+{
+ const struct signature_alg *sig;
+ const EC_GROUP *group;
+ BN_CTX *bnctx = NULL;
+ BIGNUM *order = NULL;
+ int ret = 0;
+
+ if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
+ _hx509_abort("internal error passing private key to wrong ops");
+
+ sig = _hx509_find_sig_alg(&sig_alg->algorithm);
+
+ if (sig == NULL || sig->digest_size == 0)
+ return 0;
+
+ group = EC_KEY_get0_group(signer->private_key.ecdsa);
+ if (group == NULL)
+ return 0;
+
+ bnctx = BN_CTX_new();
+ order = BN_new();
+ if (order == NULL)
+ goto err;
+
+ if (EC_GROUP_get_order(group, order, bnctx) != 1)
+ goto err;
+
+#if 0
+ /* If anything, require a digest at least as wide as the EC key size */
+ if (BN_num_bytes(order) > sig->digest_size)
+#endif
+ ret = 1;
+ err:
+ if (bnctx)
+ BN_CTX_free(bnctx);
+ if (order)
+ BN_clear_free(order);
+
+ return ret;
+}
+
+static int
+ecdsa_private_key2SPKI(hx509_context context,
+ hx509_private_key private_key,
+ SubjectPublicKeyInfo *spki)
+{
+ memset(spki, 0, sizeof(*spki));
+ return ENOMEM;
+}
+
+static int
+ecdsa_private_key_export(hx509_context context,
+ const hx509_private_key key,
+ hx509_key_format_t format,
+ heim_octet_string *data)
+{
+ return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
+}
+
+static int
+ecdsa_private_key_import(hx509_context context,
+ const AlgorithmIdentifier *keyai,
+ const void *data,
+ size_t len,
+ hx509_key_format_t format,
+ hx509_private_key private_key)
+{
+ const unsigned char *p = data;
+ EC_KEY **pkey = NULL;
+ EC_KEY *key;
+
+ if (keyai->parameters) {
+ EC_GROUP *group;
+ int groupnid;
+ int ret;
+
+ ret = parse_ECParameters(context, keyai->parameters, &groupnid);
+ if (ret)
+ return ret;
+
+ key = EC_KEY_new();
+ if (key == NULL)
+ return ENOMEM;
+
+ group = EC_GROUP_new_by_curve_name(groupnid);
+ if (group == NULL) {
+ EC_KEY_free(key);
+ return ENOMEM;
+ }
+ EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+ if (EC_KEY_set_group(key, group) == 0) {
+ EC_KEY_free(key);
+ EC_GROUP_free(group);
+ return ENOMEM;
+ }
+ EC_GROUP_free(group);
+ pkey = &key;
+ }
+
+ switch (format) {
+ case HX509_KEY_FORMAT_DER:
+
+ private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
+ if (private_key->private_key.ecdsa == NULL) {
+ hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
+ "Failed to parse EC private key");
+ return HX509_PARSING_KEY_FAILED;
+ }
+ private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
+ break;
+
+ default:
+ return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
+ }
+
+ return 0;
+}
+
+static int
+ecdsa_generate_private_key(hx509_context context,
+ struct hx509_generate_private_context *ctx,
+ hx509_private_key private_key)
+{
+ return ENOMEM;
+}
+
+static BIGNUM *
+ecdsa_get_internal(hx509_context context,
+ hx509_private_key key,
+ const char *type)
+{
+ return NULL;
+}
+
+static const unsigned ecPublicKey[] ={ 1, 2, 840, 10045, 2, 1 };
+const AlgorithmIdentifier _hx509_signature_ecPublicKey = {
+ { 6, rk_UNCONST(ecPublicKey) }, NULL
+};
+
+static const unsigned ecdsa_with_sha256_oid[] ={ 1, 2, 840, 10045, 4, 3, 2 };
+const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha256_data = {
+ { 7, rk_UNCONST(ecdsa_with_sha256_oid) }, NULL
+};
+
+static const unsigned ecdsa_with_sha384_oid[] ={ 1, 2, 840, 10045, 4, 3, 3 };
+const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha384_data = {
+ { 7, rk_UNCONST(ecdsa_with_sha384_oid) }, NULL
+};
+
+static const unsigned ecdsa_with_sha512_oid[] ={ 1, 2, 840, 10045, 4, 3, 4 };
+const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha512_data = {
+ { 7, rk_UNCONST(ecdsa_with_sha512_oid) }, NULL
+};
+
+static const unsigned ecdsa_with_sha1_oid[] ={ 1, 2, 840, 10045, 4, 1 };
+const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha1_data = {
+ { 6, rk_UNCONST(ecdsa_with_sha1_oid) }, NULL
+};
+
+hx509_private_key_ops ecdsa_private_key_ops = {
+ "EC PRIVATE KEY",
+ ASN1_OID_ID_ECPUBLICKEY,
+ ecdsa_available,
+ ecdsa_private_key2SPKI,
+ ecdsa_private_key_export,
+ ecdsa_private_key_import,
+ ecdsa_generate_private_key,
+ ecdsa_get_internal
+};
+
+const struct signature_alg ecdsa_with_sha512_alg = {
+ "ecdsa-with-sha512",
+ ASN1_OID_ID_ECDSA_WITH_SHA512,
+ &_hx509_signature_ecdsa_with_sha512_data,
+ ASN1_OID_ID_ECPUBLICKEY,
+ &_hx509_signature_sha512_data,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|
+ SIG_PUBLIC_SIG|SELF_SIGNED_OK,
+ 0,
+ NULL,
+ ecdsa_verify_signature,
+ ecdsa_create_signature,
+ 64
+};
+
+const struct signature_alg ecdsa_with_sha384_alg = {
+ "ecdsa-with-sha384",
+ ASN1_OID_ID_ECDSA_WITH_SHA384,
+ &_hx509_signature_ecdsa_with_sha384_data,
+ ASN1_OID_ID_ECPUBLICKEY,
+ &_hx509_signature_sha384_data,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|
+ SIG_PUBLIC_SIG|SELF_SIGNED_OK,
+ 0,
+ NULL,
+ ecdsa_verify_signature,
+ ecdsa_create_signature,
+ 48
+};
+
+const struct signature_alg ecdsa_with_sha256_alg = {
+ "ecdsa-with-sha256",
+ ASN1_OID_ID_ECDSA_WITH_SHA256,
+ &_hx509_signature_ecdsa_with_sha256_data,
+ ASN1_OID_ID_ECPUBLICKEY,
+ &_hx509_signature_sha256_data,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|
+ SIG_PUBLIC_SIG|SELF_SIGNED_OK,
+ 0,
+ NULL,
+ ecdsa_verify_signature,
+ ecdsa_create_signature,
+ 32
+};
+
+const struct signature_alg ecdsa_with_sha1_alg = {
+ "ecdsa-with-sha1",
+ ASN1_OID_ID_ECDSA_WITH_SHA1,
+ &_hx509_signature_ecdsa_with_sha1_data,
+ ASN1_OID_ID_ECPUBLICKEY,
+ &_hx509_signature_sha1_data,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|
+ SIG_PUBLIC_SIG|SELF_SIGNED_OK,
+ 0,
+ NULL,
+ ecdsa_verify_signature,
+ ecdsa_create_signature,
+ 20
+};
+
+#endif /* HAVE_HCRYPTO_W_OPENSSL */
+
+const AlgorithmIdentifier *
+hx509_signature_ecPublicKey(void)
+{
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+ return &_hx509_signature_ecPublicKey;
+#else
+ return NULL;
+#endif /* HAVE_HCRYPTO_W_OPENSSL */
+}
+
+const AlgorithmIdentifier *
+hx509_signature_ecdsa_with_sha256(void)
+{
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+ return &_hx509_signature_ecdsa_with_sha256_data;
+#else
+ return NULL;
+#endif /* HAVE_HCRYPTO_W_OPENSSL */
+}
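Review bot: `ecdsa_verify_signature` leaks `digest` on two early returns, the `ASN1_OID_ID_ECPUBLICKEY` mismatch and the `o2i_ECPublicKey` failure, and it never checks the results of `EC_KEY_new()`, `EC_GROUP_new_by_curve_name()` or `EC_KEY_set_group()`, which `ecdsa_private_key_import` in the same file does check. Routing every exit through one cleanup label fixes both, as sketched below. The same class of leak exists in `ecdsa_private_key_import`, where `key` is not freed when `d2i_ECPrivateKey` fails or the format is unsupported, and in `ecdsa_create_signature`, where `sig->data` is not freed when `ECDSA_sign` fails. Separately, `parse_ECParameters` passes `ret` (0 at that point) to `hx509_set_error_string` in its named-curve and unknown-NID branches while returning `HX509_CRYPTO_SIG_INVALID_FORMAT`, so the recorded error code does not match the returned one.

```c
    /* … unchanged: digest_alg lookup and _hx509_create_signature() into digest … */

    spi = &signer->tbsCertificate.subjectPublicKeyInfo;

    if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0) {
        ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
        goto out;
    }

    ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
    if (ret)
        goto out;

    key = EC_KEY_new();
    group = EC_GROUP_new_by_curve_name(groupnid);
    if (key == NULL || group == NULL || EC_KEY_set_group(key, group) != 1) {
        EC_GROUP_free(group);
        ret = ENOMEM;
        goto out;
    }
    EC_GROUP_free(group);

    p = spi->subjectPublicKey.data;
    len = spi->subjectPublicKey.length / 8;

    if (o2i_ECPublicKey(&key, &p, len) == NULL) {
        ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
        goto out;
    }

    /* ECDSA_verify returns 1 only for a valid signature; 0 and -1 both fail. */
    ret = ECDSA_verify(-1, digest.data, digest.length,
                       sig->data, sig->length, key);
    ret = (ret == 1) ? 0 : HX509_CRYPTO_SIG_INVALID_FORMAT;

 out:
    der_free_octet_string(&digest);
    EC_KEY_free(key);
    return ret;
```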
diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c
index 4559a9c49391..5ddc54b9f232 100644
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,95 +33,12 @@
#include "hx_locl.h"
-struct hx509_crypto;
-
-struct signature_alg;
-
-struct hx509_generate_private_context {
- const heim_oid *key_oid;
- int isCA;
- unsigned long num_bits;
-};
-
-struct hx509_private_key_ops {
- const char *pemtype;
- const heim_oid *key_oid;
- int (*available)(const hx509_private_key,
- const AlgorithmIdentifier *);
- int (*get_spki)(hx509_context,
- const hx509_private_key,
- SubjectPublicKeyInfo *);
- int (*export)(hx509_context context,
- const hx509_private_key,
- hx509_key_format_t,
- heim_octet_string *);
- int (*import)(hx509_context, const AlgorithmIdentifier *,
- const void *, size_t, hx509_key_format_t,
- hx509_private_key);
- int (*generate_private_key)(hx509_context,
- struct hx509_generate_private_context *,
- hx509_private_key);
- BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
-};
-
-struct hx509_private_key {
- unsigned int ref;
- const struct signature_alg *md;
- const heim_oid *signature_alg;
- union {
- RSA *rsa;
- void *keydata;
-#ifdef HAVE_OPENSSL
- EC_KEY *ecdsa;
-#endif
- } private_key;
- hx509_private_key_ops *ops;
-};
-
-/*
- *
- */
-
-struct signature_alg {
- const char *name;
- const heim_oid *sig_oid;
- const AlgorithmIdentifier *sig_alg;
- const heim_oid *key_oid;
- const AlgorithmIdentifier *digest_alg;
- int flags;
-#define PROVIDE_CONF 0x1
-#define REQUIRE_SIGNER 0x2
-#define SELF_SIGNED_OK 0x4
-
-#define SIG_DIGEST 0x100
-#define SIG_PUBLIC_SIG 0x200
-#define SIG_SECRET 0x400
-
-#define RA_RSA_USES_DIGEST_INFO 0x1000000
-
- time_t best_before; /* refuse signature made after best before date */
- const EVP_MD *(*evp_md)(void);
- int (*verify_signature)(hx509_context context,
- const struct signature_alg *,
- const Certificate *,
- const AlgorithmIdentifier *,
- const heim_octet_string *,
- const heim_octet_string *);
- int (*create_signature)(hx509_context,
- const struct signature_alg *,
- const hx509_private_key,
- const AlgorithmIdentifier *,
- const heim_octet_string *,
- AlgorithmIdentifier *,
- heim_octet_string *);
- int digest_size;
-};
-
-static const struct signature_alg *
-find_sig_alg(const heim_oid *oid);
-
-/*
+/*-
+ * RFC5758 specifies no parameters for ecdsa-with-SHA<N> signatures
+ * RFC5754 specifies NULL parameters for sha<N>WithRSAEncryption signatures
*
+ * XXX: Make sure that the parameters are either NULL in both the tbs and the
+ * signature, or absent from both the tbs and the signature.
*/
static const heim_octet_string null_entry_oid = { 2, rk_UNCONST("\x05\x00") };
@@ -151,44 +68,29 @@ const AlgorithmIdentifier _hx509_signature_md5_data = {
{ 6, rk_UNCONST(md5_oid_tree) }, rk_UNCONST(&null_entry_oid)
};
-static const unsigned ecPublicKey[] ={ 1, 2, 840, 10045, 2, 1 };
-const AlgorithmIdentifier _hx509_signature_ecPublicKey = {
- { 6, rk_UNCONST(ecPublicKey) }, NULL
-};
-
-static const unsigned ecdsa_with_sha256_oid[] ={ 1, 2, 840, 10045, 4, 3, 2 };
-const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha256_data = {
- { 7, rk_UNCONST(ecdsa_with_sha256_oid) }, NULL
-};
-
-static const unsigned ecdsa_with_sha1_oid[] ={ 1, 2, 840, 10045, 4, 1 };
-const AlgorithmIdentifier _hx509_signature_ecdsa_with_sha1_data = {
- { 6, rk_UNCONST(ecdsa_with_sha1_oid) }, NULL
-};
-
static const unsigned rsa_with_sha512_oid[] ={ 1, 2, 840, 113549, 1, 1, 13 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha512_data = {
- { 7, rk_UNCONST(rsa_with_sha512_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_sha512_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_with_sha384_oid[] ={ 1, 2, 840, 113549, 1, 1, 12 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha384_data = {
- { 7, rk_UNCONST(rsa_with_sha384_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_sha384_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_with_sha256_oid[] ={ 1, 2, 840, 113549, 1, 1, 11 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha256_data = {
- { 7, rk_UNCONST(rsa_with_sha256_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_sha256_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_with_sha1_oid[] ={ 1, 2, 840, 113549, 1, 1, 5 };
const AlgorithmIdentifier _hx509_signature_rsa_with_sha1_data = {
- { 7, rk_UNCONST(rsa_with_sha1_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_sha1_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_with_md5_oid[] ={ 1, 2, 840, 113549, 1, 1, 4 };
const AlgorithmIdentifier _hx509_signature_rsa_with_md5_data = {
- { 7, rk_UNCONST(rsa_with_md5_oid) }, NULL
+ { 7, rk_UNCONST(rsa_with_md5_oid) }, rk_UNCONST(&null_entry_oid)
};
static const unsigned rsa_oid[] ={ 1, 2, 840, 113549, 1, 1, 1 };
@@ -234,10 +136,10 @@ heim_int2BN(const heim_integer *i)
*
*/
-static int
-set_digest_alg(DigestAlgorithmIdentifier *id,
- const heim_oid *oid,
- const void *param, size_t length)
+int
+_hx509_set_digest_alg(DigestAlgorithmIdentifier *id,
+ const heim_oid *oid,
+ const void *param, size_t length)
{
int ret;
if (param) {
@@ -266,265 +168,6 @@ set_digest_alg(DigestAlgorithmIdentifier *id,
return 0;
}
-#ifdef HAVE_OPENSSL
-
-static int
-heim_oid2ecnid(heim_oid *oid)
-{
- /*
- * Now map to openssl OID fun
- */
-
- if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP256R1) == 0)
- return NID_X9_62_prime256v1;
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R1) == 0)
- return NID_secp160r1;
- else if (der_heim_oid_cmp(oid, ASN1_OID_ID_EC_GROUP_SECP160R2) == 0)
- return NID_secp160r2;
-
- return -1;
-}
-
-static int
-parse_ECParameters(hx509_context context,
- heim_octet_string *parameters, int *nid)
-{
- ECParameters ecparam;
- size_t size;
- int ret;
-
- if (parameters == NULL) {
- ret = HX509_PARSING_KEY_FAILED;
- hx509_set_error_string(context, 0, ret,
- "EC parameters missing");
- return ret;
- }
-
- ret = decode_ECParameters(parameters->data, parameters->length,
- &ecparam, &size);
- if (ret) {
- hx509_set_error_string(context, 0, ret,
- "Failed to decode EC parameters");
- return ret;
- }
-
- if (ecparam.element != choice_ECParameters_namedCurve) {
- free_ECParameters(&ecparam);
- hx509_set_error_string(context, 0, ret,
- "EC parameters is not a named curve");
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
- }
-
- *nid = heim_oid2ecnid(&ecparam.u.namedCurve);
- free_ECParameters(&ecparam);
- if (*nid == -1) {
- hx509_set_error_string(context, 0, ret,
- "Failed to find matcing NID for EC curve");
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
- }
- return 0;
-}
-
-
-/*
- *
- */
-
-static int
-ecdsa_verify_signature(hx509_context context,
- const struct signature_alg *sig_alg,
- const Certificate *signer,
- const AlgorithmIdentifier *alg,
- const heim_octet_string *data,
- const heim_octet_string *sig)
-{
- const AlgorithmIdentifier *digest_alg;
- const SubjectPublicKeyInfo *spi;
- heim_octet_string digest;
- int ret;
- EC_KEY *key = NULL;
- int groupnid;
- EC_GROUP *group;
- const unsigned char *p;
- long len;
-
- digest_alg = sig_alg->digest_alg;
-
- ret = _hx509_create_signature(context,
- NULL,
- digest_alg,
- data,
- NULL,
- &digest);
- if (ret)
- return ret;
-
- /* set up EC KEY */
- spi = &signer->tbsCertificate.subjectPublicKeyInfo;
-
- if (der_heim_oid_cmp(&spi->algorithm.algorithm, ASN1_OID_ID_ECPUBLICKEY) != 0)
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
-
-#ifdef HAVE_OPENSSL
- /*
- * Find the group id
- */
-
- ret = parse_ECParameters(context, spi->algorithm.parameters, &groupnid);
- if (ret) {
- der_free_octet_string(&digest);
- return ret;
- }
-
- /*
- * Create group, key, parse key
- */
-
- key = EC_KEY_new();
- group = EC_GROUP_new_by_curve_name(groupnid);
- EC_KEY_set_group(key, group);
- EC_GROUP_free(group);
-
- p = spi->subjectPublicKey.data;
- len = spi->subjectPublicKey.length / 8;
-
- if (o2i_ECPublicKey(&key, &p, len) == NULL) {
- EC_KEY_free(key);
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
- }
-#else
- key = SubjectPublicKeyInfo2EC_KEY(spi);
-#endif
-
- ret = ECDSA_verify(-1, digest.data, digest.length,
- sig->data, sig->length, key);
- der_free_octet_string(&digest);
- EC_KEY_free(key);
- if (ret != 1) {
- ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
- return ret;
- }
-
- return 0;
-}
-
-static int
-ecdsa_create_signature(hx509_context context,
- const struct signature_alg *sig_alg,
- const hx509_private_key signer,
- const AlgorithmIdentifier *alg,
- const heim_octet_string *data,
- AlgorithmIdentifier *signatureAlgorithm,
- heim_octet_string *sig)
-{
- const AlgorithmIdentifier *digest_alg;
- heim_octet_string indata;
- const heim_oid *sig_oid;
- unsigned int siglen;
- int ret;
-
- if (signer->ops && der_heim_oid_cmp(signer->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) != 0)
- _hx509_abort("internal error passing private key to wrong ops");
-
- sig_oid = sig_alg->sig_oid;
- digest_alg = sig_alg->digest_alg;
-
- if (signatureAlgorithm) {
- ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
- if (ret) {
- hx509_clear_error_string(context);
- goto error;
- }
- }
-
- ret = _hx509_create_signature(context,
- NULL,
- digest_alg,
- data,
- NULL,
- &indata);
- if (ret) {
- if (signatureAlgorithm)
- free_AlgorithmIdentifier(signatureAlgorithm);
- goto error;
- }
-
- sig->length = ECDSA_size(signer->private_key.ecdsa);
- sig->data = malloc(sig->length);
- if (sig->data == NULL) {
- der_free_octet_string(&indata);
- ret = ENOMEM;
- hx509_set_error_string(context, 0, ret, "out of memory");
- goto error;
- }
-
- siglen = sig->length;
-
- ret = ECDSA_sign(-1, indata.data, indata.length,
- sig->data, &siglen, signer->private_key.ecdsa);
- der_free_octet_string(&indata);
- if (ret != 1) {
- ret = HX509_CMS_FAILED_CREATE_SIGATURE;
- hx509_set_error_string(context, 0, ret,
- "ECDSA sign failed: %d", ret);
- goto error;
- }
- if (siglen > sig->length)
- _hx509_abort("ECDSA signature prelen longer the output len");
-
- sig->length = siglen;
-
- return 0;
- error:
- if (signatureAlgorithm)
- free_AlgorithmIdentifier(signatureAlgorithm);
- return ret;
-}
-
-static int
-ecdsa_available(const hx509_private_key signer,
- const AlgorithmIdentifier *sig_alg)
-{
- const struct signature_alg *sig;
- const EC_GROUP *group;
- BN_CTX *bnctx = NULL;
- BIGNUM *order = NULL;
- int ret = 0;
-
- if (der_heim_oid_cmp(signer->ops->key_oid, &asn1_oid_id_ecPublicKey) != 0)
- _hx509_abort("internal error passing private key to wrong ops");
-
- sig = find_sig_alg(&sig_alg->algorithm);
-
- if (sig == NULL || sig->digest_size == 0)
- return 0;
-
- group = EC_KEY_get0_group(signer->private_key.ecdsa);
- if (group == NULL)
- return 0;
-
- bnctx = BN_CTX_new();
- order = BN_new();
- if (order == NULL)
- goto err;
-
- if (EC_GROUP_get_order(group, order, bnctx) != 1)
- goto err;
-
- if (BN_num_bytes(order) > sig->digest_size)
- ret = 1;
- err:
- if (bnctx)
- BN_CTX_free(bnctx);
- if (order)
- BN_clear_free(order);
-
- return ret;
-}
-
-
-#endif /* HAVE_OPENSSL */
-
/*
*
*/
@@ -619,6 +262,9 @@ rsa_verify_signature(hx509_context context,
&di.digestAlgorithm,
data,
&di.digest);
+ if (ret)
+ goto out;
+
} else {
if ((size_t)retsize != data->length ||
ct_memcmp(to, data->data, retsize) != 0)
@@ -628,8 +274,8 @@ rsa_verify_signature(hx509_context context,
goto out;
}
free(to);
+ ret = 0;
}
- ret = 0;
out:
free_DigestInfo(&di);
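Review bot: The `goto out;` kept at the top of this hunk leaves the mismatch path before `free(to);` runs, so a failed raw comparison appears to leak the decrypted buffer. Unless the cleanup under `out:` (it continues outside the hunk) releases `to`, add `free(to);` ahead of that `goto out;`, or set `to = NULL` after each free and release it once under `out:`. This commit already reworks the exit paths of rsa_verify_signature, so the failure path is worth closing at the same time.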
@@ -683,7 +329,8 @@ rsa_create_signature(hx509_context context,
return HX509_ALG_NOT_SUPP;
if (signatureAlgorithm) {
- ret = set_digest_alg(signatureAlgorithm, sig_oid, "\x05\x00", 2);
+ ret = _hx509_set_digest_alg(signatureAlgorithm, sig_oid,
+ "\x05\x00", 2);
if (ret) {
hx509_clear_error_string(context);
return ret;
@@ -739,11 +386,13 @@ rsa_create_signature(hx509_context context,
"RSA private encrypt failed: %d", ret);
return ret;
}
- if ((size_t)ret > sig->length)
+ if (sig->length > (size_t)ret) {
+ size = sig->length - ret;
+ memmove((uint8_t *)sig->data + size, sig->data, ret);
+ memset(sig->data, 0, size);
+ } else if (sig->length < (size_t)ret)
_hx509_abort("RSA signature prelen longer the output len");
- sig->length = ret;
-
return 0;
}
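Review bot: The new left-padding branch has no comment explaining why a short result is shifted and zero-filled instead of being reported through `sig->length`, as the removed `sig->length = ret;` did. A line such as `/* keep the signature exactly sig->length bytes: left-pad a short result with zero octets */` above the `memmove` would record the intent. That `sig->length` holds the modulus size is inferred, since it is set outside the hunk. The aborting `else if` arm is unbraced next to a braced `if`; bracing both would match. The abort also fires only after the signing call has already written into `sig->data`, so it detects an overrun rather than preventing one.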
@@ -795,8 +444,9 @@ rsa_private_key2SPKI(hx509_context context,
}
spki->subjectPublicKey.length = len * 8;
- ret = set_digest_alg(&spki->algorithm, ASN1_OID_ID_PKCS1_RSAENCRYPTION,
- "\x05\x00", 2);
+ ret = _hx509_set_digest_alg(&spki->algorithm,
+ ASN1_OID_ID_PKCS1_RSAENCRYPTION,
+ "\x05\x00", 2);
if (ret) {
hx509_set_error_string(context, 0, ret, "malloc - out of memory");
free(spki->subjectPublicKey.data);
@@ -920,115 +570,6 @@ static hx509_private_key_ops rsa_private_key_ops = {
rsa_get_internal
};
-#ifdef HAVE_OPENSSL
-
-static int
-ecdsa_private_key2SPKI(hx509_context context,
- hx509_private_key private_key,
- SubjectPublicKeyInfo *spki)
-{
- memset(spki, 0, sizeof(*spki));
- return ENOMEM;
-}
-
-static int
-ecdsa_private_key_export(hx509_context context,
- const hx509_private_key key,
- hx509_key_format_t format,
- heim_octet_string *data)
-{
- return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
-}
-
-static int
-ecdsa_private_key_import(hx509_context context,
- const AlgorithmIdentifier *keyai,
- const void *data,
- size_t len,
- hx509_key_format_t format,
- hx509_private_key private_key)
-{
- const unsigned char *p = data;
- EC_KEY **pkey = NULL;
-
- if (keyai->parameters) {
- EC_GROUP *group;
- int groupnid;
- EC_KEY *key;
- int ret;
-
- ret = parse_ECParameters(context, keyai->parameters, &groupnid);
- if (ret)
- return ret;
-
- key = EC_KEY_new();
- if (key == NULL)
- return ENOMEM;
-
- group = EC_GROUP_new_by_curve_name(groupnid);
- if (group == NULL) {
- EC_KEY_free(key);
- return ENOMEM;
- }
- EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
- if (EC_KEY_set_group(key, group) == 0) {
- EC_KEY_free(key);
- EC_GROUP_free(group);
- return ENOMEM;
- }
- EC_GROUP_free(group);
- pkey = &key;
- }
-
- switch (format) {
- case HX509_KEY_FORMAT_DER:
-
- private_key->private_key.ecdsa = d2i_ECPrivateKey(pkey, &p, len);
- if (private_key->private_key.ecdsa == NULL) {
- hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
- "Failed to parse EC private key");
- return HX509_PARSING_KEY_FAILED;
- }
- private_key->signature_alg = ASN1_OID_ID_ECDSA_WITH_SHA256;
- break;
-
- default:
- return HX509_CRYPTO_KEY_FORMAT_UNSUPPORTED;
- }
-
- return 0;
-}
-
-static int
-ecdsa_generate_private_key(hx509_context context,
- struct hx509_generate_private_context *ctx,
- hx509_private_key private_key)
-{
- return ENOMEM;
-}
-
-static BIGNUM *
-ecdsa_get_internal(hx509_context context,
- hx509_private_key key,
- const char *type)
-{
- return NULL;
-}
-
-
-static hx509_private_key_ops ecdsa_private_key_ops = {
- "EC PRIVATE KEY",
- ASN1_OID_ID_ECPUBLICKEY,
- ecdsa_available,
- ecdsa_private_key2SPKI,
- ecdsa_private_key_export,
- ecdsa_private_key_import,
- ecdsa_generate_private_key,
- ecdsa_get_internal
-};
-
-#endif /* HAVE_OPENSSL */
-
/*
*
*/
@@ -1157,8 +698,8 @@ evp_md_create_signature(hx509_context context,
if (signatureAlgorithm) {
int ret;
- ret = set_digest_alg(signatureAlgorithm, sig_alg->sig_oid,
- "\x05\x00", 2);
+ ret = _hx509_set_digest_alg(signatureAlgorithm,
+ sig_alg->sig_oid, "\x05\x00", 2);
if (ret)
return ret;
}
@@ -1214,36 +755,11 @@ evp_md_verify_signature(hx509_context context,
return 0;
}
-#ifdef HAVE_OPENSSL
-
-static const struct signature_alg ecdsa_with_sha256_alg = {
- "ecdsa-with-sha256",
- ASN1_OID_ID_ECDSA_WITH_SHA256,
- &_hx509_signature_ecdsa_with_sha256_data,
- ASN1_OID_ID_ECPUBLICKEY,
- &_hx509_signature_sha256_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
- 0,
- NULL,
- ecdsa_verify_signature,
- ecdsa_create_signature,
- 32
-};
-
-static const struct signature_alg ecdsa_with_sha1_alg = {
- "ecdsa-with-sha1",
- ASN1_OID_ID_ECDSA_WITH_SHA1,
- &_hx509_signature_ecdsa_with_sha1_data,
- ASN1_OID_ID_ECPUBLICKEY,
- &_hx509_signature_sha1_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
- 0,
- NULL,
- ecdsa_verify_signature,
- ecdsa_create_signature,
- 20
-};
-
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+extern const struct signature_alg ecdsa_with_sha512_alg;
+extern const struct signature_alg ecdsa_with_sha384_alg;
+extern const struct signature_alg ecdsa_with_sha256_alg;
+extern const struct signature_alg ecdsa_with_sha1_alg;
#endif
static const struct signature_alg heim_rsa_pkcs1_x509 = {
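Review bot: The four `extern const struct signature_alg ecdsa_with_*_alg;` declarations are written directly in this .c file, so the compiler never checks them against the definitions that now live elsewhere (presumably the new crypto-ec.c). Declaring them once in a shared internal header, included by both the defining file and this one, would turn any type or qualifier drift into a build error. The later hunk adding `extern hx509_private_key_ops ecdsa_private_key_ops;` has the same issue.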
@@ -1350,7 +866,7 @@ static const struct signature_alg rsa_with_md5_alg = {
&_hx509_signature_rsa_with_md5_data,
ASN1_OID_ID_PKCS1_RSAENCRYPTION,
&_hx509_signature_md5_data,
- PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+ PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|WEAK_SIG_ALG,
1230739889,
NULL,
rsa_verify_signature,
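Review bot: The `1230739889` best-before value stays in this entry, but the check rewritten later in this commit (`_hx509_signature_is_weak`) tests only `WEAK_SIG_ALG` and no longer reads `best_before`. If no other reader remains, which cannot be told from this hunk, the field is dead data suggesting a date-based cutoff still applies. Either zero it or add `/* unused: weakness is now decided by WEAK_SIG_ALG */` beside it. The `md5_alg` hunk below gets the same flag, and the struct initializer starts outside this hunk.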
@@ -1434,7 +950,7 @@ static const struct signature_alg md5_alg = {
&_hx509_signature_md5_data,
NULL,
NULL,
- SIG_DIGEST,
+ SIG_DIGEST|WEAK_SIG_ALG,
0,
EVP_md5,
evp_md_verify_signature,
@@ -1448,7 +964,9 @@ static const struct signature_alg md5_alg = {
*/
static const struct signature_alg *sig_algs[] = {
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+ &ecdsa_with_sha512_alg,
+ &ecdsa_with_sha384_alg,
&ecdsa_with_sha256_alg,
&ecdsa_with_sha1_alg,
#endif
@@ -1469,8 +987,8 @@ static const struct signature_alg *sig_algs[] = {
NULL
};
-static const struct signature_alg *
-find_sig_alg(const heim_oid *oid)
+const struct signature_alg *
+_hx509_find_sig_alg(const heim_oid *oid)
{
unsigned int i;
for (i = 0; sig_algs[i]; i++)
@@ -1511,10 +1029,13 @@ alg_for_privatekey(const hx509_private_key pk, int type)
/*
*
*/
+#ifdef HAVE_HCRYPTO_W_OPENSSL
+extern hx509_private_key_ops ecdsa_private_key_ops;
+#endif
static struct hx509_private_key_ops *private_algs[] = {
&rsa_private_key_ops,
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_HCRYPTO_W_OPENSSL
&ecdsa_private_key_ops,
#endif
NULL
@@ -1539,21 +1060,18 @@ hx509_find_private_alg(const heim_oid *oid)
*/
int
-_hx509_signature_best_before(hx509_context context,
- const AlgorithmIdentifier *alg,
- time_t t)
+_hx509_signature_is_weak(hx509_context context, const AlgorithmIdentifier *alg)
{
const struct signature_alg *md;
- md = find_sig_alg(&alg->algorithm);
+ md = _hx509_find_sig_alg(&alg->algorithm);
if (md == NULL) {
hx509_clear_error_string(context);
return HX509_SIG_ALG_NO_SUPPORTED;
}
- if (md->best_before && md->best_before < t) {
+ if (md->flags & WEAK_SIG_ALG) {
hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
- "Algorithm %s has passed it best before date",
- md->name);
+ "Algorithm %s is weak", md->name);
return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
}
return 0;
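Review bot: `_hx509_signature_is_weak` reads like a predicate, but it returns 0 for an acceptable algorithm and a non-zero hx509 error both for a weak one and for an unknown one (`HX509_SIG_ALG_NO_SUPPORTED`), and nothing documents that. A header comment stating this contract would stop callers from treating every non-zero result as "weak". The weak case still reports `HX509_CRYPTO_ALGORITHM_BEST_BEFORE`, which no longer matches the new message; if the code is kept for compatibility, say so with `/* error code kept for compatibility; no date is checked any more */`.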
@@ -1565,7 +1083,7 @@ _hx509_self_signed_valid(hx509_context context,
{
const struct signature_alg *md;
- md = find_sig_alg(&alg->algorithm);
+ md = _hx509_find_sig_alg(&alg->algorithm);
if (md == NULL) {
hx509_clear_error_string(context);
return HX509_SIG_ALG_NO_SUPPORTED;
@@ -1593,7 +1111,7 @@ _hx509_verify_signature(hx509_context context,
if (cert)
signer = _hx509_get_cert(cert);
- md = find_sig_alg(&alg->algorithm);
+ md = _hx509_find_sig_alg(&alg->algorithm);
if (md == NULL) {
hx509_clear_error_string(context);
return HX509_SIG_ALG_NO_SUPPORTED;
@@ -1628,7 +1146,7 @@ _hx509_create_signature(hx509_context context,
{
const struct signature_alg *md;
- md = find_sig_alg(&alg->algorithm);
+ md = _hx509_find_sig_alg(&alg->algorithm);
if (md == NULL) {
hx509_set_error_string(context, 0, HX509_SIG_ALG_NO_SUPPORTED,
"algorithm no supported");
@@ -1923,18 +1441,6 @@ hx509_signature_md5(void)
{ return &_hx509_signature_md5_data; }
const AlgorithmIdentifier *
-hx509_signature_ecPublicKey(void)
-{ return &_hx509_signature_ecPublicKey; }
-
-const AlgorithmIdentifier *
-hx509_signature_ecdsa_with_sha256(void)
-{ return &_hx509_signature_ecdsa_with_sha256_data; }
-
-const AlgorithmIdentifier *
-hx509_signature_ecdsa_with_sha1(void)
-{ return &_hx509_signature_ecdsa_with_sha1_data; }
-
-const AlgorithmIdentifier *
hx509_signature_rsa_with_sha512(void)
{ return &_hx509_signature_rsa_with_sha512_data; }
@@ -2034,11 +1540,10 @@ hx509_private_key_free(hx509_private_key *key)
if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0) {
if ((*key)->private_key.rsa)
RSA_free((*key)->private_key.rsa);
-#ifdef HAVE_OPENSSL
- } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0) {
- if ((*key)->private_key.ecdsa)
- EC_KEY_free((*key)->private_key.ecdsa);
-#endif
+ } else if ((*key)->ops && der_heim_oid_cmp((*key)->ops->key_oid,
+ ASN1_OID_ID_ECPUBLICKEY) == 0 &&
+ (*key)->private_key.ecdsa != NULL) {
+ _hx509_private_eckey_free((*key)->private_key.ecdsa);
}
(*key)->private_key.rsa = NULL;
free(*key);
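Review bot: The call to `_hx509_private_eckey_free` is now compiled unconditionally, while the other EC references in this file moved behind `HAVE_HCRYPTO_W_OPENSSL`. That only links if a definition or stub of the function exists in builds without that macro, which is not visible here. Confirm it, or keep the branch under the same guard. The function body starts and ends outside the hunk.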
@@ -2806,29 +2311,49 @@ find_string2key(const heim_oid *oid,
{
if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC2_CBC) == 0) {
*c = EVP_rc2_40_cbc();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return &asn1_oid_private_rc2_40;
} else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC2_CBC) == 0) {
*c = EVP_rc2_cbc();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return ASN1_OID_ID_PKCS3_RC2_CBC;
#if 0
} else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND40BITRC4) == 0) {
*c = EVP_rc4_40();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return NULL;
} else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND128BITRC4) == 0) {
*c = EVP_rc4();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return ASN1_OID_ID_PKCS3_RC4;
#endif
} else if (der_heim_oid_cmp(oid, ASN1_OID_ID_PBEWITHSHAAND3_KEYTRIPLEDES_CBC) == 0) {
*c = EVP_des_ede3_cbc();
+ if (*c == NULL)
+ return NULL;
*md = EVP_sha1();
+ if (*md == NULL)
+ return NULL;
*s2k = PBE_string2key;
return ASN1_OID_ID_PKCS3_DES_EDE3_CBC;
}
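Review bot: Each branch now returns NULL when an `EVP_*()` lookup yields no cipher or digest, which callers presumably cannot tell apart from the result for an unrecognised OID (the tail of the function is outside the hunk). `*c` may also already be assigned when the `*md` check fails. A comment at the top of the chain, e.g. `/* NULL also means the crypto backend lacks the cipher or digest */`, would document the widened meaning. The same four lines are repeated five times, two of them inside the `#if 0` block; checking `*c` and `*md` in one small static helper would keep the branches from drifting.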
@@ -3008,6 +2533,8 @@ match_keys_ec(hx509_cert c, hx509_private_key private_key)
int
_hx509_match_keys(hx509_cert c, hx509_private_key key)
{
+ if (!key->ops)
+ return 0;
if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_PKCS1_RSAENCRYPTION) == 0)
return match_keys_rsa(c, key);
if (der_heim_oid_cmp(key->ops->key_oid, ASN1_OID_ID_ECPUBLICKEY) == 0)
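Review bot: The new guard dereferences `key` before testing it, whereas `find_keytype` in the next hunk of this file checks `key == NULL` first. If a NULL key can reach `_hx509_match_keys`, which cannot be determined from this hunk, the guard should be `if (key == NULL || key->ops == NULL) return 0;`. The function continues outside the hunk.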
@@ -3025,7 +2552,7 @@ find_keytype(const hx509_private_key key)
if (key == NULL)
return NULL;
- md = find_sig_alg(key->signature_alg);
+ md = _hx509_find_sig_alg(key->signature_alg);
if (md == NULL)
return NULL;
return md->key_oid;
diff --git a/lib/hx509/data/PKITS_data.zip b/lib/hx509/data/PKITS_data.zip
new file mode 100644
index 000000000000..50d6fbb375ce
--- /dev/null
+++ b/lib/hx509/data/PKITS_data.zip
Binary files differ
diff --git a/lib/hx509/data/eccurve.pem b/lib/hx509/data/eccurve.pem
new file mode 100644
index 000000000000..a76e47d9590b
--- /dev/null
+++ b/lib/hx509/data/eccurve.pem
@@ -0,0 +1,3 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
diff --git a/lib/hx509/data/https.crt b/lib/hx509/data/https.crt
new file mode 100644
index 000000000000..2056c899c8cb
--- /dev/null
+++ b/lib/hx509/data/https.crt
@@ -0,0 +1,53 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9 (0x9)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: CN=hx509 Test Root CA, C=SE
+ Validity
+ Not Before: Apr 26 20:29:41 2009 GMT
+ Not After : Apr 24 20:29:41 2019 GMT
+ Subject: C=SE, CN=www.test.h5l.se
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (1024 bit)
+ Modulus:
+ 00:c6:f4:94:25:2b:d5:fa:e9:3d:00:a9:46:24:f1:
+ bf:fe:61:df:bd:cc:da:74:b7:f9:36:c1:ce:51:d2:
+ 01:6f:79:ba:b3:4a:d5:a4:43:5a:c7:ad:e4:e0:50:
+ e2:a6:bf:54:73:ad:a5:86:0a:bd:56:c4:4f:b5:f5:
+ 7f:7e:fe:10:78:17:e2:35:4c:bb:cc:4b:74:35:d0:
+ ab:63:b1:02:72:94:a7:9a:dc:10:ef:28:82:a9:6c:
+ dc:19:8d:b8:3e:5b:21:52:1f:88:51:a6:5a:f8:67:
+ cd:cb:48:6f:f5:8b:71:7c:4d:52:da:bb:f9:26:8a:
+ 27:9c:7e:8a:d1:99:54:35:7f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ X509v3 Subject Key Identifier:
+ 8A:BB:2D:06:4B:BD:DE:9A:BA:7C:5A:35:D0:E2:19:37:48:29:0E:9C
+ Signature Algorithm: sha1WithRSAEncryption
+ 90:35:ec:8c:f2:62:14:76:8a:29:52:99:44:c1:d7:c8:9e:74:
+ ef:90:4f:e7:ea:4d:cf:8f:c1:73:0c:d9:49:06:93:30:b0:19:
+ 5e:de:9c:11:93:66:02:4d:8f:e9:8c:52:fc:26:26:9e:09:69:
+ a5:a7:63:d2:2d:40:de:e5:d8:d5:51:c3:32:60:6a:2f:26:13:
+ 91:69:36:f6:67:e4:b0:54:9e:77:68:22:5f:51:b8:3c:42:bd:
+ e3:09:dc:11:9b:ed:db:63:df:90:57:38:00:90:be:89:e7:ea:
+ 8e:d8:21:cd:96:68:69:4b:a3:15:50:ce:63:80:2a:99:4b:ff:
+ dd:1c
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/https.key b/lib/hx509/data/https.key
new file mode 100644
index 000000000000..ee6065a0006f
--- /dev/null
+++ b/lib/hx509/data/https.key
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/mkcert.sh b/lib/hx509/data/mkcert.sh
new file mode 100755
index 000000000000..5faa571206a8
--- /dev/null
+++ b/lib/hx509/data/mkcert.sh
@@ -0,0 +1,84 @@
+#! /bin/bash
+
+set -e
+
+# For now, avoid going past the 2038 32-bit clock rollover
+DAYS=$(( ( 0x7fffffff - $(date +%s) ) / 86400 - 1 ))
+
+key() {
+ local key=$1; shift
+
+ if [ ! -f "${key}.pem" ]; then
+ openssl genpkey \
+ -paramfile <(openssl ecparam -name prime256v1) \
+ -out "${key}.pem"
+ fi
+}
+
+req() {
+ local key=$1; shift
+ local dn=$1; shift
+
+ openssl req -new -sha256 -key "${key}.pem" \
+ -config <(printf "[req]\n%s\n%s\n[dn]\nCN_default=foo\n" \
+ "prompt = yes" "distinguished_name = dn") \
+ -subj "${dn}"
+}
+
+cert() {
+ local cert=$1; shift
+ local exts=$1; shift
+
+ openssl x509 -req -sha256 -out "${cert}.pem" \
+ -extfile <(printf "%s\n" "$exts") "$@"
+}
+
+genroot() {
+ local dn=$1; shift
+ local key=$1; shift
+ local cert=$1; shift
+
+ exts=$(printf "%s\n%s\n%s\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid" \
+ "basicConstraints = CA:true" \
+ "keyUsage = keyCertSign, cRLSign" )
+ key "$key"; req "$key" "$dn" |
+ cert "$cert" "$exts" -signkey "${key}.pem" \
+ -set_serial 1 -days "${DAYS}"
+}
+
+genee() {
+ local dn=$1; shift
+ local key=$1; shift
+ local cert=$1; shift
+ local cakey=$1; shift
+ local cacert=$1; shift
+
+ exts=$(printf "%s\n%s\n%s\n%s\n" \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid, issuer" \
+ "basicConstraints = CA:false" \
+ "keyUsage = digitalSignature, keyEncipherment, dataEncipherment" \
+ )
+ key "$key"; req "$key" "$dn" |
+ cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
+ -set_serial 2 -days "${DAYS}" "$@"
+}
+
+
+genroot "/C=SE/O=Heimdal/CN=CA secp256r1" \
+ secp256r1TestCA.key secp256r1TestCA.cert
+genee "/C=SE/O=Heimdal/CN=Server" \
+ secp256r2TestServer.key secp256r2TestServer.cert \
+ secp256r1TestCA.key secp256r1TestCA.cert
+genee "/C=SE/O=Heimdal/CN=Client" \
+ secp256r2TestClient.key secp256r2TestClient.cert \
+ secp256r1TestCA.key secp256r1TestCA.cert
+
+cat secp256r1TestCA.key.pem secp256r1TestCA.cert.pem > \
+ secp256r1TestCA.pem
+cat secp256r2TestClient.cert.pem secp256r2TestClient.key.pem > \
+ secp256r2TestClient.pem
+cat secp256r2TestServer.cert.pem secp256r2TestServer.key.pem > \
+ secp256r2TestServer.pem
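Review bot: `genee` hard-codes `-set_serial 2` and is called twice against the same CA, so the Server and Client certificates share issuer and serial number. Passing the serial as an argument (for example `-set_serial "$serial"` with 2 and 3) keeps the fixtures distinct for any test that identifies certificates by issuer and serial. Separately, `set -e` does not catch a failing `req` on the left side of the `req | cert` pipelines; `set -eo pipefail` would. The generated file names say secp256r2 while `key()` selects `prime256v1`, which is worth a comment.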
diff --git a/lib/hx509/data/nist-result2 b/lib/hx509/data/nist-result2
new file mode 100644
index 000000000000..93a22e7aea75
--- /dev/null
+++ b/lib/hx509/data/nist-result2
@@ -0,0 +1,31 @@
+# $Id$
+# id FAIL
+4.2.8 EITHER depeneds on if time_t is 64 bit or not
+4.3.5 FAIL
+4.4.13 EITHER depeneds on if time_t is 64 bit or not
+4.5.1 FAIL
+4.5.4 FAIL
+4.5.6 FAIL
+4.6.15 FAIL
+4.6.17 FAIL
+4.11.2 FAIL
+4.12.2 FAIL
+4.13.19 FAIL
+4.13.21 FAIL
+4.13.23 FAIL
+4.13.26 FAIL
+4.13.27 FAIL
+4.13.30 FAIL
+4.13.33 FAIL
+4.13.34 FAIL
+4.13.37 FAIL
+4.14.1 FAIL
+4.14.4 FAIL
+4.14.5 FAIL
+4.14.7 FAIL
+4.14.13 FAIL
+4.14.18 FAIL
+4.14.19 FAIL
+4.15.4 FAIL
+4.15.5 FAIL
+4.16.2 FAIL
diff --git a/lib/hx509/data/openssl.cnf b/lib/hx509/data/openssl.cnf
index a6054009d955..b0146564592a 100644
--- a/lib/hx509/data/openssl.cnf
+++ b/lib/hx509/data/openssl.cnf
@@ -82,7 +82,7 @@ certs = .
[req]
distinguished_name = req_distinguished_name
-x509_extensions = v3_ca # The extentions to add to the self signed cert
+x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
diff --git a/lib/hx509/data/secp160r1TestCA.cert.pem b/lib/hx509/data/secp160r1TestCA.cert.pem
deleted file mode 100644
index 2d30fab2c608..000000000000
--- a/lib/hx509/data/secp160r1TestCA.cert.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBxjCCAYagAwIBAgIJAKjMYS/6EOLdMAkGByqGSM49BAEwNjELMAkGA1UEBhMC
-U0UxEDAOBgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0w
-OTAyMTQxNzUwMDRaFw0yMDAxMjgxNzUwMDRaMDYxCzAJBgNVBAYTAlNFMRAwDgYD
-VQQKEwdIZWltZGFsMRUwEwYDVQQDEwxDQSBzZWNwMTYwcjEwPjAQBgcqhkjOPQIB
-BgUrgQQACAMqAASMHokF13aCVrlhMSr9Vgofj7loM2a7ZrU3h8/j1n/cO24ceyN/
-DpsOo4GYMIGVMB0GA1UdDgQWBBS58EWwgNdBwkYVhUSNzwIehHhEDzBmBgNVHSME
-XzBdgBS58EWwgNdBwkYVhUSNzwIehHhED6E6pDgwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMYIJAKjMYS/6EOLd
-MAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQMvADAsAhRZPKbqMYDATJasRcXQfEh5
-8oHCywIUGZ0h6FqSvPgpkZ7hoU+ZEFJ/D88=
------END CERTIFICATE-----
diff --git a/lib/hx509/data/secp160r1TestCA.key.pem b/lib/hx509/data/secp160r1TestCA.key.pem
deleted file mode 100644
index f0ce773cf8ac..000000000000
--- a/lib/hx509/data/secp160r1TestCA.key.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFHegiSlX0311KSBjNrbzq6HrKjkYoAcGBSuBBAAIoSwDKgAEjB6JBdd2
-gla5YTEq/VYKH4+5aDNmu2a1N4fP49Z/3DtuHHsjfw6bDg==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r1TestCA.pem b/lib/hx509/data/secp160r1TestCA.pem
deleted file mode 100644
index a6f068d5476a..000000000000
--- a/lib/hx509/data/secp160r1TestCA.pem
+++ /dev/null
@@ -1,18 +0,0 @@
-issuer= /C=SE/O=Heimdal/CN=CA secp160r1
-subject= /C=SE/O=Heimdal/CN=CA secp160r1
------BEGIN CERTIFICATE-----
-MIIBxjCCAYagAwIBAgIJAKjMYS/6EOLdMAkGByqGSM49BAEwNjELMAkGA1UEBhMC
-U0UxEDAOBgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0w
-OTAyMTQxNzUwMDRaFw0yMDAxMjgxNzUwMDRaMDYxCzAJBgNVBAYTAlNFMRAwDgYD
-VQQKEwdIZWltZGFsMRUwEwYDVQQDEwxDQSBzZWNwMTYwcjEwPjAQBgcqhkjOPQIB
-BgUrgQQACAMqAASMHokF13aCVrlhMSr9Vgofj7loM2a7ZrU3h8/j1n/cO24ceyN/
-DpsOo4GYMIGVMB0GA1UdDgQWBBS58EWwgNdBwkYVhUSNzwIehHhEDzBmBgNVHSME
-XzBdgBS58EWwgNdBwkYVhUSNzwIehHhED6E6pDgwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMYIJAKjMYS/6EOLd
-MAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQMvADAsAhRZPKbqMYDATJasRcXQfEh5
-8oHCywIUGZ0h6FqSvPgpkZ7hoU+ZEFJ/D88=
------END CERTIFICATE-----
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFHegiSlX0311KSBjNrbzq6HrKjkYoAcGBSuBBAAIoSwDKgAEjB6JBdd2
-gla5YTEq/VYKH4+5aDNmu2a1N4fP49Z/3DtuHHsjfw6bDg==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r2TestClient.cert.pem b/lib/hx509/data/secp160r2TestClient.cert.pem
deleted file mode 100644
index 716395bf8e1e..000000000000
--- a/lib/hx509/data/secp160r2TestClient.cert.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBIDCB4AIJAN1XzNknE3lDMAkGByqGSM49BAEwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0wOTAyMTQx
-NzUwMDRaFw0yMDAxMjgxNzUwMDRaMDAxCzAJBgNVBAYTAlNFMRAwDgYDVQQKEwdI
-ZWltZGFsMQ8wDQYDVQQDEwZDbGllbnQwPjAQBgcqhkjOPQIBBgUrgQQAHgMqAASA
-oVzj3A0W1FaSmc0NwTRdX4A8eCbDb6pf07vMpUcOqvdXVGwWN3HhMAkGByqGSM49
-BAEDMAAwLQIURJ9Jdesm0rqwpOAn8K23GdWlCkYCFQDmJtqiOLs4jjUUP6T7O17M
-Iwyrvg==
------END CERTIFICATE-----
diff --git a/lib/hx509/data/secp160r2TestClient.key.pem b/lib/hx509/data/secp160r2TestClient.key.pem
deleted file mode 100644
index e5a2fef7941b..000000000000
--- a/lib/hx509/data/secp160r2TestClient.key.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFNz0QJPbDlTBMSOfUoxNSzOOpRKyoAcGBSuBBAAeoSwDKgAEgKFc49wN
-FtRWkpnNDcE0XV+APHgmw2+qX9O7zKVHDqr3V1RsFjdx4Q==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r2TestClient.pem b/lib/hx509/data/secp160r2TestClient.pem
deleted file mode 100644
index ca4bb331d767..000000000000
--- a/lib/hx509/data/secp160r2TestClient.pem
+++ /dev/null
@@ -1,15 +0,0 @@
-issuer= /C=SE/O=Heimdal/CN=CA secp160r1
-subject= /C=SE/O=Heimdal/CN=Client
------BEGIN CERTIFICATE-----
-MIIBIDCB4AIJAN1XzNknE3lDMAkGByqGSM49BAEwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0wOTAyMTQx
-NzUwMDRaFw0yMDAxMjgxNzUwMDRaMDAxCzAJBgNVBAYTAlNFMRAwDgYDVQQKEwdI
-ZWltZGFsMQ8wDQYDVQQDEwZDbGllbnQwPjAQBgcqhkjOPQIBBgUrgQQAHgMqAASA
-oVzj3A0W1FaSmc0NwTRdX4A8eCbDb6pf07vMpUcOqvdXVGwWN3HhMAkGByqGSM49
-BAEDMAAwLQIURJ9Jdesm0rqwpOAn8K23GdWlCkYCFQDmJtqiOLs4jjUUP6T7O17M
-Iwyrvg==
------END CERTIFICATE-----
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFNz0QJPbDlTBMSOfUoxNSzOOpRKyoAcGBSuBBAAeoSwDKgAEgKFc49wN
-FtRWkpnNDcE0XV+APHgmw2+qX9O7zKVHDqr3V1RsFjdx4Q==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r2TestServer.cert.pem b/lib/hx509/data/secp160r2TestServer.cert.pem
deleted file mode 100644
index 6b56036583cb..000000000000
--- a/lib/hx509/data/secp160r2TestServer.cert.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBIDCB4AIJAN1XzNknE3lCMAkGByqGSM49BAEwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0wOTAyMTQx
-NzUwMDRaFw0yMDAxMjgxNzUwMDRaMDAxCzAJBgNVBAYTAlNFMRAwDgYDVQQKEwdI
-ZWltZGFsMQ8wDQYDVQQDEwZTZXJ2ZXIwPjAQBgcqhkjOPQIBBgUrgQQAHgMqAARA
-IUAwnwABnZAs378hcEgnk8efxE35RF6B+MmxSq1Twhp2C1ophD6yMAkGByqGSM49
-BAEDMAAwLQIVAO0hl59KWXRMBaJ2iKsiu/j73/bPAhRfsTT6SIBL5+3gjLhl7SqK
-1kTMQw==
------END CERTIFICATE-----
diff --git a/lib/hx509/data/secp160r2TestServer.key.pem b/lib/hx509/data/secp160r2TestServer.key.pem
deleted file mode 100644
index a903d0f76655..000000000000
--- a/lib/hx509/data/secp160r2TestServer.key.pem
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFBR1r2nPL1Ln1U5Nk1kW9XtNEkk1oAcGBSuBBAAeoSwDKgAEQCFAMJ8A
-AZ2QLN+/IXBIJ5PHn8RN+URegfjJsUqtU8IadgtaKYQ+sg==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp160r2TestServer.pem b/lib/hx509/data/secp160r2TestServer.pem
deleted file mode 100644
index 329d871534c7..000000000000
--- a/lib/hx509/data/secp160r2TestServer.pem
+++ /dev/null
@@ -1,15 +0,0 @@
-issuer= /C=SE/O=Heimdal/CN=CA secp160r1
-subject= /C=SE/O=Heimdal/CN=Server
------BEGIN CERTIFICATE-----
-MIIBIDCB4AIJAN1XzNknE3lCMAkGByqGSM49BAEwNjELMAkGA1UEBhMCU0UxEDAO
-BgNVBAoTB0hlaW1kYWwxFTATBgNVBAMTDENBIHNlY3AxNjByMTAeFw0wOTAyMTQx
-NzUwMDRaFw0yMDAxMjgxNzUwMDRaMDAxCzAJBgNVBAYTAlNFMRAwDgYDVQQKEwdI
-ZWltZGFsMQ8wDQYDVQQDEwZTZXJ2ZXIwPjAQBgcqhkjOPQIBBgUrgQQAHgMqAARA
-IUAwnwABnZAs378hcEgnk8efxE35RF6B+MmxSq1Twhp2C1ophD6yMAkGByqGSM49
-BAEDMAAwLQIVAO0hl59KWXRMBaJ2iKsiu/j73/bPAhRfsTT6SIBL5+3gjLhl7SqK
-1kTMQw==
------END CERTIFICATE-----
------BEGIN EC PRIVATE KEY-----
-MFACAQEEFBR1r2nPL1Ln1U5Nk1kW9XtNEkk1oAcGBSuBBAAeoSwDKgAEQCFAMJ8A
-AZ2QLN+/IXBIJ5PHn8RN+URegfjJsUqtU8IadgtaKYQ+sg==
------END EC PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r1TestCA.cert.pem b/lib/hx509/data/secp256r1TestCA.cert.pem
new file mode 100644
index 000000000000..6cac58ee11ff
--- /dev/null
+++ b/lib/hx509/data/secp256r1TestCA.cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/secp256r1TestCA.key.pem b/lib/hx509/data/secp256r1TestCA.key.pem
new file mode 100644
index 000000000000..388826621dc7
--- /dev/null
+++ b/lib/hx509/data/secp256r1TestCA.key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgL2N0gdHhAjBGcJ40
+gHePPMwGKygIVDXTfjysn9zPiSOhRANCAATlK4Ur4qGCWilCvVoyOXhkQFrDgdgz
+bJU5HIE5BbHd7w+P3RsWhwTiDJLg/ZXRitrEAKxCAyn6zh7z/qBc94y2
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r1TestCA.pem b/lib/hx509/data/secp256r1TestCA.pem
new file mode 100644
index 000000000000..d0c7431880ae
--- /dev/null
+++ b/lib/hx509/data/secp256r1TestCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgL2N0gdHhAjBGcJ40
+gHePPMwGKygIVDXTfjysn9zPiSOhRANCAATlK4Ur4qGCWilCvVoyOXhkQFrDgdgz
+bJU5HIE5BbHd7w+P3RsWhwTiDJLg/ZXRitrEAKxCAyn6zh7z/qBc94y2
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/secp256r2TestClient.cert.pem b/lib/hx509/data/secp256r2TestClient.cert.pem
new file mode 100644
index 000000000000..f0f3a2445c55
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestClient.cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/secp256r2TestClient.key.pem b/lib/hx509/data/secp256r2TestClient.key.pem
new file mode 100644
index 000000000000..36c67f9db6f2
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestClient.key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6oD5CbNzN7oAWqcq
+dKJKw2WU5EwnUV05+7S9gXgeW/qhRANCAATu/zAiAR3/IEC0OZbadbsgjggMPLsp
+WWe/r/6wd6Ch7gCMi+qv0I2V2R9xUeVXCMwDWrzeUgH8fQhSaT5PqVCE
+-----END PRIVATE KEY-----
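Review bot: The curve in this file name does not match the key it holds: the PKCS#8 header on the first line, `MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEH`, is byte-identical to the one in secp256r1TestCA.key.pem and encodes id-ecPublicKey with the prime256v1 (secp256r1) parameters. The same applies to secp256r2TestClient.pem, secp256r2TestServer.key.pem and secp256r2TestServer.pem, so these fixtures exercise P-256 only, not a second 256-bit curve. The `r2` is presumably carried over from the secp160r1/secp160r2 fixture names. Either rename the files to `secp256r1Test*` or add a comment where the fixtures are generated (mkcert.sh, if that is the generator) stating that all secp256 test keys use prime256v1, so the file list is not read as coverage of two curves.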
diff --git a/lib/hx509/data/secp256r2TestClient.pem b/lib/hx509/data/secp256r2TestClient.pem
new file mode 100644
index 000000000000..acf11b0413ff
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestClient.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6oD5CbNzN7oAWqcq
+dKJKw2WU5EwnUV05+7S9gXgeW/qhRANCAATu/zAiAR3/IEC0OZbadbsgjggMPLsp
+WWe/r/6wd6Ch7gCMi+qv0I2V2R9xUeVXCMwDWrzeUgH8fQhSaT5PqVCE
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r2TestServer.cert.pem b/lib/hx509/data/secp256r2TestServer.cert.pem
new file mode 100644
index 000000000000..91acde8f60e5
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestServer.cert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/lib/hx509/data/secp256r2TestServer.key.pem b/lib/hx509/data/secp256r2TestServer.key.pem
new file mode 100644
index 000000000000..fb57e798c73e
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestServer.key.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKo/47DaveCl90GxH
+LCE7IGBua2XsE+jI4RUWZrqjhBGhRANCAASLWYJ9QvGQbypJDaBKH1i9CSwk2h09
+pSY+3fY0bUiokdj5TrXeR4bXg6j+/CuHoJUTJOZ6rJhKKGpX2zbBQcvE
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/data/secp256r2TestServer.pem b/lib/hx509/data/secp256r2TestServer.pem
new file mode 100644
index 000000000000..0e9edd782bcf
--- /dev/null
+++ b/lib/hx509/data/secp256r2TestServer.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKo/47DaveCl90GxH
+LCE7IGBua2XsE+jI4RUWZrqjhBGhRANCAASLWYJ9QvGQbypJDaBKH1i9CSwk2h09
+pSY+3fY0bUiokdj5TrXeR4bXg6j+/CuHoJUTJOZ6rJhKKGpX2zbBQcvE
+-----END PRIVATE KEY-----
diff --git a/lib/hx509/doxygen.c b/lib/hx509/doxygen.c
index 0c7dd780aedb..a6d3d9ca0ab1 100644
--- a/lib/hx509/doxygen.c
+++ b/lib/hx509/doxygen.c
@@ -82,4 +82,4 @@
* See the @ref page_ca for description and examples. */
/** @defgroup hx509_peer hx509 certificate selecting functions */
/** @defgroup hx509_print hx509 printing functions */
-/** @defgroup hx509_env hx509 enviroment functions */
+/** @defgroup hx509_env hx509 environment functions */
diff --git a/lib/hx509/env.c b/lib/hx509/env.c
index 7598aebaae74..70969504b3a8 100644
--- a/lib/hx509/env.c
+++ b/lib/hx509/env.c
@@ -34,7 +34,7 @@
#include "hx_locl.h"
/**
- * @page page_env Hx509 enviroment functions
+ * @page page_env Hx509 environment functions
*
* See the library functions here: @ref hx509_env
*/
@@ -43,7 +43,7 @@
* Add a new key/value pair to the hx509_env.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to add
* @param value value to add
*
@@ -94,7 +94,7 @@ hx509_env_add(hx509_context context, hx509_env *env,
* Add a new key/binding pair to the hx509_env.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to add
* @param list binding list to add
*
@@ -141,7 +141,7 @@ hx509_env_add_binding(hx509_context context, hx509_env *env,
* Search the hx509_env for a length based key.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to search for.
* @param len length of key.
*
@@ -167,7 +167,7 @@ hx509_env_lfind(hx509_context context, hx509_env env,
* Search the hx509_env for a key.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to search for.
*
* @return the value if the key is found, NULL otherwise.
@@ -190,7 +190,7 @@ hx509_env_find(hx509_context context, hx509_env env, const char *key)
* Search the hx509_env for a binding.
*
* @param context A hx509 context.
- * @param env enviroment to add the enviroment variable too.
+ * @param env environment to add the environment variable too.
* @param key key to search for.
*
* @return the binding if the key is found, NULL if not found.
@@ -229,9 +229,9 @@ env_free(hx509_env b)
}
/**
- * Free an hx509_env enviroment context.
+ * Free an hx509_env environment context.
*
- * @param env the enviroment to free.
+ * @param env the environment to free.
*
* @ingroup hx509_env
*/
diff --git a/lib/hx509/error.c b/lib/hx509/error.c
index fc3cf90b3255..be09414bfffa 100644
--- a/lib/hx509/error.c
+++ b/lib/hx509/error.c
@@ -45,17 +45,6 @@ struct hx509_error_data {
char *msg;
};
-static void
-free_error_string(hx509_error msg)
-{
- while(msg) {
- hx509_error m2 = msg->next;
- free(msg->msg);
- free(msg);
- msg = m2;
- }
-}
-
/**
* Resets the error strings the hx509 context.
*
@@ -68,7 +57,7 @@ void
hx509_clear_error_string(hx509_context context)
{
if (context) {
- free_error_string(context->error);
+ heim_release(context->error);
context->error = NULL;
}
}
@@ -91,31 +80,18 @@ void
hx509_set_error_stringv(hx509_context context, int flags, int code,
const char *fmt, va_list ap)
{
- hx509_error msg;
+ heim_error_t msg;
if (context == NULL)
return;
- msg = calloc(1, sizeof(*msg));
- if (msg == NULL) {
- hx509_clear_error_string(context);
- return;
- }
-
- if (vasprintf(&msg->msg, fmt, ap) == -1) {
- hx509_clear_error_string(context);
- free(msg);
- return;
- }
- msg->code = code;
-
- if (flags & HX509_ERROR_APPEND) {
- msg->next = context->error;
- context->error = msg;
- } else {
- free_error_string(context->error);
- context->error = msg;
+ msg = heim_error_createv(code, fmt, ap);
+ if (msg) {
+ if (flags & HX509_ERROR_APPEND)
+ heim_error_append(msg, context->error);
+ heim_release(context->error);
}
+ context->error = msg;
}
/**
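Review bot: The previous error object is leaked when `heim_error_createv()` returns NULL, because `heim_release(context->error)` sits inside `if (msg)` while `context->error = msg;` runs unconditionally and overwrites the old pointer. The removed code cleared the old error on allocation failure, so this is a regression on the out-of-memory path. Move the release out of the conditional: `if (msg && (flags & HX509_ERROR_APPEND)) heim_error_append(msg, context->error);` followed by `heim_release(context->error);` and then the assignment. This relies on `heim_release()` accepting NULL, which the new `hx509_clear_error_string()` in the previous hunk already assumes.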
@@ -157,12 +133,12 @@ hx509_set_error_string(hx509_context context, int flags, int code,
char *
hx509_get_error_string(hx509_context context, int error_code)
{
- struct rk_strpool *p = NULL;
- hx509_error msg = context->error;
+ heim_error_t msg = context->error;
+ heim_string_t s;
+ char *str = NULL;
- if (msg == NULL || msg->code != error_code) {
+ if (msg == NULL || heim_error_get_code(msg) != error_code) {
const char *cstr;
- char *str;
cstr = com_right(context->et_list, error_code);
if (cstr)
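Review bot: `context` is dereferenced in the initializer `heim_error_t msg = context->error;`, and again in `com_right(context->et_list, error_code)`, with no NULL check, while `hx509_clear_error_string()` and `hx509_set_error_stringv()` in this file both tolerate a NULL context. If callers can reach this function with the same NULL context they hand to the setters, it crashes where the others return quietly. A guard such as `if (context == NULL) return NULL;` ahead of the first use would make the three consistent, with the initializer becoming a plain assignment after it. The dereference predates this commit, and the function body continues past the end of this hunk.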
@@ -175,11 +151,14 @@ hx509_get_error_string(hx509_context context, int error_code)
return str;
}
- for (msg = context->error; msg; msg = msg->next)
- p = rk_strpoolprintf(p, "%s%s", msg->msg,
- msg->next != NULL ? "; " : "");
-
- return rk_strpoolcollect(p);
+ s = heim_error_copy_string(msg);
+ if (s) {
+ const char *cstr = heim_string_get_utf8(s);
+ if (cstr)
+ str = strdup(cstr);
+ heim_release(s);
+ }
+ return str;
}
/**
@@ -215,13 +194,14 @@ hx509_err(hx509_context context, int exit_code,
va_list ap;
const char *msg;
char *str;
+ int ret;
va_start(ap, fmt);
- vasprintf(&str, fmt, ap);
+ ret = vasprintf(&str, fmt, ap);
va_end(ap);
msg = hx509_get_error_string(context, error_code);
if (msg == NULL)
msg = "no error";
- errx(exit_code, "%s: %s", str, msg);
+ errx(exit_code, "%s: %s", ret != -1 ? str : "ENOMEM", msg);
}
diff --git a/lib/hx509/file.c b/lib/hx509/file.c
index 4f7e87f070ae..5401af7a0f43 100644
--- a/lib/hx509/file.c
+++ b/lib/hx509/file.c
@@ -98,7 +98,7 @@ hx509_pem_write(hx509_context context, const char *type,
if (length > ENCODE_LINE_LENGTH)
length = ENCODE_LINE_LENGTH;
- l = base64_encode(p, length, &line);
+ l = rk_base64_encode(p, length, &line);
if (l < 0) {
hx509_set_error_string(context, 0, ENOMEM,
"malloc - out of memory");
@@ -255,7 +255,7 @@ hx509_pem_read(hx509_context context,
}
p = emalloc(i);
- i = base64_decode(buf, p);
+ i = rk_base64_decode(buf, p);
if (i < 0) {
free(p);
goto out;
diff --git a/lib/hx509/hx509-private.h b/lib/hx509/hx509-private.h
index 60891f27fca6..72d3bbdfa748 100644
--- a/lib/hx509/hx509-private.h
+++ b/lib/hx509/hx509-private.h
@@ -30,7 +30,7 @@ void
_hx509_abort (
const char */*fmt*/,
...)
- __attribute__ ((noreturn, format (printf, 1, 2)));
+ __attribute__ ((__noreturn__, __format__ (__printf__, 1, 2)));
int
_hx509_calculate_path (
@@ -193,6 +193,9 @@ _hx509_find_extension_subject_key_id (
const Certificate */*issuer*/,
SubjectKeyIdentifier */*si*/);
+const struct signature_alg *
+_hx509_find_sig_alg (const heim_oid */*oid*/);
+
int
_hx509_generate_private_key (
hx509_context /*context*/,
@@ -333,6 +336,9 @@ _hx509_pi_printf (
const char */*fmt*/,
...);
+void
+_hx509_private_eckey_free (void */*eckey*/);
+
int
_hx509_private_key_export (
hx509_context /*context*/,
@@ -440,10 +446,16 @@ _hx509_set_cert_attribute (
const heim_octet_string */*attr*/);
int
-_hx509_signature_best_before (
+_hx509_set_digest_alg (
+ DigestAlgorithmIdentifier */*id*/,
+ const heim_oid */*oid*/,
+ const void */*param*/,
+ size_t /*length*/);
+
+int
+_hx509_signature_is_weak (
hx509_context /*context*/,
- const AlgorithmIdentifier */*alg*/,
- time_t /*t*/);
+ const AlgorithmIdentifier */*alg*/);
void
_hx509_unmap_file_os (heim_octet_string */*os*/);
diff --git a/lib/hx509/hx509-protos.h b/lib/hx509/hx509-protos.h
index d03c7767e541..8de7a67ab7df 100644
--- a/lib/hx509/hx509-protos.h
+++ b/lib/hx509/hx509-protos.h
@@ -1,6 +1,7 @@
/* This is a generated file */
#ifndef __hx509_protos_h__
#define __hx509_protos_h__
+#ifndef DOXY
#include <stdarg.h>
@@ -21,12 +22,47 @@ extern "C" {
#endif
#endif
#endif
+/**
+ * Print a bitstring using a hx509_vprint_func function. To print to
+ * stdout use hx509_print_stdout().
+ *
+ * @param b bit string to print.
+ * @param func hx509_vprint_func to print with.
+ * @param ctx context variable to hx509_vprint_func function.
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_bitstring_print (
const heim_bit_string */*b*/,
hx509_vprint_func /*func*/,
void */*ctx*/);
+/**
+ * Sign a to-be-signed certificate object with a issuer certificate.
+ *
+ * The caller needs to at least have called the following functions on the
+ * to-be-signed certificate object:
+ * - hx509_ca_tbs_init()
+ * - hx509_ca_tbs_set_subject()
+ * - hx509_ca_tbs_set_spki()
+ *
+ * When done the to-be-signed certificate object should be freed with
+ * hx509_ca_tbs_free().
+ *
+ * When creating self-signed certificate use hx509_ca_sign_self() instead.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param signer the CA certificate object to sign with (need private key).
+ * @param certificate return cerificate, free with hx509_cert_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_sign (
hx509_context /*context*/,
@@ -34,6 +70,19 @@ hx509_ca_sign (
hx509_cert /*signer*/,
hx509_cert */*certificate*/);
+/**
+ * Work just like hx509_ca_sign() but signs it-self.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param signer private key to sign with.
+ * @param certificate return cerificate, free with hx509_cert_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_sign_self (
hx509_context /*context*/,
@@ -41,6 +90,20 @@ hx509_ca_sign_self (
hx509_private_key /*signer*/,
hx509_cert */*certificate*/);
+/**
+ * Add CRL distribution point URI to the to-be-signed certificate
+ * object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param uri uri to the CRL.
+ * @param issuername name of the issuer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_crl_dp_uri (
hx509_context /*context*/,
@@ -48,30 +111,99 @@ hx509_ca_tbs_add_crl_dp_uri (
const char */*uri*/,
hx509_name /*issuername*/);
+/**
+ * An an extended key usage to the to-be-signed certificate object.
+ * Duplicates will detected and not added.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid extended key usage to add.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_eku (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const heim_oid */*oid*/);
+/**
+ * Add a Subject Alternative Name hostname to to-be-signed certificate
+ * object. A domain match starts with ., an exact match does not.
+ *
+ * Example of a an domain match: .domain.se matches the hostname
+ * host.domain.se.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param dnsname a hostame.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_hostname (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*dnsname*/);
+/**
+ * Add a Jabber/XMPP jid Subject Alternative Name to the to-be-signed
+ * certificate object. The jid is an UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param jid string of an a jabber id in UTF8.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_jid (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*jid*/);
+/**
+ * Add Microsoft UPN Subject Alternative Name to the to-be-signed
+ * certificate object. The principal string is a UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param principal Microsoft UPN string.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_ms_upn (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*principal*/);
+/**
+ * Add Subject Alternative Name otherName to the to-be-signed
+ * certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param oid the oid of the OtherName.
+ * @param os data in the other name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_otherName (
hx509_context /*context*/,
@@ -79,79 +211,273 @@ hx509_ca_tbs_add_san_otherName (
const heim_oid */*oid*/,
const heim_octet_string */*os*/);
+/**
+ * Add Kerberos Subject Alternative Name to the to-be-signed
+ * certificate object. The principal string is a UTF8 string.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param principal Kerberos principal to add to the certificate.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_pkinit (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*principal*/);
+/**
+ * Add a Subject Alternative Name rfc822 (email address) to
+ * to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param rfc822Name a string to a email address.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_add_san_rfc822name (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const char */*rfc822Name*/);
+/**
+ * Free an To Be Signed object.
+ *
+ * @param tbs object to free.
+ *
+ * @ingroup hx509_ca
+ */
+
void
hx509_ca_tbs_free (hx509_ca_tbs */*tbs*/);
+/**
+ * Allocate an to-be-signed certificate object that will be converted
+ * into an certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs returned to-be-signed certicate object, free with
+ * hx509_ca_tbs_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_init (
hx509_context /*context*/,
hx509_ca_tbs */*tbs*/);
+/**
+ * Make the to-be-signed certificate object a CA certificate. If the
+ * pathLenConstraint is negative path length constraint is used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param pathLenConstraint path length constraint, negative, no
+ * constraint.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_ca (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
int /*pathLenConstraint*/);
+/**
+ * Make the to-be-signed certificate object a windows domain controller certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_domaincontroller (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/);
+/**
+ * Set the absolute time when the certificate is valid to.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param t time when the certificate will expire
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_notAfter (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
time_t /*t*/);
+/**
+ * Set the relative time when the certificiate is going to expire.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param delta seconds to the certificate is going to expire.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_notAfter_lifetime (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
time_t /*delta*/);
+/**
+ * Set the absolute time when the certificate is valid from. If not
+ * set the current time will be used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param t time the certificated will start to be valid
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_notBefore (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
time_t /*t*/);
+/**
+ * Make the to-be-signed certificate object a proxy certificate. If the
+ * pathLenConstraint is negative path length constraint is used.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param pathLenConstraint path length constraint, negative, no
+ * constraint.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_proxy (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
int /*pathLenConstraint*/);
+/**
+ * Set the serial number to use for to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param serialNumber serial number to use for the to-be-signed
+ * certificate object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_serialnumber (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const heim_integer */*serialNumber*/);
+/**
+ * Set signature algorithm on the to be signed certificate
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param sigalg signature algorithm to use
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
+int
+hx509_ca_tbs_set_signature_algorithm (
+ hx509_context /*context*/,
+ hx509_ca_tbs /*tbs*/,
+ const AlgorithmIdentifier */*sigalg*/);
+
+/**
+ * Set the subject public key info (SPKI) in the to-be-signed certificate
+ * object. SPKI is the public key and key related parameters in the
+ * certificate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param spki subject public key info to use for the to-be-signed certificate object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_spki (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
const SubjectPublicKeyInfo */*spki*/);
+/**
+ * Set the subject name of a to-be-signed certificate object.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param subject the name to set a subject.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_subject (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
hx509_name /*subject*/);
+/**
+ * Initialize the to-be-signed certificate object from a template certifiate.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param flags bit field selecting what to copy from the template
+ * certifiate.
+ * @param cert template certificate.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_template (
hx509_context /*context*/,
@@ -159,6 +485,24 @@ hx509_ca_tbs_set_template (
int /*flags*/,
hx509_cert /*cert*/);
+/**
+ * Set the issuerUniqueID and subjectUniqueID
+ *
+ * These are only supposed to be used considered with version 2
+ * certificates, replaced by the two extensions SubjectKeyIdentifier
+ * and IssuerKeyIdentifier. This function is to allow application
+ * using legacy protocol to issue them.
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param issuerUniqueID to be set
+ * @param subjectUniqueID to be set
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_set_unique (
hx509_context /*context*/,
@@ -166,21 +510,71 @@ hx509_ca_tbs_set_unique (
const heim_bit_string */*subjectUniqueID*/,
const heim_bit_string */*issuerUniqueID*/);
+/**
+ * Expand the the subject name in the to-be-signed certificate object
+ * using hx509_name_expand().
+ *
+ * @param context A hx509 context.
+ * @param tbs object to be signed.
+ * @param env environment variable to expand variables in the subject
+ * name, see hx509_env_init().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_ca
+ */
+
int
hx509_ca_tbs_subject_expand (
hx509_context /*context*/,
hx509_ca_tbs /*tbs*/,
hx509_env /*env*/);
+/**
+ * Make of template units, use to build flags argument to
+ * hx509_ca_tbs_set_template() with parse_units().
+ *
+ * @return an units structure.
+ *
+ * @ingroup hx509_ca
+ */
+
const struct units *
hx509_ca_tbs_template_units (void);
+/**
+ * Encodes the hx509 certificate as a DER encode binary.
+ *
+ * @param context A hx509 context.
+ * @param c the certificate to encode.
+ * @param os the encode certificate, set to NULL, 0 on case of
+ * error. Free the os->data with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_binary (
hx509_context /*context*/,
hx509_cert /*c*/,
heim_octet_string */*os*/);
+/**
+ * Check the extended key usage on the hx509 certificate.
+ *
+ * @param context A hx509 context.
+ * @param cert A hx509 context.
+ * @param eku the EKU to check for
+ * @param allow_any_eku if the any EKU is set, allow that to be a
+ * substitute.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_check_eku (
hx509_context /*context*/,
@@ -188,11 +582,40 @@ hx509_cert_check_eku (
const heim_oid */*eku*/,
int /*allow_any_eku*/);
+/**
+ * Compare to hx509 certificate object, useful for sorting.
+ *
+ * @param p a hx509 certificate object.
+ * @param q a hx509 certificate object.
+ *
+ * @return 0 the objects are the same, returns > 0 is p is "larger"
+ * then q, < 0 if p is "smaller" then q.
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_cmp (
hx509_cert /*p*/,
hx509_cert /*q*/);
+/**
+ * Return a list of subjectAltNames specified by oid in the
+ * certificate. On error the
+ *
+ * The returned list of octet string should be freed with
+ * hx509_free_octet_string_list().
+ *
+ * @param context A hx509 context.
+ * @param cert a hx509 certificate object.
+ * @param oid an oid to for SubjectAltName.
+ * @param list list of matching SubjectAltName.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_find_subjectAltName_otherName (
hx509_context /*context*/,
@@ -200,62 +623,223 @@ hx509_cert_find_subjectAltName_otherName (
const heim_oid */*oid*/,
hx509_octet_string_list */*list*/);
+/**
+ * Free reference to the hx509 certificate object, if the refcounter
+ * reaches 0, the object if freed. Its allowed to pass in NULL.
+ *
+ * @param cert the cert to free.
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_cert_free (hx509_cert /*cert*/);
+/**
+ * Get the SubjectPublicKeyInfo structure from the hx509 certificate.
+ *
+ * @param context a hx509 context.
+ * @param p a hx509 certificate object.
+ * @param spki SubjectPublicKeyInfo, should be freed with
+ * free_SubjectPublicKeyInfo().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_SPKI (
hx509_context /*context*/,
hx509_cert /*p*/,
SubjectPublicKeyInfo */*spki*/);
+/**
+ * Get the AlgorithmIdentifier from the hx509 certificate.
+ *
+ * @param context a hx509 context.
+ * @param p a hx509 certificate object.
+ * @param alg AlgorithmIdentifier, should be freed with
+ * free_AlgorithmIdentifier(). The algorithmidentifier is
+ * typicly rsaEncryption, or id-ecPublicKey, or some other
+ * public key mechanism.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_SPKI_AlgorithmIdentifier (
hx509_context /*context*/,
hx509_cert /*p*/,
AlgorithmIdentifier */*alg*/);
+/**
+ * Get an external attribute for the certificate, examples are
+ * friendly name and id.
+ *
+ * @param cert hx509 certificate object to search
+ * @param oid an oid to search for.
+ *
+ * @return an hx509_cert_attribute, only valid as long as the
+ * certificate is referenced.
+ *
+ * @ingroup hx509_cert
+ */
+
hx509_cert_attribute
hx509_cert_get_attribute (
hx509_cert /*cert*/,
const heim_oid */*oid*/);
+/**
+ * Return the name of the base subject of the hx509 certificate. If
+ * the certiicate is a verified proxy certificate, the this function
+ * return the base certificate (root of the proxy chain). If the proxy
+ * certificate is not verified with the base certificate
+ * HX509_PROXY_CERTIFICATE_NOT_CANONICALIZED is returned.
+ *
+ * @param context a hx509 context.
+ * @param c a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free(). See also hx509_cert_get_subject().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_base_subject (
hx509_context /*context*/,
hx509_cert /*c*/,
hx509_name */*name*/);
+/**
+ * Get friendly name of the certificate.
+ *
+ * @param cert cert to get the friendly name from.
+ *
+ * @return an friendly name or NULL if there is. The friendly name is
+ * only valid as long as the certificate is referenced.
+ *
+ * @ingroup hx509_cert
+ */
+
const char *
hx509_cert_get_friendly_name (hx509_cert /*cert*/);
+/**
+ * Return the name of the issuer of the hx509 certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_issuer (
hx509_cert /*p*/,
hx509_name */*name*/);
+/**
+ * Get a copy of the Issuer Unique ID
+ *
+ * @param context a hx509_context
+ * @param p a hx509 certificate
+ * @param issuer the issuer id returned, free with der_free_bit_string()
+ *
+ * @return An hx509 error code, see hx509_get_error_string(). The
+ * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
+ * doesn't have a issuerUniqueID
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_issuer_unique_id (
hx509_context /*context*/,
hx509_cert /*p*/,
heim_bit_string */*issuer*/);
+/**
+ * Get notAfter time of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ *
+ * @return return not after time.
+ *
+ * @ingroup hx509_cert
+ */
+
time_t
hx509_cert_get_notAfter (hx509_cert /*p*/);
+/**
+ * Get notBefore time of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ *
+ * @return return not before time
+ *
+ * @ingroup hx509_cert
+ */
+
time_t
hx509_cert_get_notBefore (hx509_cert /*p*/);
+/**
+ * Get serial number of the certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param i serial number, should be freed ith der_free_heim_integer().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_serialnumber (
hx509_cert /*p*/,
heim_integer */*i*/);
+/**
+ * Return the name of the subject of the hx509 certificate.
+ *
+ * @param p a hx509 certificate object.
+ * @param name a pointer to a hx509 name, should be freed by
+ * hx509_name_free(). See also hx509_cert_get_base_subject().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_subject (
hx509_cert /*p*/,
hx509_name */*name*/);
+/**
+ * Get a copy of the Subect Unique ID
+ *
+ * @param context a hx509_context
+ * @param p a hx509 certificate
+ * @param subject the subject id returned, free with der_free_bit_string()
+ *
+ * @return An hx509 error code, see hx509_get_error_string(). The
+ * error code HX509_EXTENSION_NOT_FOUND is returned if the certificate
+ * doesn't have a subjectUniqueID
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_get_subject_unique_id (
hx509_context /*context*/,
@@ -265,18 +849,63 @@ hx509_cert_get_subject_unique_id (
int
hx509_cert_have_private_key (hx509_cert /*p*/);
-int
+/**
+ * Allocate and init an hx509 certificate object from the decoded
+ * certificate `c´.
+ *
+ * @param context A hx509 context.
+ * @param c
+ * @param error
+ *
+ * @return Returns an hx509 certificate
+ *
+ * @ingroup hx509_cert
+ */
+
+hx509_cert
hx509_cert_init (
hx509_context /*context*/,
const Certificate */*c*/,
- hx509_cert */*cert*/);
+ heim_error_t */*error*/);
+
+/**
+ * Just like hx509_cert_init(), but instead of a decode certificate
+ * takes an pointer and length to a memory region that contains a
+ * DER/BER encoded certificate.
+ *
+ * If the memory region doesn't contain just the certificate and
+ * nothing more the function will fail with
+ * HX509_EXTRA_DATA_AFTER_STRUCTURE.
+ *
+ * @param context A hx509 context.
+ * @param ptr pointer to memory region containing encoded certificate.
+ * @param len length of memory region.
+ * @param error possibly returns an error
+ *
+ * @return An hx509 certificate
+ *
+ * @ingroup hx509_cert
+ */
-int
+hx509_cert
hx509_cert_init_data (
hx509_context /*context*/,
const void */*ptr*/,
size_t /*len*/,
- hx509_cert */*cert*/);
+ heim_error_t */*error*/);
+
+/**
+ * Print certificate usage for a certificate to a string.
+ *
+ * @param context A hx509 context.
+ * @param c a certificate print the keyusage for.
+ * @param s the return string with the keysage printed in to, free
+ * with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
int
hx509_cert_keyusage_print (
@@ -292,20 +921,72 @@ hx509_cert_public_encrypt (
heim_oid */*encryption_oid*/,
heim_octet_string */*ciphertext*/);
+/**
+ * Add a reference to a hx509 certificate object.
+ *
+ * @param cert a pointer to an hx509 certificate object.
+ *
+ * @return the same object as is passed in.
+ *
+ * @ingroup hx509_cert
+ */
+
hx509_cert
hx509_cert_ref (hx509_cert /*cert*/);
+/**
+ * Set the friendly name on the certificate.
+ *
+ * @param cert The certificate to set the friendly name on
+ * @param name Friendly name.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_cert_set_friendly_name (
hx509_cert /*cert*/,
const char */*name*/);
+/**
+ * Add a certificate to the certificiate store.
+ *
+ * The receiving keyset certs will either increase reference counter
+ * of the cert or make a deep copy, either way, the caller needs to
+ * free the cert itself.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to add the certificate to.
+ * @param cert certificate to add.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_add (
hx509_context /*context*/,
hx509_certs /*certs*/,
hx509_cert /*cert*/);
+/**
+ * Same a hx509_certs_merge() but use a lock and name to describe the
+ * from source.
+ *
+ * @param context a hx509 context.
+ * @param to the store to merge into.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ * @param name name of the source store
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_append (
hx509_context /*context*/,
@@ -313,12 +994,38 @@ hx509_certs_append (
hx509_lock /*lock*/,
const char */*name*/);
+/**
+ * End the iteration over certificates.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param cursor cursor that will keep track of progress, freed.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_end_seq (
hx509_context /*context*/,
hx509_certs /*certs*/,
hx509_cursor /*cursor*/);
+/**
+ * Filter certificate matching the query.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to search.
+ * @param q query allocated with @ref hx509_query functions.
+ * @param result the filtered certificate store, caller must free with
+ * hx509_certs_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_filter (
hx509_context /*context*/,
@@ -326,6 +1033,20 @@ hx509_certs_filter (
const hx509_query */*q*/,
hx509_certs */*result*/);
+/**
+ * Find a certificate matching the query.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to search.
+ * @param q query allocated with @ref hx509_query functions.
+ * @param r return certificate (or NULL on error), should be freed
+ * with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_find (
hx509_context /*context*/,
@@ -333,9 +1054,32 @@ hx509_certs_find (
const hx509_query */*q*/,
hx509_cert */*r*/);
+/**
+ * Free a certificate store.
+ *
+ * @param certs certificate store to free.
+ *
+ * @ingroup hx509_keyset
+ */
+
void
hx509_certs_free (hx509_certs */*certs*/);
+/**
+ * Print some info about the certificate store.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to print information about.
+ * @param func function that will get each line of the information, if
+ * NULL is used the data is printed on a FILE descriptor that should
+ * be passed in ctx, if ctx also is NULL, stdout is used.
+ * @param ctx parameter to func.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_info (
hx509_context /*context*/,
@@ -343,6 +1087,24 @@ hx509_certs_info (
int (*/*func*/)(void *, const char *),
void */*ctx*/);
+/**
+ * Open or creates a new hx509 certificate store.
+ *
+ * @param context A hx509 context
+ * @param name name of the store, format is TYPE:type-specific-string,
+ * if NULL is used the MEMORY store is used.
+ * @param flags list of flags:
+ * - HX509_CERTS_CREATE create a new keystore of the specific TYPE.
+ * - HX509_CERTS_UNPROTECT_ALL fails if any private key failed to be extracted.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ * @param certs return pointer, free with hx509_certs_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_init (
hx509_context /*context*/,
@@ -351,6 +1113,21 @@ hx509_certs_init (
hx509_lock /*lock*/,
hx509_certs */*certs*/);
+/**
+ * Iterate over all certificates in a keystore and call a block
+ * for each of them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func block to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to the caller of hx509_certs_iter().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
#ifdef __BLOCKS__
int
hx509_certs_iter (
@@ -359,6 +1136,22 @@ hx509_certs_iter (
int (^func)(hx509_cert));
#endif /* __BLOCKS__ */
+/**
+ * Iterate over all certificates in a keystore and call a function
+ * for each of them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func function to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to the caller of hx509_certs_iter_f().
+ * @param ctx context variable that will passed to the function.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_iter_f (
hx509_context /*context*/,
@@ -366,12 +1159,40 @@ hx509_certs_iter_f (
int (*/*func*/)(hx509_context, void *, hx509_cert),
void */*ctx*/);
+/**
+ * Merge a certificate store into another. The from store is keep
+ * intact.
+ *
+ * @param context a hx509 context.
+ * @param to the store to merge into.
+ * @param from the store to copy the object from.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_merge (
hx509_context /*context*/,
hx509_certs /*to*/,
hx509_certs /*from*/);
+/**
+ * Get next ceritificate from the certificate keystore pointed out by
+ * cursor.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param cursor cursor that keeps track of progress.
+ * @param cert return certificate next in store, NULL if the store
+ * contains no more certificates. Free with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_next_cert (
hx509_context /*context*/,
@@ -382,12 +1203,42 @@ hx509_certs_next_cert (
hx509_certs
hx509_certs_ref (hx509_certs /*certs*/);
+/**
+ * Start the integration
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over
+ * @param cursor cursor that will keep track of progress, free with
+ * hx509_certs_end_seq().
+ *
+ * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION is
+ * returned if the certificate store doesn't support the iteration
+ * operation.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_start_seq (
hx509_context /*context*/,
hx509_certs /*certs*/,
hx509_cursor */*cursor*/);
+/**
+ * Write the certificate store to stable storage.
+ *
+ * @param context A hx509 context.
+ * @param certs a certificate store to store.
+ * @param flags currently unused, use 0.
+ * @param lock a lock that unlocks the certificates store, use NULL to
+ * select no password/certifictes/prompt lock (see @ref page_lock).
+ *
+ * @return Returns an hx509 error code. HX509_UNSUPPORTED_OPERATION if
+ * the certificate store doesn't support the store operation.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_store (
hx509_context /*context*/,
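Review bot: The summary line added for hx509_certs_start_seq reads "Start the integration", which looks like a slip for "iteration"; I would write `Start the iteration over the certificates in a store.` so it pairs with the "End the iteration over certificates." text on hx509_certs_end_seq. hx509_certs_ref, visible as context at the top of this hunk, gets no comment at all, while hx509_cert_ref received one earlier in the patch; a matching `Add a reference to a hx509 certificate store object.` would keep the two consistent, assuming it has the same semantics.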
@@ -395,12 +1246,33 @@ hx509_certs_store (
int /*flags*/,
hx509_lock /*lock*/);
+/**
+ * Function to use to hx509_certs_iter_f() as a function argument, the
+ * ctx variable to hx509_certs_iter_f() should be a FILE file descriptor.
+ *
+ * @param context a hx509 context.
+ * @param ctx used by hx509_certs_iter_f().
+ * @param c a certificate
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_ci_print_names (
hx509_context /*context*/,
void */*ctx*/,
hx509_cert /*c*/);
+/**
+ * Resets the error strings the hx509 context.
+ *
+ * @param context A hx509 context.
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_clear_error_string (hx509_context /*context*/);
@@ -418,6 +1290,31 @@ hx509_cms_create_signed (
hx509_certs /*pool*/,
heim_octet_string */*signed_data*/);
+/**
+ * Decode SignedData and verify that the signature is correct.
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * @param eContentType the type of the data.
+ * @param data data to sign
+ * @param length length of the data that data point to.
+ * @param digest_alg digest algorithm to use, use NULL to get the
+ * default or the peer determined algorithm.
+ * @param cert certificate to use for sign the data.
+ * @param peer info about the peer the message to send the message to,
+ * like what digest algorithm to use.
+ * @param anchors trust anchors that the client will use, used to
+ * polulate the certificates included in the message
+ * @param pool certificates to use in try to build the path to the
+ * trust anchors.
+ * @param signed_data the output of the function, free with
+ * der_free_octet_string().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_create_signed_1 (
hx509_context /*context*/,
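Review bot: The comment added above hx509_cms_create_signed_1 opens with "Decode SignedData and verify that the signature is correct", which is the same sentence used later for hx509_cms_verify_signed and contradicts the parameter list below it ("data to sign", "certificate to use for sign the data"). The summary should describe creation, for example `Create and sign a CMS SignedData structure.` The `@param flags` line is also left empty, so a caller cannot tell from the header which flag values are accepted. The prototype itself continues outside this hunk.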
@@ -432,6 +1329,11 @@ hx509_cms_create_signed_1 (
hx509_certs /*pool*/,
heim_octet_string */*signed_data*/);
+/**
+ * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no
+ * signatures).
+ */
+
int
hx509_cms_decrypt_encrypted (
hx509_context /*context*/,
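Review bot: The comment added here sits directly above hx509_cms_decrypt_encrypted, so Doxygen will attach it to that function, but its text ("Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo") is about signature creation. Judging by the flag name it presumably belongs in the `@param flags` description of the hx509_cms_create_signed functions, which is currently blank on hx509_cms_create_signed_1. hx509_cms_decrypt_encrypted is then left without any description. If the text is moved, it should also say that the resulting SignedData carries no signature, since a receiver cannot authenticate such a message.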
@@ -441,6 +1343,34 @@ hx509_cms_decrypt_encrypted (
heim_oid */*contentType*/,
heim_octet_string */*content*/);
+/**
+ * Encrypt end encode EnvelopedData.
+ *
+ * Encrypt and encode EnvelopedData. The data is encrypted with a
+ * random key and the the random key is encrypted with the
+ * certificates private key. This limits what private key type can be
+ * used to RSA.
+ *
+ * @param context A hx509 context.
+ * @param flags flags to control the behavior.
+ * - HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate
+ * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo
+ * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number
+ * @param cert Certificate to encrypt the EnvelopedData encryption key
+ * with.
+ * @param data pointer the data to encrypt.
+ * @param length length of the data that data point to.
+ * @param encryption_type Encryption cipher to use for the bulk data,
+ * use NULL to get default.
+ * @param contentType type of the data that is encrypted
+ * @param content the output of the function,
+ * free with der_free_octet_string().
+ *
+ * @return an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_envelope_1 (
hx509_context /*context*/,
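Review bot: The description of hx509_cms_envelope_1 says the random key "is encrypted with the certificates private key", but enveloping for a recipient uses the public key from the recipient certificate; the private key is only needed by hx509_cms_unenvelope. I would change the sentence to `the random key is encrypted with the public key of the recipient certificate`. The flag list names `HX509_CMS_EV_ALLOW_WEAK` as "Allow weak crytpo" without saying which algorithms that admits, which a caller needs to know before setting it. The summary line "Encrypt end encode" also duplicates the sentence that follows it.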
@@ -452,6 +1382,30 @@ hx509_cms_envelope_1 (
const heim_oid */*contentType*/,
heim_octet_string */*content*/);
+/**
+ * Decode and unencrypt EnvelopedData.
+ *
+ * Extract data and parameteres from from the EnvelopedData. Also
+ * supports using detached EnvelopedData.
+ *
+ * @param context A hx509 context.
+ * @param certs Certificate that can decrypt the EnvelopedData
+ * encryption key.
+ * @param flags HX509_CMS_UE flags to control the behavior.
+ * @param data pointer the structure the contains the DER/BER encoded
+ * EnvelopedData stucture.
+ * @param length length of the data that data point to.
+ * @param encryptedContent in case of detached signature, this
+ * contains the actual encrypted data, othersize its should be NULL.
+ * @param time_now set the current time, if zero the library uses now as the date.
+ * @param contentType output type oid, should be freed with der_free_oid().
+ * @param content the data, free with der_free_octet_string().
+ *
+ * @return an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_unenvelope (
hx509_context /*context*/,
@@ -464,6 +1418,20 @@ hx509_cms_unenvelope (
heim_oid */*contentType*/,
heim_octet_string */*content*/);
+/**
+ * Decode an ContentInfo and unwrap data and oid it.
+ *
+ * @param in the encoded buffer.
+ * @param oid type of the content.
+ * @param out data to be wrapped.
+ * @param have_data since the data is optional, this flags show dthe
+ * diffrence between no data and the zero length data.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_unwrap_ContentInfo (
const heim_octet_string */*in*/,
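Review bot: In the comment for hx509_cms_unwrap_ContentInfo, `@param out` is described as "data to be wrapped", which is the wording from the wrap direction; here `out` receives the unwrapped content. Something like `@param out the unwrapped content, free with der_free_octet_string().` would match the ownership notes used elsewhere in this header, though the release function should be confirmed against the implementation. `@param oid` likewise does not say that it is an output or how it is released. The remaining parameters of the prototype fall outside this hunk.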
@@ -471,6 +1439,30 @@ hx509_cms_unwrap_ContentInfo (
heim_octet_string */*out*/,
int */*have_data*/);
+/**
+ * Decode SignedData and verify that the signature is correct.
+ *
+ * @param context A hx509 context.
+ * @param ctx a hx509 verify context.
+ * @param flags to control the behaivor of the function.
+ * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
+ * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
+ * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
+ * @param data pointer to CMS SignedData encoded data.
+ * @param length length of the data that data point to.
+ * @param signedContent external data used for signature.
+ * @param pool certificate pool to build certificates paths.
+ * @param contentType free with der_free_oid().
+ * @param content the output of the function, free with
+ * der_free_octet_string().
+ * @param signer_certs list of the cerficates used to sign this
+ * request, free with hx509_certs_free().
+ *
+ * @return an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_verify_signed (
hx509_context /*context*/,
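Review bot: The flag list for hx509_cms_verify_signed says `HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below`, but nothing below in the comment explains it. With this flag the function can presumably return success for a SignedData that carries no signature, so the comment should state what `signer_certs` holds in that case and that a zero return alone does not mean the content was authenticated. A sentence such as `If no signer is present and HX509_CMS_VS_ALLOW_ZERO_SIGNER is set, the function succeeds and the caller must check signer_certs before trusting content.` would do, once the exact behaviour is confirmed in lib/hx509/cms.c. The prototype continues outside this hunk.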
@@ -484,45 +1476,152 @@ hx509_cms_verify_signed (
heim_octet_string */*content*/,
hx509_certs */*signer_certs*/);
+/**
+ * Wrap data and oid in a ContentInfo and encode it.
+ *
+ * @param oid type of the content.
+ * @param buf data to be wrapped. If a NULL pointer is passed in, the
+ * optional content field in the ContentInfo is not going be filled
+ * in.
+ * @param res the encoded buffer, the result should be freed with
+ * der_free_octet_string().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_cms
+ */
+
int
hx509_cms_wrap_ContentInfo (
const heim_oid */*oid*/,
const heim_octet_string */*buf*/,
heim_octet_string */*res*/);
+/**
+ * Free the context allocated by hx509_context_init().
+ *
+ * @param context context to be freed.
+ *
+ * @ingroup hx509
+ */
+
void
hx509_context_free (hx509_context */*context*/);
+/**
+ * Creates a hx509 context that most functions in the library
+ * uses. The context is only allowed to be used by one thread at each
+ * moment. Free the context with hx509_context_free().
+ *
+ * @param context Returns a pointer to new hx509 context.
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509
+ */
+
int
hx509_context_init (hx509_context */*context*/);
+/**
+ * Selects if the hx509_revoke_verify() function is going to require
+ * the existans of a revokation method (OCSP, CRL) or not. Note that
+ * hx509_verify_path(), hx509_cms_verify_signed(), and other function
+ * call hx509_revoke_verify().
+ *
+ * @param context hx509 context to change the flag for.
+ * @param flag zero, revokation method required, non zero missing
+ * revokation method ok
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_context_set_missing_revoke (
hx509_context /*context*/,
int /*flag*/);
+/**
+ * Add revoked certificate to an CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl the CRL to add the revoked certificate to.
+ * @param certs keyset of certificate to revoke.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_crl_add_revoked_certs (
hx509_context /*context*/,
hx509_crl /*crl*/,
hx509_certs /*certs*/);
+/**
+ * Create a CRL context. Use hx509_crl_free() to free the CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl return pointer to a newly allocated CRL context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_crl_alloc (
hx509_context /*context*/,
hx509_crl */*crl*/);
+/**
+ * Free a CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl a CRL context to free.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_crl_free (
hx509_context /*context*/,
hx509_crl */*crl*/);
+/**
+ * Set the lifetime of a CRL context.
+ *
+ * @param context a hx509 context.
+ * @param crl a CRL context
+ * @param delta delta time the certificate is valid, library adds the
+ * current time to this.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_crl_lifetime (
hx509_context /*context*/,
hx509_crl /*crl*/,
int /*delta*/);
+/**
+ * Sign a CRL and return an encode certificate.
+ *
+ * @param context a hx509 context.
+ * @param signer certificate to sign the CRL with
+ * @param crl the CRL to sign
+ * @param os return the signed and encoded CRL, free with
+ * free_heim_octet_string()
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_crl_sign (
hx509_context /*context*/,
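Review bot: The comment on hx509_context_set_missing_revoke documents a fail-open switch (`flag` non-zero means "missing revokation method ok") without stating the default or the consequence. Since the text itself notes that hx509_verify_path() and hx509_cms_verify_signed() go through hx509_revoke_verify(), I would add `With a non-zero flag, certificates are accepted when no OCSP or CRL data is available for them.` and name the default value of a fresh context. In the same hunk, hx509_crl_sign is described as returning "an encode certificate" where it returns the signed CRL, and it tells callers to use `free_heim_octet_string()` while the CMS functions above point to `der_free_octet_string()`; one of the two should be used consistently.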
@@ -635,6 +1734,19 @@ hx509_crypto_set_random_key (
hx509_crypto /*crypto*/,
heim_octet_string */*key*/);
+/**
+ * Add a new key/value pair to the hx509_env.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to add
+ * @param value value to add
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_env
+ */
+
int
hx509_env_add (
hx509_context /*context*/,
@@ -642,6 +1754,19 @@ hx509_env_add (
const char */*key*/,
const char */*value*/);
+/**
+ * Add a new key/binding pair to the hx509_env.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to add
+ * @param list binding list to add
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_env
+ */
+
int
hx509_env_add_binding (
hx509_context /*context*/,
@@ -649,21 +1774,66 @@ hx509_env_add_binding (
const char */*key*/,
hx509_env /*list*/);
+/**
+ * Search the hx509_env for a key.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to search for.
+ *
+ * @return the value if the key is found, NULL otherwise.
+ *
+ * @ingroup hx509_env
+ */
+
const char *
hx509_env_find (
hx509_context /*context*/,
hx509_env /*env*/,
const char */*key*/);
+/**
+ * Search the hx509_env for a binding.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to search for.
+ *
+ * @return the binding if the key is found, NULL if not found.
+ *
+ * @ingroup hx509_env
+ */
+
hx509_env
hx509_env_find_binding (
hx509_context /*context*/,
hx509_env /*env*/,
const char */*key*/);
+/**
+ * Free an hx509_env environment context.
+ *
+ * @param env the environment to free.
+ *
+ * @ingroup hx509_env
+ */
+
void
hx509_env_free (hx509_env */*env*/);
+/**
+ * Search the hx509_env for a length based key.
+ *
+ * @param context A hx509 context.
+ * @param env environment to add the environment variable too.
+ * @param key key to search for.
+ * @param len length of key.
+ *
+ * @return the value if the key is found, NULL otherwise.
+ *
+ * @ingroup hx509_env
+ */
+
const char *
hx509_env_lfind (
hx509_context /*context*/,
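Review bot: The lookup functions hx509_env_find, hx509_env_find_binding and hx509_env_lfind all describe `env` as "environment to add the environment variable too", which was copied from hx509_env_add; for these it should read `@param env environment to search.` The two functions returning `const char *` also do not say how long the returned pointer stays valid; if it points into the environment, as the const return suggests, the comment should say the caller must not free it and must not use it after hx509_env_free(). The same "too" for "to" appears in the hx509_env_add and hx509_env_add_binding comments in the two preceding hunks.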
@@ -671,6 +1841,18 @@ hx509_env_lfind (
const char */*key*/,
size_t /*len*/);
+/**
+ * Print error message and fatally exit from error code
+ *
+ * @param context A hx509 context.
+ * @param exit_code exit() code from process.
+ * @param error_code Error code for the reason to exit.
+ * @param fmt format string with the exit message.
+ * @param ... argument to format string.
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_err (
hx509_context /*context*/,
@@ -682,22 +1864,73 @@ hx509_err (
hx509_private_key_ops *
hx509_find_private_alg (const heim_oid */*oid*/);
+/**
+ * Free error string returned by hx509_get_error_string().
+ *
+ * @param str error string to free.
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_free_error_string (char */*str*/);
+/**
+ * Free a list of octet strings returned by another hx509 library
+ * function.
+ *
+ * @param list list to be freed.
+ *
+ * @ingroup hx509_misc
+ */
+
void
hx509_free_octet_string_list (hx509_octet_string_list */*list*/);
+/**
+ * Unparse the hx509 name in name into a string.
+ *
+ * @param name the name to print
+ * @param str an allocated string returns the name in string form
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_general_name_unparse (
GeneralName */*name*/,
char **/*str*/);
+/**
+ * Get an error string from context associated with error_code.
+ *
+ * @param context A hx509 context.
+ * @param error_code Get error message for this error code.
+ *
+ * @return error string, free with hx509_free_error_string().
+ *
+ * @ingroup hx509_error
+ */
+
char *
hx509_get_error_string (
hx509_context /*context*/,
int /*error_code*/);
+/**
+ * Get one random certificate from the certificate store.
+ *
+ * @param context a hx509 context.
+ * @param certs a certificate store to get the certificate from.
+ * @param c return certificate, should be freed with hx509_cert_free().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_get_one_cert (
hx509_context /*context*/,
@@ -729,6 +1962,12 @@ hx509_lock_command_string (
void
hx509_lock_free (hx509_lock /*lock*/);
+/**
+ * @page page_lock Locking and unlocking certificates and encrypted data.
+ *
+ * See the library functions here: @ref hx509_lock
+ */
+
int
hx509_lock_init (
hx509_context /*context*/,
@@ -756,31 +1995,98 @@ hx509_lock_set_prompter (
hx509_prompter_fct /*prompt*/,
void */*data*/);
+/**
+ * Convert a hx509_name object to DER encoded name.
+ *
+ * @param name name to concert
+ * @param os data to a DER encoded name, free the resulting octet
+ * string with hx509_xfree(os->data).
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_binary (
const hx509_name /*name*/,
heim_octet_string */*os*/);
+/**
+ * Compare to hx509 name object, useful for sorting.
+ *
+ * @param n1 a hx509 name object.
+ * @param n2 a hx509 name object.
+ *
+ * @return 0 the objects are the same, returns > 0 is n2 is "larger"
+ * then n2, < 0 if n1 is "smaller" then n2.
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_cmp (
hx509_name /*n1*/,
hx509_name /*n2*/);
+/**
+ * Copy a hx509 name object.
+ *
+ * @param context A hx509 cotext.
+ * @param from the name to copy from
+ * @param to the name to copy to
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_copy (
hx509_context /*context*/,
const hx509_name /*from*/,
hx509_name */*to*/);
+/**
+ * Expands variables in the name using env. Variables are on the form
+ * ${name}. Useful when dealing with certificate templates.
+ *
+ * @param context A hx509 cotext.
+ * @param name the name to expand.
+ * @param env environment variable to expand.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_expand (
hx509_context /*context*/,
hx509_name /*name*/,
hx509_env /*env*/);
+/**
+ * Free a hx509 name object, upond return *name will be NULL.
+ *
+ * @param name a hx509 name object to be freed.
+ *
+ * @ingroup hx509_name
+ */
+
void
hx509_name_free (hx509_name */*name*/);
+/**
+ * Unparse the hx509 name in name into a string.
+ *
+ * @param name the name to check if its empty/null.
+ *
+ * @return non zero if the name is empty/null.
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_is_null_p (const hx509_name /*name*/);
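Review bot: Two comments in this hunk misdescribe their function. For hx509_name_cmp the return text says "> 0 is n2 is "larger" then n2", which compares n2 with itself; it should read `@return 0 if the names are equal, > 0 if n1 is "larger" than n2, < 0 if n1 is "smaller" than n2.`, assuming the usual comparator ordering. For hx509_name_is_null_p the summary "Unparse the hx509 name in name into a string" is copied from another function, while the parameter and return lines describe an emptiness test; `Check whether a hx509 name is empty/null.` fits. Name comparison often feeds matching decisions, so the sign convention is worth getting right in the header.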
@@ -789,16 +2095,56 @@ hx509_name_normalize (
hx509_context /*context*/,
hx509_name /*name*/);
+/**
+ * Convert a hx509_name into a Name.
+ *
+ * @param from the name to copy from
+ * @param to the name to copy to
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_to_Name (
const hx509_name /*from*/,
Name */*to*/);
+/**
+ * Convert the hx509 name object into a printable string.
+ * The resulting string should be freed with free().
+ *
+ * @param name name to print
+ * @param str the string to return
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_name_to_string (
const hx509_name /*name*/,
char **/*str*/);
+/**
+ * Create an OCSP request for a set of certificates.
+ *
+ * @param context a hx509 context
+ * @param reqcerts list of certificates to request ocsp data for
+ * @param pool certificate pool to use when signing
+ * @param signer certificate to use to sign the request
+ * @param digest the signing algorithm in the request, if NULL use the
+ * default signature algorithm,
+ * @param request the encoded request, free with free_heim_octet_string().
+ * @param nonce nonce in the request, free with free_heim_octet_string().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_ocsp_request (
hx509_context /*context*/,
@@ -809,6 +2155,25 @@ hx509_ocsp_request (
heim_octet_string */*request*/,
heim_octet_string */*nonce*/);
+/**
+ * Verify that the certificate is part of the OCSP reply and it's not
+ * expired. Doesn't verify signature the OCSP reply or it's done by a
+ * authorized sender, that is assumed to be already done.
+ *
+ * @param context a hx509 context
+ * @param now the time right now, if 0, use the current time.
+ * @param cert the certificate to verify
+ * @param flags flags control the behavior
+ * @param data pointer to the encode ocsp reply
+ * @param length the length of the encode ocsp reply
+ * @param expiration return the time the OCSP will expire and need to
+ * be rechecked.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_ocsp_verify (
hx509_context /*context*/,
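Review bot: The comment on hx509_ocsp_verify states, in the middle of the description, that the function checks neither the signature on the OCSP reply nor whether the sender is authorized, and assumes both were done earlier. That precondition decides whether the result can be trusted, so it should stand out and say what the caller has to do first, for example as a Doxygen `@warning` paragraph naming the function that performs the signature check. As written, a reader skimming the `@return` line could take a zero result as proof that the certificate is not revoked. `@param flags` also lists no flag values. The rest of the prototype lies outside this hunk.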
@@ -819,17 +2184,51 @@ hx509_ocsp_verify (
size_t /*length*/,
time_t */*expiration*/);
+/**
+ * Print a oid using a hx509_vprint_func function. To print to stdout
+ * use hx509_print_stdout().
+ *
+ * @param oid oid to print
+ * @param func hx509_vprint_func to print with.
+ * @param ctx context variable to hx509_vprint_func function.
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_oid_print (
const heim_oid */*oid*/,
hx509_vprint_func /*func*/,
void */*ctx*/);
+/**
+ * Print a oid to a string.
+ *
+ * @param oid oid to print
+ * @param str allocated string, free with hx509_xfree().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
int
hx509_oid_sprint (
const heim_oid */*oid*/,
char **/*str*/);
+/**
+ * Parse a string into a hx509 name object.
+ *
+ * @param context A hx509 context.
+ * @param str a string to parse.
+ * @param name the resulting object, NULL in case of error.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_parse_name (
hx509_context /*context*/,
@@ -845,25 +2244,80 @@ hx509_parse_private_key (
hx509_key_format_t /*format*/,
hx509_private_key */*private_key*/);
+/**
+ * Add an additional algorithm that the peer supports.
+ *
+ * @param context A hx509 context.
+ * @param peer the peer to set the new algorithms for
+ * @param val an AlgorithmsIdentier to add
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
int
hx509_peer_info_add_cms_alg (
hx509_context /*context*/,
hx509_peer_info /*peer*/,
const AlgorithmIdentifier */*val*/);
+/**
+ * Allocate a new peer info structure an init it to default values.
+ *
+ * @param context A hx509 context.
+ * @param peer return an allocated peer, free with hx509_peer_info_free().
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
int
hx509_peer_info_alloc (
hx509_context /*context*/,
hx509_peer_info */*peer*/);
+/**
+ * Free a peer info structure.
+ *
+ * @param peer peer info to be freed.
+ *
+ * @ingroup hx509_peer
+ */
+
void
hx509_peer_info_free (hx509_peer_info /*peer*/);
+/**
+ * Set the certificate that remote peer is using.
+ *
+ * @param peer peer info to update
+ * @param cert cerificate of the remote peer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
int
hx509_peer_info_set_cert (
hx509_peer_info /*peer*/,
hx509_cert /*cert*/);
+/**
+ * Set the algorithms that the peer supports.
+ *
+ * @param context A hx509 context.
+ * @param peer the peer to set the new algorithms for
+ * @param val array of supported AlgorithmsIdentiers
+ * @param len length of array val.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_peer
+ */
+
int
hx509_peer_info_set_cms_algs (
hx509_context /*context*/,
@@ -901,12 +2355,38 @@ hx509_pem_write (
const void */*data*/,
size_t /*size*/);
+/**
+ * Print a simple representation of a certificate
+ *
+ * @param context A hx509 context, can be NULL
+ * @param cert certificate to print
+ * @param out the stdio output stream, if NULL, stdout is used
+ *
+ * @return An hx509 error code
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_print_cert (
hx509_context /*context*/,
hx509_cert /*cert*/,
FILE */*out*/);
+/**
+ * Helper function to print on stdout for:
+ * - hx509_oid_print(),
+ * - hx509_bitstring_print(),
+ * - hx509_validate_ctx_set_print().
+ *
+ * @param ctx the context to the print function. If the ctx is NULL,
+ * stdout is used.
+ * @param fmt the printing format.
+ * @param va the argumet list.
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_print_stdout (
void */*ctx*/,
@@ -944,22 +2424,68 @@ hx509_private_key_private_decrypt (
int
hx509_prompt_hidden (hx509_prompt_type /*type*/);
+/**
+ * Allocate an query controller. Free using hx509_query_free().
+ *
+ * @param context A hx509 context.
+ * @param q return pointer to a hx509_query.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_alloc (
hx509_context /*context*/,
hx509_query **/*q*/);
+/**
+ * Free the query controller.
+ *
+ * @param context A hx509 context.
+ * @param q a pointer to the query controller.
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_query_free (
hx509_context /*context*/,
hx509_query */*q*/);
+/**
+ * Set the query controller to match using a specific match function.
+ *
+ * @param q a hx509 query controller.
+ * @param func function to use for matching, if the argument is NULL,
+ * the match function is removed.
+ * @param ctx context passed to the function.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_match_cmp_func (
hx509_query */*q*/,
int (*/*func*/)(hx509_context, hx509_cert, void *),
void */*ctx*/);
+/**
+ * Set the query controller to require an one specific EKU (extended
+ * key usage). Any previous EKU matching is overwitten. If NULL is
+ * passed in as the eku, the EKU requirement is reset.
+ *
+ * @param q a hx509 query controller.
+ * @param eku an EKU to match on.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_match_eku (
hx509_query */*q*/,
@@ -971,27 +2497,81 @@ hx509_query_match_expr (
hx509_query */*q*/,
const char */*expr*/);
+/**
+ * Set the query controller to match on a friendly name
+ *
+ * @param q a hx509 query controller.
+ * @param name a friendly name to match on
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_match_friendly_name (
hx509_query */*q*/,
const char */*name*/);
+/**
+ * Set the issuer and serial number of match in the query
+ * controller. The function make copies of the isser and serial number.
+ *
+ * @param q a hx509 query controller
+ * @param issuer issuer to search for
+ * @param serialNumber the serialNumber of the issuer.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_query_match_issuer_serial (
hx509_query */*q*/,
const Name */*issuer*/,
const heim_integer */*serialNumber*/);
+/**
+ * Set match options for the hx509 query controller.
+ *
+ * @param q query controller.
+ * @param option options to control the query controller.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_query_match_option (
hx509_query */*q*/,
hx509_query_option /*option*/);
+/**
+ * Set a statistic file for the query statistics.
+ *
+ * @param context A hx509 context.
+ * @param fn statistics file name
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_query_statistic_file (
hx509_context /*context*/,
const char */*fn*/);
+/**
+ * Unparse the statistics file and print the result on a FILE descriptor.
+ *
+ * @param context A hx509 context.
+ * @param printtype tyep to print
+ * @param out the FILE to write the data on.
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_query_unparse_stats (
hx509_context /*context*/,
@@ -1030,26 +2610,81 @@ hx509_request_set_name (
hx509_request /*req*/,
hx509_name /*name*/);
+/**
+ * Add a CRL file to the revokation context.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param path path to file that is going to be added to the context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_revoke_add_crl (
hx509_context /*context*/,
hx509_revoke_ctx /*ctx*/,
const char */*path*/);
+/**
+ * Add a OCSP file to the revokation context.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param path path to file that is going to be added to the context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_revoke_add_ocsp (
hx509_context /*context*/,
hx509_revoke_ctx /*ctx*/,
const char */*path*/);
+/**
+ * Free a hx509 revokation context.
+ *
+ * @param ctx context to be freed
+ *
+ * @ingroup hx509_revoke
+ */
+
void
hx509_revoke_free (hx509_revoke_ctx */*ctx*/);
+/**
+ * Allocate a revokation context. Free with hx509_revoke_free().
+ *
+ * @param context A hx509 context.
+ * @param ctx returns a newly allocated revokation context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_revoke_init (
hx509_context /*context*/,
hx509_revoke_ctx */*ctx*/);
+/**
+ * Print the OCSP reply stored in a file.
+ *
+ * @param context a hx509 context
+ * @param path path to a file with a OCSP reply
+ * @param out the out FILE descriptor to print the reply on
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
int
hx509_revoke_ocsp_print (
hx509_context /*context*/,
@@ -1057,6 +2692,29 @@ hx509_revoke_ocsp_print (
FILE */*out*/);
int
+hx509_revoke_print (
+ hx509_context /*context*/,
+ hx509_revoke_ctx /*ctx*/,
+ FILE */*out*/);
+
+/**
+ * Check that a certificate is not expired according to a revokation
+ * context. Also need the parent certificte to the check OCSP
+ * parent identifier.
+ *
+ * @param context hx509 context
+ * @param ctx hx509 revokation context
+ * @param certs
+ * @param now
+ * @param cert
+ * @param parent_cert
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
hx509_revoke_verify (
hx509_context /*context*/,
hx509_revoke_ctx /*ctx*/,
@@ -1065,6 +2723,20 @@ hx509_revoke_verify (
hx509_cert /*cert*/,
hx509_cert /*parent_cert*/);
+/**
+ * See hx509_set_error_stringv().
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * - HX509_ERROR_APPEND appends the error string to the old messages
+ (code is updated).
+ * @param code error code related to error message
+ * @param fmt error message format
+ * @param ... arguments to error message format
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_set_error_string (
hx509_context /*context*/,
@@ -1073,6 +2745,20 @@ hx509_set_error_string (
const char */*fmt*/,
...);
+/**
+ * Add an error message to the hx509 context.
+ *
+ * @param context A hx509 context.
+ * @param flags
+ * - HX509_ERROR_APPEND appends the error string to the old messages
+ (code is updated).
+ * @param code error code related to error message
+ * @param fmt error message format
+ * @param ap arguments to error message format
+ *
+ * @ingroup hx509_error
+ */
+
void
hx509_set_error_stringv (
hx509_context /*context*/,
@@ -1085,9 +2771,6 @@ const AlgorithmIdentifier *
hx509_signature_ecPublicKey (void);
const AlgorithmIdentifier *
-hx509_signature_ecdsa_with_sha1 (void);
-
-const AlgorithmIdentifier *
hx509_signature_ecdsa_with_sha256 (void);
const AlgorithmIdentifier *
@@ -1126,42 +2809,135 @@ hx509_signature_sha384 (void);
const AlgorithmIdentifier *
hx509_signature_sha512 (void);
+/**
+ * Convert a DER encoded name info a string.
+ *
+ * @param data data to a DER/BER encoded name
+ * @param length length of data
+ * @param str the resulting string, is NULL on failure.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_name
+ */
+
int
hx509_unparse_der_name (
const void */*data*/,
size_t /*length*/,
char **/*str*/);
+/**
+ * Validate/Print the status of the certificate.
+ *
+ * @param context A hx509 context.
+ * @param ctx A hx509 validation context.
+ * @param cert the cerificate to validate/print.
+
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
int
hx509_validate_cert (
hx509_context /*context*/,
hx509_validate_ctx /*ctx*/,
hx509_cert /*cert*/);
+/**
+ * Add flags to control the behaivor of the hx509_validate_cert()
+ * function.
+ *
+ * @param ctx A hx509 validation context.
+ * @param flags flags to add to the validation context.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_validate_ctx_add_flags (
hx509_validate_ctx /*ctx*/,
int /*flags*/);
+/**
+ * Free an hx509 validate context.
+ *
+ * @param ctx the hx509 validate context to free.
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_validate_ctx_free (hx509_validate_ctx /*ctx*/);
+/**
+ * Allocate a hx509 validation/printing context.
+ *
+ * @param context A hx509 context.
+ * @param ctx a new allocated hx509 validation context, free with
+ * hx509_validate_ctx_free().
+
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
int
hx509_validate_ctx_init (
hx509_context /*context*/,
hx509_validate_ctx */*ctx*/);
+/**
+ * Set the printing functions for the validation context.
+ *
+ * @param ctx a hx509 valication context.
+ * @param func the printing function to usea.
+ * @param c the context variable to the printing function.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_print
+ */
+
void
hx509_validate_ctx_set_print (
hx509_validate_ctx /*ctx*/,
hx509_vprint_func /*func*/,
void */*c*/);
+/**
+ * Set the trust anchors in the verification context, makes an
+ * reference to the keyset, so the consumer can free the keyset
+ * independent of the destruction of the verification context (ctx).
+ * If there already is a keyset attached, it's released.
+ *
+ * @param ctx a verification context
+ * @param set a keyset containing the trust anchors.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_attach_anchors (
hx509_verify_ctx /*ctx*/,
hx509_certs /*set*/);
+/**
+ * Attach an revocation context to the verfication context, , makes an
+ * reference to the revoke context, so the consumer can free the
+ * revoke context independent of the destruction of the verification
+ * context. If there is no revoke context, the verification process is
+ * NOT going to check any verification status.
+ *
+ * @param ctx a verification context.
+ * @param revoke_ctx a revoke context.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_attach_revoke (
hx509_verify_ctx /*ctx*/,
@@ -1172,14 +2948,56 @@ hx509_verify_ctx_f_allow_best_before_signature_algs (
hx509_context /*ctx*/,
int /*boolean*/);
+/**
+ * Allow using the operating system builtin trust anchors if no other
+ * trust anchors are configured.
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, useing the operating systems builtin
+ * trust anchors.
+ *
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
void
hx509_verify_ctx_f_allow_default_trustanchors (
hx509_verify_ctx /*ctx*/,
int /*boolean*/);
+/**
+ * Free an hx509 verification context.
+ *
+ * @param ctx the context to be freed.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_destroy_ctx (hx509_verify_ctx /*ctx*/);
+/**
+ * Verify that the certificate is allowed to be used for the hostname
+ * and address.
+ *
+ * @param context A hx509 context.
+ * @param cert the certificate to match with
+ * @param flags Flags to modify the behavior:
+ * - HX509_VHN_F_ALLOW_NO_MATCH no match is ok
+ * @param type type of hostname:
+ * - HX509_HN_HOSTNAME for plain hostname.
+ * - HX509_HN_DNSSRV for DNS SRV names.
+ * @param hostname the hostname to check
+ * @param sa address of the host
+ * @param sa_size length of address
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_cert
+ */
+
int
hx509_verify_hostname (
hx509_context /*context*/,
@@ -1190,11 +3008,38 @@ hx509_verify_hostname (
const struct sockaddr */*sa*/,
int /*sa_size*/);
+/**
+ * Allocate an verification context that is used fo control the
+ * verification process.
+ *
+ * @param context A hx509 context.
+ * @param ctx returns a pointer to a hx509_verify_ctx object.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_verify_init_ctx (
hx509_context /*context*/,
hx509_verify_ctx */*ctx*/);
+/**
+ * Build and verify the path for the certificate to the trust anchor
+ * specified in the verify context. The path is constructed from the
+ * certificate, the pool and the trust anchors.
+ *
+ * @param context A hx509 context.
+ * @param ctx A hx509 verification context.
+ * @param cert the certificate to build the path from.
+ * @param pool A keyset of certificates to build the chain from.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_verify
+ */
+
int
hx509_verify_path (
hx509_context /*context*/,
@@ -1202,26 +3047,83 @@ hx509_verify_path (
hx509_cert /*cert*/,
hx509_certs /*pool*/);
+/**
+ * Set the maximum depth of the certificate chain that the path
+ * builder is going to try.
+ *
+ * @param ctx a verification context
+ * @param max_depth maxium depth of the certificate chain, include
+ * trust anchor.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_set_max_depth (
hx509_verify_ctx /*ctx*/,
unsigned int /*max_depth*/);
+/**
+ * Allow or deny the use of proxy certificates
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, allow proxy certificates.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_set_proxy_certificate (
hx509_verify_ctx /*ctx*/,
int /*boolean*/);
+/**
+ * Select strict RFC3280 verification of certificiates. This means
+ * checking key usage on CA certificates, this will make version 1
+ * certificiates unuseable.
+ *
+ * @param ctx a verification context
+ * @param boolean if non zero, use strict verification.
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_set_strict_rfc3280_verification (
hx509_verify_ctx /*ctx*/,
int /*boolean*/);
+/**
+ * Set the clock time the the verification process is going to
+ * use. Used to check certificate in the past and future time. If not
+ * set the current time will be used.
+ *
+ * @param ctx a verification context.
+ * @param t the time the verifiation is using.
+ *
+ *
+ * @ingroup hx509_verify
+ */
+
void
hx509_verify_set_time (
hx509_verify_ctx /*ctx*/,
time_t /*t*/);
+/**
+ * Verify a signature made using the private key of an certificate.
+ *
+ * @param context A hx509 context.
+ * @param signer the certificate that made the signature.
+ * @param alg algorthm that was used to sign the data.
+ * @param data the data that was signed.
+ * @param sig the sigature to verify.
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_crypto
+ */
+
int
hx509_verify_signature (
hx509_context /*context*/,
@@ -1230,6 +3132,14 @@ hx509_verify_signature (
const heim_octet_string */*data*/,
const heim_octet_string */*sig*/);
+/**
+ * Free a data element allocated in the library.
+ *
+ * @param ptr data to be freed.
+ *
+ * @ingroup hx509_misc
+ */
+
void
hx509_xfree (void */*ptr*/);
@@ -1240,4 +3150,5 @@ yywrap (void);
}
#endif
+#endif /* DOXY */
#endif /* __hx509_protos_h__ */
diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h
index 3954b54b1c04..781f4a59cc73 100644
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -39,6 +39,7 @@
#include <rfc2459_asn1.h>
#include <stdarg.h>
#include <stdio.h>
+#include <heimbase.h>
typedef struct hx509_cert_attribute_data *hx509_cert_attribute;
typedef struct hx509_cert_data *hx509_cert;
diff --git a/lib/hx509/hx509_err.et b/lib/hx509/hx509_err.et
index 6225f125fb20..f0a27e83620c 100644
--- a/lib/hx509/hx509_err.et
+++ b/lib/hx509/hx509_err.et
@@ -8,7 +8,7 @@ id "$Id$"
error_table hx
prefix HX509
-# path validateion and construction related errors
+# path validation and construction related errors
error_code BAD_TIMEFORMAT, "ASN.1 failed call to system time library"
error_code EXTENSION_NOT_FOUND, "Extension not found"
error_code NO_PATH, "Certification path not found"
@@ -21,9 +21,9 @@ error_code CERT_USED_AFTER_TIME, "Certificate used after it became invalid"
error_code PRIVATE_KEY_MISSING, "Private key required for the operation is missing"
error_code ALG_NOT_SUPP, "Algorithm not supported"
error_code ISSUER_NOT_FOUND, "Issuer couldn't be found"
-error_code VERIFY_CONSTRAINTS, "Error verifing constraints"
+error_code VERIFY_CONSTRAINTS, "Error verifying constraints"
error_code RANGE, "Number too large"
-error_code NAME_CONSTRAINT_ERROR, "Error while verifing name constraints"
+error_code NAME_CONSTRAINT_ERROR, "Error while verifying name constraints"
error_code PATH_TOO_LONG, "Path is too long, failed to find valid anchor"
error_code KU_CERT_MISSING, "Required keyusage for this certificate is missing"
error_code CERT_NOT_FOUND, "Certificate not found"
@@ -32,10 +32,10 @@ error_code PARENT_IS_CA, "Parent certificate is a CA"
error_code EXTRA_DATA_AFTER_STRUCTURE, "Extra data was found after the structure"
error_code PROXY_CERT_INVALID, "Proxy certificate is invalid"
error_code PROXY_CERT_NAME_WRONG, "Proxy certificate name is wrong"
-error_code NAME_MALFORMED, "Name is malformated"
-error_code CERTIFICATE_MALFORMED, "Certificate is malformated"
+error_code NAME_MALFORMED, "Name is malformed"
+error_code CERTIFICATE_MALFORMED, "Certificate is malformed"
error_code CERTIFICATE_MISSING_EKU, "Certificate is missing a required EKU"
-error_code PROXY_CERTIFICATE_NOT_CANONICALIZED, "Proxy certificate not canonicalize"
+error_code PROXY_CERTIFICATE_NOT_CANONICALIZED, "Proxy certificate not canonicalized"
# cms related errors
index 32
@@ -58,9 +58,9 @@ error_code SIGNATURE_MISSING, "Signature missing for data"
error_code BAD_SIGNATURE, "Signature is not valid"
error_code SIG_NO_CONF, "Sigature doesn't provide confidentiality"
error_code SIG_INVALID_FORMAT, "Invalid format on signature"
-error_code OID_MISMATCH, "Mismatch bewteen oids"
+error_code OID_MISMATCH, "Mismatch between oids"
error_code NO_PROMPTER, "No prompter function defined"
-error_code SIGNATURE_WITHOUT_SIGNER, "Signature require signer, but non available"
+error_code SIGNATURE_WITHOUT_SIGNER, "Signature requires signer, but none available"
error_code RSA_PUBLIC_ENCRYPT, "RSA public encyption failed"
error_code RSA_PRIVATE_ENCRYPT, "RSA private encyption failed"
error_code RSA_PUBLIC_DECRYPT, "RSA public decryption failed"
@@ -100,4 +100,10 @@ error_code OPEN_SESSION, "Failed to open session to slot"
error_code LOGIN, "Failed to login to slot"
error_code LOAD, "Failed to load PKCS module"
+# pkinit related errors
+error_code PIN_INCORRECT, "Incorrect User PIN"
+error_code PIN_LOCKED, "User PIN locked"
+error_code PIN_NOT_INITIALIZED, "User PIN not initialized"
+error_code PIN_EXPIRED, "User PIN expired"
+
end
diff --git a/lib/hx509/hx_locl.h b/lib/hx509/hx_locl.h
index a0a5235c7586..44d241f350ae 100644
--- a/lib/hx509/hx_locl.h
+++ b/lib/hx509/hx_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004 - 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -70,14 +70,24 @@
#include <der.h>
+/*
+ * We use OpenSSL for EC, but to do this we need to disable cross-references
+ * between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
+ * must define HEIM_NO_CRYPTO_HDRS before including this file.
+ */
+
#define HC_DEPRECATED_CRYPTO
+#ifndef HEIM_NO_CRYPTO_HDRS
#include "crypto-headers.h"
+#endif
struct hx509_keyset_ops;
struct hx509_collector;
struct hx509_generate_private_context;
typedef struct hx509_path hx509_path;
+#include <heimbase.h>
+
#include <hx509.h>
typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *);
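Review bot: The new comment tells EC sources to define HEIM_NO_CRYPTO_HDRS, but it does not say that such a file must then provide the crypto types itself. The structs this commit exposes in the later `@@ -212,6 +222,95 @@` hunk of this header use `RSA`, `BIGNUM` and `EVP_MD`, which presumably come from crypto-headers.h when it is included. Suggest adding a sentence to the comment such as `Such files must include the OpenSSL headers declaring RSA, BIGNUM and EVP_MD before including hx_locl.h.` The `#include <heimbase.h>` added here also looks redundant, since the hx509.h hunk of this commit adds the same include.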
@@ -186,7 +196,7 @@ struct hx509_context_data {
#define HX509_CTX_VERIFY_MISSING_OK 1
int ocsp_time_diff;
#define HX509_DEFAULT_OCSP_TIME_DIFF (5*60)
- hx509_error error;
+ heim_error_t error;
struct et_list *et_list;
char *querystat;
hx509_certs default_trust_anchors;
@@ -212,6 +222,95 @@ extern const AlgorithmIdentifier * _hx509_crypto_default_digest_alg;
extern const AlgorithmIdentifier * _hx509_crypto_default_secret_alg;
/*
+ * Private bits from crypto.c, so crypto-ec.c can also see them.
+ *
+ * This is part of the use-OpenSSL-for-EC hack.
+ */
+
+struct hx509_crypto;
+
+struct signature_alg;
+
+struct hx509_generate_private_context {
+ const heim_oid *key_oid;
+ int isCA;
+ unsigned long num_bits;
+};
+
+struct hx509_private_key_ops {
+ const char *pemtype;
+ const heim_oid *key_oid;
+ int (*available)(const hx509_private_key,
+ const AlgorithmIdentifier *);
+ int (*get_spki)(hx509_context,
+ const hx509_private_key,
+ SubjectPublicKeyInfo *);
+ int (*export)(hx509_context context,
+ const hx509_private_key,
+ hx509_key_format_t,
+ heim_octet_string *);
+ int (*import)(hx509_context, const AlgorithmIdentifier *,
+ const void *, size_t, hx509_key_format_t,
+ hx509_private_key);
+ int (*generate_private_key)(hx509_context,
+ struct hx509_generate_private_context *,
+ hx509_private_key);
+ BIGNUM *(*get_internal)(hx509_context, hx509_private_key, const char *);
+};
+
+struct hx509_private_key {
+ unsigned int ref;
+ const struct signature_alg *md;
+ const heim_oid *signature_alg;
+ union {
+ RSA *rsa;
+ void *keydata;
+ void *ecdsa; /* EC_KEY */
+ } private_key;
+ hx509_private_key_ops *ops;
+};
+
+/*
+ *
+ */
+
+struct signature_alg {
+ const char *name;
+ const heim_oid *sig_oid;
+ const AlgorithmIdentifier *sig_alg;
+ const heim_oid *key_oid;
+ const AlgorithmIdentifier *digest_alg;
+ int flags;
+#define PROVIDE_CONF 0x1
+#define REQUIRE_SIGNER 0x2
+#define SELF_SIGNED_OK 0x4
+#define WEAK_SIG_ALG 0x8
+
+#define SIG_DIGEST 0x100
+#define SIG_PUBLIC_SIG 0x200
+#define SIG_SECRET 0x400
+
+#define RA_RSA_USES_DIGEST_INFO 0x1000000
+
+ time_t best_before; /* refuse signature made after best before date */
+ const EVP_MD *(*evp_md)(void);
+ int (*verify_signature)(hx509_context context,
+ const struct signature_alg *,
+ const Certificate *,
+ const AlgorithmIdentifier *,
+ const heim_octet_string *,
+ const heim_octet_string *);
+ int (*create_signature)(hx509_context,
+ const struct signature_alg *,
+ const hx509_private_key,
+ const AlgorithmIdentifier *,
+ const heim_octet_string *,
+ AlgorithmIdentifier *,
+ heim_octet_string *);
+ int digest_size;
+};
+
+/*
* Configurable options
*/
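Review bot: struct signature_alg is introduced under an empty `/* * */` comment, and none of its flag bits (`PROVIDE_CONF` through `RA_RSA_USES_DIGEST_INFO`) is explained. Only `best_before` has a comment, yet `WEAK_SIG_ALG` and `SELF_SIGNED_OK` look like they influence which signatures are accepted. Replace the empty comment with a description such as `/* One signature/digest algorithm: its OIDs, flag bits and the verify/create callbacks. */` and add a one-line comment per flag group. This matters more now that crypto-ec.c shares the definition through this header.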
diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index ab517224ecd7..49e392d038ef 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -107,7 +107,7 @@ command = {
option = {
long = "embedded-certs"
type = "-flag"
- help = "dont embedded certficiates"
+ help = "don't embed certificates"
}
option = {
long = "embed-leaf-only"
@@ -409,6 +409,17 @@ command = {
help = "Print the OCSP responses"
}
command = {
+ name = "revoke-print"
+ option = {
+ long = "verbose"
+ type = "flag"
+ help = "verbose"
+ }
+ min_args="1"
+ argument="ocsp/crl files"
+ help = "Print the OCSP/CRL files"
+}
+command = {
name = "request-create"
option = {
long = "subject"
@@ -624,6 +635,11 @@ command = {
help = "Lifetime of certificate"
}
option = {
+ long = "signature-algorithm"
+ type = "string"
+ help = "Signature algorithm to use"
+ }
+ option = {
long = "serial-number"
type = "string"
help = "serial-number of certificate"
@@ -646,7 +662,7 @@ command = {
}
option = {
long = "pk-init-principal"
- type = "string"
+ type = "strings"
help = "PK-INIT principal (for SAN)"
}
option = {
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index 4bd467f4284a..0a7048bdf428 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2016 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -372,9 +372,9 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
infile = argv[0];
if (argc < 2) {
- asprintf(&outfile, "%s.%s", infile,
- opt->pem_flag ? "pem" : "cms-signeddata");
- if (outfile == NULL)
+ ret = asprintf(&outfile, "%s.%s", infile,
+ opt->pem_flag ? "pem" : "cms-signeddata");
+ if (ret == -1 || outfile == NULL)
errx(1, "out of memory");
} else
outfile = argv[1];
@@ -1135,6 +1135,45 @@ ocsp_print(struct ocsp_print_options *opt, int argc, char **argv)
return 0;
}
+int
+revoke_print(struct revoke_print_options *opt, int argc, char **argv)
+{
+ hx509_revoke_ctx revoke_ctx;
+ int ret;
+
+ ret = hx509_revoke_init(context, &revoke_ctx);
+ if (ret)
+ errx(1, "hx509_revoke_init: %d", ret);
+
+ while(argc--) {
+ char *s = *argv++;
+
+ if (strncmp(s, "crl:", 4) == 0) {
+ s += 4;
+
+ ret = hx509_revoke_add_crl(context, revoke_ctx, s);
+ if (ret)
+ errx(1, "hx509_revoke_add_crl: %s: %d", s, ret);
+
+ } else if (strncmp(s, "ocsp:", 4) == 0) {
+ s += 5;
+
+ ret = hx509_revoke_add_ocsp(context, revoke_ctx, s);
+ if (ret)
+ errx(1, "hx509_revoke_add_ocsp: %s: %d", s, ret);
+
+ } else {
+ errx(1, "unknown option to verify: `%s'\n", s);
+ }
+ }
+
+ ret = hx509_revoke_print(context, revoke_ctx, stdout);
+ if (ret)
+ warnx("hx509_revoke_print: %d", ret);
+
+ return ret;
+}
+
/*
*
*/
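Review bot: In revoke_print the OCSP branch compares only four characters, `strncmp(s, "ocsp:", 4)`, but then advances by five with `s += 5`. An argument that is exactly `ocsp` therefore moves the pointer past its terminating NUL, and any `ocspX...` argument is accepted with its fifth character dropped. The compare length should match the prefix: `} else if (strncmp(s, "ocsp:", 5) == 0) {`. Two smaller points in the same function: the fallback message still says "unknown option to verify" although this is the revoke-print command, and revoke_ctx is never released with hx509_revoke_free() before returning.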
@@ -1394,7 +1433,7 @@ info(void *opt, int argc, char **argv)
if (m != NULL)
printf("dh: %s\n", m->name);
}
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_HCRYPTO_W_OPENSSL
{
printf("ecdsa: ECDSA_METHOD-not-export\n");
}
@@ -1692,12 +1731,13 @@ eval_types(hx509_context contextp,
}
}
- if (opt->pk_init_principal_string) {
+ for (i = 0; i < opt->pk_init_principal_strings.num_strings; i++) {
+ const char *pk_init_princ = opt->pk_init_principal_strings.strings[i];
+
if (!ctopt.pkinit)
errx(1, "pk-init principal given but no pk-init oid");
- ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs,
- opt->pk_init_principal_string);
+ ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs, pk_init_princ);
if (ret)
hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_pkinit");
}
@@ -1888,6 +1928,17 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
if (ret)
hx509_err(context, 1, ret, "hx509_ca_tbs_init");
+ if (opt->signature_algorithm_string) {
+ const AlgorithmIdentifier *sigalg;
+ if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha1") == 0)
+ sigalg = hx509_signature_rsa_with_sha1();
+ else if (strcasecmp(opt->signature_algorithm_string, "rsa-with-sha256") == 0)
+ sigalg = hx509_signature_rsa_with_sha256();
+ else
+ errx(1, "unsupported sigature algorithm");
+ hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);
+ }
+
if (opt->template_certificate_string) {
hx509_cert template;
hx509_certs tcerts;
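Review bot: The result of `hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg)` is discarded, while the neighbouring calls in hxtool_ca report failures through hx509_err(). If the setter can fail (its prototype is not in this hunk), the certificate would be signed with the default algorithm without any message. Suggest `ret = hx509_ca_tbs_set_signature_algorithm(context, tbs, sigalg);` followed by `if (ret) hx509_err(context, 1, ret, "hx509_ca_tbs_set_signature_algorithm");`. The error text has a typo (`sigature`), and because `rsa-with-sha1` is accepted for newly issued certificates, a short comment saying why it is still offered would help the next reader. hxtool_ca starts and ends outside the hunk.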
diff --git a/lib/hx509/keyset.c b/lib/hx509/keyset.c
index c0275d949d06..ed5b22b981d3 100644
--- a/lib/hx509/keyset.c
+++ b/lib/hx509/keyset.c
@@ -107,6 +107,8 @@ _hx509_ks_register(hx509_context context, struct hx509_keyset_ops *ops)
* select no password/certifictes/prompt lock (see @ref page_lock).
* @param certs return pointer, free with hx509_certs_free().
*
+ * @return Returns an hx509 error code.
+ *
* @ingroup hx509_keyset
*/
@@ -318,8 +320,8 @@ hx509_certs_end_seq(hx509_context context,
}
/**
- * Iterate over all certificates in a keystore and call an function
- * for each fo them.
+ * Iterate over all certificates in a keystore and call a function
+ * for each of them.
*
* @param context a hx509 context.
* @param certs certificate store to iterate over.
@@ -366,21 +368,6 @@ hx509_certs_iter_f(hx509_context context,
return ret;
}
-/**
- * Iterate over all certificates in a keystore and call an function
- * for each fo them.
- *
- * @param context a hx509 context.
- * @param certs certificate store to iterate over.
- * @param func function to call for each certificate. The function
- * should return non-zero to abort the iteration, that value is passed
- * back to the caller of hx509_certs_iter().
- *
- * @return Returns an hx509 error code.
- *
- * @ingroup hx509_keyset
- */
-
#ifdef __BLOCKS__
static int
@@ -391,8 +378,8 @@ certs_iter(hx509_context context, void *ctx, hx509_cert cert)
}
/**
- * Iterate over all certificates in a keystore and call an block
- * for each fo them.
+ * Iterate over all certificates in a keystore and call a block
+ * for each of them.
*
* @param context a hx509 context.
* @param certs certificate store to iterate over.
@@ -752,11 +739,12 @@ _hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
{
va_list ap;
char *str;
+ int ret;
va_start(ap, fmt);
- vasprintf(&str, fmt, ap);
+ ret = vasprintf(&str, fmt, ap);
va_end(ap);
- if (str == NULL)
+ if (ret == -1 || str == NULL)
return;
(*func)(ctx, str);
free(str);
diff --git a/lib/hx509/ks_dir.c b/lib/hx509/ks_dir.c
index 264b1bf552d8..1740dfe42c74 100644
--- a/lib/hx509/ks_dir.c
+++ b/lib/hx509/ks_dir.c
@@ -211,7 +211,10 @@ static struct hx509_keyset_ops keyset_dir = {
NULL,
dir_iter_start,
dir_iter,
- dir_iter_end
+ dir_iter_end,
+ NULL,
+ NULL,
+ NULL
};
void
diff --git a/lib/hx509/ks_file.c b/lib/hx509/ks_file.c
index d21d88928708..642dd173b53c 100644
--- a/lib/hx509/ks_file.c
+++ b/lib/hx509/ks_file.c
@@ -52,12 +52,16 @@ parse_certificate(hx509_context context, const char *fn,
const void *data, size_t len,
const AlgorithmIdentifier *ai)
{
+ heim_error_t error = NULL;
hx509_cert cert;
int ret;
- ret = hx509_cert_init_data(context, data, len, &cert);
- if (ret)
+ cert = hx509_cert_init_data(context, data, len, &error);
+ if (cert == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
return ret;
+ }
ret = _hx509_collector_certs_add(context, c, cert);
hx509_cert_free(cert);
@@ -92,9 +96,10 @@ try_decrypt(hx509_context context,
password, passwordlen,
1, key, NULL);
if (ret <= 0) {
- hx509_set_error_string(context, 0, HX509_CRYPTO_INTERNAL_ERROR,
+ ret = HX509_CRYPTO_INTERNAL_ERROR;
+ hx509_set_error_string(context, 0, ret,
"Failed to do string2key for private key");
- return HX509_CRYPTO_INTERNAL_ERROR;
+ goto out;
}
clear.data = malloc(len);
@@ -315,7 +320,9 @@ struct pem_formats {
{ "CERTIFICATE", parse_certificate, NULL },
{ "PRIVATE KEY", parse_pkcs8_private_key, NULL },
{ "RSA PRIVATE KEY", parse_pem_private_key, hx509_signature_rsa },
+#ifdef HAVE_HCRYPTO_W_OPENSSL
{ "EC PRIVATE KEY", parse_pem_private_key, hx509_signature_ecPublicKey }
+#endif
};
diff --git a/lib/hx509/ks_keychain.c b/lib/hx509/ks_keychain.c
index 0552d8f7e97a..9b8224f1d237 100644
--- a/lib/hx509/ks_keychain.c
+++ b/lib/hx509/ks_keychain.c
@@ -35,6 +35,9 @@
#ifdef HAVE_FRAMEWORK_SECURITY
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+
#include <Security/Security.h>
/* Missing function decls in pre Leopard */
@@ -246,6 +249,7 @@ static const RSA_METHOD kc_rsa_pkcs1_method = {
0,
NULL,
NULL,
+ NULL,
NULL
};
@@ -340,11 +344,13 @@ keychain_init(hx509_context context,
if (ret != noErr) {
hx509_set_error_string(context, 0, ENOENT,
"Failed to open %s", residue);
+ free(ctx);
return ENOENT;
}
} else {
hx509_set_error_string(context, 0, ENOENT,
"Unknown subtype %s", residue);
+ free(ctx);
return ENOENT;
}
}
@@ -420,8 +426,8 @@ keychain_iter_start(hx509_context context,
SecCertificateGetData(cr, &cssm);
- ret = hx509_cert_init_data(context, cssm.Data, cssm.Length, &cert);
- if (ret)
+ cert = hx509_cert_init_data(context, cssm.Data, cssm.Length, NULL);
+ if (cert == NULL)
continue;
ret = hx509_certs_add(context, iter->certs, cert);
@@ -470,6 +476,7 @@ keychain_iter(hx509_context context,
UInt32 attrFormat[1] = { 0 };
SecKeychainItemRef itemRef;
SecItemAttr item[1];
+ heim_error_t error = NULL;
struct iter *iter = cursor;
OSStatus ret;
UInt32 len;
@@ -501,9 +508,12 @@ keychain_iter(hx509_context context,
if (ret)
return EINVAL;
- ret = hx509_cert_init_data(context, ptr, len, cert);
- if (ret)
+ *cert = hx509_cert_init_data(context, ptr, len, &error);
+ if (*cert == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
goto out;
+ }
/*
* Find related private key if there is one by looking at
@@ -586,9 +596,14 @@ struct hx509_keyset_ops keyset_keychain = {
NULL,
keychain_iter_start,
keychain_iter,
- keychain_iter_end
+ keychain_iter_end,
+ NULL,
+ NULL,
+ NULL
};
+#pragma clang diagnostic pop
+
#endif /* HAVE_FRAMEWORK_SECURITY */
/*
diff --git a/lib/hx509/ks_null.c b/lib/hx509/ks_null.c
index 136d2d43459f..5ac0beb7bf91 100644
--- a/lib/hx509/ks_null.c
+++ b/lib/hx509/ks_null.c
@@ -87,7 +87,10 @@ struct hx509_keyset_ops keyset_null = {
NULL,
null_iter_start,
null_iter,
- null_iter_end
+ null_iter_end,
+ NULL,
+ NULL,
+ NULL
};
void
diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c
index 120bf43ef437..1b2309e20d50 100644
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -38,7 +38,7 @@
#ifdef HAVE_DLOPEN
-#include "pkcs11.h"
+#include "ref/pkcs11.h"
struct p11_slot {
int flags;
@@ -65,6 +65,7 @@ struct p11_module {
CK_FUNCTION_LIST_PTR funcs;
CK_ULONG num_slots;
unsigned int ref;
+ unsigned int selected_slot;
struct p11_slot *slot;
};
@@ -226,6 +227,7 @@ static const RSA_METHOD p11_rsa_pkcs1_method = {
0,
NULL,
NULL,
+ NULL,
NULL
};
@@ -330,8 +332,10 @@ p11_init_slot(hx509_context context,
break;
}
- asprintf(&slot->name, "%.*s",
- (int)i, slot_info.slotDescription);
+ ret = asprintf(&slot->name, "%.*s", (int)i,
+ slot_info.slotDescription);
+ if (ret == -1)
+ return ENOMEM;
if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
return 0;
@@ -340,7 +344,7 @@ p11_init_slot(hx509_context context,
if (ret) {
hx509_set_error_string(context, 0, HX509_PKCS11_NO_TOKEN,
"Failed to init PKCS11 slot %d "
- "with error 0x08x",
+ "with error 0x%08x",
num, ret);
return HX509_PKCS11_NO_TOKEN;
}
@@ -422,7 +426,12 @@ p11_get_session(hx509_context context,
memset(&prompt, 0, sizeof(prompt));
- asprintf(&str, "PIN code for %s: ", slot->name);
+ ret = asprintf(&str, "PIN code for %s: ", slot->name);
+ if (ret == -1 || str == NULL) {
+ if (context)
+ hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+ return ENOMEM;
+ }
prompt.prompt = str;
prompt.type = HX509_PROMPT_TYPE_PASSWORD;
prompt.reply.data = pin;
@@ -451,7 +460,18 @@ p11_get_session(hx509_context context,
"Failed to login on slot id %d "
"with error: 0x%08x",
(int)slot->id, ret);
- return HX509_PKCS11_LOGIN;
+ switch(ret) {
+ case CKR_PIN_LOCKED:
+ return HX509_PKCS11_PIN_LOCKED;
+ case CKR_PIN_EXPIRED:
+ return HX509_PKCS11_PIN_EXPIRED;
+ case CKR_PIN_INCORRECT:
+ return HX509_PKCS11_PIN_INCORRECT;
+ case CKR_USER_PIN_NOT_INITIALIZED:
+ return HX509_PKCS11_PIN_NOT_INITIALIZED;
+ default:
+ return HX509_PKCS11_LOGIN;
+ }
} else
slot->flags |= P11_LOGIN_DONE;
@@ -680,6 +700,7 @@ collect_cert(hx509_context context,
void *ptr, CK_ATTRIBUTE *query, int num_query)
{
struct hx509_collector *collector = ptr;
+ heim_error_t error = NULL;
hx509_cert cert;
int ret;
@@ -689,10 +710,13 @@ collect_cert(hx509_context context,
return 0;
}
- ret = hx509_cert_init_data(context, query[1].pValue,
- query[1].ulValueLen, &cert);
- if (ret)
+ cert = hx509_cert_init_data(context, query[1].pValue,
+ query[1].ulValueLen, &error);
+ if (cert == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
return ret;
+ }
if (p->ref == 0)
_hx509_abort("pkcs11 ref == 0 on alloc");
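Review bot: In collect_cert the failure path returns whatever `heim_error_get_code(error)` yields, so the return value depends on `hx509_cert_init_data` always filling in `error` with a non-zero code. That guarantee is not visible in this hunk. If the code could ever be 0, the function would report success with `cert == NULL`, so a defensive fallback such as `if (ret == 0) ret = ENOMEM;` before `return ret;` keeps the contract local. The same pattern is added to certBag_parser in lib/hx509/ks_p12.c. Both function bodies continue outside their hunks.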
@@ -717,9 +741,9 @@ collect_cert(hx509_context context,
if ((CK_LONG)query[2].ulValueLen != -1) {
char *str;
- asprintf(&str, "%.*s",
- (int)query[2].ulValueLen, (char *)query[2].pValue);
- if (str) {
+ ret = asprintf(&str, "%.*s",
+ (int)query[2].ulValueLen, (char *)query[2].pValue);
+ if (ret != -1 && str) {
hx509_cert_set_friendly_name(cert, str);
free(str);
}
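Review bot: The precision passed to `"%.*s"` is `(int)query[2].ulValueLen`, a length reported by the PKCS#11 module. The only check on it is the `(CK_LONG) ... != -1` test. A value above INT_MAX becomes a negative precision after the cast, which printf treats as if no precision were given, so the copy would run to the first NUL byte in a buffer that is probably not NUL-terminated. Bounding the length first, for example `if ((CK_LONG)query[2].ulValueLen != -1 && query[2].ulValueLen <= INT_MAX)`, removes that dependency on the token behaving well. The newly added `ret != -1` test is good, since `str` is indeterminate after a failed asprintf.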
@@ -810,6 +834,7 @@ p11_init(hx509_context context,
}
p->ref = 1;
+ p->selected_slot = 0;
str = strchr(list, ',');
if (str)
@@ -819,15 +844,12 @@ p11_init(hx509_context context,
strnext = strchr(str, ',');
if (strnext)
*strnext++ = '\0';
-#if 0
if (strncasecmp(str, "slot=", 5) == 0)
p->selected_slot = atoi(str + 5);
-#endif
str = strnext;
}
p->dl_handle = dlopen(list, RTLD_NOW);
- free(list);
if (p->dl_handle == NULL) {
ret = HX509_PKCS11_LOAD;
hx509_set_error_string(context, 0, ret,
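Review bot: Enabling the `slot=` option with `atoi(str + 5)` gives no way to detect a malformed value, and the result is stored in the `unsigned int selected_slot`. A non-numeric value silently becomes 0, which the new code treats as "no slot selected", and a negative value wraps to a very large number that matches no slot. Parsing with `strtoul(str + 5, &end, 10)` and rejecting the option when `end == str + 5 || *end != '\0'` or the value is out of range would make a typo an error instead of a silent change in which token is used. The loop added further down compares against `selected_slot - 1`, so the option is 1-based; a comment here saying so would help. p11_init continues outside this hunk.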
@@ -908,11 +930,13 @@ p11_init(hx509_context context,
}
for (i = 0; i < p->num_slots; i++) {
+ if ((p->selected_slot != 0) && (slot_ids[i] != (p->selected_slot - 1)))
+ continue;
ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
- if (ret)
- break;
- if (p->slot[i].flags & P11_TOKEN_PRESENT)
- num_tokens++;
+ if (!ret) {
+ if (p->slot[i].flags & P11_TOKEN_PRESENT)
+ num_tokens++;
+ }
}
free(slot_ids);
if (ret)
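Review bot: With the `break` removed, `ret` after the slot loop only reflects the last slot that was actually initialised. A failure on an earlier slot is now ignored, while a failure on the last one still reaches the `if (ret)` check after `free(slot_ids)`. If every slot is skipped by the `selected_slot` filter, `ret` keeps whatever value it had before the loop. Keeping the per-slot result in a local makes the intent explicit, e.g. `int r = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);` followed by `if (r == 0 && (p->slot[i].flags & P11_TOKEN_PRESENT)) num_tokens++;`, and then deciding separately what the post-loop check should see. Entries of `p->slot[]` for skipped ids are never passed to p11_init_slot; whether the rest of the file tolerates such entries is not visible in this hunk.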
@@ -923,10 +947,14 @@ p11_init(hx509_context context,
}
}
+ free(list);
+
*data = p;
return 0;
out:
+ if (list)
+ free(list);
p11_release_module(p);
return ret;
}
@@ -1176,7 +1204,9 @@ static struct hx509_keyset_ops keyset_pkcs11 = {
p11_iter_start,
p11_iter,
p11_iter_end,
- p11_printinfo
+ p11_printinfo,
+ NULL,
+ NULL
};
#endif /* HAVE_DLOPEN */
diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c
index 0ca13de1eb34..b7df0be32aca 100644
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -130,6 +130,7 @@ certBag_parser(hx509_context context,
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
+ heim_error_t error = NULL;
heim_octet_string os;
hx509_cert cert;
PKCS12_CertBag cb;
@@ -152,10 +153,13 @@ certBag_parser(hx509_context context,
if (ret)
return ret;
- ret = hx509_cert_init_data(context, os.data, os.length, &cert);
+ cert = hx509_cert_init_data(context, os.data, os.length, &error);
der_free_octet_string(&os);
- if (ret)
+ if (cert == NULL) {
+ ret = heim_error_get_code(error);
+ heim_release(error);
return ret;
+ }
ret = _hx509_collector_certs_add(context, c, cert);
if (ret) {
@@ -697,7 +701,10 @@ static struct hx509_keyset_ops keyset_pkcs12 = {
NULL,
p12_iter_start,
p12_iter,
- p12_iter_end
+ p12_iter_end,
+ NULL,
+ NULL,
+ NULL
};
void
diff --git a/lib/hx509/libhx509-exports.def b/lib/hx509/libhx509-exports.def
index f8973a091396..f4417730158c 100644
--- a/lib/hx509/libhx509-exports.def
+++ b/lib/hx509/libhx509-exports.def
@@ -1,3 +1,4 @@
+
EXPORTS
_hx509_cert_assign_key
_hx509_cert_private_key
@@ -51,6 +52,7 @@ EXPORTS
hx509_ca_tbs_set_notBefore
hx509_ca_tbs_set_proxy
hx509_ca_tbs_set_serialnumber
+ hx509_ca_tbs_set_signature_algorithm
hx509_ca_tbs_set_spki
hx509_ca_tbs_set_subject
hx509_ca_tbs_set_template
@@ -196,6 +198,7 @@ EXPORTS
hx509_revoke_free
hx509_revoke_init
hx509_revoke_ocsp_print
+ hx509_revoke_print
hx509_revoke_verify
hx509_set_error_string
hx509_set_error_stringv
diff --git a/lib/hx509/lock.c b/lib/hx509/lock.c
index b72d45962b62..52f72dba1b71 100644
--- a/lib/hx509/lock.c
+++ b/lib/hx509/lock.c
@@ -47,7 +47,10 @@ struct hx509_lock_data {
};
static struct hx509_lock_data empty_lock_data = {
- { 0, NULL }
+ { 0, NULL },
+ NULL,
+ NULL,
+ NULL
};
hx509_lock _hx509_empty_lock = &empty_lock_data;
diff --git a/lib/hx509/name.c b/lib/hx509/name.c
index efd7b703422f..ee192e593a90 100644
--- a/lib/hx509/name.c
+++ b/lib/hx509/name.c
@@ -238,15 +238,22 @@ _hx509_Name_to_string(const Name *n, char **str)
size_t k;
ret = wind_ucs2utf8_length(bmp, bmplen, &k);
- if (ret)
+ if (ret) {
+ free(oidname);
+ free(*str);
+ *str = NULL;
return ret;
+ }
ss = malloc(k + 1);
if (ss == NULL)
_hx509_abort("allocation failure"); /* XXX */
ret = wind_ucs2utf8(bmp, bmplen, ss, NULL);
if (ret) {
+ free(oidname);
free(ss);
+ free(*str);
+ *str = NULL;
return ret;
}
ss[k] = '\0';
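Review bot: The cleanup `free(oidname); free(*str); *str = NULL; return ret;` is now written out four times in _hx509_Name_to_string, here and in the two following hunks. The last copy frees in a different order, which makes it easy for a future error path to miss one of the three. A single exit path would keep the leak fix in one place: set `ret`, free the branch-local `ss` where it exists, and `goto` a shared label that frees `oidname` and `*str`. A short comment that `*str` is owned by this function until it returns 0 would also explain why it is reset to NULL. The function body starts and ends outside these hunks.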
@@ -263,8 +270,12 @@ _hx509_Name_to_string(const Name *n, char **str)
size_t k;
ret = wind_ucs4utf8_length(uni, unilen, &k);
- if (ret)
+ if (ret) {
+ free(oidname);
+ free(*str);
+ *str = NULL;
return ret;
+ }
ss = malloc(k + 1);
if (ss == NULL)
@@ -272,6 +283,9 @@ _hx509_Name_to_string(const Name *n, char **str)
ret = wind_ucs4utf8(uni, unilen, ss, NULL);
if (ret) {
free(ss);
+ free(oidname);
+ free(*str);
+ *str = NULL;
return ret;
}
ss[k] = '\0';
@@ -966,7 +980,7 @@ hx509_general_name_unparse(GeneralName *name, char **str)
char *s;
int ret;
memset(&dir, 0, sizeof(dir));
- dir.element = name->u.directoryName.element;
+ dir.element = (enum Name_enum)name->u.directoryName.element;
dir.u.rdnSequence = name->u.directoryName.u.rdnSequence;
ret = _hx509_unparse_Name(&dir, &s);
if (ret)
diff --git a/lib/hx509/print.c b/lib/hx509/print.c
index 1e8bcabfa7e9..4d2c3e2a421d 100644
--- a/lib/hx509/print.c
+++ b/lib/hx509/print.c
@@ -969,7 +969,7 @@ hx509_validate_cert(hx509_context context,
}
validate_print(ctx,
HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
- "checking extention: %s\n",
+ "checking extension: %s\n",
check_extension[j].name);
(*check_extension[j].func)(ctx,
&status,
@@ -977,7 +977,7 @@ hx509_validate_cert(hx509_context context,
&t->extensions->val[i]);
}
} else
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extensions\n");
if (status.isca) {
if (!status.haveSKI)
diff --git a/lib/hx509/ref/pkcs11.h b/lib/hx509/ref/pkcs11.h
index 2e6a1e3ed307..a294c5e94e5c 100644
--- a/lib/hx509/ref/pkcs11.h
+++ b/lib/hx509/ref/pkcs11.h
@@ -64,8 +64,9 @@ extern "C" {
(you may use a macro with a different name to keep track of your
versions). */
#define CRYPTOKI_VERSION_MAJOR 2
-#define CRYPTOKI_VERSION_MINOR 20
-#define CRYPTOKI_VERSION_REVISION 6
+#define CRYPTOKI_VERSION_MINOR 30
+#define CRYPTOKI_VERSION_REVISION 0
+#define CRYPTOKI_VERSION_AMENDMENT 0
/* Compatibility interface is default, unless CRYPTOKI_GNU is
@@ -91,7 +92,11 @@ extern "C" {
#else
+#if defined(CRYPTOKI_VISIBILITY) && defined(CRYPTOKI_EXPORTS)
+#define CK_SPEC __attribute__((visibility("default")))
+#else
#define CK_SPEC
+#endif
#endif
@@ -162,6 +167,34 @@ extern "C" {
#define min_key_size ulMinKeySize
#define max_key_size ulMaxKeySize
+#define hash_alg hashAlg
+#define source_data pSourceData
+#define source_data_len ulSourceDataLen
+
+#define slen sLen
+
+#define ck_ec_kdf_type_t CK_EC_KDF_TYPE
+
+#define shared_data_len ulSharedDataLen
+#define shared_data pSharedData
+#define public_data_len ulPublicDataLen
+#define public_data pPublicData
+
+#define private_data_len ulPrivateDataLen
+#define private_data hPrivateData
+#define public_data_len2 ulPublicDataLen2
+#define public_data2 pPublicData2
+
+#define public_key publicKey
+
+#define ck_x9_42_dh_kdf_type_t CK_X9_42_DH_KDF_TYPE
+
+#define other_info_len ulOtherInfoLen
+#define other_info pOtherInfo
+
+#define data pData
+#define len ulLen
+
#define ck_rv_t CK_RV
#define ck_notify_t CK_NOTIFY
@@ -205,7 +238,7 @@ struct ck_info
typedef unsigned long ck_notification_t;
#define CKN_SURRENDER (0)
-
+#define CKN_OTP_CHANGED (1)
typedef unsigned long ck_slot_id_t;
@@ -267,6 +300,7 @@ struct ck_token_info
#define CKF_SO_PIN_FINAL_TRY (1 << 21)
#define CKF_SO_PIN_LOCKED (1 << 22)
#define CKF_SO_PIN_TO_BE_CHANGED (1 << 23)
+#define CKF_ERROR_STATE (1 << 24)
#define CK_UNAVAILABLE_INFORMATION ((unsigned long) -1)
#define CK_EFFECTIVELY_INFINITE (0)
@@ -318,7 +352,8 @@ typedef unsigned long ck_object_class_t;
#define CKO_HW_FEATURE (5)
#define CKO_DOMAIN_PARAMETERS (6)
#define CKO_MECHANISM (7)
-#define CKO_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKO_OTP_KEY (8)
+#define CKO_VENDOR_DEFINED ((unsigned long) (1ul << 31))
typedef unsigned long ck_hw_feature_type_t;
@@ -326,7 +361,7 @@ typedef unsigned long ck_hw_feature_type_t;
#define CKH_MONOTONIC_COUNTER (1)
#define CKH_CLOCK (2)
#define CKH_USER_INTERFACE (3)
-#define CKH_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKH_VENDOR_DEFINED ((unsigned long) (1ul << 31))
typedef unsigned long ck_key_type_t;
@@ -346,6 +381,7 @@ typedef unsigned long ck_key_type_t;
#define CKK_DES3 (0x15)
#define CKK_CAST (0x16)
#define CKK_CAST3 (0x17)
+#define CKK_CAST5 (0x18)
#define CKK_CAST128 (0x18)
#define CKK_RC5 (0x19)
#define CKK_IDEA (0x1a)
@@ -356,7 +392,24 @@ typedef unsigned long ck_key_type_t;
#define CKK_AES (0x1f)
#define CKK_BLOWFISH (0x20)
#define CKK_TWOFISH (0x21)
-#define CKK_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKK_SECURID (0x22)
+#define CKK_HOTP (0x23)
+#define CKK_ACTI (0x24)
+#define CKK_CAMELLIA (0x25)
+#define CKK_ARIA (0x26)
+#define CKK_MD5_HMAC (0x27)
+#define CKK_SHA_1_HMAC (0x28)
+#define CKK_RIPEMD128_HMAC (0x29)
+#define CKK_RIPEMD160_HMAC (0x2A)
+#define CKK_SHA256_HMAC (0x2B)
+#define CKK_SHA384_HMAC (0x2C)
+#define CKK_SHA512_HMAC (0x2D)
+#define CKK_SHA224_HMAC (0x2E)
+#define CKK_SEED (0x2F)
+#define CKK_GOSTR3410 (0x30)
+#define CKK_GOSTR3411 (0x31)
+#define CKK_GOST28147 (0x32)
+#define CKK_VENDOR_DEFINED ((unsigned long) (1ul << 31))
typedef unsigned long ck_certificate_type_t;
@@ -364,8 +417,17 @@ typedef unsigned long ck_certificate_type_t;
#define CKC_X_509 (0)
#define CKC_X_509_ATTR_CERT (1)
#define CKC_WTLS (2)
-#define CKC_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKC_VENDOR_DEFINED ((unsigned long) (1ul << 31))
+#define CKC_OPENPGP (CKC_VENDOR_DEFINED|0x00504750)
+
+#define CK_OTP_FORMAT_DECIMAL (0)
+#define CK_OTP_FORMAT_HEXADECIMAL (1)
+#define CK_OTP_FORMAT_ALPHANUMERIC (2)
+#define CK_OTP_FORMAT_BINARY (3)
+#define CK_OTP_PARAM_IGNORED (0)
+#define CK_OTP_PARAM_OPTIONAL (1)
+#define CK_OTP_PARAM_MANDATORY (2)
typedef unsigned long ck_attribute_type_t;
@@ -388,6 +450,7 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_URL (0x89)
#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY (0x8a)
#define CKA_HASH_OF_ISSUER_PUBLIC_KEY (0x8b)
+#define CKA_NAME_HASH_ALGORITHM (0x8c)
#define CKA_CHECK_VALUE (0x90)
#define CKA_KEY_TYPE (0x100)
#define CKA_SUBJECT (0x101)
@@ -418,6 +481,7 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_BASE (0x132)
#define CKA_PRIME_BITS (0x133)
#define CKA_SUB_PRIME_BITS (0x134)
+#define CKA_SUBPRIME_BITS (0x134)
#define CKA_VALUE_BITS (0x160)
#define CKA_VALUE_LEN (0x161)
#define CKA_EXTRACTABLE (0x162)
@@ -426,6 +490,7 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_ALWAYS_SENSITIVE (0x165)
#define CKA_KEY_GEN_MECHANISM (0x166)
#define CKA_MODIFIABLE (0x170)
+#define CKA_COPYABLE (0x171)
#define CKA_ECDSA_PARAMS (0x180)
#define CKA_EC_PARAMS (0x180)
#define CKA_EC_POINT (0x181)
@@ -433,6 +498,23 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_AUTH_PIN_FLAGS (0x201)
#define CKA_ALWAYS_AUTHENTICATE (0x202)
#define CKA_WRAP_WITH_TRUSTED (0x210)
+#define CKA_OTP_FORMAT (0x220)
+#define CKA_OTP_LENGTH (0x221)
+#define CKA_OTP_TIME_INTERVAL (0x222)
+#define CKA_OTP_USER_FRIENDLY_MODE (0x223)
+#define CKA_OTP_CHALLENGE_REQUIREMENT (0x224)
+#define CKA_OTP_TIME_REQUIREMENT (0x225)
+#define CKA_OTP_COUNTER_REQUIREMENT (0x226)
+#define CKA_OTP_PIN_REQUIREMENT (0x227)
+#define CKA_OTP_COUNTER (0x22E)
+#define CKA_OTP_TIME (0x22F)
+#define CKA_OTP_USER_IDENTIFIER (0x22A)
+#define CKA_OTP_SERVICE_IDENTIFIER (0x22B)
+#define CKA_OTP_SERVICE_LOGO (0x22C)
+#define CKA_OTP_SERVICE_LOGO_TYPE (0x22D)
+#define CKA_GOSTR3410_PARAMS (0x250)
+#define CKA_GOSTR3411_PARAMS (0x251)
+#define CKA_GOST28147_PARAMS (0x252)
#define CKA_HW_FEATURE_TYPE (0x300)
#define CKA_RESET_ON_INIT (0x301)
#define CKA_HAS_RESET (0x302)
@@ -452,8 +534,9 @@ typedef unsigned long ck_attribute_type_t;
#define CKA_SUPPORTED_CMS_ATTRIBUTES (0x503)
#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x211)
#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x212)
+#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x213)
#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE | 0x600)
-#define CKA_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKA_VENDOR_DEFINED ((unsigned long) (1ul << 31))
struct ck_attribute
@@ -492,6 +575,10 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_DSA_KEY_PAIR_GEN (0x10)
#define CKM_DSA (0x11)
#define CKM_DSA_SHA1 (0x12)
+#define CKM_DSA_SHA224 (0x13)
+#define CKM_DSA_SHA256 (0x14)
+#define CKM_DSA_SHA384 (0x15)
+#define CKM_DSA_SHA512 (0x16)
#define CKM_DH_PKCS_KEY_PAIR_GEN (0x20)
#define CKM_DH_PKCS_DERIVE (0x21)
#define CKM_X9_42_DH_KEY_PAIR_GEN (0x30)
@@ -504,6 +591,8 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_SHA256_RSA_PKCS_PSS (0x43)
#define CKM_SHA384_RSA_PKCS_PSS (0x44)
#define CKM_SHA512_RSA_PKCS_PSS (0x45)
+#define CKM_SHA224_RSA_PKCS (0x46)
+#define CKM_SHA224_RSA_PKCS_PSS (0x47)
#define CKM_RC2_KEY_GEN (0x100)
#define CKM_RC2_ECB (0x101)
#define CKM_RC2_CBC (0x102)
@@ -525,12 +614,18 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_DES3_MAC (0x134)
#define CKM_DES3_MAC_GENERAL (0x135)
#define CKM_DES3_CBC_PAD (0x136)
+#define CKM_DES3_CMAC_GENERAL (0x137)
+#define CKM_DES3_CMAC (0x138)
#define CKM_CDMF_KEY_GEN (0x140)
#define CKM_CDMF_ECB (0x141)
#define CKM_CDMF_CBC (0x142)
#define CKM_CDMF_MAC (0x143)
#define CKM_CDMF_MAC_GENERAL (0x144)
#define CKM_CDMF_CBC_PAD (0x145)
+#define CKM_DES_OFB64 (0x150)
+#define CKM_DES_OFB8 (0x151)
+#define CKM_DES_CFB64 (0x152)
+#define CKM_DES_CFB8 (0x153)
#define CKM_MD2 (0x200)
#define CKM_MD2_HMAC (0x201)
#define CKM_MD2_HMAC_GENERAL (0x202)
@@ -549,12 +644,21 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_SHA256 (0x250)
#define CKM_SHA256_HMAC (0x251)
#define CKM_SHA256_HMAC_GENERAL (0x252)
+#define CKM_SHA224 (0x255)
+#define CKM_SHA224_HMAC (0x256)
+#define CKM_SHA224_HMAC_GENERAL (0x257)
#define CKM_SHA384 (0x260)
#define CKM_SHA384_HMAC (0x261)
#define CKM_SHA384_HMAC_GENERAL (0x262)
#define CKM_SHA512 (0x270)
#define CKM_SHA512_HMAC (0x271)
#define CKM_SHA512_HMAC_GENERAL (0x272)
+#define CKM_SECURID_KEY_GEN (0x280)
+#define CKM_SECURID (0x282)
+#define CKM_HOTP_KEY_GEN (0x290)
+#define CKM_HOTP (0x291)
+#define CKM_ACTI (0x2A0)
+#define CKM_ACTI_KEY_GEN (0x2A1)
#define CKM_CAST_KEY_GEN (0x300)
#define CKM_CAST_ECB (0x301)
#define CKM_CAST_CBC (0x302)
@@ -605,11 +709,16 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_TLS_MASTER_KEY_DERIVE (0x375)
#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376)
#define CKM_TLS_MASTER_KEY_DERIVE_DH (0x377)
+#define CKM_TLS_PRF (0x378)
#define CKM_SSL3_MD5_MAC (0x380)
#define CKM_SSL3_SHA1_MAC (0x381)
#define CKM_MD5_KEY_DERIVATION (0x390)
#define CKM_MD2_KEY_DERIVATION (0x391)
#define CKM_SHA1_KEY_DERIVATION (0x392)
+#define CKM_SHA256_KEY_DERIVATION (0x393)
+#define CKM_SHA384_KEY_DERIVATION (0x394)
+#define CKM_SHA512_KEY_DERIVATION (0x395)
+#define CKM_SHA224_KEY_DERIVATION (0x396)
#define CKM_PBE_MD2_DES_CBC (0x3a0)
#define CKM_PBE_MD5_DES_CBC (0x3a1)
#define CKM_PBE_MD5_CAST_CBC (0x3a2)
@@ -626,8 +735,43 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_PBE_SHA1_RC2_40_CBC (0x3ab)
#define CKM_PKCS5_PBKD2 (0x3b0)
#define CKM_PBA_SHA1_WITH_SHA1_HMAC (0x3c0)
+#define CKM_WTLS_PRE_MASTER_KEY_GEN (0x3d0)
+#define CKM_WTLS_MASTER_KEY_DERIVE (0x3d1)
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC (0x3d2)
+#define CKM_WTLS_PRF (0x3d3)
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE (0x3d4)
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE (0x3d5)
#define CKM_KEY_WRAP_LYNKS (0x400)
#define CKM_KEY_WRAP_SET_OAEP (0x401)
+#define CKM_CMS_SIG (0x500)
+#define CKM_KIP_DERIVE (0x510)
+#define CKM_KIP_WRAP (0x511)
+#define CKM_KIP_MAC (0x512)
+#define CKM_CAMELLIA_KEY_GEN (0x550)
+#define CKM_CAMELLIA_ECB (0x551)
+#define CKM_CAMELLIA_CBC (0x552)
+#define CKM_CAMELLIA_MAC (0x553)
+#define CKM_CAMELLIA_MAC_GENERAL (0x554)
+#define CKM_CAMELLIA_CBC_PAD (0x555)
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA (0x556)
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA (0x557)
+#define CKM_CAMELLIA_CTR (0x558)
+#define CKM_ARIA_KEY_GEN (0x560)
+#define CKM_ARIA_ECB (0x561)
+#define CKM_ARIA_CBC (0x562)
+#define CKM_ARIA_MAC (0x563)
+#define CKM_ARIA_MAC_GENERAL (0x564)
+#define CKM_ARIA_CBC_PAD (0x565)
+#define CKM_ARIA_ECB_ENCRYPT_DATA (0x566)
+#define CKM_ARIA_CBC_ENCRYPT_DATA (0x567)
+#define CKM_SEED_KEY_GEN (0x650)
+#define CKM_SEED_ECB (0x651)
+#define CKM_SEED_CBC (0x652)
+#define CKM_SEED_MAC (0x653)
+#define CKM_SEED_MAC_GENERAL (0x654)
+#define CKM_SEED_CBC_PAD (0x655)
+#define CKM_SEED_ECB_ENCRYPT_DATA (0x656)
+#define CKM_SEED_CBC_ENCRYPT_DATA (0x657)
#define CKM_SKIPJACK_KEY_GEN (0x1000)
#define CKM_SKIPJACK_ECB64 (0x1001)
#define CKM_SKIPJACK_CBC64 (0x1002)
@@ -653,6 +797,10 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_EC_KEY_PAIR_GEN (0x1040)
#define CKM_ECDSA (0x1041)
#define CKM_ECDSA_SHA1 (0x1042)
+#define CKM_ECDSA_SHA224 (0x1043)
+#define CKM_ECDSA_SHA256 (0x1044)
+#define CKM_ECDSA_SHA384 (0x1045)
+#define CKM_ECDSA_SHA512 (0x1046)
#define CKM_ECDH1_DERIVE (0x1050)
#define CKM_ECDH1_COFACTOR_DERIVE (0x1051)
#define CKM_ECMQV_DERIVE (0x1052)
@@ -669,10 +817,48 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_AES_MAC (0x1083)
#define CKM_AES_MAC_GENERAL (0x1084)
#define CKM_AES_CBC_PAD (0x1085)
+#define CKM_AES_CTR (0x1086)
+#define CKM_AES_GCM (0x1087)
+#define CKM_AES_CCM (0x1088)
+#define CKM_AES_CTS (0x1089)
+#define CKM_AES_CMAC (0x108a)
+#define CKM_AES_CMAC_GENERAL (0x108b)
+#define CKM_BLOWFISH_KEY_GEN (0x1090)
+#define CKM_BLOWFISH_CBC (0x1091)
+#define CKM_TWOFISH_KEY_GEN (0x1092)
+#define CKM_TWOFISH_CBC (0x1093)
+#define CKM_BLOWFISH_CBC_PAD (0x1094)
+#define CKM_TWOFISH_CBC_PAD (0x1095)
+#define CKM_DES_ECB_ENCRYPT_DATA (0x1100)
+#define CKM_DES_CBC_ENCRYPT_DATA (0x1101)
+#define CKM_DES3_ECB_ENCRYPT_DATA (0x1102)
+#define CKM_DES3_CBC_ENCRYPT_DATA (0x1103)
+#define CKM_AES_ECB_ENCRYPT_DATA (0x1104)
+#define CKM_AES_CBC_ENCRYPT_DATA (0x1105)
+#define CKM_GOSTR3410_KEY_PAIR_GEN (0x1200)
+#define CKM_GOSTR3410 (0x1201)
+#define CKM_GOSTR3410_WITH_GOSTR3411 (0x1202)
+#define CKM_GOSTR3410_KEY_WRAP (0x1203)
+#define CKM_GOSTR3410_DERIVE (0x1204)
+#define CKM_GOSTR3411 (0x1210)
+#define CKM_GOSTR3411_HMAC (0x1211)
+#define CKM_GOST28147_KEY_GEN (0x1220)
+#define CKM_GOST28147_ECB (0x1221)
+#define CKM_GOST28147 (0x1222)
+#define CKM_GOST28147_MAC (0x1223)
+#define CKM_GOST28147_KEY_WRAP (0x1224)
#define CKM_DSA_PARAMETER_GEN (0x2000)
#define CKM_DH_PKCS_PARAMETER_GEN (0x2001)
#define CKM_X9_42_DH_PARAMETER_GEN (0x2002)
-#define CKM_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKM_AES_OFB (0x2104)
+#define CKM_AES_CFB64 (0x2105)
+#define CKM_AES_CFB8 (0x2106)
+#define CKM_AES_CFB128 (0x2107)
+#define CKM_AES_KEY_WRAP (0x2109)
+#define CKM_AES_KEY_WRAP_PAD (0x210a)
+#define CKM_RSA_PKCS_TPM_1_1 (0x4001)
+#define CKM_RSA_PKCS_OAEPTPM_1_1 (0x4002)
+#define CKM_VENDOR_DEFINED ((unsigned long) (1ul << 31))
struct ck_mechanism
@@ -703,8 +889,137 @@ struct ck_mechanism_info
#define CKF_WRAP (1 << 17)
#define CKF_UNWRAP (1 << 18)
#define CKF_DERIVE (1 << 19)
-#define CKF_EXTENSION ((unsigned long) (1 << 31))
+#define CKF_EC_F_P (1 << 20)
+#define CKF_EC_F_2M (1 << 21)
+#define CKF_EC_ECPARAMETERS (1 << 22)
+#define CKF_EC_NAMEDCURVE (1 << 23)
+#define CKF_EC_UNCOMPRESS (1 << 24)
+#define CKF_EC_COMPRESS (1 << 25)
+#define CKF_EXTENSION ((unsigned long) (1ul << 31))
+
+
+/* The following MGFs are defined */
+#define CKG_MGF1_SHA1 (0x00000001)
+#define CKG_MGF1_SHA256 (0x00000002)
+#define CKG_MGF1_SHA384 (0x00000003)
+#define CKG_MGF1_SHA512 (0x00000004)
+#define CKG_MGF1_SHA224 (0x00000005)
+
+#define CKZ_DATA_SPECIFIED (0x00000001)
+
+struct ck_rsa_pkcs_oaep_params {
+ ck_mechanism_type_t hash_alg;
+ unsigned long mgf;
+ unsigned long source;
+ void *source_data;
+ unsigned long source_data_len;
+};
+
+struct ck_rsa_pkcs_pss_params {
+ ck_mechanism_type_t hash_alg;
+ unsigned long mgf;
+ unsigned long slen;
+};
+
+typedef unsigned long ck_ec_kdf_type_t;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL (0x00000001)
+#define CKD_SHA1_KDF (0x00000002)
+
+struct ck_ecdh1_derive_params {
+ ck_ec_kdf_type_t kdf;
+ unsigned long shared_data_len;
+ unsigned char *shared_data;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+};
+
+struct ck_ecdh2_derive_params {
+ ck_ec_kdf_type_t kdf;
+ unsigned long shared_data_len;
+ unsigned char *shared_data;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+ unsigned long private_data_len;
+ ck_object_handle_t private_data;
+ unsigned long public_data_len2;
+ unsigned char *public_data2;
+};
+
+struct ck_ecmqv_derive_params {
+ ck_ec_kdf_type_t kdf;
+ unsigned long shared_data_len;
+ unsigned char *shared_data;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+ unsigned long private_data_len;
+ ck_object_handle_t private_data;
+ unsigned long public_data_len2;
+ unsigned char *public_data2;
+ ck_object_handle_t public_key;
+};
+typedef unsigned long ck_x9_42_dh_kdf_type_t;
+
+/* The following X9.42 DH key derivation functions are defined */
+#define CKD_SHA1_KDF_ASN1 (0x00000003)
+#define CKD_SHA1_KDF_CONCATENATE (0x00000004)
+#define CKD_SHA224_KDF (0x00000005)
+#define CKD_SHA256_KDF (0x00000006)
+#define CKD_SHA384_KDF (0x00000007)
+#define CKD_SHA512_KDF (0x00000008)
+#define CKD_CPDIVERSIFY_KDF (0x00000009)
+
+struct ck_x9_42_dh1_derive_params {
+ ck_x9_42_dh_kdf_type_t kdf;
+ unsigned long other_info_len;
+ unsigned char *other_info;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+};
+
+struct ck_x9_42_dh2_derive_params {
+ ck_x9_42_dh_kdf_type_t kdf;
+ unsigned long other_info_len;
+ unsigned char *other_info;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+ unsigned long private_data_len;
+ ck_object_handle_t private_data;
+ unsigned long public_data_len2;
+ unsigned char *public_data2;
+};
+
+struct ck_x9_42_mqv_derive_params {
+ ck_x9_42_dh_kdf_type_t kdf;
+ unsigned long other_info_len;
+ unsigned char *other_info;
+ unsigned long public_data_len;
+ unsigned char *public_data;
+ unsigned long private_data_len;
+ ck_object_handle_t private_data;
+ unsigned long public_data_len2;
+ unsigned char *public_data2;
+ ck_object_handle_t public_key;
+};
+
+struct ck_des_cbc_encrypt_data_params {
+ unsigned char iv[8];
+ unsigned char *data;
+ unsigned long length;
+};
+
+struct ck_aes_cbc_encrypt_data_params {
+ unsigned char iv[16];
+ unsigned char *data;
+ unsigned long length;
+};
+
+struct ck_key_derivation_string_data {
+ unsigned char *data;
+ unsigned long len;
+};
/* Flags for C_WaitForSlotEvent. */
#define CKF_DONT_BLOCK (1)
@@ -1108,6 +1423,7 @@ struct ck_c_initialize_args
#define CKR_ATTRIBUTE_SENSITIVE (0x11)
#define CKR_ATTRIBUTE_TYPE_INVALID (0x12)
#define CKR_ATTRIBUTE_VALUE_INVALID (0x13)
+#define CKR_COPY_PROHIBITED (0x1A)
#define CKR_DATA_INVALID (0x20)
#define CKR_DATA_LEN_RANGE (0x21)
#define CKR_DEVICE_ERROR (0x30)
@@ -1178,8 +1494,15 @@ struct ck_c_initialize_args
#define CKR_CRYPTOKI_ALREADY_INITIALIZED (0x191)
#define CKR_MUTEX_BAD (0x1a0)
#define CKR_MUTEX_NOT_LOCKED (0x1a1)
+#define CKR_NEW_PIN_MODE (0x1b0)
+#define CKR_NEXT_OTP (0x1b1)
+#define CKR_EXCEEDED_MAX_ITERATIONS (0x1b5)
+#define CKR_FIPS_SELF_TEST_FAILED (0x1b6)
+#define CKR_LIBRARY_LOAD_FAILED (0x1b7)
+#define CKR_PIN_TOO_WEAK (0x1b8)
+#define CKR_PUBLIC_KEY_INVALID (0x1b9)
#define CKR_FUNCTION_REJECTED (0x200)
-#define CKR_VENDOR_DEFINED ((unsigned long) (1 << 31))
+#define CKR_VENDOR_DEFINED ((unsigned long) (1ul << 31))
@@ -1253,6 +1576,24 @@ typedef struct ck_mechanism *CK_MECHANISM_PTR;
typedef struct ck_mechanism_info CK_MECHANISM_INFO;
typedef struct ck_mechanism_info *CK_MECHANISM_INFO_PTR;
+typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+typedef struct ck_rsa_pkcs_pss_params CK_RSA_PKCS_PSS_PARAMS;
+typedef struct ck_rsa_pkcs_pss_params *CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+typedef struct ck_ecdh1_derive_params CK_ECDH1_DERIVE_PARAMS;
+typedef struct ck_ecdh1_derive_params *CK_ECDH1_DERIVE_PARAMS_PTR;
+
+typedef struct ck_des_cbc_encrypt_data_params CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+typedef struct ck_des_cbc_encrypt_data_params *CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct ck_aes_cbc_encrypt_data_params CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+typedef struct ck_aes_cbc_encrypt_data_params *CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct ck_key_derivation_string_data CK_KEY_DERIVATION_STRING_DATA;
+typedef struct ck_key_derivation_string_data *CK_KEY_DERIVATION_STRING_DATA_PTR;
+
typedef struct ck_function_list CK_FUNCTION_LIST;
typedef struct ck_function_list *CK_FUNCTION_LIST_PTR;
typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
@@ -1325,6 +1666,30 @@ typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
#undef min_key_size
#undef max_key_size
+#undef ck_rsa_pkcs_oaep_params
+#undef hash_alg
+#undef source_data
+#undef source_data_len
+#undef slen
+
+#undef ck_ec_kdf_type_t
+#undef shared_data_len
+#undef shared_data
+#undef public_data_len
+#undef public_data
+#undef private_data_len
+#undef private_data
+#undef public_data_len2
+#undef public_data2
+#undef public_key
+
+#undef ck_x9_42_dh_kdf_type_t
+#undef other_info_len
+#undef other_info
+
+#undef data
+#undef len
+
#undef ck_rv_t
#undef ck_notify_t
diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c
index 29322807487c..a777226db29e 100644
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -337,8 +337,10 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
return ret;
ret = stat(ocsp->path, &sb);
- if (ret)
+ if (ret) {
+ rk_xfree(data);
return errno;
+ }
ret = parse_ocsp_basic(data, length, &basic);
rk_xfree(data);
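Review bot: The new error path in load_ocsp calls `rk_xfree(data)` before `return errno;`, so the value returned is whatever `errno` holds after the free, not necessarily what `stat` set. Older C libraries do not promise that `free` leaves `errno` untouched. Saving it first keeps the leak fix and the error code: `ret = errno; rk_xfree(data); return ret;`. load_ocsp continues outside this hunk.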
@@ -361,8 +363,8 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
for (i = 0; i < basic.certs->len; i++) {
hx509_cert c;
- ret = hx509_cert_init(context, &basic.certs->val[i], &c);
- if (ret)
+ c = hx509_cert_init(context, &basic.certs->val[i], NULL);
+ if (c == NULL)
continue;
ret = hx509_certs_add(context, certs, c);
@@ -561,36 +563,65 @@ out:
}
static int
-load_crl(const char *path, time_t *t, CRLCertificateList *crl)
+crl_parser(hx509_context context, const char *type,
+ const hx509_pem_header *header,
+ const void *data, size_t len, void *ctx)
{
- size_t length, size;
- struct stat sb;
- void *data;
+ CRLCertificateList *crl = (CRLCertificateList *)ctx;
+ size_t size;
int ret;
- memset(crl, 0, sizeof(*crl));
+ if (strcasecmp("X509 CRL", type) != 0)
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
- ret = rk_undumpdata(path, &data, &length);
+ ret = decode_CRLCertificateList(data, len, crl, &size);
if (ret)
return ret;
+ /* check signature is aligned */
+ if (crl->signatureValue.length & 7) {
+ free_CRLCertificateList(crl);
+ return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ }
+
+ return 0;
+}
+
+static int
+load_crl(hx509_context context, const char *path, time_t *t, CRLCertificateList *crl)
+{
+ struct stat sb;
+ size_t length;
+ void *data;
+ FILE *f;
+ int ret;
+
+ memset(crl, 0, sizeof(*crl));
+
ret = stat(path, &sb);
if (ret)
return errno;
-
+
*t = sb.st_mtime;
+
+ if ((f = fopen(path, "r")) == NULL)
+ return errno;
- ret = decode_CRLCertificateList(data, length, crl, &size);
- rk_xfree(data);
- if (ret)
- return ret;
+ rk_cloexec_file(f);
- /* check signature is aligned */
- if (crl->signatureValue.length & 7) {
- free_CRLCertificateList(crl);
- return HX509_CRYPTO_SIG_INVALID_FORMAT;
+ ret = hx509_pem_read(context, f, crl_parser, crl);
+ fclose(f);
+
+ if (ret == HX509_PARSING_KEY_FAILED) {
+
+ ret = rk_undumpdata(path, &data, &length);
+ if (ret)
+ return ret;
+
+ ret = crl_parser(context, "X509 CRL", NULL, data, length, crl);
+ rk_xfree(data);
}
- return 0;
+ return ret;
}
/**
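Review bot: load_crl records `sb.st_mtime` from `stat(path)` and only afterwards opens the file with `fopen(path, "r")`, so the timestamp and the parsed contents can come from different files if the path is replaced in between. hx509_revoke_verify uses that timestamp to decide when to reload, so a stale or mismatched CRL could stay cached. Taking the timestamp from the open handle with `fstat(fileno(f), &sb)` closes that gap for the PEM path. The DER fallback still re-opens the path through `rk_undumpdata`. Separately, if `hx509_pem_read` calls `crl_parser` once per PEM block (not visible here), a file with two "X509 CRL" blocks would decode into the same `crl` twice without freeing the first result.

```c
    memset(crl, 0, sizeof(*crl));

    if ((f = fopen(path, "r")) == NULL)
        return errno;
    rk_cloexec_file(f);

    /* take the timestamp from the handle that is actually parsed */
    if (fstat(fileno(f), &sb) != 0) {
        ret = errno;
        fclose(f);
        return ret;
    }
    *t = sb.st_mtime;

    ret = hx509_pem_read(context, f, crl_parser, crl);
    fclose(f);
    /* … unchanged: DER fallback via rk_undumpdata when ret == HX509_PARSING_KEY_FAILED … */
```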
@@ -624,7 +655,7 @@ hx509_revoke_add_crl(hx509_context context,
path += 5;
for (i = 0; i < ctx->crls.len; i++) {
- if (strcmp(ctx->crls.val[0].path, path) == 0)
+ if (strcmp(ctx->crls.val[i].path, path) == 0)
return 0;
}
@@ -644,7 +675,8 @@ hx509_revoke_add_crl(hx509_context context,
return ENOMEM;
}
- ret = load_crl(path,
+ ret = load_crl(context,
+ path,
&ctx->crls.val[ctx->crls.len].last_modfied,
&ctx->crls.val[ctx->crls.len].crl);
if (ret) {
@@ -674,7 +706,6 @@ hx509_revoke_add_crl(hx509_context context,
* @ingroup hx509_revoke
*/
-
int
hx509_revoke_verify(hx509_context context,
hx509_revoke_ctx ctx,
@@ -781,7 +812,7 @@ hx509_revoke_verify(hx509_context context,
if (ret == 0 && crl->last_modfied != sb.st_mtime) {
CRLCertificateList cl;
- ret = load_crl(crl->path, &crl->last_modfied, &cl);
+ ret = load_crl(context, crl->path, &crl->last_modfied, &cl);
if (ret == 0) {
free_CRLCertificateList(&crl->crl);
crl->crl = cl;
@@ -1064,47 +1095,23 @@ printable_time(time_t t)
return s;
}
-/**
- * Print the OCSP reply stored in a file.
- *
- * @param context a hx509 context
- * @param path path to a file with a OCSP reply
- * @param out the out FILE descriptor to print the reply on
- *
- * @return An hx509 error code, see hx509_get_error_string().
+/*
*
- * @ingroup hx509_revoke
*/
-int
-hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
+static int
+print_ocsp(hx509_context context, struct revoke_ocsp *ocsp, FILE *out)
{
- struct revoke_ocsp ocsp;
- int ret;
+ int ret = 0;
size_t i;
- if (out == NULL)
- out = stdout;
-
- memset(&ocsp, 0, sizeof(ocsp));
-
- ocsp.path = strdup(path);
- if (ocsp.path == NULL)
- return ENOMEM;
-
- ret = load_ocsp(context, &ocsp);
- if (ret) {
- free_ocsp(&ocsp);
- return ret;
- }
-
fprintf(out, "signer: ");
- switch(ocsp.ocsp.tbsResponseData.responderID.element) {
+ switch(ocsp->ocsp.tbsResponseData.responderID.element) {
case choice_OCSPResponderID_byName: {
hx509_name n;
char *s;
- _hx509_name_from_Name(&ocsp.ocsp.tbsResponseData.responderID.u.byName, &n);
+ _hx509_name_from_Name(&ocsp->ocsp.tbsResponseData.responderID.u.byName, &n);
hx509_name_to_string(n, &s);
hx509_name_free(&n);
fprintf(out, " byName: %s\n", s);
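Review bot: In print_ocsp the return values of `_hx509_name_from_Name` and `hx509_name_to_string` are ignored, so when either fails `s` is passed uninitialised to `fprintf(out, " byName: %s\n", s)` and then to `free`. The data being printed is a parsed OCSP response, so a conversion failure is reachable with malformed input. Declaring `char *s = NULL;` and printing the name only when both calls return 0 avoids that. The new print_crl helper added later in this file repeats the same three calls for the CRL issuer and needs the same check. The empty `/* * */` block that replaces the removed doc comment could instead say what print_ocsp prints and that it returns the result of `hx509_certs_iter_f`.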
@@ -1113,8 +1120,8 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
}
case choice_OCSPResponderID_byKey: {
char *s;
- hex_encode(ocsp.ocsp.tbsResponseData.responderID.u.byKey.data,
- ocsp.ocsp.tbsResponseData.responderID.u.byKey.length,
+ hex_encode(ocsp->ocsp.tbsResponseData.responderID.u.byKey.data,
+ ocsp->ocsp.tbsResponseData.responderID.u.byKey.length,
&s);
fprintf(out, " byKey: %s\n", s);
free(s);
@@ -1126,13 +1133,13 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
}
fprintf(out, "producedAt: %s\n",
- printable_time(ocsp.ocsp.tbsResponseData.producedAt));
+ printable_time(ocsp->ocsp.tbsResponseData.producedAt));
- fprintf(out, "replies: %d\n", ocsp.ocsp.tbsResponseData.responses.len);
+ fprintf(out, "replies: %d\n", ocsp->ocsp.tbsResponseData.responses.len);
- for (i = 0; i < ocsp.ocsp.tbsResponseData.responses.len; i++) {
+ for (i = 0; i < ocsp->ocsp.tbsResponseData.responses.len; i++) {
const char *status;
- switch (ocsp.ocsp.tbsResponseData.responses.val[i].certStatus.element) {
+ switch (ocsp->ocsp.tbsResponseData.responses.val[i].certStatus.element) {
case choice_OCSPCertStatus_good:
status = "good";
break;
@@ -1146,19 +1153,116 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
status = "element unknown";
}
- fprintf(out, "\t%zu. status: %s\n", i, status);
+ fprintf(out, "\t%llu. status: %s\n", (unsigned long long)i, status);
fprintf(out, "\tthisUpdate: %s\n",
- printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
- if (ocsp.ocsp.tbsResponseData.responses.val[i].nextUpdate)
+ printable_time(ocsp->ocsp.tbsResponseData.responses.val[i].thisUpdate));
+ if (ocsp->ocsp.tbsResponseData.responses.val[i].nextUpdate)
fprintf(out, "\tproducedAt: %s\n",
- printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
+ printable_time(ocsp->ocsp.tbsResponseData.responses.val[i].thisUpdate));
}
fprintf(out, "appended certs:\n");
- if (ocsp.certs)
- ret = hx509_certs_iter_f(context, ocsp.certs, hx509_ci_print_names, out);
+ if (ocsp->certs)
+ ret = hx509_certs_iter_f(context, ocsp->certs, hx509_ci_print_names, out);
+
+ return ret;
+}
+
+static int
+print_crl(hx509_context context, struct revoke_crl *crl, FILE *out)
+{
+ {
+ hx509_name n;
+ char *s;
+ _hx509_name_from_Name(&crl->crl.tbsCertList.issuer, &n);
+ hx509_name_to_string(n, &s);
+ hx509_name_free(&n);
+ fprintf(out, " issuer: %s\n", s);
+ free(s);
+ }
+
+ fprintf(out, " thisUpdate: %s\n",
+ printable_time(_hx509_Time2time_t(&crl->crl.tbsCertList.thisUpdate)));
+
+ return 0;
+}
+
+
+/*
+ *
+ */
+
+int
+hx509_revoke_print(hx509_context context,
+ hx509_revoke_ctx ctx,
+ FILE *out)
+{
+ int saved_ret = 0, ret;
+ size_t n;
+
+ for (n = 0; n < ctx->ocsps.len; n++) {
+ struct revoke_ocsp *ocsp = &ctx->ocsps.val[n];
+
+ fprintf(out, "OCSP %s\n", ocsp->path);
+
+ ret = print_ocsp(context, ocsp, out);
+ if (ret) {
+ fprintf(out, "failure printing OCSP: %d\n", ret);
+ saved_ret = ret;
+ }
+ }
+
+ for (n = 0; n < ctx->crls.len; n++) {
+ struct revoke_crl *crl = &ctx->crls.val[n];
+
+ fprintf(out, "CRL %s\n", crl->path);
+
+ ret = print_crl(context, crl, out);
+ if (ret) {
+ fprintf(out, "failure printing CRL: %d\n", ret);
+ saved_ret = ret;
+ }
+ }
+ return saved_ret;
+
+}
+
+/**
+ * Print the OCSP reply stored in a file.
+ *
+ * @param context a hx509 context
+ * @param path path to a file with a OCSP reply
+ * @param out the out FILE descriptor to print the reply on
+ *
+ * @return An hx509 error code, see hx509_get_error_string().
+ *
+ * @ingroup hx509_revoke
+ */
+
+int
+hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
+{
+ struct revoke_ocsp ocsp;
+ int ret;
+
+ if (out == NULL)
+ out = stdout;
+
+ memset(&ocsp, 0, sizeof(ocsp));
+
+ ocsp.path = strdup(path);
+ if (ocsp.path == NULL)
+ return ENOMEM;
+
+ ret = load_ocsp(context, &ocsp);
+ if (ret) {
+ free_ocsp(&ocsp);
+ return ret;
+ }
+
+ ret = print_ocsp(context, &ocsp, out);
free_ocsp(&ocsp);
return ret;
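Review bot: print_crl() ignores the return values of `_hx509_name_from_Name()` and `hx509_name_to_string()` and then hands `s`, which is declared without an initializer, to `fprintf` and `free`. If either call fails, `s` may never have been set. Because print_crl() always returns 0, the `failure printing CRL` branch in hx509_revoke_print() cannot run as written; propagating the error as below gives that branch a purpose. Separately, the `nextUpdate` branch of print_ocsp() still prints `thisUpdate` under the label `producedAt`, so the reply's expiry time is never shown.

```c
static int
print_crl(hx509_context context, struct revoke_crl *crl, FILE *out)
{
    hx509_name n;
    char *s = NULL;
    int ret;

    ret = _hx509_name_from_Name(&crl->crl.tbsCertList.issuer, &n);
    if (ret)
        return ret;
    ret = hx509_name_to_string(n, &s);
    hx509_name_free(&n);
    if (ret)
        return ret;
    fprintf(out, " issuer: %s\n", s);
    free(s);
    /* … unchanged: thisUpdate line and return 0 … */
```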
diff --git a/lib/hx509/sel-gram.c b/lib/hx509/sel-gram.c
index 70d83d645db6..4d60c918f794 100644
--- a/lib/hx509/sel-gram.c
+++ b/lib/hx509/sel-gram.c
@@ -101,6 +101,18 @@
#include <stdlib.h>
#include <hx_locl.h>
+#if !defined(yylex)
+#define yylex _hx509_sel_yylex
+#define yywrap _hx509_sel_yywrap
+#endif
+#if !defined(yyparse)
+#define yyparse _hx509_sel_yyparse
+#define yyerror _hx509_sel_yyerror
+#define yylval _hx509_sel_yylval
+#define yychar _hx509_sel_yychar
+#define yydebug _hx509_sel_yydebug
+#define yynerrs _hx509_sel_yynerrs
+#endif
@@ -124,13 +136,13 @@
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
-#line 45 "sel-gram.y"
+#line 57 "sel-gram.y"
{
char *string;
struct hx_expr *expr;
}
/* Line 193 of yacc.c. */
-#line 134 "sel-gram.c"
+#line 146 "sel-gram.c"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
@@ -143,7 +155,7 @@ typedef union YYSTYPE
/* Line 216 of yacc.c. */
-#line 147 "sel-gram.c"
+#line 159 "sel-gram.c"
#ifdef short
# undef short
@@ -435,9 +447,9 @@ static const yytype_int8 yyrhs[] =
/* YYRLINE[YYN] -- source line where rule number YYN was defined. */
static const yytype_uint8 yyrline[] =
{
- 0, 73, 73, 75, 76, 77, 78, 79, 80, 81,
- 84, 85, 88, 89, 90, 91, 92, 95, 96, 97,
- 98, 101, 102, 104, 107, 110, 112
+ 0, 85, 85, 87, 88, 89, 90, 91, 92, 93,
+ 96, 97, 100, 101, 102, 103, 104, 107, 108, 109,
+ 110, 113, 114, 116, 119, 122, 124
};
#endif
@@ -1367,136 +1379,136 @@ yyreduce:
switch (yyn)
{
case 2:
-#line 73 "sel-gram.y"
+#line 85 "sel-gram.y"
{ _hx509_expr_input.expr = (yyvsp[(1) - (1)].expr); }
break;
case 3:
-#line 75 "sel-gram.y"
+#line 87 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_TRUE, NULL, NULL); }
break;
case 4:
-#line 76 "sel-gram.y"
+#line 88 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_FALSE, NULL, NULL); }
break;
case 5:
-#line 77 "sel-gram.y"
+#line 89 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_NOT, (yyvsp[(2) - (2)].expr), NULL); }
break;
case 6:
-#line 78 "sel-gram.y"
+#line 90 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_AND, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 7:
-#line 79 "sel-gram.y"
+#line 91 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_OR, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 8:
-#line 80 "sel-gram.y"
+#line 92 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(2) - (3)].expr); }
break;
case 9:
-#line 81 "sel-gram.y"
+#line 93 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(op_COMP, (yyvsp[(1) - (1)].expr), NULL); }
break;
case 10:
-#line 84 "sel-gram.y"
+#line 96 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(expr_WORDS, (yyvsp[(1) - (1)].expr), NULL); }
break;
case 11:
-#line 85 "sel-gram.y"
+#line 97 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(expr_WORDS, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 12:
-#line 88 "sel-gram.y"
+#line 100 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_EQ, (yyvsp[(1) - (4)].expr), (yyvsp[(4) - (4)].expr)); }
break;
case 13:
-#line 89 "sel-gram.y"
+#line 101 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_NE, (yyvsp[(1) - (4)].expr), (yyvsp[(4) - (4)].expr)); }
break;
case 14:
-#line 90 "sel-gram.y"
+#line 102 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_TAILEQ, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 15:
-#line 91 "sel-gram.y"
+#line 103 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_IN, (yyvsp[(1) - (5)].expr), (yyvsp[(4) - (5)].expr)); }
break;
case 16:
-#line 92 "sel-gram.y"
+#line 104 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(comp_IN, (yyvsp[(1) - (3)].expr), (yyvsp[(3) - (3)].expr)); }
break;
case 17:
-#line 95 "sel-gram.y"
+#line 107 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(1) - (1)].expr); }
break;
case 18:
-#line 96 "sel-gram.y"
+#line 108 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(1) - (1)].expr); }
break;
case 19:
-#line 97 "sel-gram.y"
+#line 109 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(1) - (1)].expr); }
break;
case 20:
-#line 98 "sel-gram.y"
+#line 110 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(1) - (1)].expr); }
break;
case 21:
-#line 101 "sel-gram.y"
+#line 113 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(expr_NUMBER, (yyvsp[(1) - (1)].string), NULL); }
break;
case 22:
-#line 102 "sel-gram.y"
+#line 114 "sel-gram.y"
{ (yyval.expr) = _hx509_make_expr(expr_STRING, (yyvsp[(1) - (1)].string), NULL); }
break;
case 23:
-#line 104 "sel-gram.y"
+#line 116 "sel-gram.y"
{
(yyval.expr) = _hx509_make_expr(expr_FUNCTION, (yyvsp[(1) - (4)].string), (yyvsp[(3) - (4)].expr)); }
break;
case 24:
-#line 107 "sel-gram.y"
+#line 119 "sel-gram.y"
{ (yyval.expr) = (yyvsp[(3) - (4)].expr); }
break;
case 25:
-#line 110 "sel-gram.y"
+#line 122 "sel-gram.y"
{
(yyval.expr) = _hx509_make_expr(expr_VAR, (yyvsp[(1) - (3)].string), (yyvsp[(3) - (3)].expr)); }
break;
case 26:
-#line 112 "sel-gram.y"
+#line 124 "sel-gram.y"
{
(yyval.expr) = _hx509_make_expr(expr_VAR, (yyvsp[(1) - (1)].string), NULL); }
break;
/* Line 1267 of yacc.c. */
-#line 1500 "sel-gram.c"
+#line 1512 "sel-gram.c"
default: break;
}
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
diff --git a/lib/hx509/sel-gram.h b/lib/hx509/sel-gram.h
index 13be3f9ab19c..9642ac7fdb12 100644
--- a/lib/hx509/sel-gram.h
+++ b/lib/hx509/sel-gram.h
@@ -66,7 +66,7 @@
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
-#line 45 "sel-gram.y"
+#line 57 "sel-gram.y"
{
char *string;
struct hx_expr *expr;
diff --git a/lib/hx509/sel-gram.y b/lib/hx509/sel-gram.y
index 7f7c9980e03b..7e9d4f26d9c2 100644
--- a/lib/hx509/sel-gram.y
+++ b/lib/hx509/sel-gram.y
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -39,6 +39,18 @@
#include <stdlib.h>
#include <hx_locl.h>
+#if !defined(yylex)
+#define yylex _hx509_sel_yylex
+#define yywrap _hx509_sel_yywrap
+#endif
+#if !defined(yyparse)
+#define yyparse _hx509_sel_yyparse
+#define yyerror _hx509_sel_yyerror
+#define yylval _hx509_sel_yylval
+#define yychar _hx509_sel_yychar
+#define yydebug _hx509_sel_yydebug
+#define yynerrs _hx509_sel_yynerrs
+#endif
%}
diff --git a/lib/hx509/sel-lex.c b/lib/hx509/sel-lex.c
index 51f1e8407807..c2044a435dc8 100644
--- a/lib/hx509/sel-lex.c
+++ b/lib/hx509/sel-lex.c
@@ -46,6 +46,7 @@ typedef int16_t flex_int16_t;
typedef uint16_t flex_uint16_t;
typedef int32_t flex_int32_t;
typedef uint32_t flex_uint32_t;
+typedef uint64_t flex_uint64_t;
#else
typedef signed char flex_int8_t;
typedef short int flex_int16_t;
@@ -354,7 +355,7 @@ static void yy_fatal_error (yyconst char msg[] );
*/
#define YY_DO_BEFORE_ACTION \
(yytext_ptr) = yy_bp; \
- yyleng = (size_t) (yy_cp - yy_bp); \
+ yyleng = (yy_size_t) (yy_cp - yy_bp); \
(yy_hold_char) = *yy_cp; \
*yy_cp = '\0'; \
(yy_c_buf_p) = yy_cp;
@@ -470,7 +471,7 @@ char *yytext;
#line 1 "sel-lex.l"
#line 2 "sel-lex.l"
/*
- * Copyright (c) 2004, 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -504,6 +505,11 @@ char *yytext;
/* $Id$ */
+#ifdef __GNUC__
+#pragma GCC diagnostic ignored "-Wunused-function"
+#endif
+
+
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
@@ -520,7 +526,6 @@ unsigned lineno = 1;
static char * handle_string(void);
static int lex_input(char *, int);
-static int lex_classic_input(void);
struct hx_expr_input _hx509_expr_input;
@@ -535,7 +540,7 @@ struct hx_expr_input _hx509_expr_input;
#undef ECHO
-#line 539 "sel-lex.c"
+#line 544 "sel-lex.c"
#define INITIAL 0
@@ -717,10 +722,10 @@ YY_DECL
register char *yy_cp, *yy_bp;
register int yy_act;
-#line 69 "sel-lex.l"
+#line 73 "sel-lex.l"
-#line 724 "sel-lex.c"
+#line 729 "sel-lex.c"
if ( !(yy_init) )
{
@@ -805,37 +810,37 @@ do_action: /* This label is used only to access EOF actions. */
case 1:
YY_RULE_SETUP
-#line 71 "sel-lex.l"
+#line 75 "sel-lex.l"
{ return kw_TRUE; }
YY_BREAK
case 2:
YY_RULE_SETUP
-#line 72 "sel-lex.l"
+#line 76 "sel-lex.l"
{ return kw_FALSE; }
YY_BREAK
case 3:
YY_RULE_SETUP
-#line 73 "sel-lex.l"
+#line 77 "sel-lex.l"
{ return kw_AND; }
YY_BREAK
case 4:
YY_RULE_SETUP
-#line 74 "sel-lex.l"
+#line 78 "sel-lex.l"
{ return kw_OR; }
YY_BREAK
case 5:
YY_RULE_SETUP
-#line 75 "sel-lex.l"
+#line 79 "sel-lex.l"
{ return kw_IN; }
YY_BREAK
case 6:
YY_RULE_SETUP
-#line 76 "sel-lex.l"
+#line 80 "sel-lex.l"
{ return kw_TAILMATCH; }
YY_BREAK
case 7:
YY_RULE_SETUP
-#line 78 "sel-lex.l"
+#line 82 "sel-lex.l"
{
yylval.string = strdup ((const char *)yytext);
return IDENTIFIER;
@@ -843,31 +848,31 @@ YY_RULE_SETUP
YY_BREAK
case 8:
YY_RULE_SETUP
-#line 82 "sel-lex.l"
+#line 86 "sel-lex.l"
{ yylval.string = handle_string(); return STRING; }
YY_BREAK
case 9:
/* rule 9 can match eol */
YY_RULE_SETUP
-#line 83 "sel-lex.l"
+#line 87 "sel-lex.l"
{ ++lineno; }
YY_BREAK
case 10:
YY_RULE_SETUP
-#line 84 "sel-lex.l"
+#line 88 "sel-lex.l"
{ return *yytext; }
YY_BREAK
case 11:
YY_RULE_SETUP
-#line 85 "sel-lex.l"
+#line 89 "sel-lex.l"
;
YY_BREAK
case 12:
YY_RULE_SETUP
-#line 86 "sel-lex.l"
+#line 90 "sel-lex.l"
ECHO;
YY_BREAK
-#line 871 "sel-lex.c"
+#line 876 "sel-lex.c"
case YY_STATE_EOF(INITIAL):
yyterminate();
@@ -1864,7 +1869,7 @@ void yyfree (void * ptr )
#define YYTABLES_NAME "yytables"
-#line 86 "sel-lex.l"
+#line 90 "sel-lex.l"
@@ -1899,6 +1904,10 @@ handle_string(void)
return strdup(x);
}
+#if !defined(yywrap)
+#define yywrap _hx509_sel_yywrap
+#endif
+
int
yywrap ()
{
diff --git a/lib/hx509/sel-lex.l b/lib/hx509/sel-lex.l
index bb7e8374c7d1..f401e40e3601 100644
--- a/lib/hx509/sel-lex.l
+++ b/lib/hx509/sel-lex.l
@@ -1,6 +1,6 @@
%{
/*
- * Copyright (c) 2004, 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -34,6 +34,11 @@
/* $Id$ */
+#ifdef __GNUC__
+#pragma GCC diagnostic ignored "-Wunused-function"
+#endif
+
+
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
@@ -50,7 +55,6 @@ unsigned lineno = 1;
static char * handle_string(void);
static int lex_input(char *, int);
-static int lex_classic_input(void);
struct hx_expr_input _hx509_expr_input;
@@ -116,6 +120,10 @@ handle_string(void)
return strdup(x);
}
+#if !defined(yywrap)
+#define yywrap _hx509_sel_yywrap
+#endif
+
int
yywrap ()
{
diff --git a/lib/hx509/sel.h b/lib/hx509/sel.h
index 177ec0a65b27..52a84d31c5ae 100644
--- a/lib/hx509/sel.h
+++ b/lib/hx509/sel.h
@@ -67,14 +67,18 @@ struct hx_expr_input {
extern struct hx_expr_input _hx509_expr_input;
-#define yyparse _hx509_sel_yyparse
+#if !defined(yylex)
#define yylex _hx509_sel_yylex
+#define yywrap _hx509_sel_yywrap
+#endif
+#if !defined(yyparse)
+#define yyparse _hx509_sel_yyparse
#define yyerror _hx509_sel_yyerror
#define yylval _hx509_sel_yylval
#define yychar _hx509_sel_yychar
#define yydebug _hx509_sel_yydebug
#define yynerrs _hx509_sel_yynerrs
-#define yywrap _hx509_sel_yywrap
+#endif
int _hx509_sel_yyparse(void);
int _hx509_sel_yylex(void);
diff --git a/lib/hx509/softp11.c b/lib/hx509/softp11.c
index 38f587e0fea2..f93863b7c980 100644
--- a/lib/hx509/softp11.c
+++ b/lib/hx509/softp11.c
@@ -34,7 +34,7 @@
#define CRYPTOKI_EXPORTS 1
#include "hx_locl.h"
-#include "pkcs11.h"
+#include "ref/pkcs11.h"
#define OBJECT_ID_MASK 0xfff
#define HANDLE_OBJECT_ID(h) ((h) & OBJECT_ID_MASK)
@@ -543,6 +543,8 @@ add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
CK_FLAGS flags;
type = CKO_PRIVATE_KEY;
+
+ /* Note to static analyzers: `o' is still referred to via globals */
o = add_st_object();
if (o == NULL) {
ret = CKR_DEVICE_MEMORY;
@@ -593,6 +595,7 @@ add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
hx509_xfree(issuer_data.data);
hx509_xfree(subject_data.data);
+ /* Note to static analyzers: `o' is still referred to via globals */
return 0;
}
@@ -615,7 +618,11 @@ add_certificate(const char *cert_file,
if (pin) {
char *str;
- asprintf(&str, "PASS:%s", pin);
+ ret = asprintf(&str, "PASS:%s", pin);
+ if (ret == -1 || !str) {
+ st_logf("failed to allocate memory\n");
+ return CKR_GENERAL_ERROR;
+ }
hx509_lock_init(context, &lock);
hx509_lock_command_string(lock, str);
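Review bot: The new allocation-failure path returns `CKR_GENERAL_ERROR`, while add_cert() in this same file reports a failed add_st_object() as `CKR_DEVICE_MEMORY`. A memory-specific code would let callers tell out-of-memory apart from other failures: `return CKR_HOST_MEMORY;`. `str` holds the PIN as `PASS:<pin>`, and the code that releases it is outside this hunk, so it is worth confirming that the buffer is cleared before it is freed.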
@@ -815,6 +822,7 @@ get_config_file_for_user(void)
#ifndef _WIN32
char *home = NULL;
+ int ret;
if (!issuid()) {
fn = getenv("SOFTPKCS11RC");
@@ -828,9 +836,11 @@ get_config_file_for_user(void)
home = pw->pw_dir;
}
if (fn == NULL) {
- if (home)
- asprintf(&fn, "%s/.soft-token.rc", home);
- else
+ if (home) {
+ ret = asprintf(&fn, "%s/.soft-token.rc", home);
+ if (ret == -1)
+ fn = NULL;
+ } else
fn = strdup("/etc/soft-token.rc");
}
#else /* Windows */
@@ -1077,7 +1087,7 @@ C_GetMechanismList(CK_SLOT_ID slotID,
*pulCount = 1;
if (pMechanismList == NULL_PTR)
return CKR_OK;
- pMechanismList[1] = CKM_RSA_PKCS;
+ pMechanismList[0] = CKM_RSA_PKCS;
return CKR_OK;
}
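Review bot: The write to `pMechanismList[0]` is made without checking how many entries the caller's buffer can hold, because `*pulCount` is overwritten with 1 before its incoming value is read. Under PKCS #11 the incoming `*pulCount` is the buffer capacity when `pMechanismList` is non-NULL, so a caller passing 0 would still have one element written. I would save the value first, `CK_ULONG avail = *pulCount;`, and after the NULL_PTR check add `if (avail < 1) return CKR_BUFFER_TOO_SMALL;`. C_GetMechanismList starts above this hunk, so the declaration belongs with its other locals.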
@@ -1205,8 +1215,13 @@ C_Login(CK_SESSION_HANDLE hSession,
VERIFY_SESSION_HANDLE(hSession, NULL);
if (pPin != NULL_PTR) {
- asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
- st_logf("type: %d password: %s\n", (int)userType, pin);
+ int aret;
+
+ aret = asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+ if (aret != -1 && pin)
+ st_logf("type: %d password: %s\n", (int)userType, pin);
+ else
+ st_logf("memory error: asprintf failed\n");
}
/*
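Review bot: The `st_logf` call writes the user's PIN to the log in clear text (`password: %s`), and this change keeps that behaviour while fixing the asprintf check. Anyone who can read the soft-token log can recover the PIN, so I would log only non-secret fields, e.g. `st_logf("type: %d pin length: %lu\n", (int)userType, (unsigned long)ulPinLen);`. When asprintf fails the code only logs and carries on; whether `pin` is safe to use afterwards depends on how it is initialised, which is outside this hunk.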
diff --git a/lib/hx509/test_ca.in b/lib/hx509/test_ca.in
index 2ca294ea79e9..0264116bbe69 100644
--- a/lib/hx509/test_ca.in
+++ b/lib/hx509/test_ca.in
@@ -421,4 +421,32 @@ ${hxtool} verify --missing-revoke \
cert:FILE:cert-ee.pem \
anchor:FILE:cert-ca.pem > /dev/null || exit 1
+echo "+++++++++++ test sigalg"
+
+echo "issue cert with sha256"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:cert-ca.pem \
+ --signature-algorithm=rsa-with-sha256 \
+ --subject="cn=foo" \
+ --req="PKCS10:pkcs10-request.der" \
+ --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+ cert:FILE:cert-ee.pem \
+ anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
+echo "issue cert with sha1"
+${hxtool} issue-certificate \
+ --ca-certificate=FILE:cert-ca.pem \
+ --signature-algorithm=rsa-with-sha1 \
+ --subject="cn=foo" \
+ --req="PKCS10:pkcs10-request.der" \
+ --certificate="FILE:cert-ee.pem" || exit 1
+
+echo "verify certificate"
+${hxtool} verify --missing-revoke \
+ cert:FILE:cert-ee.pem \
+ anchor:FILE:cert-ca.pem > /dev/null || exit 1
+
exit 0
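Review bot: Both new cases only check that the issued certificate verifies against the CA, so they would still pass if `--signature-algorithm` were ignored and the default algorithm used. After each `issue-certificate` step I would assert on the algorithm actually recorded in cert-ee.pem, for example by grepping the output of `${hxtool} print --content FILE:cert-ee.pem` for the expected algorithm name. The exact text to match needs checking against hxtool's output.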
diff --git a/lib/hx509/test_cert.in b/lib/hx509/test_cert.in
index 6cbf21bf0571..5fa14d0f8397 100644
--- a/lib/hx509/test_cert.in
+++ b/lib/hx509/test_cert.in
@@ -46,7 +46,7 @@ if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
fi
echo "print DIR"
-${hxtool} print --content DIR:$srcdir/data > /dev/null || exit 1
+${hxtool} print --content DIR:$srcdir/data > /dev/null 2>/dev/null || exit 1
echo "print FILE"
for a in $srcdir/data/*.crt; do
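Review bot: Sending stderr to /dev/null on the `print DIR` step means that when hxtool fails, the test exits 1 with no diagnostic at all. The reason for the redirect is not stated; if it is to hide warnings about non-certificate files in the data directory, capturing stderr and showing it only on failure keeps the run quiet without losing the error. Something like `${hxtool} print --content DIR:$srcdir/data > /dev/null 2> print-dir.err || { cat print-dir.err; exit 1; }` would do, where the file name is illustrative.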
diff --git a/lib/hx509/test_chain.in b/lib/hx509/test_chain.in
index df551d9c0a93..b8c8cf527684 100644
--- a/lib/hx509/test_chain.in
+++ b/lib/hx509/test_chain.in
@@ -192,13 +192,13 @@ if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
else
echo "eccert -> root"
${hxtool} verify --missing-revoke \
- cert:FILE:$srcdir/data/secp160r2TestServer.cert.pem \
- anchor:FILE:$srcdir/data/secp160r1TestCA.cert.pem > /dev/null || exit 1
+ cert:FILE:$srcdir/data/secp256r2TestServer.cert.pem \
+ anchor:FILE:$srcdir/data/secp256r1TestCA.cert.pem > /dev/null || exit 1
echo "eccert -> root"
${hxtool} verify --missing-revoke \
- cert:FILE:$srcdir/data/secp160r2TestClient.cert.pem \
- anchor:FILE:$srcdir/data/secp160r1TestCA.cert.pem > /dev/null || exit 1
+ cert:FILE:$srcdir/data/secp256r2TestClient.cert.pem \
+ anchor:FILE:$srcdir/data/secp256r1TestCA.cert.pem > /dev/null || exit 1
fi
echo "proxy cert"
diff --git a/lib/hx509/test_cms.in b/lib/hx509/test_cms.in
index d519d25a22b2..8b3de76efd6b 100644
--- a/lib/hx509/test_cms.in
+++ b/lib/hx509/test_cms.in
@@ -53,15 +53,15 @@ if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
else
echo "create signed data (ec)"
${hxtool} cms-create-sd \
- --certificate=FILE:$srcdir/data/secp160r2TestClient.pem \
- "$srcdir/test_chain.in" \
- sd.data > /dev/null || exit 1
+ --certificate=FILE:$srcdir/data/secp256r2TestClient.pem \
+ "$srcdir/test_chain.in" \
+ sd.data > /dev/null || exit 1
echo "verify signed data (ec)"
${hxtool} cms-verify-sd \
- --missing-revoke \
- --anchors=FILE:$srcdir/data/secp160r1TestCA.cert.pem \
- sd.data sd.data.out > /dev/null || exit 1
+ --missing-revoke \
+ --anchors=FILE:$srcdir/data/secp256r1TestCA.cert.pem \
+ sd.data sd.data.out > /dev/null || exit 1
cmp "$srcdir/test_chain.in" sd.data.out || exit 1
fi
diff --git a/lib/hx509/test_name.c b/lib/hx509/test_name.c
index d932221ddf04..9d21a7f65b03 100644
--- a/lib/hx509/test_name.c
+++ b/lib/hx509/test_name.c
@@ -319,14 +319,14 @@ test_compare(hx509_context context)
/* check transative properties of name compare function */
- ret = hx509_cert_init_data(context, certdata1, sizeof(certdata1) - 1, &c1);
- if (ret) return 1;
-
- ret = hx509_cert_init_data(context, certdata2, sizeof(certdata2) - 1, &c2);
- if (ret) return 1;
-
- ret = hx509_cert_init_data(context, certdata3, sizeof(certdata3) - 1, &c3);
- if (ret) return 1;
+ c1 = hx509_cert_init_data(context, certdata1, sizeof(certdata1) - 1, NULL);
+ if (c1 == NULL) return 1;
+
+ c2 = hx509_cert_init_data(context, certdata2, sizeof(certdata2) - 1, NULL);
+ if (c2 == NULL) return 1;
+
+ c3 = hx509_cert_init_data(context, certdata3, sizeof(certdata3) - 1, NULL);
+ if (c3 == NULL) return 1;
ret = compare_subject(c1, c1, &l0);
if (ret) return 1;
diff --git a/lib/hx509/test_soft_pkcs11.c b/lib/hx509/test_soft_pkcs11.c
index c8fc2448ee76..cdffcf803b0e 100644
--- a/lib/hx509/test_soft_pkcs11.c
+++ b/lib/hx509/test_soft_pkcs11.c
@@ -32,7 +32,7 @@
*/
#include "hx_locl.h"
-#include "pkcs11.h"
+#include "ref/pkcs11.h"
#include <err.h>
static CK_FUNCTION_LIST_PTR func;
diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map
index b05198c42c5d..f040cd834496 100644
--- a/lib/hx509/version-script.map
+++ b/lib/hx509/version-script.map
@@ -23,7 +23,6 @@ HEIMDAL_X509_1.2 {
_hx509_request_print;
_hx509_request_set_email;
_hx509_request_to_pkcs10;
- _hx509_request_to_pkcs10;
_hx509_unmap_file_os;
_hx509_write_file;
hx509_bitstring_print;
@@ -209,6 +208,7 @@ HEIMDAL_X509_1.2 {
hx509_revoke_init;
hx509_revoke_ocsp_print;
hx509_revoke_verify;
+ hx509_revoke_print;
hx509_set_error_string;
hx509_set_error_stringv;
hx509_signature_md5;
@@ -248,3 +248,8 @@ HEIMDAL_X509_1.2 {
*;
};
+HEIMDAL_X509_1.3 {
+ global:
+ hx509_ca_tbs_set_signature_algorithm;
+};
+