openssl-custom 2.2.2

data/ext/openssl/ossl_ts.h

@@ -0,0 +1,16 @@
+/*
+ *
+ * Copyright (C) 2010 Martin Bosslet <Martin.Bosslet@googlemail.com>
+ * All rights reserved.
+ */
+/*
+ * This program is licenced under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+
+#if !defined(_OSSL_TS_H_)
+#define _OSSL_TS_H_
+
+void Init_ossl_ts(void);
+
+#endif

data/ext/openssl/ossl_x509.c

@@ -0,0 +1,262 @@
+/*
+ * 'OpenSSL for Ruby' project
+ * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
+ * All rights reserved.
+ */
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#include "ossl.h"
+
+VALUE mX509;
+
+#define DefX509Const(x) rb_define_const(mX509, #x, INT2NUM(X509_##x))
+#define DefX509Default(x,i) \
+  rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
+
+ASN1_TIME *
+ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
+{
+    time_t sec;
+
+    int off_days;
+
+    ossl_time_split(time, &sec, &off_days);
+    return X509_time_adj_ex(s, off_days, 0, &sec);
+}
+
+void
+Init_ossl_x509(void)
+{
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+#endif
+
+    mX509 = rb_define_module_under(mOSSL, "X509");
+
+    Init_ossl_x509attr();
+    Init_ossl_x509cert();
+    Init_ossl_x509crl();
+    Init_ossl_x509ext();
+    Init_ossl_x509name();
+    Init_ossl_x509req();
+    Init_ossl_x509revoked();
+    Init_ossl_x509store();
+
+    /* Constants are up-to-date with 1.1.1. */
+
+    /* Certificate verification error code */
+    DefX509Const(V_OK);
+#if defined(X509_V_ERR_UNSPECIFIED) /* 1.0.1r, 1.0.2f, 1.1.0 */
+    DefX509Const(V_ERR_UNSPECIFIED);
+#endif
+    DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT);
+    DefX509Const(V_ERR_UNABLE_TO_GET_CRL);
+    DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE);
+    DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE);
+    DefX509Const(V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY);
+    DefX509Const(V_ERR_CERT_SIGNATURE_FAILURE);
+    DefX509Const(V_ERR_CRL_SIGNATURE_FAILURE);
+    DefX509Const(V_ERR_CERT_NOT_YET_VALID);
+    DefX509Const(V_ERR_CERT_HAS_EXPIRED);
+    DefX509Const(V_ERR_CRL_NOT_YET_VALID);
+    DefX509Const(V_ERR_CRL_HAS_EXPIRED);
+    DefX509Const(V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD);
+    DefX509Const(V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD);
+    DefX509Const(V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD);
+    DefX509Const(V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
+    DefX509Const(V_ERR_OUT_OF_MEM);
+    DefX509Const(V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
+    DefX509Const(V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
+    DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
+    DefX509Const(V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
+    DefX509Const(V_ERR_CERT_CHAIN_TOO_LONG);
+    DefX509Const(V_ERR_CERT_REVOKED);
+    DefX509Const(V_ERR_INVALID_CA);
+    DefX509Const(V_ERR_PATH_LENGTH_EXCEEDED);
+    DefX509Const(V_ERR_INVALID_PURPOSE);
+    DefX509Const(V_ERR_CERT_UNTRUSTED);
+    DefX509Const(V_ERR_CERT_REJECTED);
+    DefX509Const(V_ERR_SUBJECT_ISSUER_MISMATCH);
+    DefX509Const(V_ERR_AKID_SKID_MISMATCH);
+    DefX509Const(V_ERR_AKID_ISSUER_SERIAL_MISMATCH);
+    DefX509Const(V_ERR_KEYUSAGE_NO_CERTSIGN);
+    DefX509Const(V_ERR_UNABLE_TO_GET_CRL_ISSUER);
+    DefX509Const(V_ERR_UNHANDLED_CRITICAL_EXTENSION);
+    DefX509Const(V_ERR_KEYUSAGE_NO_CRL_SIGN);
+    DefX509Const(V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION);
+    DefX509Const(V_ERR_INVALID_NON_CA);
+    DefX509Const(V_ERR_PROXY_PATH_LENGTH_EXCEEDED);
+    DefX509Const(V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE);
+    DefX509Const(V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED);
+    DefX509Const(V_ERR_INVALID_EXTENSION);
+    DefX509Const(V_ERR_INVALID_POLICY_EXTENSION);
+    DefX509Const(V_ERR_NO_EXPLICIT_POLICY);
+    DefX509Const(V_ERR_DIFFERENT_CRL_SCOPE);
+    DefX509Const(V_ERR_UNSUPPORTED_EXTENSION_FEATURE);
+    DefX509Const(V_ERR_UNNESTED_RESOURCE);
+    DefX509Const(V_ERR_PERMITTED_VIOLATION);
+    DefX509Const(V_ERR_EXCLUDED_VIOLATION);
+    DefX509Const(V_ERR_SUBTREE_MINMAX);
+    DefX509Const(V_ERR_APPLICATION_VERIFICATION);
+    DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_TYPE);
+    DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX);
+    DefX509Const(V_ERR_UNSUPPORTED_NAME_SYNTAX);
+    DefX509Const(V_ERR_CRL_PATH_VALIDATION_ERROR);
+#if defined(X509_V_ERR_PATH_LOOP)
+    DefX509Const(V_ERR_PATH_LOOP);
+#endif
+#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)
+    DefX509Const(V_ERR_SUITE_B_INVALID_VERSION);
+    DefX509Const(V_ERR_SUITE_B_INVALID_ALGORITHM);
+    DefX509Const(V_ERR_SUITE_B_INVALID_CURVE);
+    DefX509Const(V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM);
+    DefX509Const(V_ERR_SUITE_B_LOS_NOT_ALLOWED);
+    DefX509Const(V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256);
+#endif
+#if defined(X509_V_ERR_HOSTNAME_MISMATCH)
+    DefX509Const(V_ERR_HOSTNAME_MISMATCH);
+    DefX509Const(V_ERR_EMAIL_MISMATCH);
+    DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
+#endif
+#if defined(X509_V_ERR_DANE_NO_MATCH)
+    DefX509Const(V_ERR_DANE_NO_MATCH);
+#endif
+#if defined(X509_V_ERR_EE_KEY_TOO_SMALL)
+    DefX509Const(V_ERR_EE_KEY_TOO_SMALL);
+    DefX509Const(V_ERR_CA_KEY_TOO_SMALL);
+    DefX509Const(V_ERR_CA_MD_TOO_WEAK);
+#endif
+#if defined(X509_V_ERR_INVALID_CALL)
+    DefX509Const(V_ERR_INVALID_CALL);
+#endif
+#if defined(X509_V_ERR_STORE_LOOKUP)
+    DefX509Const(V_ERR_STORE_LOOKUP);
+#endif
+#if defined(X509_V_ERR_NO_VALID_SCTS)
+    DefX509Const(V_ERR_NO_VALID_SCTS);
+#endif
+#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)
+    DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION);
+#endif
+#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
+    DefX509Const(V_ERR_OCSP_VERIFY_NEEDED);
+    DefX509Const(V_ERR_OCSP_VERIFY_FAILED);
+    DefX509Const(V_ERR_OCSP_CERT_UNKNOWN);
+#endif
+
+    /* Certificate verify flags */
+    /* Set by Store#flags= and StoreContext#flags=. */
+    DefX509Const(V_FLAG_USE_CHECK_TIME);
+    /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for the
+     * certificate chain leaf. */
+    DefX509Const(V_FLAG_CRL_CHECK);
+    /* Set by Store#flags= and StoreContext#flags=. Enables CRL checking for all
+     * certificates in the certificate chain */
+    DefX509Const(V_FLAG_CRL_CHECK_ALL);
+    /* Set by Store#flags= and StoreContext#flags=. Disables critical extension
+     * checking. */
+    DefX509Const(V_FLAG_IGNORE_CRITICAL);
+    /* Set by Store#flags= and StoreContext#flags=. Disables workarounds for
+     * broken certificates. */
+    DefX509Const(V_FLAG_X509_STRICT);
+    /* Set by Store#flags= and StoreContext#flags=. Enables proxy certificate
+     * verification. */
+    DefX509Const(V_FLAG_ALLOW_PROXY_CERTS);
+    /* Set by Store#flags= and StoreContext#flags=. Enables certificate policy
+     * constraints checking. */
+    DefX509Const(V_FLAG_POLICY_CHECK);
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Implies V_FLAG_POLICY_CHECK */
+    DefX509Const(V_FLAG_EXPLICIT_POLICY);
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Implies V_FLAG_POLICY_CHECK */
+    DefX509Const(V_FLAG_INHIBIT_ANY);
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Implies V_FLAG_POLICY_CHECK */
+    DefX509Const(V_FLAG_INHIBIT_MAP);
+    /* Set by Store#flags= and StoreContext#flags=. */
+    DefX509Const(V_FLAG_NOTIFY_POLICY);
+    /* Set by Store#flags= and StoreContext#flags=. Enables some additional
+     * features including support for indirect signed CRLs. */
+    DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT);
+    /* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not
+     * specified, deltas are ignored. */
+    DefX509Const(V_FLAG_USE_DELTAS);
+    /* Set by Store#flags= and StoreContext#flags=. Enables checking of the
+     * signature of the root self-signed CA. */
+    DefX509Const(V_FLAG_CHECK_SS_SIGNATURE);
+#if defined(X509_V_FLAG_TRUSTED_FIRST)
+    /* Set by Store#flags= and StoreContext#flags=. When constructing a
+     * certificate chain, search the Store first for the issuer certificate.
+     * Enabled by default in OpenSSL >= 1.1.0. */
+    DefX509Const(V_FLAG_TRUSTED_FIRST);
+#endif
+#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Enables Suite B 128 bit only mode. */
+    DefX509Const(V_FLAG_SUITEB_128_LOS_ONLY);
+#endif
+#if defined(X509_V_FLAG_SUITEB_192_LOS)
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Enables Suite B 192 bit only mode. */
+    DefX509Const(V_FLAG_SUITEB_192_LOS);
+#endif
+#if defined(X509_V_FLAG_SUITEB_128_LOS)
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Enables Suite B 128 bit mode allowing 192 bit algorithms. */
+    DefX509Const(V_FLAG_SUITEB_128_LOS);
+#endif
+#if defined(X509_V_FLAG_PARTIAL_CHAIN)
+    /* Set by Store#flags= and StoreContext#flags=.
+     * Allows partial chains if at least one certificate is in trusted store. */
+    DefX509Const(V_FLAG_PARTIAL_CHAIN);
+#endif
+#if defined(X509_V_FLAG_NO_ALT_CHAINS)
+    /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
+     * a alternative chain. No effect in OpenSSL >= 1.1.0. */
+    DefX509Const(V_FLAG_NO_ALT_CHAINS);
+#endif
+#if defined(X509_V_FLAG_NO_CHECK_TIME)
+    /* Set by Store#flags= and StoreContext#flags=. Suppresses checking the
+     * validity period of certificates and CRLs. No effect when the current
+     * time is explicitly set by Store#time= or StoreContext#time=. */
+    DefX509Const(V_FLAG_NO_CHECK_TIME);
+#endif
+
+    /* Set by Store#purpose=. SSL/TLS client. */
+    DefX509Const(PURPOSE_SSL_CLIENT);
+    /* Set by Store#purpose=. SSL/TLS server. */
+    DefX509Const(PURPOSE_SSL_SERVER);
+    /* Set by Store#purpose=. Netscape SSL server. */
+    DefX509Const(PURPOSE_NS_SSL_SERVER);
+    /* Set by Store#purpose=. S/MIME signing. */
+    DefX509Const(PURPOSE_SMIME_SIGN);
+    /* Set by Store#purpose=. S/MIME encryption. */
+    DefX509Const(PURPOSE_SMIME_ENCRYPT);
+    /* Set by Store#purpose=. CRL signing */
+    DefX509Const(PURPOSE_CRL_SIGN);
+    /* Set by Store#purpose=. No checks. */
+    DefX509Const(PURPOSE_ANY);
+    /* Set by Store#purpose=. OCSP helper. */
+    DefX509Const(PURPOSE_OCSP_HELPER);
+    /* Set by Store#purpose=. Time stamps signer. */
+    DefX509Const(PURPOSE_TIMESTAMP_SIGN);
+
+    DefX509Const(TRUST_COMPAT);
+    DefX509Const(TRUST_SSL_CLIENT);
+    DefX509Const(TRUST_SSL_SERVER);
+    DefX509Const(TRUST_EMAIL);
+    DefX509Const(TRUST_OBJECT_SIGN);
+    DefX509Const(TRUST_OCSP_SIGN);
+    DefX509Const(TRUST_OCSP_REQUEST);
+    DefX509Const(TRUST_TSA);
+
+    DefX509Default(CERT_AREA, cert_area);
+    DefX509Default(CERT_DIR, cert_dir);
+    DefX509Default(CERT_FILE, cert_file);
+    DefX509Default(CERT_DIR_ENV, cert_dir_env);
+    DefX509Default(CERT_FILE_ENV, cert_file_env);
+    DefX509Default(PRIVATE_DIR, private_dir);
+}

data/ext/openssl/ossl_x509.h

@@ -0,0 +1,115 @@
+/*
+ * 'OpenSSL for Ruby' project
+ * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
+ * All rights reserved.
+ */
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#if !defined(_OSSL_X509_H_)
+#define _OSSL_X509_H_
+
+/*
+ * X509 main module
+ */
+extern VALUE mX509;
+
+/*
+ * Converts the VALUE into Integer and set it to the ASN1_TIME. This is a
+ * wrapper for X509_time_adj_ex() so passing NULL creates a new ASN1_TIME.
+ * Note that the caller must check the NULL return.
+ */
+ASN1_TIME *ossl_x509_time_adjust(ASN1_TIME *, VALUE);
+
+void Init_ossl_x509(void);
+
+/*
+ * X509Attr
+ */
+extern VALUE cX509Attr;
+extern VALUE eX509AttrError;
+
+VALUE ossl_x509attr_new(X509_ATTRIBUTE *);
+X509_ATTRIBUTE *GetX509AttrPtr(VALUE);
+void Init_ossl_x509attr(void);
+
+/*
+ * X509Cert
+ */
+extern VALUE cX509Cert;
+extern VALUE eX509CertError;
+
+VALUE ossl_x509_new(X509 *);
+X509 *GetX509CertPtr(VALUE);
+X509 *DupX509CertPtr(VALUE);
+void Init_ossl_x509cert(void);
+
+/*
+ * X509CRL
+ */
+extern VALUE cX509CRL;
+extern VALUE eX509CRLError;
+
+VALUE ossl_x509crl_new(X509_CRL *);
+X509_CRL *GetX509CRLPtr(VALUE);
+void Init_ossl_x509crl(void);
+
+/*
+ * X509Extension
+ */
+extern VALUE cX509Ext;
+extern VALUE cX509ExtFactory;
+extern VALUE eX509ExtError;
+
+VALUE ossl_x509ext_new(X509_EXTENSION *);
+X509_EXTENSION *GetX509ExtPtr(VALUE);
+void Init_ossl_x509ext(void);
+
+/*
+ * X509Name
+ */
+extern VALUE cX509Name;
+extern VALUE eX509NameError;
+
+VALUE ossl_x509name_new(X509_NAME *);
+X509_NAME *GetX509NamePtr(VALUE);
+void Init_ossl_x509name(void);
+
+/*
+ * X509Request
+ */
+extern VALUE cX509Req;
+extern VALUE eX509ReqError;
+
+X509_REQ *GetX509ReqPtr(VALUE);
+void Init_ossl_x509req(void);
+
+/*
+ * X509Revoked
+ */
+extern VALUE cX509Rev;
+extern VALUE eX509RevError;
+
+VALUE ossl_x509revoked_new(X509_REVOKED *);
+X509_REVOKED *DupX509RevokedPtr(VALUE);
+void Init_ossl_x509revoked(void);
+
+/*
+ * X509Store and X509StoreContext
+ */
+extern VALUE cX509Store;
+extern VALUE cX509StoreContext;
+extern VALUE eX509StoreError;
+
+X509_STORE *GetX509StorePtr(VALUE);
+
+void Init_ossl_x509store(void);
+
+/*
+ * Calls the verify callback Proc (the first parameter) with given pre-verify
+ * result and the X509_STORE_CTX.
+ */
+int ossl_verify_cb_call(VALUE, int, X509_STORE_CTX *);
+
+#endif /* _OSSL_X509_H_ */

data/ext/openssl/ossl_x509attr.c

@@ -0,0 +1,324 @@
+/*
+ * 'OpenSSL for Ruby' project
+ * Copyright (C) 2001 Michal Rokos <m.rokos@sh.cvut.cz>
+ * All rights reserved.
+ */
+/*
+ * This program is licensed under the same licence as Ruby.
+ * (See the file 'LICENCE'.)
+ */
+#include "ossl.h"
+
+#define NewX509Attr(klass) \
+    TypedData_Wrap_Struct((klass), &ossl_x509attr_type, 0)
+#define SetX509Attr(obj, attr) do { \
+    if (!(attr)) { \
+	ossl_raise(rb_eRuntimeError, "ATTR wasn't initialized!"); \
+    } \
+    RTYPEDDATA_DATA(obj) = (attr); \
+} while (0)
+#define GetX509Attr(obj, attr) do { \
+    TypedData_Get_Struct((obj), X509_ATTRIBUTE, &ossl_x509attr_type, (attr)); \
+    if (!(attr)) { \
+	ossl_raise(rb_eRuntimeError, "ATTR wasn't initialized!"); \
+    } \
+} while (0)
+
+/*
+ * Classes
+ */
+VALUE cX509Attr;
+VALUE eX509AttrError;
+
+static void
+ossl_x509attr_free(void *ptr)
+{
+    X509_ATTRIBUTE_free(ptr);
+}
+
+static const rb_data_type_t ossl_x509attr_type = {
+    "OpenSSL/X509/ATTRIBUTE",
+    {
+	0, ossl_x509attr_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
+/*
+ * Public
+ */
+VALUE
+ossl_x509attr_new(X509_ATTRIBUTE *attr)
+{
+    X509_ATTRIBUTE *new;
+    VALUE obj;
+
+    obj = NewX509Attr(cX509Attr);
+    if (!attr) {
+	new = X509_ATTRIBUTE_new();
+    } else {
+	new = X509_ATTRIBUTE_dup(attr);
+    }
+    if (!new) {
+	ossl_raise(eX509AttrError, NULL);
+    }
+    SetX509Attr(obj, new);
+
+    return obj;
+}
+
+X509_ATTRIBUTE *
+GetX509AttrPtr(VALUE obj)
+{
+    X509_ATTRIBUTE *attr;
+
+    GetX509Attr(obj, attr);
+
+    return attr;
+}
+
+/*
+ * Private
+ */
+static VALUE
+ossl_x509attr_alloc(VALUE klass)
+{
+    X509_ATTRIBUTE *attr;
+    VALUE obj;
+
+    obj = NewX509Attr(klass);
+    if (!(attr = X509_ATTRIBUTE_new()))
+	ossl_raise(eX509AttrError, NULL);
+    SetX509Attr(obj, attr);
+
+    return obj;
+}
+
+/*
+ * call-seq:
+ *    Attribute.new(oid [, value]) => attr
+ */
+static VALUE
+ossl_x509attr_initialize(int argc, VALUE *argv, VALUE self)
+{
+    VALUE oid, value;
+    X509_ATTRIBUTE *attr, *x;
+    const unsigned char *p;
+
+    GetX509Attr(self, attr);
+    if(rb_scan_args(argc, argv, "11", &oid, &value) == 1){
+	oid = ossl_to_der_if_possible(oid);
+	StringValue(oid);
+	p = (unsigned char *)RSTRING_PTR(oid);
+	x = d2i_X509_ATTRIBUTE(&attr, &p, RSTRING_LEN(oid));
+	DATA_PTR(self) = attr;
+	if(!x){
+	    ossl_raise(eX509AttrError, NULL);
+	}
+	return self;
+    }
+    rb_funcall(self, rb_intern("oid="), 1, oid);
+    rb_funcall(self, rb_intern("value="), 1, value);
+
+    return self;
+}
+
+static VALUE
+ossl_x509attr_initialize_copy(VALUE self, VALUE other)
+{
+    X509_ATTRIBUTE *attr, *attr_other, *attr_new;
+
+    rb_check_frozen(self);
+    GetX509Attr(self, attr);
+    GetX509Attr(other, attr_other);
+
+    attr_new = X509_ATTRIBUTE_dup(attr_other);
+    if (!attr_new)
+	ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
+
+    SetX509Attr(self, attr_new);
+    X509_ATTRIBUTE_free(attr);
+
+    return self;
+}
+
+/*
+ * call-seq:
+ *    attr.oid = string => string
+ */
+static VALUE
+ossl_x509attr_set_oid(VALUE self, VALUE oid)
+{
+    X509_ATTRIBUTE *attr;
+    ASN1_OBJECT *obj;
+    char *s;
+
+    GetX509Attr(self, attr);
+    s = StringValueCStr(oid);
+    obj = OBJ_txt2obj(s, 0);
+    if(!obj) ossl_raise(eX509AttrError, NULL);
+    if (!X509_ATTRIBUTE_set1_object(attr, obj)) {
+	ASN1_OBJECT_free(obj);
+	ossl_raise(eX509AttrError, "X509_ATTRIBUTE_set1_object");
+    }
+    ASN1_OBJECT_free(obj);
+
+    return oid;
+}
+
+/*
+ * call-seq:
+ *    attr.oid => string
+ */
+static VALUE
+ossl_x509attr_get_oid(VALUE self)
+{
+    X509_ATTRIBUTE *attr;
+    ASN1_OBJECT *oid;
+    BIO *out;
+    VALUE ret;
+    int nid;
+
+    GetX509Attr(self, attr);
+    oid = X509_ATTRIBUTE_get0_object(attr);
+    if ((nid = OBJ_obj2nid(oid)) != NID_undef)
+	ret = rb_str_new2(OBJ_nid2sn(nid));
+    else{
+	if (!(out = BIO_new(BIO_s_mem())))
+	    ossl_raise(eX509AttrError, NULL);
+	i2a_ASN1_OBJECT(out, oid);
+	ret = ossl_membio2str(out);
+    }
+
+    return ret;
+}
+
+/*
+ * call-seq:
+ *    attr.value = asn1 => asn1
+ */
+static VALUE
+ossl_x509attr_set_value(VALUE self, VALUE value)
+{
+    X509_ATTRIBUTE *attr;
+    VALUE asn1_value;
+    int i, asn1_tag;
+
+    OSSL_Check_Kind(value, cASN1Data);
+    asn1_tag = NUM2INT(rb_attr_get(value, rb_intern("@tag")));
+    asn1_value = rb_attr_get(value, rb_intern("@value"));
+    if (asn1_tag != V_ASN1_SET)
+	ossl_raise(eASN1Error, "argument must be ASN1::Set");
+    if (!RB_TYPE_P(asn1_value, T_ARRAY))
+	ossl_raise(eASN1Error, "ASN1::Set has non-array value");
+
+    GetX509Attr(self, attr);
+    if (X509_ATTRIBUTE_count(attr)) { /* populated, reset first */
+	ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
+	X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, 0, NULL, -1);
+	if (!new_attr)
+	    ossl_raise(eX509AttrError, NULL);
+	SetX509Attr(self, new_attr);
+	X509_ATTRIBUTE_free(attr);
+	attr = new_attr;
+    }
+
+    for (i = 0; i < RARRAY_LEN(asn1_value); i++) {
+	ASN1_TYPE *a1type = ossl_asn1_get_asn1type(RARRAY_AREF(asn1_value, i));
+	if (!X509_ATTRIBUTE_set1_data(attr, ASN1_TYPE_get(a1type),
+				      a1type->value.ptr, -1)) {
+	    ASN1_TYPE_free(a1type);
+	    ossl_raise(eX509AttrError, NULL);
+	}
+	ASN1_TYPE_free(a1type);
+    }
+
+    return value;
+}
+
+/*
+ * call-seq:
+ *    attr.value => asn1
+ */
+static VALUE
+ossl_x509attr_get_value(VALUE self)
+{
+    X509_ATTRIBUTE *attr;
+    STACK_OF(ASN1_TYPE) *sk;
+    VALUE str;
+    int i, count, len;
+    unsigned char *p;
+
+    GetX509Attr(self, attr);
+    /* there is no X509_ATTRIBUTE_get0_set() :( */
+    if (!(sk = sk_ASN1_TYPE_new_null()))
+	ossl_raise(eX509AttrError, "sk_new");
+
+    count = X509_ATTRIBUTE_count(attr);
+    for (i = 0; i < count; i++)
+	sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
+
+    if ((len = i2d_ASN1_SET_ANY(sk, NULL)) <= 0) {
+	sk_ASN1_TYPE_free(sk);
+	ossl_raise(eX509AttrError, NULL);
+    }
+    str = rb_str_new(0, len);
+    p = (unsigned char *)RSTRING_PTR(str);
+    if (i2d_ASN1_SET_ANY(sk, &p) <= 0) {
+	sk_ASN1_TYPE_free(sk);
+	ossl_raise(eX509AttrError, NULL);
+    }
+    ossl_str_adjust(str, p);
+    sk_ASN1_TYPE_free(sk);
+
+    return rb_funcall(mASN1, rb_intern("decode"), 1, str);
+}
+
+/*
+ * call-seq:
+ *    attr.to_der => string
+ */
+static VALUE
+ossl_x509attr_to_der(VALUE self)
+{
+    X509_ATTRIBUTE *attr;
+    VALUE str;
+    int len;
+    unsigned char *p;
+
+    GetX509Attr(self, attr);
+    if((len = i2d_X509_ATTRIBUTE(attr, NULL)) <= 0)
+	ossl_raise(eX509AttrError, NULL);
+    str = rb_str_new(0, len);
+    p = (unsigned char *)RSTRING_PTR(str);
+    if(i2d_X509_ATTRIBUTE(attr, &p) <= 0)
+	ossl_raise(eX509AttrError, NULL);
+    ossl_str_adjust(str, p);
+
+    return str;
+}
+
+/*
+ * X509_ATTRIBUTE init
+ */
+void
+Init_ossl_x509attr(void)
+{
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+    mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
+    eX509AttrError = rb_define_class_under(mX509, "AttributeError", eOSSLError);
+
+    cX509Attr = rb_define_class_under(mX509, "Attribute", rb_cObject);
+    rb_define_alloc_func(cX509Attr, ossl_x509attr_alloc);
+    rb_define_method(cX509Attr, "initialize", ossl_x509attr_initialize, -1);
+    rb_define_method(cX509Attr, "initialize_copy", ossl_x509attr_initialize_copy, 1);
+    rb_define_method(cX509Attr, "oid=", ossl_x509attr_set_oid, 1);
+    rb_define_method(cX509Attr, "oid", ossl_x509attr_get_oid, 0);
+    rb_define_method(cX509Attr, "value=", ossl_x509attr_set_value, 1);
+    rb_define_method(cX509Attr, "value", ossl_x509attr_get_value, 0);
+    rb_define_method(cX509Attr, "to_der", ossl_x509attr_to_der, 0);
+}