rubysl-openssl 1.0.2 → 2.0.0

data/ext/rubysl/openssl/ossl.h

@@ -1,5 +1,5 @@
 /*
- * $Id: ossl.h 28367 2010-06-21 09:18:59Z shyouhei $
+ * $Id$
  * 'OpenSSL for Ruby' project
  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
  * All rights reserved.
@@ -29,7 +29,8 @@ extern "C" {
 #  undef RFILE
 #endif
 #include <ruby.h>
-#include <rubyio.h>
+#include <ruby/io.h>
+#include <ruby/thread.h>
 
 /*
  * Check the OpenSSL version
@@ -45,12 +46,12 @@ extern "C" {
 #endif
 
 #if defined(_WIN32)
+#  include <openssl/e_os2.h>
 #  define OSSL_NO_CONF_API 1
-#  ifdef USE_WINSOCK2
-#    include <winsock2.h>
-#  else
-#    include <winsock.h>
+#  if !defined(OPENSSL_SYS_WIN32)
+#    define OPENSSL_SYS_WIN32 1
 #  endif
+#  include <winsock2.h>
 #endif
 #include <errno.h>
 #include <openssl/err.h>
@@ -74,6 +75,11 @@ extern "C" {
 #  include <openssl/ocsp.h>
 #endif
 
+/* OpenSSL requires passwords for PEM-encoded files to be at least four
+ * characters long
+ */
+#define OSSL_MIN_PWD_LEN 4
+
 /*
  * Common Module
  */
@@ -88,21 +94,21 @@ extern VALUE eOSSLError;
  * CheckTypes
  */
 #define OSSL_Check_Kind(obj, klass) do {\
-  if (!rb_obj_is_kind_of(obj, klass)) {\
+  if (!rb_obj_is_kind_of((obj), (klass))) {\
     ossl_raise(rb_eTypeError, "wrong argument (%s)! (Expected kind of %s)",\
                rb_obj_classname(obj), rb_class2name(klass));\
   }\
 } while (0)
 
 #define OSSL_Check_Instance(obj, klass) do {\
-  if (!rb_obj_is_instance_of(obj, klass)) {\
+  if (!rb_obj_is_instance_of((obj), (klass))) {\
     ossl_raise(rb_eTypeError, "wrong argument (%s)! (Expected instance of %s)",\
                rb_obj_classname(obj), rb_class2name(klass));\
   }\
 } while (0)
 
 #define OSSL_Check_Same_Class(obj1, obj2) do {\
-  if (!rb_obj_is_instance_of(obj1, rb_obj_class(obj2))) {\
+  if (!rb_obj_is_instance_of((obj1), rb_obj_class(obj2))) {\
     ossl_raise(rb_eTypeError, "wrong argument type");\
   }\
 } while (0)
@@ -117,7 +123,7 @@ extern VALUE eOSSLError;
 /*
  * String to HEXString conversion
  */
-int string2hex(char *, int, char **, int *);
+int string2hex(const unsigned char *, int, char **, int *);
 
 /*
  * Data Conversion
@@ -127,13 +133,14 @@ STACK_OF(X509) *ossl_x509_ary2sk(VALUE);
 STACK_OF(X509) *ossl_protect_x509_ary2sk(VALUE,int*);
 VALUE ossl_x509_sk2ary(STACK_OF(X509) *certs);
 VALUE ossl_x509crl_sk2ary(STACK_OF(X509_CRL) *crl);
+VALUE ossl_x509name_sk2ary(STACK_OF(X509_NAME) *names);
 VALUE ossl_buf2str(char *buf, int len);
 #define ossl_str_adjust(str, p) \
 do{\
-    int len = RSTRING_LEN(str);\
-    int newlen = (p) - (unsigned char*)RSTRING_PTR(str);\
+    int len = RSTRING_LENINT(str);\
+    int newlen = rb_long2int((p) - (unsigned char*)RSTRING_PTR(str));\
     assert(newlen <= len);\
-    rb_str_set_len(str, newlen);\
+    rb_str_set_len((str), newlen);\
 }while(0)
 
 /*
@@ -141,6 +148,13 @@ do{\
  */
 int ossl_pem_passwd_cb(char *, int, int, void *);
 
+/*
+ * Clear BIO* with this in PEM/DER fallback scenarios to avoid decoding
+ * errors piling up in OpenSSL::Errors
+ */
+#define OSSL_BIO_reset(bio)	(void)BIO_reset((bio)); \
+				ERR_clear_error();
+
 /*
  * ERRor messages
  */
@@ -184,13 +198,13 @@ extern VALUE dOSSL;
 } while (0)
 
 #define OSSL_Warning(fmt, ...) do { \
-  OSSL_Debug(fmt, ##__VA_ARGS__); \
-  rb_warning(fmt, ##__VA_ARGS__); \
+  OSSL_Debug((fmt), ##__VA_ARGS__); \
+  rb_warning((fmt), ##__VA_ARGS__); \
 } while (0)
 
 #define OSSL_Warn(fmt, ...) do { \
-  OSSL_Debug(fmt, ##__VA_ARGS__); \
-  rb_warn(fmt, ##__VA_ARGS__); \
+  OSSL_Debug((fmt), ##__VA_ARGS__); \
+  rb_warn((fmt), ##__VA_ARGS__); \
 } while (0)
 #else
 void ossl_debug(const char *, ...);

data/ext/rubysl/openssl/ossl_asn1.c

@@ -10,7 +10,20 @@
  */
 #include "ossl.h"
 
-#include <sys/time.h>
+#if defined(HAVE_SYS_TIME_H)
+#  include <sys/time.h>
+#elif !defined(NT) && !defined(_WIN32)
+struct timeval {
+    long tv_sec;	/* seconds */
+    long tv_usec;	/* and microseconds */
+};
+#endif
+
+static VALUE join_der(VALUE enumerable);
+static VALUE ossl_asn1_decode0(unsigned char **pp, long length, long *offset,
+			       int depth, int yield, long *num_read);
+static VALUE ossl_asn1_initialize(int argc, VALUE *argv, VALUE self);
+static VALUE ossl_asn1eoc_initialize(VALUE self);
 
 /*
  * DATE conversion
@@ -20,16 +33,16 @@ asn1time_to_time(ASN1_TIME *time)
 {
     struct tm tm;
     VALUE argv[6];
-    
+
     if (!time || !time->data) return Qnil;
     memset(&tm, 0, sizeof(struct tm));
-	
+
     switch (time->type) {
     case V_ASN1_UTCTIME:
-	if (sscanf(time->data, "%2d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
+	if (sscanf((const char *)time->data, "%2d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
     		&tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
 	    ossl_raise(rb_eTypeError, "bad UTCTIME format");
-	} 
+	}
 	if (tm.tm_year < 69) {
 	    tm.tm_year += 2000;
 	} else {
@@ -37,10 +50,10 @@ asn1time_to_time(ASN1_TIME *time)
 	}
 	break;
     case V_ASN1_GENERALIZEDTIME:
-	if (sscanf(time->data, "%4d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
+	if (sscanf((const char *)time->data, "%4d%2d%2d%2d%2d%2dZ", &tm.tm_year, &tm.tm_mon,
     		&tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
 	    ossl_raise(rb_eTypeError, "bad GENERALIZEDTIME format" );
-	} 
+	}
 	break;
     default:
 	rb_warning("unknown time format");
@@ -73,7 +86,7 @@ time_to_time_t(VALUE time)
 VALUE
 asn1str_to_str(ASN1_STRING *str)
 {
-    return rb_str_new(str->data, str->length);
+    return rb_str_new((const char *)str->data, str->length);
 }
 
 /*
@@ -136,11 +149,16 @@ num_to_asn1integer(VALUE obj, ASN1_INTEGER *ai)
 ASN1_INTEGER *
 num_to_asn1integer(VALUE obj, ASN1_INTEGER *ai)
 {
-    BIGNUM *bn = GetBNPtr(obj);
-    
-    if (!(ai = BN_to_ASN1_INTEGER(bn, ai))) {
+    BIGNUM *bn;
+
+    if (NIL_P(obj))
+	ossl_raise(rb_eTypeError, "Can't convert nil into Integer");
+
+    bn = GetBNPtr(obj);
+
+    if (!(ai = BN_to_ASN1_INTEGER(bn, ai)))
 	ossl_raise(eOSSLError, NULL);
-    }
+
     return ai;
 }
 #endif
@@ -149,15 +167,17 @@ num_to_asn1integer(VALUE obj, ASN1_INTEGER *ai)
 /*
  * ASN1 module
  */
-#define ossl_asn1_get_value(o)       rb_attr_get((o),rb_intern("@value"))
-#define ossl_asn1_get_tag(o)         rb_attr_get((o),rb_intern("@tag"))
-#define ossl_asn1_get_tagging(o)     rb_attr_get((o),rb_intern("@tagging"))
-#define ossl_asn1_get_tag_class(o)   rb_attr_get((o),rb_intern("@tag_class"))
-
-#define ossl_asn1_set_value(o,v)     rb_iv_set((o),"@value",(v))
-#define ossl_asn1_set_tag(o,v)       rb_iv_set((o),"@tag",(v))
-#define ossl_asn1_set_tagging(o,v)   rb_iv_set((o),"@tagging",(v))
-#define ossl_asn1_set_tag_class(o,v) rb_iv_set((o),"@tag_class",(v))
+#define ossl_asn1_get_value(o)           rb_attr_get((o),sivVALUE)
+#define ossl_asn1_get_tag(o)             rb_attr_get((o),sivTAG)
+#define ossl_asn1_get_tagging(o)         rb_attr_get((o),sivTAGGING)
+#define ossl_asn1_get_tag_class(o)       rb_attr_get((o),sivTAG_CLASS)
+#define ossl_asn1_get_infinite_length(o) rb_attr_get((o),sivINFINITE_LENGTH)
+
+#define ossl_asn1_set_value(o,v)           rb_ivar_set((o),sivVALUE,(v))
+#define ossl_asn1_set_tag(o,v)             rb_ivar_set((o),sivTAG,(v))
+#define ossl_asn1_set_tagging(o,v)         rb_ivar_set((o),sivTAGGING,(v))
+#define ossl_asn1_set_tag_class(o,v)       rb_ivar_set((o),sivTAG_CLASS,(v))
+#define ossl_asn1_set_infinite_length(o,v) rb_ivar_set((o),sivINFINITE_LENGTH,(v))
 
 VALUE mASN1;
 VALUE eASN1Error;
@@ -166,6 +186,7 @@ VALUE cASN1Data;
 VALUE cASN1Primitive;
 VALUE cASN1Constructive;
 
+VALUE cASN1EndOfContent;
 VALUE cASN1Boolean;                           /* BOOLEAN           */
 VALUE cASN1Integer, cASN1Enumerated;          /* INTEGER           */
 VALUE cASN1BitString;                         /* BIT STRING        */
@@ -182,6 +203,20 @@ VALUE cASN1Sequence, cASN1Set;                /* CONSTRUCTIVE      */
 
 static ID sIMPLICIT, sEXPLICIT;
 static ID sUNIVERSAL, sAPPLICATION, sCONTEXT_SPECIFIC, sPRIVATE;
+static ID sivVALUE, sivTAG, sivTAG_CLASS, sivTAGGING, sivINFINITE_LENGTH, sivUNUSED_BITS;
+
+/*
+ * We need to implement these for backward compatibility
+ * reasons, behavior of ASN1_put_object and ASN1_object_size
+ * for infinite length values is different in OpenSSL <= 0.9.7
+ */
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+#define ossl_asn1_object_size(cons, len, tag)		(cons) == 2 ? (len) + ASN1_object_size((cons), 0, (tag)) : ASN1_object_size((cons), (len), (tag))
+#define ossl_asn1_put_object(pp, cons, len, tag, xc)	(cons) == 2 ? ASN1_put_object((pp), (cons), 0, (tag), (xc)) : ASN1_put_object((pp), (cons), (len), (tag), (xc))
+#else
+#define ossl_asn1_object_size(cons, len, tag)		ASN1_object_size((cons), (len), (tag))
+#define ossl_asn1_put_object(pp, cons, len, tag, xc)	ASN1_put_object((pp), (cons), (len), (tag), (xc))
+#endif
 
 /*
  * Ruby to ASN1 converters
@@ -189,6 +224,9 @@ static ID sUNIVERSAL, sAPPLICATION, sCONTEXT_SPECIFIC, sPRIVATE;
 static ASN1_BOOLEAN
 obj_to_asn1bool(VALUE obj)
 {
+    if (NIL_P(obj))
+	ossl_raise(rb_eTypeError, "Can't convert nil into Boolean");
+
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
      return RTEST(obj) ? 0xff : 0x100;
 #else
@@ -211,7 +249,7 @@ obj_to_asn1bstr(VALUE obj, long unused_bits)
     StringValue(obj);
     if(!(bstr = ASN1_BIT_STRING_new()))
 	ossl_raise(eASN1Error, NULL);
-    ASN1_BIT_STRING_set(bstr, RSTRING_PTR(obj), RSTRING_LEN(obj));
+    ASN1_BIT_STRING_set(bstr, (unsigned char *)RSTRING_PTR(obj), RSTRING_LENINT(obj));
     bstr->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
     bstr->flags |= ASN1_STRING_FLAG_BITS_LEFT|(unused_bits&0x07);
 
@@ -226,7 +264,7 @@ obj_to_asn1str(VALUE obj)
     StringValue(obj);
     if(!(str = ASN1_STRING_new()))
 	ossl_raise(eASN1Error, NULL);
-    ASN1_STRING_set(str, RSTRING_PTR(obj), RSTRING_LEN(obj));
+    ASN1_STRING_set(str, RSTRING_PTR(obj), RSTRING_LENINT(obj));
 
     return str;
 }
@@ -292,7 +330,7 @@ obj_to_asn1derstr(VALUE obj)
     str = ossl_to_der(obj);
     if(!(a1str = ASN1_STRING_new()))
 	ossl_raise(eASN1Error, NULL);
-    ASN1_STRING_set(a1str, RSTRING_PTR(str), RSTRING_LEN(str));
+    ASN1_STRING_set(a1str, RSTRING_PTR(str), RSTRING_LENINT(str));
 
     return a1str;
 }
@@ -301,10 +339,10 @@ obj_to_asn1derstr(VALUE obj)
  * DER to Ruby converters
  */
 static VALUE
-decode_bool(unsigned char* der, int length)
+decode_bool(unsigned char* der, long length)
 {
     int val;
-    unsigned const char *p;
+    const unsigned char *p;
 
     p = der;
     if((val = d2i_ASN1_BOOLEAN(NULL, &p, length)) < 0)
@@ -314,11 +352,11 @@ decode_bool(unsigned char* der, int length)
 }
 
 static VALUE
-decode_int(unsigned char* der, int length)
+decode_int(unsigned char* der, long length)
 {
     ASN1_INTEGER *ai;
-    unsigned const char *p;
-    VALUE ret; 
+    const unsigned char *p;
+    VALUE ret;
     int status = 0;
 
     p = der;
@@ -333,7 +371,7 @@ decode_int(unsigned char* der, int length)
 }
 
 static VALUE
-decode_bstr(unsigned char* der, int length, long *unused_bits)
+decode_bstr(unsigned char* der, long length, long *unused_bits)
 {
     ASN1_BIT_STRING *bstr;
     const unsigned char *p;
@@ -354,11 +392,11 @@ decode_bstr(unsigned char* der, int length, long *unused_bits)
 }
 
 static VALUE
-decode_enum(unsigned char* der, int length)
+decode_enum(unsigned char* der, long length)
 {
     ASN1_ENUMERATED *ai;
-    unsigned const char *p;
-    VALUE ret; 
+    const unsigned char *p;
+    VALUE ret;
     int status = 0;
 
     p = der;
@@ -373,10 +411,10 @@ decode_enum(unsigned char* der, int length)
 }
 
 static VALUE
-decode_null(unsigned char* der, int length)
+decode_null(unsigned char* der, long length)
 {
     ASN1_NULL *null;
-    unsigned char const *p;
+    const unsigned char *p;
 
     p = der;
     if(!(null = d2i_ASN1_NULL(NULL, &p, length)))
@@ -387,10 +425,10 @@ decode_null(unsigned char* der, int length)
 }
 
 static VALUE
-decode_obj(unsigned char* der, int length)
+decode_obj(unsigned char* der, long length)
 {
     ASN1_OBJECT *obj;
-    unsigned const char *p;
+    const unsigned char *p;
     VALUE ret;
     int nid;
     BIO *bio;
@@ -416,10 +454,10 @@ decode_obj(unsigned char* der, int length)
 }
 
 static VALUE
-decode_time(unsigned char* der, int length)
+decode_time(unsigned char* der, long length)
 {
     ASN1_TIME *time;
-    unsigned const char *p;
+    const unsigned char *p;
     VALUE ret;
     int status = 0;
 
@@ -434,6 +472,15 @@ decode_time(unsigned char* der, int length)
     return ret;
 }
 
+static VALUE
+decode_eoc(unsigned char *der, long length)
+{
+    if (length != 2 || !(der[0] == 0x00 && der[1] == 0x00))
+	ossl_raise(eASN1Error, NULL);
+
+    return rb_str_new("", 0);
+}
+
 /********/
 
 typedef struct {
@@ -442,7 +489,7 @@ typedef struct {
 } ossl_asn1_info_t;
 
 static ossl_asn1_info_t ossl_asn1_info[] = {
-    { "EOC",               NULL,                  },  /*  0 */
+    { "EOC",               &cASN1EndOfContent,    },  /*  0 */
     { "BOOLEAN",           &cASN1Boolean,         },  /*  1 */
     { "INTEGER",           &cASN1Integer,         },  /*  2 */
     { "BIT_STRING",        &cASN1BitString,       },  /*  3 */
@@ -477,6 +524,8 @@ static ossl_asn1_info_t ossl_asn1_info[] = {
 
 int ossl_asn1_info_size = (sizeof(ossl_asn1_info)/sizeof(ossl_asn1_info[0]));
 
+static VALUE class_tag_map;
+
 static int ossl_asn1_default_tag(VALUE obj);
 
 ASN1_TYPE*
@@ -486,7 +535,7 @@ ossl_asn1_get_asn1type(VALUE obj)
     VALUE value, rflag;
     void *ptr;
     void (*free_func)();
-    long tag, flag;
+    int tag, flag;
 
     tag = ossl_asn1_default_tag(obj);
     value = ossl_asn1_get_value(obj);
@@ -501,7 +550,7 @@ ossl_asn1_get_asn1type(VALUE obj)
 	free_func = ASN1_INTEGER_free;
 	break;
     case V_ASN1_BIT_STRING:
-        rflag = rb_attr_get(obj, rb_intern("@unused_bits"));
+        rflag = rb_attr_get(obj, sivUNUSED_BITS);
         flag = NIL_P(rflag) ? -1 : NUM2INT(rflag);
 	ptr = obj_to_asn1bstr(value, flag);
 	free_func = ASN1_BIT_STRING_free;
@@ -521,7 +570,7 @@ ossl_asn1_get_asn1type(VALUE obj)
     case V_ASN1_ISO64STRING:     /* FALLTHROUGH */
     case V_ASN1_GENERALSTRING:   /* FALLTHROUGH */
     case V_ASN1_UNIVERSALSTRING: /* FALLTHROUGH */
-    case V_ASN1_BMPSTRING:   
+    case V_ASN1_BMPSTRING:
 	ptr = obj_to_asn1str(value);
 	free_func = ASN1_STRING_free;
 	break;
@@ -558,13 +607,15 @@ ossl_asn1_get_asn1type(VALUE obj)
 static int
 ossl_asn1_default_tag(VALUE obj)
 {
-    int i;
-
-    for(i = 0; i < ossl_asn1_info_size; i++){
-	if(ossl_asn1_info[i].klass &&
-	   rb_obj_is_kind_of(obj, *ossl_asn1_info[i].klass)){
-	    return i;
-	}
+    VALUE tmp_class, tag;
+
+    tmp_class = CLASS_OF(obj);
+    while (tmp_class) {
+	tag = rb_hash_lookup(class_tag_map, tmp_class);
+	if (tag != Qnil) {
+       	    return NUM2INT(tag);
+      	}
+    	tmp_class = rb_class_superclass(tmp_class);
     }
     ossl_raise(eASN1Error, "universal tag for %s not found",
 	       rb_class2name(CLASS_OF(obj)));
@@ -643,6 +694,22 @@ ossl_asn1_class2sym(int tc)
 	return ID2SYM(sUNIVERSAL);
 }
 
+/*
+ * call-seq:
+ *    OpenSSL::ASN1::ASN1Data.new(value, tag, tag_class) => ASN1Data
+ *
+ * +value+: Please have a look at Constructive and Primitive to see how Ruby
+ * types are mapped to ASN.1 types and vice versa.
+ *
+ * +tag+: A +Number+ indicating the tag number.
+ *
+ * +tag_class+: A +Symbol+ indicating the tag class. Please cf. ASN1 for
+ * possible values.
+ *
+ * == Example
+ *   asn1_int = OpenSSL::ASN1Data.new(42, 2, :UNIVERSAL) # => Same as OpenSSL::ASN1::Integer.new(42)
+ *   tagged_int = OpenSSL::ASN1Data.new(42, 0, :CONTEXT_SPECIFIC) # implicitly 0-tagged INTEGER
+ */
 static VALUE
 ossl_asn1data_initialize(VALUE self, VALUE value, VALUE tag, VALUE tag_class)
 {
@@ -653,12 +720,13 @@ ossl_asn1data_initialize(VALUE self, VALUE value, VALUE tag, VALUE tag_class)
     ossl_asn1_set_tag(self, tag);
     ossl_asn1_set_value(self, value);
     ossl_asn1_set_tag_class(self, tag_class);
+    ossl_asn1_set_infinite_length(self, Qfalse);
 
     return self;
 }
 
-static VALUE 
-join_der_i(VALUE i, VALUE str) 
+static VALUE
+join_der_i(VALUE i, VALUE str)
 {
     i = ossl_to_der_if_possible(i);
     StringValue(i);
@@ -674,10 +742,19 @@ join_der(VALUE enumerable)
     return str;
 }
 
+/*
+ * call-seq:
+ *    asn1.to_der => DER-encoded String
+ *
+ * Encodes this ASN1Data into a DER-encoded String value. The result is
+ * DER-encoded except for the possibility of infinite length encodings.
+ * Infinite length encodings are not allowed in strict DER, so strictly
+ * speaking the result of such an encoding would be a BER-encoding.
+ */
 static VALUE
 ossl_asn1data_to_der(VALUE self)
 {
-    VALUE value, der;
+    VALUE value, der, inf_length;
     int tag, tag_class, is_cons = 0;
     long length;
     unsigned char *p;
@@ -691,11 +768,15 @@ ossl_asn1data_to_der(VALUE self)
 
     tag = ossl_asn1_tag(self);
     tag_class = ossl_asn1_tag_class(self);
-    if((length = ASN1_object_size(1, RSTRING_LEN(value), tag)) <= 0)
+    inf_length = ossl_asn1_get_infinite_length(self);
+    if (inf_length == Qtrue) {
+	is_cons = 2;
+    }
+    if((length = ossl_asn1_object_size(is_cons, RSTRING_LENINT(value), tag)) <= 0)
 	ossl_raise(eASN1Error, NULL);
     der = rb_str_new(0, length);
-    p = RSTRING_PTR(der);
-    ASN1_put_object(&p, is_cons, RSTRING_LEN(value), tag, tag_class);
+    p = (unsigned char *)RSTRING_PTR(der);
+    ossl_asn1_put_object(&p, is_cons, RSTRING_LENINT(value), tag, tag_class);
     memcpy(p, RSTRING_PTR(value), RSTRING_LEN(value));
     p += RSTRING_LEN(value);
     ossl_str_adjust(der, p);
@@ -704,157 +785,345 @@ ossl_asn1data_to_der(VALUE self)
 }
 
 static VALUE
-ossl_asn1_decode0(unsigned char **pp, long length, long *offset, long depth,
-		  int once, int yield)
+int_ossl_asn1_decode0_prim(unsigned char **pp, long length, long hlen, int tag,
+			   VALUE tc, long *num_read)
 {
-    unsigned char *start, *p;
-    long len, off = *offset;
-    int hlen, tag, tc, j;
-    VALUE ary, asn1data, value, tag_class;
+    VALUE value, asn1data;
+    unsigned char *p;
+    long flag = 0;
 
-    ary = rb_ary_new();
     p = *pp;
-    while(length > 0){
-	start = p;
-	j = ASN1_get_object((const unsigned char**)&p, &len, &tag, &tc, length);
-	if(j & 0x80) ossl_raise(eASN1Error, NULL);
-	hlen = p - start;
-	if(yield){
-	    VALUE arg = rb_ary_new();
-	    rb_ary_push(arg, LONG2NUM(depth));
-	    rb_ary_push(arg, LONG2NUM(off));
-	    rb_ary_push(arg, LONG2NUM(hlen));
-	    rb_ary_push(arg, LONG2NUM(len));
-	    rb_ary_push(arg, (j & V_ASN1_CONSTRUCTED) ? Qtrue : Qfalse);
-	    rb_ary_push(arg, ossl_asn1_class2sym(tc));
-	    rb_ary_push(arg, INT2NUM(tag));
-	    rb_yield(arg);
+
+    if(tc == sUNIVERSAL && tag < ossl_asn1_info_size) {
+	switch(tag){
+	case V_ASN1_EOC:
+	    value = decode_eoc(p, hlen+length);
+	    break;
+	case V_ASN1_BOOLEAN:
+	    value = decode_bool(p, hlen+length);
+	    break;
+	case V_ASN1_INTEGER:
+	    value = decode_int(p, hlen+length);
+	    break;
+	case V_ASN1_BIT_STRING:
+	    value = decode_bstr(p, hlen+length, &flag);
+	    break;
+	case V_ASN1_NULL:
+	    value = decode_null(p, hlen+length);
+	    break;
+	case V_ASN1_ENUMERATED:
+	    value = decode_enum(p, hlen+length);
+	    break;
+	case V_ASN1_OBJECT:
+	    value = decode_obj(p, hlen+length);
+	    break;
+	case V_ASN1_UTCTIME:           /* FALLTHROUGH */
+	case V_ASN1_GENERALIZEDTIME:
+	    value = decode_time(p, hlen+length);
+	    break;
+	default:
+	    /* use original value */
+	    p += hlen;
+	    value = rb_str_new((const char *)p, length);
+	    break;
 	}
-	length -= hlen;
-	off += hlen; 
-	if(len > length) ossl_raise(eASN1Error, "value is too short");
-	if((tc & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
-	    tag_class = sPRIVATE;
-	else if((tc & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
-	    tag_class = sCONTEXT_SPECIFIC;
-	else if((tc & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
-	    tag_class = sAPPLICATION;
-	else
-	    tag_class = sUNIVERSAL;
-	if(j & V_ASN1_CONSTRUCTED){
-	    /* TODO: if j == 0x21 it is indefinite length object. */
-	    if((j == 0x21) && (len == 0)){
-		long lastoff = off;
-		value = ossl_asn1_decode0(&p, length, &off, depth+1, 0, yield);
-		len = off - lastoff;
-	    }
-	    else value = ossl_asn1_decode0(&p, len, &off, depth+1, 0, yield);
+    }
+    else {
+	p += hlen;
+	value = rb_str_new((const char *)p, length);
+    }
+
+    *pp += hlen + length;
+    *num_read = hlen + length;
+
+    if (tc == sUNIVERSAL && tag < ossl_asn1_info_size && ossl_asn1_info[tag].klass) {
+	VALUE klass = *ossl_asn1_info[tag].klass;
+	VALUE args[4];
+	args[0] = value;
+	args[1] = INT2NUM(tag);
+	args[2] = Qnil;
+	args[3] = ID2SYM(tc);
+	asn1data = rb_obj_alloc(klass);
+	ossl_asn1_initialize(4, args, asn1data);
+	if(tag == V_ASN1_BIT_STRING){
+	    rb_ivar_set(asn1data, sivUNUSED_BITS, LONG2NUM(flag));
 	}
-	else{
-	    value = rb_str_new(p, len);
-	    p += len;
-	    off += len;
+    }
+    else {
+	asn1data = rb_obj_alloc(cASN1Data);
+	ossl_asn1data_initialize(asn1data, value, INT2NUM(tag), ID2SYM(tc));
+    }
+
+    return asn1data;
+}
+
+static VALUE
+int_ossl_asn1_decode0_cons(unsigned char **pp, long max_len, long length,
+			   long *offset, int depth, int yield, int j,
+			   int tag, VALUE tc, long *num_read)
+{
+    VALUE value, asn1data, ary;
+    int infinite;
+    long off = *offset;
+
+    infinite = (j == 0x21);
+    ary = rb_ary_new();
+
+    while (length > 0 || infinite) {
+	long inner_read = 0;
+	value = ossl_asn1_decode0(pp, max_len, &off, depth + 1, yield, &inner_read);
+	*num_read += inner_read;
+	max_len -= inner_read;
+	rb_ary_push(ary, value);
+	if (length > 0)
+	    length -= inner_read;
+
+	if (infinite &&
+	    NUM2INT(ossl_asn1_get_tag(value)) == V_ASN1_EOC &&
+	    SYM2ID(ossl_asn1_get_tag_class(value)) == sUNIVERSAL) {
+	    break;
 	}
-	if(tag_class == sUNIVERSAL &&
-	   tag < ossl_asn1_info_size && ossl_asn1_info[tag].klass){
-	    VALUE klass = *ossl_asn1_info[tag].klass;
-	    long flag = 0;
-	    if(!rb_obj_is_kind_of(value, rb_cArray)){
-		switch(tag){
-		case V_ASN1_BOOLEAN:
-		    value = decode_bool(start, hlen+len);
-		    break;
-		case V_ASN1_INTEGER:
-		    value = decode_int(start, hlen+len);
-		    break;
-		case V_ASN1_BIT_STRING:
-		    value = decode_bstr(start, hlen+len, &flag);
-		    break;
-		case V_ASN1_NULL:
-		    value = decode_null(start, hlen+len);
-		    break;
-		case V_ASN1_ENUMERATED:
-		    value = decode_enum(start, hlen+len);
-		    break;
-		case V_ASN1_OBJECT:
-		    value = decode_obj(start, hlen+len);
-		    break;
-		case V_ASN1_UTCTIME:           /* FALLTHROUGH */
-		case V_ASN1_GENERALIZEDTIME:
-		    value = decode_time(start, hlen+len);
-		    break;
-		default:
-		    /* use original value */
-		    break;
-		}
+    }
+
+    if (tc == sUNIVERSAL) {
+	VALUE args[4];
+	int not_sequence_or_set;
+
+	not_sequence_or_set = tag != V_ASN1_SEQUENCE && tag != V_ASN1_SET;
+
+	if (not_sequence_or_set) {
+	    if (infinite) {
+		asn1data = rb_obj_alloc(cASN1Constructive);
 	    }
-	    asn1data = rb_funcall(klass, rb_intern("new"), 1, value);
-	    if(tag == V_ASN1_BIT_STRING){
-		rb_iv_set(asn1data, "@unused_bits", LONG2NUM(flag));
+	    else {
+		ossl_raise(eASN1Error, "invalid non-infinite tag");
+		return Qnil;
 	    }
 	}
-	else{
-	    asn1data = rb_funcall(cASN1Data, rb_intern("new"), 3,
-				  value, INT2NUM(tag), ID2SYM(tag_class));
+	else {
+	    VALUE klass = *ossl_asn1_info[tag].klass;
+	    asn1data = rb_obj_alloc(klass);
 	}
-	rb_ary_push(ary, asn1data);
-	length -= len;
-        if(once) break;
+	args[0] = ary;
+	args[1] = INT2NUM(tag);
+	args[2] = Qnil;
+	args[3] = ID2SYM(tc);
+	ossl_asn1_initialize(4, args, asn1data);
+    }
+    else {
+	asn1data = rb_obj_alloc(cASN1Data);
+	ossl_asn1data_initialize(asn1data, ary, INT2NUM(tag), ID2SYM(tc));
+    }
+
+    if (infinite)
+	ossl_asn1_set_infinite_length(asn1data, Qtrue);
+    else
+	ossl_asn1_set_infinite_length(asn1data, Qfalse);
+
+    *offset = off;
+    return asn1data;
+}
+
+static VALUE
+ossl_asn1_decode0(unsigned char **pp, long length, long *offset, int depth,
+		  int yield, long *num_read)
+{
+    unsigned char *start, *p;
+    const unsigned char *p0;
+    long len = 0, inner_read = 0, off = *offset, hlen;
+    int tag, tc, j;
+    VALUE asn1data, tag_class;
+
+    p = *pp;
+    start = p;
+    p0 = p;
+    j = ASN1_get_object(&p0, &len, &tag, &tc, length);
+    p = (unsigned char *)p0;
+    if(j & 0x80) ossl_raise(eASN1Error, NULL);
+    if(len > length) ossl_raise(eASN1Error, "value is too short");
+    if((tc & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
+	tag_class = sPRIVATE;
+    else if((tc & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
+	tag_class = sCONTEXT_SPECIFIC;
+    else if((tc & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
+	tag_class = sAPPLICATION;
+    else
+	tag_class = sUNIVERSAL;
+
+    hlen = p - start;
+
+    if(yield) {
+	VALUE arg = rb_ary_new();
+	rb_ary_push(arg, LONG2NUM(depth));
+	rb_ary_push(arg, LONG2NUM(*offset));
+	rb_ary_push(arg, LONG2NUM(hlen));
+	rb_ary_push(arg, LONG2NUM(len));
+	rb_ary_push(arg, (j & V_ASN1_CONSTRUCTED) ? Qtrue : Qfalse);
+	rb_ary_push(arg, ossl_asn1_class2sym(tc));
+	rb_ary_push(arg, INT2NUM(tag));
+	rb_yield(arg);
+    }
+
+    if(j & V_ASN1_CONSTRUCTED) {
+	*pp += hlen;
+	off += hlen;
+	asn1data = int_ossl_asn1_decode0_cons(pp, length, len, &off, depth, yield, j, tag, tag_class, &inner_read);
+	inner_read += hlen;
+    }
+    else {
+    	if ((j & 0x01) && (len == 0)) ossl_raise(eASN1Error, "Infinite length for primitive value");
+	asn1data = int_ossl_asn1_decode0_prim(pp, len, hlen, tag, tag_class, &inner_read);
+	off += hlen + len;
+    }
+    if (num_read)
+	*num_read = inner_read;
+    if (len != 0 && inner_read != hlen + len) {
+	ossl_raise(eASN1Error,
+		   "Type mismatch. Bytes read: %ld Bytes available: %ld",
+		   inner_read, hlen + len);
     }
-    *pp = p;
+
     *offset = off;
+    return asn1data;
+}
 
-    return ary;
+static void
+int_ossl_decode_sanity_check(long len, long read, long offset)
+{
+    if (len != 0 && (read != len || offset != len)) {
+	ossl_raise(eASN1Error,
+		   "Type mismatch. Total bytes read: %ld Bytes available: %ld Offset: %ld",
+		   read, len, offset);
+    }
 }
 
+/*
+ * call-seq:
+ *    OpenSSL::ASN1.traverse(asn1) -> nil
+ *
+ * If a block is given, it prints out each of the elements encountered.
+ * Block parameters are (in that order):
+ * * depth: The recursion depth, plus one with each constructed value being encountered (Number)
+ * * offset: Current byte offset (Number)
+ * * header length: Combined length in bytes of the Tag and Length headers. (Number)
+ * * length: The overall remaining length of the entire data (Number)
+ * * constructed: Whether this value is constructed or not (Boolean)
+ * * tag_class: Current tag class (Symbol)
+ * * tag: The current tag (Number)
+ *
+ * == Example
+ *   der = File.binread('asn1data.der')
+ *   OpenSSL::ASN1.traverse(der) do | depth, offset, header_len, length, constructed, tag_class, tag|
+ *     puts "Depth: #{depth} Offset: #{offset} Length: #{length}"
+ *     puts "Header length: #{header_len} Tag: #{tag} Tag class: #{tag_class} Constructed: #{constructed}"
+ *   end
+ */
 static VALUE
 ossl_asn1_traverse(VALUE self, VALUE obj)
 {
     unsigned char *p;
-    long offset = 0;
     volatile VALUE tmp;
+    long len, read = 0, offset = 0;
 
     obj = ossl_to_der_if_possible(obj);
     tmp = rb_str_new4(StringValue(obj));
-    p = RSTRING_PTR(tmp);
-    ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 0, 1);
-
+    p = (unsigned char *)RSTRING_PTR(tmp);
+    len = RSTRING_LEN(tmp);
+    ossl_asn1_decode0(&p, len, &offset, 0, 1, &read);
+    int_ossl_decode_sanity_check(len, read, offset);
     return Qnil;
 }
 
+/*
+ * call-seq:
+ *    OpenSSL::ASN1.decode(der) -> ASN1Data
+ *
+ * Decodes a BER- or DER-encoded value and creates an ASN1Data instance. +der+
+ * may be a +String+ or any object that features a +#to_der+ method transforming
+ * it into a BER-/DER-encoded +String+.
+ *
+ * == Example
+ *   der = File.binread('asn1data')
+ *   asn1 = OpenSSL::ASN1.decode(der)
+ */
 static VALUE
 ossl_asn1_decode(VALUE self, VALUE obj)
 {
-    VALUE ret, ary;
+    VALUE ret;
     unsigned char *p;
-    long offset = 0;
     volatile VALUE tmp;
+    long len, read = 0, offset = 0;
 
     obj = ossl_to_der_if_possible(obj);
     tmp = rb_str_new4(StringValue(obj));
-    p = RSTRING_PTR(tmp);
-    ary = ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 1, 0);
-    ret = rb_ary_entry(ary, 0);
-
+    p = (unsigned char *)RSTRING_PTR(tmp);
+    len = RSTRING_LEN(tmp);
+    ret = ossl_asn1_decode0(&p, len, &offset, 0, 0, &read);
+    int_ossl_decode_sanity_check(len, read, offset);
     return ret;
 }
 
+/*
+ * call-seq:
+ *    OpenSSL::ASN1.decode_all(der) -> Array of ASN1Data
+ *
+ * Similar to +decode+ with the difference that +decode+ expects one
+ * distinct value represented in +der+. +decode_all+ on the contrary
+ * decodes a sequence of sequential BER/DER values lined up in +der+
+ * and returns them as an array.
+ *
+ * == Example
+ *   ders = File.binread('asn1data_seq')
+ *   asn1_ary = OpenSSL::ASN1.decode_all(ders)
+ */
 static VALUE
 ossl_asn1_decode_all(VALUE self, VALUE obj)
 {
-    VALUE ret;
+    VALUE ary, val;
     unsigned char *p;
-    long offset = 0;
+    long len, tmp_len = 0, read = 0, offset = 0;
     volatile VALUE tmp;
 
     obj = ossl_to_der_if_possible(obj);
     tmp = rb_str_new4(StringValue(obj));
-    p = RSTRING_PTR(tmp);
-    ret = ossl_asn1_decode0(&p, RSTRING_LEN(tmp), &offset, 0, 0, 0);
-
-    return ret;
+    p = (unsigned char *)RSTRING_PTR(tmp);
+    len = RSTRING_LEN(tmp);
+    tmp_len = len;
+    ary = rb_ary_new();
+    while (tmp_len > 0) {
+	long tmp_read = 0;
+	val = ossl_asn1_decode0(&p, tmp_len, &offset, 0, 0, &tmp_read);
+	rb_ary_push(ary, val);
+	read += tmp_read;
+	tmp_len -= tmp_read;
+    }
+    int_ossl_decode_sanity_check(len, read, offset);
+    return ary;
 }
 
+/*
+ * call-seq:
+ *    OpenSSL::ASN1::Primitive.new( value [, tag, tagging, tag_class ]) => Primitive
+ *
+ * +value+: is mandatory.
+ *
+ * +tag+: optional, may be specified for tagged values. If no +tag+ is
+ * specified, the UNIVERSAL tag corresponding to the Primitive sub-class
+ * is used by default.
+ *
+ * +tagging+: may be used as an encoding hint to encode a value either
+ * explicitly or implicitly, see ASN1 for possible values.
+ *
+ * +tag_class+: if +tag+ and +tagging+ are +nil+ then this is set to
+ * +:UNIVERSAL+ by default. If either +tag+ or +tagging+ are set then
+ * +:CONTEXT_SPECIFIC+ is used as the default. For possible values please
+ * cf. ASN1.
+ *
+ * == Example
+ *   int = OpenSSL::ASN1::Integer.new(42)
+ *   zero_tagged_int = OpenSSL::ASN1::Integer.new(42, 0, :IMPLICIT)
+ *   private_explicit_zero_tagged_int = OpenSSL::ASN1::Integer.new(42, 0, :EXPLICIT, :PRIVATE)
+ */
 static VALUE
 ossl_asn1_initialize(int argc, VALUE *argv, VALUE self)
 {
@@ -864,12 +1133,14 @@ ossl_asn1_initialize(int argc, VALUE *argv, VALUE self)
     if(argc > 1){
 	if(NIL_P(tag))
 	    ossl_raise(eASN1Error, "must specify tag number");
-        if(NIL_P(tagging))
-	    tagging = ID2SYM(sEXPLICIT);
-	if(!SYMBOL_P(tagging))
-	    ossl_raise(eASN1Error, "invalid tag default");
-	if(NIL_P(tag_class))
-	    tag_class = ID2SYM(sCONTEXT_SPECIFIC);
+	if(!NIL_P(tagging) && !SYMBOL_P(tagging))
+	    ossl_raise(eASN1Error, "invalid tagging method");
+	if(NIL_P(tag_class)) {
+	    if (NIL_P(tagging))
+		tag_class = ID2SYM(sUNIVERSAL);
+	    else
+		tag_class = ID2SYM(sCONTEXT_SPECIFIC);
+	}
 	if(!SYMBOL_P(tag_class))
 	    ossl_raise(eASN1Error, "invalid tag class");
 	if(SYM2ID(tagging) == sIMPLICIT && NUM2INT(tag) > 31)
@@ -877,17 +1148,33 @@ ossl_asn1_initialize(int argc, VALUE *argv, VALUE self)
     }
     else{
 	tag = INT2NUM(ossl_asn1_default_tag(self));
-        tagging = Qnil;
+	tagging = Qnil;
 	tag_class = ID2SYM(sUNIVERSAL);
     }
     ossl_asn1_set_tag(self, tag);
     ossl_asn1_set_value(self, value);
     ossl_asn1_set_tagging(self, tagging);
     ossl_asn1_set_tag_class(self, tag_class);
+    ossl_asn1_set_infinite_length(self, Qfalse);
 
     return self;
 }
 
+static VALUE
+ossl_asn1eoc_initialize(VALUE self) {
+    VALUE tag, tagging, tag_class, value;
+    tag = INT2NUM(ossl_asn1_default_tag(self));
+    tagging = Qnil;
+    tag_class = ID2SYM(sUNIVERSAL);
+    value = rb_str_new("", 0);
+    ossl_asn1_set_tag(self, tag);
+    ossl_asn1_set_value(self, value);
+    ossl_asn1_set_tagging(self, tagging);
+    ossl_asn1_set_tag_class(self, tag_class);
+    ossl_asn1_set_infinite_length(self, Qfalse);
+    return self;
+}
+
 static int
 ossl_i2d_ASN1_TYPE(ASN1_TYPE *a, unsigned char **pp)
 {
@@ -912,6 +1199,12 @@ ossl_ASN1_TYPE_free(ASN1_TYPE *a)
     ASN1_TYPE_free(a);
 }
 
+/*
+ * call-seq:
+ *    asn1.to_der => DER-encoded String
+ *
+ * See ASN1Data#to_der for details. *
+ */
 static VALUE
 ossl_asn1prim_to_der(VALUE self)
 {
@@ -926,7 +1219,7 @@ ossl_asn1prim_to_der(VALUE self)
     explicit = ossl_asn1_is_explicit(self);
     asn1 = ossl_asn1_get_asn1type(self);
 
-    len = ASN1_object_size(1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn);
+    len = ossl_asn1_object_size(1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn);
     if(!(buf = OPENSSL_malloc(len))){
 	ossl_ASN1_TYPE_free(asn1);
 	ossl_raise(eASN1Error, "cannot alloc buffer");
@@ -935,7 +1228,7 @@ ossl_asn1prim_to_der(VALUE self)
     if (tc == V_ASN1_UNIVERSAL) {
         ossl_i2d_ASN1_TYPE(asn1, &p);
     } else if (explicit) {
-        ASN1_put_object(&p, 1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn, tc);
+        ossl_asn1_put_object(&p, 1, ossl_i2d_ASN1_TYPE(asn1, NULL), tn, tc);
         ossl_i2d_ASN1_TYPE(asn1, &p);
     } else {
         ossl_i2d_ASN1_TYPE(asn1, &p);
@@ -944,45 +1237,113 @@ ossl_asn1prim_to_der(VALUE self)
     ossl_ASN1_TYPE_free(asn1);
     reallen = p - buf;
     assert(reallen <= len);
-    str = ossl_buf2str(buf, reallen); /* buf will be free in ossl_buf2str */
+    str = ossl_buf2str((char *)buf, rb_long2int(reallen)); /* buf will be free in ossl_buf2str */
 
     return str;
 }
 
+/*
+ * call-seq:
+ *    asn1.to_der => DER-encoded String
+ *
+ * See ASN1Data#to_der for details.
+ */
 static VALUE
 ossl_asn1cons_to_der(VALUE self)
 {
-    int tag, tn, tc, explicit;
-    long seq_len, length;
+    int tag, tn, tc, explicit, constructed = 1;
+    int found_prim = 0, seq_len;
+    long length;
     unsigned char *p;
-    VALUE value, str;
+    VALUE value, str, inf_length;
 
-    tag = ossl_asn1_default_tag(self);
     tn = NUM2INT(ossl_asn1_get_tag(self));
     tc = ossl_asn1_tag_class(self);
+    inf_length = ossl_asn1_get_infinite_length(self);
+    if (inf_length == Qtrue) {
+	VALUE ary, example;
+	constructed = 2;
+	if (CLASS_OF(self) == cASN1Sequence ||
+	    CLASS_OF(self) == cASN1Set) {
+	    tag = ossl_asn1_default_tag(self);
+	}
+	else { /* must be a constructive encoding of a primitive value */
+	    ary = ossl_asn1_get_value(self);
+	    if (!rb_obj_is_kind_of(ary, rb_cArray))
+		ossl_raise(eASN1Error, "Constructive value must be an Array");
+	    /* Recursively descend until a primitive value is found.
+	    The overall value of the entire constructed encoding
+	    is of the type of the first primitive encoding to be
+	    found. */
+	    while (!found_prim){
+		example = rb_ary_entry(ary, 0);
+		if (rb_obj_is_kind_of(example, cASN1Primitive)){
+		    found_prim = 1;
+		}
+		else {
+		    /* example is another ASN1Constructive */
+		    if (!rb_obj_is_kind_of(example, cASN1Constructive)){
+			ossl_raise(eASN1Error, "invalid constructed encoding");
+			return Qnil; /* dummy */
+		    }
+		    ary = ossl_asn1_get_value(example);
+		}
+	    }
+	    tag = ossl_asn1_default_tag(example);
+	}
+    }
+    else {
+	if (CLASS_OF(self) == cASN1Constructive)
+	    ossl_raise(eASN1Error, "Constructive shall only be used with infinite length");
+	tag = ossl_asn1_default_tag(self);
+    }
     explicit = ossl_asn1_is_explicit(self);
     value = join_der(ossl_asn1_get_value(self));
 
-    seq_len = ASN1_object_size(1, RSTRING_LEN(value), tag);
-    length = ASN1_object_size(1, seq_len, tn);
+    seq_len = ossl_asn1_object_size(constructed, RSTRING_LENINT(value), tag);
+    length = ossl_asn1_object_size(constructed, seq_len, tn);
     str = rb_str_new(0, length);
-    p = RSTRING_PTR(str);
+    p = (unsigned char *)RSTRING_PTR(str);
     if(tc == V_ASN1_UNIVERSAL)
-	ASN1_put_object(&p, 1, RSTRING_LEN(value), tn, tc);
+	ossl_asn1_put_object(&p, constructed, RSTRING_LENINT(value), tn, tc);
     else{
 	if(explicit){
-	    ASN1_put_object(&p, 1, seq_len, tn, tc);
-	    ASN1_put_object(&p, 1, RSTRING_LEN(value), tag, V_ASN1_UNIVERSAL);
+	    ossl_asn1_put_object(&p, constructed, seq_len, tn, tc);
+	    ossl_asn1_put_object(&p, constructed, RSTRING_LENINT(value), tag, V_ASN1_UNIVERSAL);
+	}
+	else{
+	    ossl_asn1_put_object(&p, constructed, RSTRING_LENINT(value), tn, tc);
 	}
-	else ASN1_put_object(&p, 1, RSTRING_LEN(value), tn, tc);
     }
     memcpy(p, RSTRING_PTR(value), RSTRING_LEN(value));
     p += RSTRING_LEN(value);
+
+    /* In this case we need an additional EOC (one for the explicit part and
+     * one for the Constructive itself. The EOC for the Constructive is
+     * supplied by the user, but that for the "explicit wrapper" must be
+     * added here.
+     */
+    if (explicit && inf_length == Qtrue) {
+	ASN1_put_eoc(&p);
+    }
     ossl_str_adjust(str, p);
 
     return str;
 }
 
+/*
+ * call-seq:
+ *    asn1_ary.each { |asn1| block } => asn1_ary
+ *
+ * Calls <i>block</i> once for each element in +self+, passing that element
+ * as parameter +asn1+. If no block is given, an enumerator is returned
+ * instead.
+ *
+ * == Example
+ *   asn1_ary.each do |asn1|
+ *     puts asn1
+ *   end
+ */
 static VALUE
 ossl_asn1cons_each(VALUE self)
 {
@@ -1070,6 +1431,7 @@ OSSL_ASN1_IMPL_FACTORY_METHOD(UTCTime)
 OSSL_ASN1_IMPL_FACTORY_METHOD(GeneralizedTime)
 OSSL_ASN1_IMPL_FACTORY_METHOD(Sequence)
 OSSL_ASN1_IMPL_FACTORY_METHOD(Set)
+OSSL_ASN1_IMPL_FACTORY_METHOD(EndOfContent)
 
 void
 Init_ossl_asn1()
@@ -1077,8 +1439,8 @@ Init_ossl_asn1()
     VALUE ary;
     int i;
 
-#if 0 /* let rdoc know about mOSSL */
-    mOSSL = rb_define_module("OpenSSL");
+#if 0
+    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
 #endif
 
     sUNIVERSAL = rb_intern("UNIVERSAL");
@@ -1088,12 +1450,155 @@ Init_ossl_asn1()
     sEXPLICIT = rb_intern("EXPLICIT");
     sIMPLICIT = rb_intern("IMPLICIT");
 
+    sivVALUE = rb_intern("@value");
+    sivTAG = rb_intern("@tag");
+    sivTAGGING = rb_intern("@tagging");
+    sivTAG_CLASS = rb_intern("@tag_class");
+    sivINFINITE_LENGTH = rb_intern("@infinite_length");
+    sivUNUSED_BITS = rb_intern("@unused_bits");
+
+    /*
+     * Document-module: OpenSSL::ASN1
+     *
+     * Abstract Syntax Notation One (or ASN.1) is a notation syntax to
+     * describe data structures and is defined in ITU-T X.680. ASN.1 itself
+     * does not mandate any encoding or parsing rules, but usually ASN.1 data
+     * structures are encoded using the Distinguished Encoding Rules (DER) or
+     * less often the Basic Encoding Rules (BER) described in ITU-T X.690. DER
+     * and BER encodings are binary Tag-Length-Value (TLV) encodings that are
+     * quite concise compared to other popular data description formats such
+     * as XML, JSON etc.
+     * ASN.1 data structures are very common in cryptographic applications,
+     * e.g. X.509 public key certificates or certificate revocation lists
+     * (CRLs) are all defined in ASN.1 and DER-encoded. ASN.1, DER and BER are
+     * the building blocks of applied cryptography.
+     * The ASN1 module provides the necessary classes that allow generation
+     * of ASN.1 data structures and the methods to encode them using a DER
+     * encoding. The decode method allows parsing arbitrary BER-/DER-encoded
+     * data to a Ruby object that can then be modified and re-encoded at will.
+     *
+     * == ASN.1 class hierarchy
+     *
+     * The base class representing ASN.1 structures is ASN1Data. ASN1Data offers
+     * attributes to read and set the +tag+, the +tag_class+ and finally the
+     * +value+ of a particular ASN.1 item. Upon parsing, any tagged values
+     * (implicit or explicit) will be represented by ASN1Data instances because
+     * their "real type" can only be determined using out-of-band information
+     * from the ASN.1 type declaration. Since this information is normally
+     * known when encoding a type, all sub-classes of ASN1Data offer an
+     * additional attribute +tagging+ that allows to encode a value implicitly
+     * (+:IMPLICIT+) or explicitly (+:EXPLICIT+).
+     *
+     * === Constructive
+     *
+     * Constructive is, as its name implies, the base class for all
+     * constructed encodings, i.e. those that consist of several values,
+     * opposed to "primitive" encodings with just one single value.
+     * Primitive values that are encoded with "infinite length" are typically
+     * constructed (their values come in multiple chunks) and are therefore
+     * represented by instances of Constructive. The value of an Constructive
+     * is always an Array.
+     *
+     * ==== ASN1::Set and ASN1::Sequence
+     *
+     * The most common constructive encodings are SETs and SEQUENCEs, which is
+     * why there are two sub-classes of Constructive representing each of
+     * them.
+     *
+     * === Primitive
+     *
+     * This is the super class of all primitive values. Primitive
+     * itself is not used when parsing ASN.1 data, all values are either
+     * instances of a corresponding sub-class of Primitive or they are
+     * instances of ASN1Data if the value was tagged implicitly or explicitly.
+     * Please cf. Primitive documentation for details on sub-classes and
+     * their respective mappings of ASN.1 data types to Ruby objects.
+     *
+     * == Possible values for +tagging+
+     *
+     * When constructing an ASN1Data object the ASN.1 type definition may
+     * require certain elements to be either implicitly or explicitly tagged.
+     * This can be achieved by setting the +tagging+ attribute manually for
+     * sub-classes of ASN1Data. Use the symbol +:IMPLICIT+ for implicit
+     * tagging and +:EXPLICIT+ if the element requires explicit tagging.
+     *
+     * == Possible values for +tag_class+
+     *
+     * It is possible to create arbitrary ASN1Data objects that also support
+     * a PRIVATE or APPLICATION tag class. Possible values for the +tag_class+
+     * attribute are:
+     * * +:UNIVERSAL+ (the default for untagged values)
+     * * +:CONTEXT_SPECIFIC+ (the default for tagged values)
+     * * +:APPLICATION+
+     * * +:PRIVATE+
+     *
+     * == Tag constants
+     *
+     * There is a constant defined for each universal tag:
+     * * OpenSSL::ASN1::EOC (0)
+     * * OpenSSL::ASN1::BOOLEAN (1)
+     * * OpenSSL::ASN1::INTEGER (2)
+     * * OpenSSL::ASN1::BIT_STRING (3)
+     * * OpenSSL::ASN1::OCTET_STRING (4)
+     * * OpenSSL::ASN1::NULL (5)
+     * * OpenSSL::ASN1::OBJECT (6)
+     * * OpenSSL::ASN1::ENUMERATED (10)
+     * * OpenSSL::ASN1::UTF8STRING (12)
+     * * OpenSSL::ASN1::SEQUENCE (16)
+     * * OpenSSL::ASN1::SET (17)
+     * * OpenSSL::ASN1::NUMERICSTRING (18)
+     * * OpenSSL::ASN1::PRINTABLESTRING (19)
+     * * OpenSSL::ASN1::T61STRING (20)
+     * * OpenSSL::ASN1::VIDEOTEXSTRING (21)
+     * * OpenSSL::ASN1::IA5STRING (22)
+     * * OpenSSL::ASN1::UTCTIME (23)
+     * * OpenSSL::ASN1::GENERALIZEDTIME (24)
+     * * OpenSSL::ASN1::GRAPHICSTRING (25)
+     * * OpenSSL::ASN1::ISO64STRING (26)
+     * * OpenSSL::ASN1::GENERALSTRING (27)
+     * * OpenSSL::ASN1::UNIVERSALSTRING (28)
+     * * OpenSSL::ASN1::BMPSTRING (30)
+     *
+     * == UNIVERSAL_TAG_NAME constant
+     *
+     * An Array that stores the name of a given tag number. These names are
+     * the same as the name of the tag constant that is additionally defined,
+     * e.g. UNIVERSAL_TAG_NAME[2] = "INTEGER" and OpenSSL::ASN1::INTEGER = 2.
+     *
+     * == Example usage
+     *
+     * === Decoding and viewing a DER-encoded file
+     *   require 'openssl'
+     *   require 'pp'
+     *   der = File.binread('data.der')
+     *   asn1 = OpenSSL::ASN1.decode(der)
+     *   pp der
+     *
+     * === Creating an ASN.1 structure and DER-encoding it
+     *   require 'openssl'
+     *   version = OpenSSL::ASN1::Integer.new(1)
+     *   # Explicitly 0-tagged implies context-specific tag class
+     *   serial = OpenSSL::ASN1::Integer.new(12345, 0, :EXPLICIT, :CONTEXT_SPECIFIC)
+     *   name = OpenSSL::ASN1::PrintableString.new('Data 1')
+     *   sequence = OpenSSL::ASN1::Sequence.new( [ version, serial, name ] )
+     *   der = sequence.to_der
+     */
     mASN1 = rb_define_module_under(mOSSL, "ASN1");
+
+    /* Document-class: OpenSSL::ASN1::ASN1Error
+     *
+     * Generic error class for all errors raised in ASN1 and any of the
+     * classes defined in it.
+     */
     eASN1Error = rb_define_class_under(mASN1, "ASN1Error", eOSSLError);
     rb_define_module_function(mASN1, "traverse", ossl_asn1_traverse, 1);
     rb_define_module_function(mASN1, "decode", ossl_asn1_decode, 1);
     rb_define_module_function(mASN1, "decode_all", ossl_asn1_decode_all, 1);
     ary = rb_ary_new();
+
+    /*
+     * Array storing tag names at the tag's index.
+     */
     rb_define_const(mASN1, "UNIVERSAL_TAG_NAME", ary);
     for(i = 0; i < ossl_asn1_info_size; i++){
 	if(ossl_asn1_info[i].name[0] == '[') continue;
@@ -1101,20 +1606,272 @@ Init_ossl_asn1()
 	rb_ary_store(ary, i, rb_str_new2(ossl_asn1_info[i].name));
     }
 
+    /* Document-class: OpenSSL::ASN1::ASN1Data
+     *
+     * The top-level class representing any ASN.1 object. When parsed by
+     * ASN1.decode, tagged values are always represented by an instance
+     * of ASN1Data.
+     *
+     * == The role of ASN1Data for parsing tagged values
+     *
+     * When encoding an ASN.1 type it is inherently clear what original
+     * type (e.g. INTEGER, OCTET STRING etc.) this value has, regardless
+     * of its tagging.
+     * But opposed to the time an ASN.1 type is to be encoded, when parsing
+     * them it is not possible to deduce the "real type" of tagged
+     * values. This is why tagged values are generally parsed into ASN1Data
+     * instances, but with a different outcome for implicit and explicit
+     * tagging.
+     *
+     * === Example of a parsed implicitly tagged value
+     *
+     * An implicitly 1-tagged INTEGER value will be parsed as an
+     * ASN1Data with
+     * * +tag+ equal to 1
+     * * +tag_class+ equal to +:CONTEXT_SPECIFIC+
+     * * +value+ equal to a +String+ that carries the raw encoding
+     *   of the INTEGER.
+     * This implies that a subsequent decoding step is required to
+     * completely decode implicitly tagged values.
+     *
+     * === Example of a parsed explicitly tagged value
+     *
+     * An explicitly 1-tagged INTEGER value will be parsed as an
+     * ASN1Data with
+     * * +tag+ equal to 1
+     * * +tag_class+ equal to +:CONTEXT_SPECIFIC+
+     * * +value+ equal to an +Array+ with one single element, an
+     *   instance of OpenSSL::ASN1::Integer, i.e. the inner element
+     *   is the non-tagged primitive value, and the tagging is represented
+     *   in the outer ASN1Data
+     *
+     * == Example - Decoding an implicitly tagged INTEGER
+     *   int = OpenSSL::ASN1::Integer.new(1, 0, :IMPLICIT) # implicit 0-tagged
+     *   seq = OpenSSL::ASN1::Sequence.new( [int] )
+     *   der = seq.to_der
+     *   asn1 = OpenSSL::ASN1.decode(der)
+     *   # pp asn1 => #<OpenSSL::ASN1::Sequence:0x87326e0
+     *   #              @infinite_length=false,
+     *   #              @tag=16,
+     *   #              @tag_class=:UNIVERSAL,
+     *   #              @tagging=nil,
+     *   #              @value=
+     *   #                [#<OpenSSL::ASN1::ASN1Data:0x87326f4
+     *   #                   @infinite_length=false,
+     *   #                   @tag=0,
+     *   #                   @tag_class=:CONTEXT_SPECIFIC,
+     *   #                   @value="\x01">]>
+     *   raw_int = asn1.value[0]
+     *   # manually rewrite tag and tag class to make it an UNIVERSAL value
+     *   raw_int.tag = OpenSSL::ASN1::INTEGER
+     *   raw_int.tag_class = :UNIVERSAL
+     *   int2 = OpenSSL::ASN1.decode(raw_int)
+     *   puts int2.value # => 1
+     *
+     * == Example - Decoding an explicitly tagged INTEGER
+     *   int = OpenSSL::ASN1::Integer.new(1, 0, :EXPLICIT) # explicit 0-tagged
+     *   seq = OpenSSL::ASN1::Sequence.new( [int] )
+     *   der = seq.to_der
+     *   asn1 = OpenSSL::ASN1.decode(der)
+     *   # pp asn1 => #<OpenSSL::ASN1::Sequence:0x87326e0
+     *   #              @infinite_length=false,
+     *   #              @tag=16,
+     *   #              @tag_class=:UNIVERSAL,
+     *   #              @tagging=nil,
+     *   #              @value=
+     *   #                [#<OpenSSL::ASN1::ASN1Data:0x87326f4
+     *   #                   @infinite_length=false,
+     *   #                   @tag=0,
+     *   #                   @tag_class=:CONTEXT_SPECIFIC,
+     *   #                   @value=
+     *   #                     [#<OpenSSL::ASN1::Integer:0x85bf308
+     *   #                        @infinite_length=false,
+     *   #                        @tag=2,
+     *   #                        @tag_class=:UNIVERSAL
+     *   #                        @tagging=nil,
+     *   #                        @value=1>]>]>
+     *   int2 = asn1.value[0].value[0]
+     *   puts int2.value # => 1
+     */
     cASN1Data = rb_define_class_under(mASN1, "ASN1Data", rb_cObject);
+    /*
+     * Carries the value of a ASN.1 type.
+     * Please confer Constructive and Primitive for the mappings between
+     * ASN.1 data types and Ruby classes.
+     */
     rb_attr(cASN1Data, rb_intern("value"), 1, 1, 0);
+    /*
+     * A +Number+ representing the tag number of this ASN1Data. Never +nil+.
+     */
     rb_attr(cASN1Data, rb_intern("tag"), 1, 1, 0);
+    /*
+     * A +Symbol+ representing the tag class of this ASN1Data. Never +nil+.
+     * See ASN1Data for possible values.
+     */
     rb_attr(cASN1Data, rb_intern("tag_class"), 1, 1, 0);
+    /*
+     * Never +nil+. A +Boolean+ indicating whether the encoding was infinite
+     * length (in the case of parsing) or whether an infinite length encoding
+     * shall be used (in the encoding case).
+     * In DER, every value has a finite length associated with it. But in
+     * scenarios where large amounts of data need to be transferred it
+     * might be desirable to have some kind of streaming support available.
+     * For example, huge OCTET STRINGs are preferably sent in smaller-sized
+     * chunks, each at a time.
+     * This is possible in BER by setting the length bytes of an encoding
+     * to zero and by this indicating that the following value will be
+     * sent in chunks. Infinite length encodings are always constructed.
+     * The end of such a stream of chunks is indicated by sending a EOC
+     * (End of Content) tag. SETs and SEQUENCEs may use an infinite length
+     * encoding, but also primitive types such as e.g. OCTET STRINGS or
+     * BIT STRINGS may leverage this functionality (cf. ITU-T X.690).
+     */
+    rb_attr(cASN1Data, rb_intern("infinite_length"), 1, 1, 0);
     rb_define_method(cASN1Data, "initialize", ossl_asn1data_initialize, 3);
     rb_define_method(cASN1Data, "to_der", ossl_asn1data_to_der, 0);
 
+    /* Document-class: OpenSSL::ASN1::Primitive
+     *
+     * The parent class for all primitive encodings. Attributes are the same as
+     * for ASN1Data, with the addition of +tagging+.
+     * Primitive values can never be infinite length encodings, thus it is not
+     * possible to set the +infinite_length+ attribute for Primitive and its
+     * sub-classes.
+     *
+     * == Primitive sub-classes and their mapping to Ruby classes
+     * * OpenSSL::ASN1::EndOfContent    <=> +value+ is always +nil+
+     * * OpenSSL::ASN1::Boolean         <=> +value+ is a +Boolean+
+     * * OpenSSL::ASN1::Integer         <=> +value+ is a +Number+
+     * * OpenSSL::ASN1::BitString       <=> +value+ is a +String+
+     * * OpenSSL::ASN1::OctetString     <=> +value+ is a +String+
+     * * OpenSSL::ASN1::Null            <=> +value+ is always +nil+
+     * * OpenSSL::ASN1::Object          <=> +value+ is a +String+
+     * * OpenSSL::ASN1::Enumerated      <=> +value+ is a +Number+
+     * * OpenSSL::ASN1::UTF8String      <=> +value+ is a +String+
+     * * OpenSSL::ASN1::NumericString   <=> +value+ is a +String+
+     * * OpenSSL::ASN1::PrintableString <=> +value+ is a +String+
+     * * OpenSSL::ASN1::T61String       <=> +value+ is a +String+
+     * * OpenSSL::ASN1::VideotexString  <=> +value+ is a +String+
+     * * OpenSSL::ASN1::IA5String       <=> +value+ is a +String+
+     * * OpenSSL::ASN1::UTCTime         <=> +value+ is a +Time+
+     * * OpenSSL::ASN1::GeneralizedTime <=> +value+ is a +Time+
+     * * OpenSSL::ASN1::GraphicString   <=> +value+ is a +String+
+     * * OpenSSL::ASN1::ISO64String     <=> +value+ is a +String+
+     * * OpenSSL::ASN1::GeneralString   <=> +value+ is a +String+
+     * * OpenSSL::ASN1::UniversalString <=> +value+ is a +String+
+     * * OpenSSL::ASN1::BMPString       <=> +value+ is a +String+
+     *
+     * == OpenSSL::ASN1::BitString
+     *
+     * === Additional attributes
+     * +unused_bits+: if the underlying BIT STRING's
+     * length is a multiple of 8 then +unused_bits+ is 0. Otherwise
+     * +unused_bits+ indicates the number of bits that are to be ignored in
+     * the final octet of the +BitString+'s +value+.
+     *
+     * == OpenSSL::ASN1::ObjectId
+     *
+     * === Additional attributes
+     * * +sn+: the short name as defined in <openssl/objects.h>.
+     * * +ln+: the long name as defined in <openssl/objects.h>.
+     * * +oid+: the object identifier as a +String+, e.g. "1.2.3.4.5"
+     * * +short_name+: alias for +sn+.
+     * * +long_name+: alias for +ln+.
+     *
+     * == Examples
+     * With the Exception of OpenSSL::ASN1::EndOfContent, each Primitive class
+     * constructor takes at least one parameter, the +value+.
+     *
+     * === Creating EndOfContent
+     *   eoc = OpenSSL::ASN1::EndOfContent.new
+     *
+     * === Creating any other Primitive
+     *   prim = <class>.new(value) # <class> being one of the sub-classes except EndOfContent
+     *   prim_zero_tagged_implicit = <class>.new(value, 0, :IMPLICIT)
+     *   prim_zero_tagged_explicit = <class>.new(value, 0, :EXPLICIT)
+     */
     cASN1Primitive = rb_define_class_under(mASN1, "Primitive", cASN1Data);
+    /*
+     * May be used as a hint for encoding a value either implicitly or
+     * explicitly by setting it either to +:IMPLICIT+ or to +:EXPLICIT+.
+     * +tagging+ is not set when a ASN.1 structure is parsed using
+     * OpenSSL::ASN1.decode.
+     */
     rb_attr(cASN1Primitive, rb_intern("tagging"), 1, 1, Qtrue);
+    rb_undef_method(cASN1Primitive, "infinite_length=");
     rb_define_method(cASN1Primitive, "initialize", ossl_asn1_initialize, -1);
     rb_define_method(cASN1Primitive, "to_der", ossl_asn1prim_to_der, 0);
 
+    /* Document-class: OpenSSL::ASN1::Constructive
+     *
+     * The parent class for all constructed encodings. The +value+ attribute
+     * of a Constructive is always an +Array+. Attributes are the same as
+     * for ASN1Data, with the addition of +tagging+.
+     *
+     * == SET and SEQUENCE
+     *
+     * Most constructed encodings come in the form of a SET or a SEQUENCE.
+     * These encodings are represented by one of the two sub-classes of
+     * Constructive:
+     * * OpenSSL::ASN1::Set
+     * * OpenSSL::ASN1::Sequence
+     * Please note that tagged sequences and sets are still parsed as
+     * instances of ASN1Data. Find further details on tagged values
+     * there.
+     *
+     * === Example - constructing a SEQUENCE
+     *   int = OpenSSL::ASN1::Integer.new(1)
+     *   str = OpenSSL::ASN1::PrintableString.new('abc')
+     *   sequence = OpenSSL::ASN1::Sequence.new( [ int, str ] )
+     *
+     * === Example - constructing a SET
+     *   int = OpenSSL::ASN1::Integer.new(1)
+     *   str = OpenSSL::ASN1::PrintableString.new('abc')
+     *   set = OpenSSL::ASN1::Set.new( [ int, str ] )
+     *
+     * == Infinite length primitive values
+     *
+     * The only case where Constructive is used directly is for infinite
+     * length encodings of primitive values. These encodings are always
+     * constructed, with the contents of the +value+ +Array+ being either
+     * UNIVERSAL non-infinite length partial encodings of the actual value
+     * or again constructive encodings with infinite length (i.e. infinite
+     * length primitive encodings may be constructed recursively with another
+     * infinite length value within an already infinite length value). Each
+     * partial encoding must be of the same UNIVERSAL type as the overall
+     * encoding. The value of the overall encoding consists of the
+     * concatenation of each partial encoding taken in sequence. The +value+
+     * array of the outer infinite length value must end with a
+     * OpenSSL::ASN1::EndOfContent instance.
+     *
+     * Please note that it is not possible to encode Constructive without
+     * the +infinite_length+ attribute being set to +true+, use
+     * OpenSSL::ASN1::Sequence or OpenSSL::ASN1::Set in these cases instead.
+     *
+     * === Example - Infinite length OCTET STRING
+     *   partial1 = OpenSSL::ASN1::OctetString.new("\x01")
+     *   partial2 = OpenSSL::ASN1::OctetString.new("\x02")
+     *   inf_octets = OpenSSL::ASN1::Constructive.new( [ partial1,
+     *                                                   partial2,
+     *                                                   OpenSSL::ASN1::EndOfContent.new ],
+     *                                                 OpenSSL::ASN1::OCTET_STRING,
+     *                                                 nil,
+     *                                                 :UNIVERSAL )
+     *   # The real value of inf_octets is "\x01\x02", i.e. the concatenation
+     *   # of partial1 and partial2
+     *   inf_octets.infinite_length = true
+     *   der = inf_octets.to_der
+     *   asn1 = OpenSSL::ASN1.decode(der)
+     *   puts asn1.infinite_length # => true
+     */
     cASN1Constructive = rb_define_class_under(mASN1,"Constructive", cASN1Data);
     rb_include_module(cASN1Constructive, rb_mEnumerable);
+    /*
+     * May be used as a hint for encoding a value either implicitly or
+     * explicitly by setting it either to +:IMPLICIT+ or to +:EXPLICIT+.
+     * +tagging+ is not set when a ASN.1 structure is parsed using
+     * OpenSSL::ASN1.decode.
+     */
     rb_attr(cASN1Constructive, rb_intern("tagging"), 1, 1, Qtrue);
     rb_define_method(cASN1Constructive, "initialize", ossl_asn1_initialize, -1);
     rb_define_method(cASN1Constructive, "to_der", ossl_asn1cons_to_der, 0);
@@ -1150,6 +1907,12 @@ do{\
     OSSL_ASN1_DEFINE_CLASS(Sequence, Constructive);
     OSSL_ASN1_DEFINE_CLASS(Set, Constructive);
 
+    OSSL_ASN1_DEFINE_CLASS(EndOfContent, Data);
+
+
+#if 0
+    cASN1ObjectId = rb_define_class_under(mASN1, "ObjectId", cASN1Primitive);  /* let rdoc know */
+#endif
     rb_define_singleton_method(cASN1ObjectId, "register", ossl_asn1obj_s_register, 3);
     rb_define_method(cASN1ObjectId, "sn", ossl_asn1obj_get_sn, 0);
     rb_define_method(cASN1ObjectId, "ln", ossl_asn1obj_get_ln, 0);
@@ -1157,4 +1920,32 @@ do{\
     rb_define_alias(cASN1ObjectId, "short_name", "sn");
     rb_define_alias(cASN1ObjectId, "long_name", "ln");
     rb_attr(cASN1BitString, rb_intern("unused_bits"), 1, 1, 0);
+
+    rb_define_method(cASN1EndOfContent, "initialize", ossl_asn1eoc_initialize, 0);
+
+    class_tag_map = rb_hash_new();
+    rb_hash_aset(class_tag_map, cASN1EndOfContent, INT2NUM(V_ASN1_EOC));
+    rb_hash_aset(class_tag_map, cASN1Boolean, INT2NUM(V_ASN1_BOOLEAN));
+    rb_hash_aset(class_tag_map, cASN1Integer, INT2NUM(V_ASN1_INTEGER));
+    rb_hash_aset(class_tag_map, cASN1BitString, INT2NUM(V_ASN1_BIT_STRING));
+    rb_hash_aset(class_tag_map, cASN1OctetString, INT2NUM(V_ASN1_OCTET_STRING));
+    rb_hash_aset(class_tag_map, cASN1Null, INT2NUM(V_ASN1_NULL));
+    rb_hash_aset(class_tag_map, cASN1ObjectId, INT2NUM(V_ASN1_OBJECT));
+    rb_hash_aset(class_tag_map, cASN1Enumerated, INT2NUM(V_ASN1_ENUMERATED));
+    rb_hash_aset(class_tag_map, cASN1UTF8String, INT2NUM(V_ASN1_UTF8STRING));
+    rb_hash_aset(class_tag_map, cASN1Sequence, INT2NUM(V_ASN1_SEQUENCE));
+    rb_hash_aset(class_tag_map, cASN1Set, INT2NUM(V_ASN1_SET));
+    rb_hash_aset(class_tag_map, cASN1NumericString, INT2NUM(V_ASN1_NUMERICSTRING));
+    rb_hash_aset(class_tag_map, cASN1PrintableString, INT2NUM(V_ASN1_PRINTABLESTRING));
+    rb_hash_aset(class_tag_map, cASN1T61String, INT2NUM(V_ASN1_T61STRING));
+    rb_hash_aset(class_tag_map, cASN1VideotexString, INT2NUM(V_ASN1_VIDEOTEXSTRING));
+    rb_hash_aset(class_tag_map, cASN1IA5String, INT2NUM(V_ASN1_IA5STRING));
+    rb_hash_aset(class_tag_map, cASN1UTCTime, INT2NUM(V_ASN1_UTCTIME));
+    rb_hash_aset(class_tag_map, cASN1GeneralizedTime, INT2NUM(V_ASN1_GENERALIZEDTIME));
+    rb_hash_aset(class_tag_map, cASN1GraphicString, INT2NUM(V_ASN1_GRAPHICSTRING));
+    rb_hash_aset(class_tag_map, cASN1ISO64String, INT2NUM(V_ASN1_ISO64STRING));
+    rb_hash_aset(class_tag_map, cASN1GeneralString, INT2NUM(V_ASN1_GENERALSTRING));
+    rb_hash_aset(class_tag_map, cASN1UniversalString, INT2NUM(V_ASN1_UNIVERSALSTRING));
+    rb_hash_aset(class_tag_map, cASN1BMPString, INT2NUM(V_ASN1_BMPSTRING));
+    rb_global_variable(&class_tag_map);
 }