rubysl-openssl 2.10 → 2.11

data/ext/rubysl/openssl/ossl_x509.h

@@ -15,6 +15,13 @@
  */
 extern VALUE mX509;
 
+/*
+ * Converts the VALUE into Integer and set it to the ASN1_TIME. This is a
+ * wrapper for X509_time_adj_ex() so passing NULL creates a new ASN1_TIME.
+ * Note that the caller must check the NULL return.
+ */
+ASN1_TIME *ossl_x509_time_adjust(ASN1_TIME *, VALUE);
+
 void Init_ossl_x509(void);
 
 /*
@@ -24,7 +31,7 @@ extern VALUE cX509Attr;
 extern VALUE eX509AttrError;
 
 VALUE ossl_x509attr_new(X509_ATTRIBUTE *);
-X509_ATTRIBUTE *DupX509AttrPtr(VALUE);
+X509_ATTRIBUTE *GetX509AttrPtr(VALUE);
 void Init_ossl_x509attr(void);
 
 /*
@@ -59,7 +66,6 @@ extern VALUE eX509ExtError;
 
 VALUE ossl_x509ext_new(X509_EXTENSION *);
 X509_EXTENSION *GetX509ExtPtr(VALUE);
-X509_EXTENSION *DupX509ExtPtr(VALUE);
 void Init_ossl_x509ext(void);
 
 /*
@@ -104,10 +110,13 @@ VALUE ossl_x509store_new(X509_STORE *);
 X509_STORE *GetX509StorePtr(VALUE);
 X509_STORE *DupX509StorePtr(VALUE);
 
-VALUE ossl_x509stctx_new(X509_STORE_CTX *);
-VALUE ossl_x509stctx_clear_ptr(VALUE);
 X509_STORE_CTX *GetX509StCtxtPtr(VALUE);
-
 void Init_ossl_x509store(void);
 
+/*
+ * Calls the verify callback Proc (the first parameter) with given pre-verify
+ * result and the X509_STORE_CTX.
+ */
+int ossl_verify_cb_call(VALUE, int, X509_STORE_CTX *);
+
 #endif /* _OSSL_X509_H_ */

data/ext/rubysl/openssl/ossl_x509attr.c

@@ -127,6 +127,25 @@ ossl_x509attr_initialize(int argc, VALUE *argv, VALUE self)
     return self;
 }
 
+static VALUE
+ossl_x509attr_initialize_copy(VALUE self, VALUE other)
+{
+    X509_ATTRIBUTE *attr, *attr_other, *attr_new;
+
+    rb_check_frozen(self);
+    GetX509Attr(self, attr);
+    SafeGetX509Attr(other, attr_other);
+
+    attr_new = X509_ATTRIBUTE_dup(attr_other);
+    if (!attr_new)
+	ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
+
+    SetX509Attr(self, attr_new);
+    X509_ATTRIBUTE_free(attr);
+
+    return self;
+}
+
 /*
  * call-seq:
  *    attr.oid = string => string
@@ -178,14 +197,6 @@ ossl_x509attr_get_oid(VALUE self)
     return ret;
 }
 
-#if defined(HAVE_ST_X509_ATTRIBUTE_SINGLE) || defined(HAVE_ST_SINGLE)
-#  define OSSL_X509ATTR_IS_SINGLE(attr)  ((attr)->single)
-#  define OSSL_X509ATTR_SET_SINGLE(attr) ((attr)->single = 1)
-#else
-#  define OSSL_X509ATTR_IS_SINGLE(attr)  (!(attr)->value.set)
-#  define OSSL_X509ATTR_SET_SINGLE(attr) ((attr)->value.set = 0)
-#endif
-
 /*
  * call-seq:
  *    attr.value = asn1 => asn1
@@ -194,21 +205,37 @@ static VALUE
 ossl_x509attr_set_value(VALUE self, VALUE value)
 {
     X509_ATTRIBUTE *attr;
-    ASN1_TYPE *a1type;
+    VALUE asn1_value;
+    int i, asn1_tag;
+
+    OSSL_Check_Kind(value, cASN1Data);
+    asn1_tag = NUM2INT(rb_attr_get(value, rb_intern("@tag")));
+    asn1_value = rb_attr_get(value, rb_intern("@value"));
+    if (asn1_tag != V_ASN1_SET)
+	ossl_raise(eASN1Error, "argument must be ASN1::Set");
+    if (!RB_TYPE_P(asn1_value, T_ARRAY))
+	ossl_raise(eASN1Error, "ASN1::Set has non-array value");
 
-    if(!(a1type = ossl_asn1_get_asn1type(value)))
-	ossl_raise(eASN1Error, "could not get ASN1_TYPE");
-    if(ASN1_TYPE_get(a1type) == V_ASN1_SEQUENCE){
-	ASN1_TYPE_free(a1type);
-	ossl_raise(eASN1Error, "couldn't set SEQUENCE for attribute value.");
-    }
     GetX509Attr(self, attr);
-    if(attr->value.set){
-	if(OSSL_X509ATTR_IS_SINGLE(attr)) ASN1_TYPE_free(attr->value.single);
-	else sk_ASN1_TYPE_free(attr->value.set);
+    if (X509_ATTRIBUTE_count(attr)) { /* populated, reset first */
+	ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
+	X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, 0, NULL, -1);
+	if (!new_attr)
+	    ossl_raise(eX509AttrError, NULL);
+	SetX509Attr(self, new_attr);
+	X509_ATTRIBUTE_free(attr);
+	attr = new_attr;
+    }
+
+    for (i = 0; i < RARRAY_LEN(asn1_value); i++) {
+	ASN1_TYPE *a1type = ossl_asn1_get_asn1type(RARRAY_AREF(asn1_value, i));
+	if (!X509_ATTRIBUTE_set1_data(attr, ASN1_TYPE_get(a1type),
+				      a1type->value.ptr, -1)) {
+	    ASN1_TYPE_free(a1type);
+	    ossl_raise(eX509AttrError, NULL);
+	}
+	ASN1_TYPE_free(a1type);
     }
-    OSSL_X509ATTR_SET_SINGLE(attr);
-    attr->value.single = a1type;
 
     return value;
 }
@@ -221,32 +248,34 @@ static VALUE
 ossl_x509attr_get_value(VALUE self)
 {
     X509_ATTRIBUTE *attr;
-    VALUE str, asn1;
-    long length;
+    STACK_OF(ASN1_TYPE) *sk;
+    VALUE str;
+    int i, count, len;
     unsigned char *p;
 
     GetX509Attr(self, attr);
-    if(attr->value.ptr == NULL) return Qnil;
-    if(OSSL_X509ATTR_IS_SINGLE(attr)){
-	length = i2d_ASN1_TYPE(attr->value.single, NULL);
-	str = rb_str_new(0, length);
-	p = (unsigned char *)RSTRING_PTR(str);
-	i2d_ASN1_TYPE(attr->value.single, &p);
-	ossl_str_adjust(str, p);
+    /* there is no X509_ATTRIBUTE_get0_set() :( */
+    if (!(sk = sk_ASN1_TYPE_new_null()))
+	ossl_raise(eX509AttrError, "sk_new");
+
+    count = X509_ATTRIBUTE_count(attr);
+    for (i = 0; i < count; i++)
+	sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
+
+    if ((len = i2d_ASN1_SET_ANY(sk, NULL)) <= 0) {
+	sk_ASN1_TYPE_free(sk);
+	ossl_raise(eX509AttrError, NULL);
     }
-    else{
-	length = i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set,
-			(unsigned char **) NULL, i2d_ASN1_TYPE,
-			V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
-	str = rb_str_new(0, length);
-	p = (unsigned char *)RSTRING_PTR(str);
-	i2d_ASN1_SET_OF_ASN1_TYPE(attr->value.set, &p,
-			i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0);
-	ossl_str_adjust(str, p);
+    str = rb_str_new(0, len);
+    p = (unsigned char *)RSTRING_PTR(str);
+    if (i2d_ASN1_SET_ANY(sk, &p) <= 0) {
+	sk_ASN1_TYPE_free(sk);
+	ossl_raise(eX509AttrError, NULL);
     }
-    asn1 = rb_funcall(mASN1, rb_intern("decode"), 1, str);
+    ossl_str_adjust(str, p);
+    sk_ASN1_TYPE_free(sk);
 
-    return asn1;
+    return rb_funcall(mASN1, rb_intern("decode"), 1, str);
 }
 
 /*
@@ -268,7 +297,7 @@ ossl_x509attr_to_der(VALUE self)
     p = (unsigned char *)RSTRING_PTR(str);
     if(i2d_X509_ATTRIBUTE(attr, &p) <= 0)
 	ossl_raise(eX509AttrError, NULL);
-    rb_str_set_len(str, p - (unsigned char*)RSTRING_PTR(str));
+    ossl_str_adjust(str, p);
 
     return str;
 }
@@ -279,11 +308,18 @@ ossl_x509attr_to_der(VALUE self)
 void
 Init_ossl_x509attr(void)
 {
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+    mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
     eX509AttrError = rb_define_class_under(mX509, "AttributeError", eOSSLError);
 
     cX509Attr = rb_define_class_under(mX509, "Attribute", rb_cObject);
     rb_define_alloc_func(cX509Attr, ossl_x509attr_alloc);
     rb_define_method(cX509Attr, "initialize", ossl_x509attr_initialize, -1);
+    rb_define_copy_func(cX509Attr, ossl_x509attr_initialize_copy);
     rb_define_method(cX509Attr, "oid=", ossl_x509attr_set_oid, 1);
     rb_define_method(cX509Attr, "oid", ossl_x509attr_get_oid, 0);
     rb_define_method(cX509Attr, "value=", ossl_x509attr_set_value, 1);

data/ext/rubysl/openssl/ossl_x509cert.c

@@ -78,9 +78,9 @@ ossl_x509_new_from_file(VALUE filename)
     FILE *fp;
     VALUE obj;
 
-    SafeStringValue(filename);
+    rb_check_safe_obj(filename);
     obj = NewX509(cX509Cert);
-    if (!(fp = fopen(RSTRING_PTR(filename), "r"))) {
+    if (!(fp = fopen(StringValueCStr(filename), "r"))) {
 	ossl_raise(eX509CertError, "%s", strerror(errno));
     }
     rb_fd_fix_cloexec(fileno(fp));
@@ -122,7 +122,7 @@ DupX509CertPtr(VALUE obj)
 
     SafeGetX509(obj, x509);
 
-    CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(x509);
 
     return x509;
 }
@@ -161,7 +161,7 @@ ossl_x509_initialize(int argc, VALUE *argv, VALUE self)
 	return self;
     }
     arg = ossl_to_der_if_possible(arg);
-    in = ossl_obj2bio(arg);
+    in = ossl_obj2bio(&arg);
     x509 = PEM_read_bio_X509(in, &x, NULL, NULL);
     DATA_PTR(self) = x;
     if (!x509) {
@@ -349,9 +349,7 @@ ossl_x509_set_serial(VALUE self, VALUE num)
     X509 *x509;
 
     GetX509(self, x509);
-
-    x509->cert_info->serialNumber =
-	num_to_asn1integer(num, X509_get_serialNumber(x509));
+    X509_set_serialNumber(x509, num_to_asn1integer(num, X509_get_serialNumber(x509)));
 
     return num;
 }
@@ -371,7 +369,7 @@ ossl_x509_get_signature_algorithm(VALUE self)
     out = BIO_new(BIO_s_mem());
     if (!out) ossl_raise(eX509CertError, NULL);
 
-    if (!i2a_ASN1_OBJECT(out, x509->cert_info->signature->algorithm)) {
+    if (!i2a_ASN1_OBJECT(out, X509_get0_tbs_sigalg(x509)->algorithm)) {
 	BIO_free(out);
 	ossl_raise(eX509CertError, NULL);
     }
@@ -458,10 +456,10 @@ static VALUE
 ossl_x509_get_not_before(VALUE self)
 {
     X509 *x509;
-    ASN1_UTCTIME *asn1time;
+    const ASN1_TIME *asn1time;
 
     GetX509(self, x509);
-    if (!(asn1time = X509_get_notBefore(x509))) { /* NO DUP - don't free! */
+    if (!(asn1time = X509_get0_notBefore(x509))) {
 	ossl_raise(eX509CertError, NULL);
     }
 
@@ -476,13 +474,15 @@ static VALUE
 ossl_x509_set_not_before(VALUE self, VALUE time)
 {
     X509 *x509;
-    time_t sec;
+    ASN1_TIME *asn1time;
 
-    sec = time_to_time_t(time);
     GetX509(self, x509);
-    if (!X509_time_adj(X509_get_notBefore(x509), 0, &sec)) {
-	ossl_raise(eX509CertError, NULL);
+    asn1time = ossl_x509_time_adjust(NULL, time);
+    if (!X509_set_notBefore(x509, asn1time)) {
+	ASN1_TIME_free(asn1time);
+	ossl_raise(eX509CertError, "X509_set_notBefore");
     }
+    ASN1_TIME_free(asn1time);
 
     return time;
 }
@@ -495,10 +495,10 @@ static VALUE
 ossl_x509_get_not_after(VALUE self)
 {
     X509 *x509;
-    ASN1_TIME *asn1time;
+    const ASN1_TIME *asn1time;
 
     GetX509(self, x509);
-    if (!(asn1time = X509_get_notAfter(x509))) { /* NO DUP - don't free! */
+    if (!(asn1time = X509_get0_notAfter(x509))) {
 	ossl_raise(eX509CertError, NULL);
     }
 
@@ -513,13 +513,15 @@ static VALUE
 ossl_x509_set_not_after(VALUE self, VALUE time)
 {
     X509 *x509;
-    time_t sec;
+    ASN1_TIME *asn1time;
 
-    sec = time_to_time_t(time);
     GetX509(self, x509);
-    if (!X509_time_adj(X509_get_notAfter(x509), 0, &sec)) {
-	ossl_raise(eX509CertError, NULL);
+    asn1time = ossl_x509_time_adjust(NULL, time);
+    if (!X509_set_notAfter(x509, asn1time)) {
+	ASN1_TIME_free(asn1time);
+	ossl_raise(eX509CertError, "X509_set_notAfter");
     }
+    ASN1_TIME_free(asn1time);
 
     return time;
 }
@@ -544,18 +546,19 @@ ossl_x509_get_public_key(VALUE self)
 
 /*
  * call-seq:
- *    cert.public_key = key => key
+ *    cert.public_key = key
  */
 static VALUE
 ossl_x509_set_public_key(VALUE self, VALUE key)
 {
     X509 *x509;
+    EVP_PKEY *pkey;
 
     GetX509(self, x509);
-    if (!X509_set_pubkey(x509, GetPKeyPtr(key))) { /* DUPs pkey */
-	ossl_raise(eX509CertError, NULL);
-    }
-
+    pkey = GetPKeyPtr(key);
+    ossl_pkey_check_public_key(pkey);
+    if (!X509_set_pubkey(x509, pkey))
+	ossl_raise(eX509CertError, "X509_set_pubkey");
     return key;
 }
 
@@ -591,18 +594,19 @@ ossl_x509_verify(VALUE self, VALUE key)
 {
     X509 *x509;
     EVP_PKEY *pkey;
-    int i;
 
-    pkey = GetPKeyPtr(key); /* NO NEED TO DUP */
     GetX509(self, x509);
-    if ((i = X509_verify(x509, pkey)) < 0) {
-	ossl_raise(eX509CertError, NULL);
-    }
-    if (i > 0) {
+    pkey = GetPKeyPtr(key);
+    ossl_pkey_check_public_key(pkey);
+    switch (X509_verify(x509, pkey)) {
+      case 1:
 	return Qtrue;
+      case 0:
+	ossl_clear_error();
+	return Qfalse;
+      default:
+	ossl_raise(eX509CertError, NULL);
     }
-
-    return Qfalse;
 }
 
 /*
@@ -621,7 +625,7 @@ ossl_x509_check_private_key(VALUE self, VALUE key)
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
     GetX509(self, x509);
     if (!X509_check_private_key(x509, pkey)) {
-	OSSL_Warning("Check private key:%s", OSSL_ErrMsg());
+	ossl_clear_error();
 	return Qfalse;
     }
 
@@ -671,16 +675,13 @@ ossl_x509_set_extensions(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509(self, x509);
-    sk_X509_EXTENSION_pop_free(x509->cert_info->extensions, X509_EXTENSION_free);
-    x509->cert_info->extensions = NULL;
+    while ((ext = X509_delete_ext(x509, 0)))
+	X509_EXTENSION_free(ext);
     for (i=0; i<RARRAY_LEN(ary); i++) {
-	ext = DupX509ExtPtr(RARRAY_AREF(ary, i));
-
-	if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext - FREE it */
-	    X509_EXTENSION_free(ext);
+	ext = GetX509ExtPtr(RARRAY_AREF(ary, i));
+	if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext */
 	    ossl_raise(eX509CertError, NULL);
 	}
-	X509_EXTENSION_free(ext);
     }
 
     return ary;
@@ -697,12 +698,10 @@ ossl_x509_add_extension(VALUE self, VALUE extension)
     X509_EXTENSION *ext;
 
     GetX509(self, x509);
-    ext = DupX509ExtPtr(extension);
+    ext = GetX509ExtPtr(extension);
     if (!X509_add_ext(x509, ext, -1)) { /* DUPs ext - FREE it */
-	X509_EXTENSION_free(ext);
 	ossl_raise(eX509CertError, NULL);
     }
-    X509_EXTENSION_free(ext);
 
     return extension;
 }
@@ -727,9 +726,9 @@ ossl_x509_inspect(VALUE self)
 void
 Init_ossl_x509cert(void)
 {
-
 #if 0
-    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
     mX509 = rb_define_module_under(mOSSL, "X509");
 #endif
 

data/ext/rubysl/openssl/ossl_x509crl.c

@@ -67,7 +67,7 @@ DupX509CRLPtr(VALUE obj)
     X509_CRL *crl;
 
     SafeGetX509CRL(obj, crl);
-    CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
+    X509_CRL_up_ref(crl);
 
     return crl;
 }
@@ -115,7 +115,7 @@ ossl_x509crl_initialize(int argc, VALUE *argv, VALUE self)
 	return self;
     }
     arg = ossl_to_der_if_possible(arg);
-    in = ossl_obj2bio(arg);
+    in = ossl_obj2bio(&arg);
     crl = PEM_read_bio_X509_CRL(in, &x, NULL, NULL);
     DATA_PTR(self) = x;
     if (!crl) {
@@ -180,22 +180,20 @@ static VALUE
 ossl_x509crl_get_signature_algorithm(VALUE self)
 {
     X509_CRL *crl;
+    const X509_ALGOR *alg;
     BIO *out;
-    BUF_MEM *buf;
-    VALUE str;
 
     GetX509CRL(self, crl);
     if (!(out = BIO_new(BIO_s_mem()))) {
 	ossl_raise(eX509CRLError, NULL);
     }
-    if (!i2a_ASN1_OBJECT(out, crl->sig_alg->algorithm)) {
+    X509_CRL_get0_signature(crl, NULL, &alg);
+    if (!i2a_ASN1_OBJECT(out, alg->algorithm)) {
 	BIO_free(out);
 	ossl_raise(eX509CRLError, NULL);
     }
-    BIO_get_mem_ptr(out, &buf);
-    str = rb_str_new(buf->data, buf->length);
-    BIO_free(out);
-    return str;
+
+    return ossl_membio2str(out);
 }
 
 static VALUE
@@ -228,20 +226,22 @@ ossl_x509crl_get_last_update(VALUE self)
 
     GetX509CRL(self, crl);
 
-    return asn1time_to_time(X509_CRL_get_lastUpdate(crl));
+    return asn1time_to_time(X509_CRL_get0_lastUpdate(crl));
 }
 
 static VALUE
 ossl_x509crl_set_last_update(VALUE self, VALUE time)
 {
     X509_CRL *crl;
-    time_t sec;
+    ASN1_TIME *asn1time;
 
-    sec = time_to_time_t(time);
     GetX509CRL(self, crl);
-    if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
-	ossl_raise(eX509CRLError, NULL);
+    asn1time = ossl_x509_time_adjust(NULL, time);
+    if (!X509_CRL_set_lastUpdate(crl, asn1time)) {
+	ASN1_TIME_free(asn1time);
+	ossl_raise(eX509CRLError, "X509_CRL_set_lastUpdate");
     }
+    ASN1_TIME_free(asn1time);
 
     return time;
 }
@@ -253,21 +253,22 @@ ossl_x509crl_get_next_update(VALUE self)
 
     GetX509CRL(self, crl);
 
-    return asn1time_to_time(X509_CRL_get_nextUpdate(crl));
+    return asn1time_to_time(X509_CRL_get0_nextUpdate(crl));
 }
 
 static VALUE
 ossl_x509crl_set_next_update(VALUE self, VALUE time)
 {
     X509_CRL *crl;
-    time_t sec;
+    ASN1_TIME *asn1time;
 
-    sec = time_to_time_t(time);
     GetX509CRL(self, crl);
-    /* This must be some thinko in OpenSSL */
-    if (!(crl->crl->nextUpdate = X509_time_adj(crl->crl->nextUpdate, 0, &sec))){
-	ossl_raise(eX509CRLError, NULL);
+    asn1time = ossl_x509_time_adjust(NULL, time);
+    if (!X509_CRL_set_nextUpdate(crl, asn1time)) {
+	ASN1_TIME_free(asn1time);
+	ossl_raise(eX509CRLError, "X509_CRL_set_nextUpdate");
     }
+    ASN1_TIME_free(asn1time);
 
     return time;
 }
@@ -302,6 +303,7 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
 {
     X509_CRL *crl;
     X509_REVOKED *rev;
+    STACK_OF(X509_REVOKED) *sk;
     long i;
 
     Check_Type(ary, T_ARRAY);
@@ -310,8 +312,10 @@ ossl_x509crl_set_revoked(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Rev);
     }
     GetX509CRL(self, crl);
-    sk_X509_REVOKED_pop_free(crl->crl->revoked, X509_REVOKED_free);
-    crl->crl->revoked = NULL;
+    if ((sk = X509_CRL_get_REVOKED(crl))) {
+	while ((rev = sk_X509_REVOKED_pop(sk)))
+	    X509_REVOKED_free(rev);
+    }
     for (i=0; i<RARRAY_LEN(ary); i++) {
 	rev = DupX509RevokedPtr(RARRAY_AREF(ary, i));
 	if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
@@ -362,17 +366,20 @@ static VALUE
 ossl_x509crl_verify(VALUE self, VALUE key)
 {
     X509_CRL *crl;
-    int ret;
+    EVP_PKEY *pkey;
 
     GetX509CRL(self, crl);
-    if ((ret = X509_CRL_verify(crl, GetPKeyPtr(key))) < 0) {
-	ossl_raise(eX509CRLError, NULL);
-    }
-    if (ret == 1) {
+    pkey = GetPKeyPtr(key);
+    ossl_pkey_check_public_key(pkey);
+    switch (X509_CRL_verify(crl, pkey)) {
+      case 1:
 	return Qtrue;
+      case 0:
+	ossl_clear_error();
+	return Qfalse;
+      default:
+	ossl_raise(eX509CRLError, NULL);
     }
-
-    return Qfalse;
 }
 
 static VALUE
@@ -380,8 +387,6 @@ ossl_x509crl_to_der(VALUE self)
 {
     X509_CRL *crl;
     BIO *out;
-    BUF_MEM *buf;
-    VALUE str;
 
     GetX509CRL(self, crl);
     if (!(out = BIO_new(BIO_s_mem()))) {
@@ -391,11 +396,8 @@ ossl_x509crl_to_der(VALUE self)
 	BIO_free(out);
 	ossl_raise(eX509CRLError, NULL);
     }
-    BIO_get_mem_ptr(out, &buf);
-    str = rb_str_new(buf->data, buf->length);
-    BIO_free(out);
 
-    return str;
+    return ossl_membio2str(out);
 }
 
 static VALUE
@@ -403,8 +405,6 @@ ossl_x509crl_to_pem(VALUE self)
 {
     X509_CRL *crl;
     BIO *out;
-    BUF_MEM *buf;
-    VALUE str;
 
     GetX509CRL(self, crl);
     if (!(out = BIO_new(BIO_s_mem()))) {
@@ -414,11 +414,8 @@ ossl_x509crl_to_pem(VALUE self)
 	BIO_free(out);
 	ossl_raise(eX509CRLError, NULL);
     }
-    BIO_get_mem_ptr(out, &buf);
-    str = rb_str_new(buf->data, buf->length);
-    BIO_free(out);
 
-    return str;
+    return ossl_membio2str(out);
 }
 
 static VALUE
@@ -426,8 +423,6 @@ ossl_x509crl_to_text(VALUE self)
 {
     X509_CRL *crl;
     BIO *out;
-    BUF_MEM *buf;
-    VALUE str;
 
     GetX509CRL(self, crl);
     if (!(out = BIO_new(BIO_s_mem()))) {
@@ -437,11 +432,8 @@ ossl_x509crl_to_text(VALUE self)
 	BIO_free(out);
 	ossl_raise(eX509CRLError, NULL);
     }
-    BIO_get_mem_ptr(out, &buf);
-    str = rb_str_new(buf->data, buf->length);
-    BIO_free(out);
 
-    return str;
+    return ossl_membio2str(out);
 }
 
 /*
@@ -486,15 +478,13 @@ ossl_x509crl_set_extensions(VALUE self, VALUE ary)
 	OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Ext);
     }
     GetX509CRL(self, crl);
-    sk_X509_EXTENSION_pop_free(crl->crl->extensions, X509_EXTENSION_free);
-    crl->crl->extensions = NULL;
+    while ((ext = X509_CRL_delete_ext(crl, 0)))
+	X509_EXTENSION_free(ext);
     for (i=0; i<RARRAY_LEN(ary); i++) {
-	ext = DupX509ExtPtr(RARRAY_AREF(ary, i));
-	if(!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
-	    X509_EXTENSION_free(ext);
+	ext = GetX509ExtPtr(RARRAY_AREF(ary, i)); /* NO NEED TO DUP */
+	if (!X509_CRL_add_ext(crl, ext, -1)) {
 	    ossl_raise(eX509CRLError, NULL);
 	}
-	X509_EXTENSION_free(ext);
     }
 
     return ary;
@@ -507,12 +497,10 @@ ossl_x509crl_add_extension(VALUE self, VALUE extension)
     X509_EXTENSION *ext;
 
     GetX509CRL(self, crl);
-    ext = DupX509ExtPtr(extension);
-    if (!X509_CRL_add_ext(crl, ext, -1)) { /* DUPs ext - FREE it */
-	X509_EXTENSION_free(ext);
+    ext = GetX509ExtPtr(extension);
+    if (!X509_CRL_add_ext(crl, ext, -1)) {
 	ossl_raise(eX509CRLError, NULL);
     }
-    X509_EXTENSION_free(ext);
 
     return extension;
 }
@@ -523,6 +511,12 @@ ossl_x509crl_add_extension(VALUE self, VALUE extension)
 void
 Init_ossl_x509crl(void)
 {
+#if 0
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
+    mX509 = rb_define_module_under(mOSSL, "X509");
+#endif
+
     eX509CRLError = rb_define_class_under(mX509, "CRLError", eOSSLError);
 
     cX509CRL = rb_define_class_under(mX509, "CRL", rb_cObject);