am e25247b8: Merge "NativeCrypto: add OpenSSL X.509 certificate/CRLs"

* commit 'e25247b8960b324ef5d961fe9c8e4a7057c047b2':
  NativeCrypto: add OpenSSL X.509 certificate/CRLs
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
index ed712df..ad14653 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
@@ -30,6 +30,7 @@
 import java.security.cert.X509Certificate;
 import java.security.interfaces.ECPrivateKey;
 import java.util.ArrayList;
+import java.util.Calendar;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -338,6 +339,183 @@
             throw new AssertionError(e);
         }
     }
+
+    public static native String X509_NAME_print_ex(long x509nameCtx, long flags);
+
+    // --- X509 ----------------------------------------------------------------
+
+    /** Used to request get_X509_GENERAL_NAME_stack get the "altname" field. */
+    public static final int GN_STACK_SUBJECT_ALT_NAME = 1;
+
+    /**
+     * Used to request get_X509_GENERAL_NAME_stack get the issuerAlternativeName
+     * extension.
+     */
+    public static final int GN_STACK_ISSUER_ALT_NAME = 2;
+
+    /**
+     * Used to request only non-critical types in get_X509*_ext_oids.
+     */
+    public static final int EXTENSION_TYPE_NON_CRITICAL = 0;
+
+    /**
+     * Used to request only critical types in get_X509*_ext_oids.
+     */
+    public static final int EXTENSION_TYPE_CRITICAL = 1;
+
+    public static native long d2i_X509_bio(long bioCtx);
+
+    public static native long PEM_read_bio_X509(long bioCtx);
+
+    public static native byte[] i2d_X509(long x509ctx);
+
+    /** Takes an X509 context not an X509_PUBKEY context. */
+    public static native byte[] i2d_X509_PUBKEY(long x509ctx);
+
+    public static native void X509_free(long x509ctx);
+
+    public static native int X509_cmp(long x509ctx1, long x509ctx2);
+
+    public static native int get_X509_hashCode(long x509ctx);
+
+    public static native void X509_print_ex(long bioCtx, long x509ctx, long nmflag, long certflag);
+
+    public static native byte[] X509_get_issuer_name(long x509ctx);
+
+    public static native byte[] X509_get_subject_name(long x509ctx);
+
+    public static native String get_X509_sig_alg_oid(long x509ctx);
+
+    public static native byte[] get_X509_sig_alg_parameter(long x509ctx);
+
+    public static native boolean[] get_X509_issuerUID(long x509ctx);
+
+    public static native boolean[] get_X509_subjectUID(long x509ctx);
+
+    public static native long X509_get_pubkey(long x509ctx) throws NoSuchAlgorithmException;
+
+    public static native String get_X509_pubkey_oid(long x509ctx);
+
+    public static native byte[] X509_get_ext_oid(long x509ctx, String oid);
+
+    public static native String[] get_X509_ext_oids(long x509ctx, int critical);
+
+    public static native Object[][] get_X509_GENERAL_NAME_stack(long x509ctx, int type);
+
+    public static native boolean[] get_X509_ex_kusage(long x509ctx);
+
+    public static native String[] get_X509_ex_xkusage(long x509ctx);
+
+    public static native int X509_check_ca(long x509ctx);
+
+    public static native int get_X509_ex_pathlen(long x509ctx);
+
+    public static native long X509_get_notBefore(long x509ctx);
+
+    public static native long X509_get_notAfter(long x509ctx);
+
+    public static native long X509_get_version(long x509ctx);
+
+    public static native byte[] X509_get_serialNumber(long x509ctx);
+
+    public static native void X509_verify(long x509ctx, long pkeyCtx);
+
+    public static native byte[] get_X509_cert_info_enc(long x509ctx);
+
+    public static native byte[] get_X509_signature(long x509ctx);
+
+    public static native int get_X509_ex_flags(long x509ctx);
+
+    // --- X509 EXFLAG ---------------------------------------------------------
+
+    public static final int EXFLAG_CRITICAL = 0x200;
+
+    // --- PKCS7 ---------------------------------------------------------------
+
+    /** Used as the "which" field in d2i_PKCS7_bio and PEM_read_bio_PKCS7. */
+    public static final int PKCS7_CERTS = 1;
+
+    /** Used as the "which" field in d2i_PKCS7_bio and PEM_read_bio_PKCS7. */
+    public static final int PKCS7_CRLS = 2;
+
+    /** Returns an array of X509 or X509_CRL pointers. */
+    public static native long[] d2i_PKCS7_bio(long bioCtx, int which);
+
+    /** Returns an array of X509 or X509_CRL pointers. */
+    public static native long[] PEM_read_bio_PKCS7(long bioCtx, int which);
+
+    // --- X509_CRL ------------------------------------------------------------
+
+    public static native long d2i_X509_CRL_bio(long bioCtx);
+
+    public static native long PEM_read_bio_X509_CRL(long bioCtx);
+
+    public static native byte[] i2d_X509_CRL(long x509CrlCtx);
+
+    public static native void X509_CRL_free(long x509CrlCtx);
+
+    public static native void X509_CRL_print(long bioCtx, long x509CrlCtx);
+
+    public static native String get_X509_CRL_sig_alg_oid(long x509CrlCtx);
+
+    public static native byte[] get_X509_CRL_sig_alg_parameter(long x509CrlCtx);
+
+    public static native byte[] X509_CRL_get_issuer_name(long x509CrlCtx);
+
+    /** Returns X509_REVOKED reference that is not duplicated! */
+    public static native long X509_CRL_get0_by_cert(long x509CrlCtx, long x509Ctx);
+
+    /** Returns X509_REVOKED reference that is not duplicated! */
+    public static native long X509_CRL_get0_by_serial(long x509CrlCtx, byte[] serial);
+
+    /** Returns an array of X509_REVOKED that are owned by the caller. */
+    public static native long[] X509_CRL_get_REVOKED(long x509CrlCtx);
+
+    public static native String[] get_X509_CRL_ext_oids(long x509ctx, int critical);
+
+    public static native byte[] X509_CRL_get_ext_oid(long x509CrlCtx, String oid);
+
+    public static native long X509_CRL_get_version(long x509CrlCtx);
+
+    public static native long X509_CRL_get_ext(long x509CrlCtx, String oid);
+
+    public static native byte[] get_X509_CRL_signature(long x509ctx);
+
+    public static native void X509_CRL_verify(long x509CrlCtx, long pkeyCtx);
+
+    public static native byte[] get_X509_CRL_crl_enc(long x509CrlCtx);
+
+    public static native long X509_CRL_get_lastUpdate(long x509CrlCtx);
+
+    public static native long X509_CRL_get_nextUpdate(long x509CrlCtx);
+
+    // --- X509_REVOKED --------------------------------------------------------
+
+    public static native long X509_REVOKED_dup(long x509RevokedCtx);
+
+    public static native byte[] i2d_X509_REVOKED(long x509RevokedCtx);
+
+    public static native String[] get_X509_REVOKED_ext_oids(long x509ctx, int critical);
+
+    public static native byte[] X509_REVOKED_get_ext_oid(long x509RevokedCtx, String oid);
+
+    public static native byte[] X509_REVOKED_get_serialNumber(long x509RevokedCtx);
+
+    public static native long X509_REVOKED_get_ext(long x509RevokedCtx, String oid);
+
+    /** Returns ASN1_TIME reference. */
+    public static native long get_X509_REVOKED_revocationDate(long x509RevokedCtx);
+
+    public static native void X509_REVOKED_print(long bioRef, long x509RevokedCtx);
+
+    // --- X509_EXTENSION ------------------------------------------------------
+
+    public static native int X509_supported_extension(long x509ExtensionRef);
+
+    // --- ASN1_TIME -----------------------------------------------------------
+
+    public static native void ASN1_TIME_to_Calendar(long asn1TimeCtx, Calendar cal);
+
     // --- BIO stream creation -------------------------------------------------
 
     public static native long create_BIO_InputStream(OpenSSLBIOInputStream is);
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLBIOInputStream.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLBIOInputStream.java
index c2109b6..823d30a 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLBIOInputStream.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLBIOInputStream.java
@@ -38,20 +38,29 @@
         return ctx;
     }
 
-    public int readLine(byte[] buffer) throws IOException {
+    /**
+     * Similar to a {@code readLine} method, but matches what OpenSSL expects
+     * from a {@code BIO_gets} method.
+     */
+    public int gets(byte[] buffer) throws IOException {
         if (buffer == null || buffer.length == 0) {
             return 0;
         }
 
         int offset = 0;
-        int inputByte = read();
-        while (offset < buffer.length && inputByte != '\n' && inputByte != -1) {
-            buffer[offset++] = (byte) inputByte;
+        int inputByte = 0;
+        while (offset < buffer.length) {
             inputByte = read();
-        }
+            if (inputByte == '\n' || inputByte == -1) {
+                if (offset == 0) {
+                    // If we haven't read anything yet, ignore CRLF.
+                    continue;
+                } else {
+                    break;
+                }
+            }
 
-        if (inputByte == '\n') {
-            buffer[offset++] = '\n';
+            buffer[offset++] = (byte) inputByte;
         }
 
         return offset;
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java
index 1c6a86e..7ac4022 100644
--- a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java
@@ -226,5 +226,10 @@
         put("Alg.Alias.Mac.1.2.840.113549.2.11", "HmacSHA512");
         put("Alg.Alias.Mac.HMAC-SHA512", "HmacSHA512");
         put("Alg.Alias.Mac.HMAC/SHA512", "HmacSHA512");
+
+        /* === Certificate === */
+
+        put("CertificateFactory.X509", OpenSSLX509CertificateFactory.class.getName());
+        put("Alg.Alias.CertificateFactory.X.509", "X509");
     }
 }
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CRL.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CRL.java
new file mode 100644
index 0000000..9d6b6b8
--- /dev/null
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CRL.java
@@ -0,0 +1,393 @@
+/*
+ * Copyright (C) 2013 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.harmony.xnet.provider.jsse;
+
+import org.apache.harmony.security.utils.AlgNameMapper;
+import org.apache.harmony.xnet.provider.jsse.OpenSSLX509CertificateFactory.ParsingException;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.cert.CRLException;
+import java.security.cert.Certificate;
+import java.security.cert.X509CRL;
+import java.security.cert.X509CRLEntry;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.TimeZone;
+
+import javax.security.auth.x500.X500Principal;
+
+public class OpenSSLX509CRL extends X509CRL {
+    private final long mContext;
+
+    private OpenSSLX509CRL(long ctx) {
+        mContext = ctx;
+    }
+
+    public static OpenSSLX509CRL fromX509DerInputStream(InputStream is) throws ParsingException {
+        final OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
+
+        try {
+            final long crlCtx = NativeCrypto.d2i_X509_CRL_bio(bis.getBioContext());
+            if (crlCtx == 0) {
+                return null;
+            }
+            return new OpenSSLX509CRL(crlCtx);
+        } catch (Exception e) {
+            throw new ParsingException(e);
+        } finally {
+            NativeCrypto.BIO_free(bis.getBioContext());
+        }
+    }
+
+    public static List<OpenSSLX509CRL> fromPkcs7DerInputStream(InputStream is)
+            throws ParsingException {
+        OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
+
+        final long[] certRefs;
+        try {
+            certRefs = NativeCrypto.d2i_PKCS7_bio(bis.getBioContext(), NativeCrypto.PKCS7_CRLS);
+        } catch (Exception e) {
+            throw new ParsingException(e);
+        } finally {
+            NativeCrypto.BIO_free(bis.getBioContext());
+        }
+
+        final List<OpenSSLX509CRL> certs = new ArrayList<OpenSSLX509CRL>(certRefs.length);
+        for (int i = 0; i < certRefs.length; i++) {
+            if (certRefs[i] == 0) {
+                continue;
+            }
+            certs.add(new OpenSSLX509CRL(certRefs[i]));
+        }
+        return certs;
+    }
+
+    public static OpenSSLX509CRL fromX509PemInputStream(InputStream is) throws ParsingException {
+        final OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
+
+        try {
+            final long crlCtx = NativeCrypto.PEM_read_bio_X509_CRL(bis.getBioContext());
+            if (crlCtx == 0) {
+                return null;
+            }
+            return new OpenSSLX509CRL(crlCtx);
+        } catch (Exception e) {
+            throw new ParsingException(e);
+        } finally {
+            NativeCrypto.BIO_free(bis.getBioContext());
+        }
+    }
+
+    public static List<OpenSSLX509CRL> fromPkcs7PemInputStream(InputStream is)
+            throws ParsingException {
+        OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
+
+        final long[] certRefs;
+        try {
+            certRefs = NativeCrypto.PEM_read_bio_PKCS7(bis.getBioContext(),
+                    NativeCrypto.PKCS7_CRLS);
+        } catch (Exception e) {
+            throw new ParsingException(e);
+        } finally {
+            NativeCrypto.BIO_free(bis.getBioContext());
+        }
+
+        final List<OpenSSLX509CRL> certs = new ArrayList<OpenSSLX509CRL>(certRefs.length);
+        for (int i = 0; i < certRefs.length; i++) {
+            if (certRefs[i] == 0) {
+                continue;
+            }
+            certs.add(new OpenSSLX509CRL(certRefs[i]));
+        }
+        return certs;
+    }
+
+    @Override
+    public Set<String> getCriticalExtensionOIDs() {
+        String[] critOids =
+                NativeCrypto.get_X509_CRL_ext_oids(mContext, NativeCrypto.EXTENSION_TYPE_CRITICAL);
+
+        /*
+         * This API has a special case that if there are no extensions, we
+         * should return null. So if we have no critical extensions, we'll check
+         * non-critical extensions.
+         */
+        if ((critOids.length == 0)
+                && (NativeCrypto.get_X509_CRL_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_NON_CRITICAL).length == 0)) {
+            return null;
+        }
+
+        return new HashSet<String>(Arrays.asList(critOids));
+    }
+
+    @Override
+    public byte[] getExtensionValue(String oid) {
+        return NativeCrypto.X509_CRL_get_ext_oid(mContext, oid);
+    }
+
+    @Override
+    public Set<String> getNonCriticalExtensionOIDs() {
+        String[] nonCritOids =
+                NativeCrypto.get_X509_CRL_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_NON_CRITICAL);
+
+        /*
+         * This API has a special case that if there are no extensions, we
+         * should return null. So if we have no non-critical extensions, we'll
+         * check critical extensions.
+         */
+        if ((nonCritOids.length == 0)
+                && (NativeCrypto.get_X509_CRL_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_CRITICAL).length == 0)) {
+            return null;
+        }
+
+        return new HashSet<String>(Arrays.asList(nonCritOids));
+    }
+
+    @Override
+    public boolean hasUnsupportedCriticalExtension() {
+        final String[] criticalOids =
+                NativeCrypto.get_X509_CRL_ext_oids(mContext, NativeCrypto.EXTENSION_TYPE_CRITICAL);
+        for (String oid : criticalOids) {
+            final long extensionRef = NativeCrypto.X509_CRL_get_ext(mContext, oid);
+            if (NativeCrypto.X509_supported_extension(extensionRef) != 1) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public byte[] getEncoded() throws CRLException {
+        return NativeCrypto.i2d_X509_CRL(mContext);
+    }
+
+    private void verifyOpenSSL(OpenSSLKey pkey) throws CRLException, NoSuchAlgorithmException,
+            InvalidKeyException, NoSuchProviderException, SignatureException {
+        NativeCrypto.X509_CRL_verify(mContext, pkey.getPkeyContext());
+    }
+
+    private void verifyInternal(PublicKey key, String sigProvider) throws CRLException,
+            NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
+            SignatureException {
+        String sigAlg = getSigAlgName();
+        if (sigAlg == null) {
+            sigAlg = getSigAlgOID();
+        }
+
+        final Signature sig;
+        if (sigProvider == null) {
+            sig = Signature.getInstance(sigAlg);
+        } else {
+            sig = Signature.getInstance(sigAlg, sigProvider);
+        }
+
+        sig.initVerify(key);
+        sig.update(getTBSCertList());
+        if (!sig.verify(getSignature())) {
+            throw new SignatureException("signature did not verify");
+        }
+    }
+
+    @Override
+    public void verify(PublicKey key) throws CRLException, NoSuchAlgorithmException,
+            InvalidKeyException, NoSuchProviderException, SignatureException {
+        if (key instanceof OpenSSLKeyHolder) {
+            OpenSSLKey pkey = ((OpenSSLKeyHolder) key).getOpenSSLKey();
+            verifyOpenSSL(pkey);
+            return;
+        }
+
+        verifyInternal(key, null);
+    }
+
+    @Override
+    public void verify(PublicKey key, String sigProvider) throws CRLException,
+            NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
+            SignatureException {
+        verifyInternal(key, sigProvider);
+    }
+
+    @Override
+    public int getVersion() {
+        return (int) NativeCrypto.X509_CRL_get_version(mContext) + 1;
+    }
+
+    @Override
+    public Principal getIssuerDN() {
+        return getIssuerX500Principal();
+    }
+
+    @Override
+    public X500Principal getIssuerX500Principal() {
+        final byte[] issuer = NativeCrypto.X509_CRL_get_issuer_name(mContext);
+        return new X500Principal(issuer);
+    }
+
+    @Override
+    public Date getThisUpdate() {
+        Calendar calendar = Calendar.getInstance();
+        calendar.setTimeZone(TimeZone.getTimeZone("UTC"));
+        NativeCrypto.ASN1_TIME_to_Calendar(NativeCrypto.X509_CRL_get_lastUpdate(mContext),
+                calendar);
+        return calendar.getTime();
+    }
+
+    @Override
+    public Date getNextUpdate() {
+        Calendar calendar = Calendar.getInstance();
+        calendar.setTimeZone(TimeZone.getTimeZone("UTC"));
+        NativeCrypto.ASN1_TIME_to_Calendar(NativeCrypto.X509_CRL_get_nextUpdate(mContext),
+                calendar);
+        return calendar.getTime();
+    }
+
+    @Override
+    public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
+        final long revokedRef = NativeCrypto.X509_CRL_get0_by_serial(mContext,
+                serialNumber.toByteArray());
+        if (revokedRef == 0) {
+            return null;
+        }
+
+        return new OpenSSLX509CRLEntry(NativeCrypto.X509_REVOKED_dup(revokedRef));
+    }
+
+    @Override
+    public X509CRLEntry getRevokedCertificate(X509Certificate certificate) {
+        if (certificate instanceof OpenSSLX509Certificate) {
+            OpenSSLX509Certificate osslCert = (OpenSSLX509Certificate) certificate;
+            final long x509RevokedRef = NativeCrypto.X509_CRL_get0_by_cert(mContext,
+                    osslCert.getContext());
+
+            if (x509RevokedRef == 0) {
+                return null;
+            }
+
+            return new OpenSSLX509CRLEntry(NativeCrypto.X509_REVOKED_dup(x509RevokedRef));
+        }
+
+        return getRevokedCertificate(certificate.getSerialNumber());
+    }
+
+    @Override
+    public Set<? extends X509CRLEntry> getRevokedCertificates() {
+        final long[] entryRefs = NativeCrypto.X509_CRL_get_REVOKED(mContext);
+        if (entryRefs == null || entryRefs.length == 0) {
+            return null;
+        }
+
+        final Set<OpenSSLX509CRLEntry> crlSet = new HashSet<OpenSSLX509CRLEntry>();
+        for (long entryRef : entryRefs) {
+            crlSet.add(new OpenSSLX509CRLEntry(entryRef));
+        }
+
+        return crlSet;
+    }
+
+    @Override
+    public byte[] getTBSCertList() throws CRLException {
+        return NativeCrypto.get_X509_CRL_crl_enc(mContext);
+    }
+
+    @Override
+    public byte[] getSignature() {
+        return NativeCrypto.get_X509_CRL_signature(mContext);
+    }
+
+    @Override
+    public String getSigAlgName() {
+        return AlgNameMapper.map2AlgName(getSigAlgOID());
+    }
+
+    @Override
+    public String getSigAlgOID() {
+        return NativeCrypto.get_X509_CRL_sig_alg_oid(mContext);
+    }
+
+    @Override
+    public byte[] getSigAlgParams() {
+        return NativeCrypto.get_X509_CRL_sig_alg_parameter(mContext);
+    }
+
+    @Override
+    public boolean isRevoked(Certificate cert) {
+        if (!(cert instanceof X509Certificate)) {
+            return false;
+        }
+
+        final OpenSSLX509Certificate osslCert;
+        if (cert instanceof OpenSSLX509Certificate) {
+            osslCert = (OpenSSLX509Certificate) cert;
+        } else {
+            try {
+                osslCert = OpenSSLX509Certificate.fromX509DerInputStream(new ByteArrayInputStream(
+                        cert.getEncoded()));
+            } catch (Exception e) {
+                throw new RuntimeException("cannot convert certificate", e);
+            }
+        }
+
+        final long x509RevokedRef = NativeCrypto.X509_CRL_get0_by_cert(mContext,
+                osslCert.getContext());
+
+        return x509RevokedRef != 0;
+    }
+
+    @Override
+    public String toString() {
+        ByteArrayOutputStream os = new ByteArrayOutputStream();
+        final long bioCtx = NativeCrypto.create_BIO_OutputStream(os);
+        try {
+            NativeCrypto.X509_CRL_print(bioCtx, mContext);
+            return os.toString();
+        } finally {
+            NativeCrypto.BIO_free(bioCtx);
+        }
+    }
+
+    @Override
+    protected void finalize() throws Throwable {
+        try {
+            if (mContext != 0) {
+                NativeCrypto.X509_CRL_free(mContext);
+            }
+        } finally {
+            super.finalize();
+        }
+    }
+
+}
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CRLEntry.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CRLEntry.java
new file mode 100644
index 0000000..3655338
--- /dev/null
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CRLEntry.java
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2013 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.harmony.xnet.provider.jsse;
+
+import java.io.ByteArrayOutputStream;
+import java.math.BigInteger;
+import java.security.cert.CRLException;
+import java.security.cert.X509CRLEntry;
+import java.util.Arrays;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.TimeZone;
+
+public class OpenSSLX509CRLEntry extends X509CRLEntry {
+    private final long mContext;
+
+    OpenSSLX509CRLEntry(long ctx) {
+        mContext = ctx;
+    }
+
+    @Override
+    public Set<String> getCriticalExtensionOIDs() {
+        String[] critOids =
+                NativeCrypto.get_X509_REVOKED_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_CRITICAL);
+
+        /*
+         * This API has a special case that if there are no extensions, we
+         * should return null. So if we have no critical extensions, we'll check
+         * non-critical extensions.
+         */
+        if ((critOids.length == 0)
+                && (NativeCrypto.get_X509_REVOKED_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_NON_CRITICAL).length == 0)) {
+            return null;
+        }
+
+        return new HashSet<String>(Arrays.asList(critOids));
+    }
+
+    @Override
+    public byte[] getExtensionValue(String oid) {
+        return NativeCrypto.X509_REVOKED_get_ext_oid(mContext, oid);
+    }
+
+    @Override
+    public Set<String> getNonCriticalExtensionOIDs() {
+        String[] critOids =
+                NativeCrypto.get_X509_REVOKED_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_NON_CRITICAL);
+
+        /*
+         * This API has a special case that if there are no extensions, we
+         * should return null. So if we have no non-critical extensions, we'll
+         * check critical extensions.
+         */
+        if ((critOids.length == 0)
+                && (NativeCrypto.get_X509_REVOKED_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_CRITICAL).length == 0)) {
+            return null;
+        }
+
+        return new HashSet<String>(Arrays.asList(critOids));
+    }
+
+    @Override
+    public boolean hasUnsupportedCriticalExtension() {
+        final String[] criticalOids =
+                NativeCrypto.get_X509_REVOKED_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_CRITICAL);
+        for (String oid : criticalOids) {
+            final long extensionRef = NativeCrypto.X509_REVOKED_get_ext(mContext, oid);
+            if (NativeCrypto.X509_supported_extension(extensionRef) != 1) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public byte[] getEncoded() throws CRLException {
+        return NativeCrypto.i2d_X509_REVOKED(mContext);
+    }
+
+    @Override
+    public BigInteger getSerialNumber() {
+        return new BigInteger(NativeCrypto.X509_REVOKED_get_serialNumber(mContext));
+    }
+
+    @Override
+    public Date getRevocationDate() {
+        Calendar calendar = Calendar.getInstance();
+        calendar.setTimeZone(TimeZone.getTimeZone("UTC"));
+        NativeCrypto.ASN1_TIME_to_Calendar(NativeCrypto.get_X509_REVOKED_revocationDate(mContext),
+                calendar);
+        return calendar.getTime();
+    }
+
+    @Override
+    public boolean hasExtensions() {
+        return (NativeCrypto.get_X509_REVOKED_ext_oids(mContext,
+                NativeCrypto.EXTENSION_TYPE_NON_CRITICAL).length != 0)
+                || (NativeCrypto.get_X509_REVOKED_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_CRITICAL).length != 0);
+    }
+
+    @Override
+    public String toString() {
+        ByteArrayOutputStream os = new ByteArrayOutputStream();
+        long bioCtx = NativeCrypto.create_BIO_OutputStream(os);
+        try {
+            NativeCrypto.X509_REVOKED_print(bioCtx, mContext);
+            return os.toString();
+        } finally {
+            NativeCrypto.BIO_free(bioCtx);
+        }
+    }
+}
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509Certificate.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509Certificate.java
new file mode 100644
index 0000000..bd7f2b2
--- /dev/null
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509Certificate.java
@@ -0,0 +1,476 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.harmony.xnet.provider.jsse;
+
+import org.apache.harmony.security.utils.AlgNameMapper;
+import org.apache.harmony.security.x509.X509PublicKey;
+import org.apache.harmony.xnet.provider.jsse.OpenSSLX509CertificateFactory.ParsingException;
+
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Calendar;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.TimeZone;
+
+import javax.security.auth.x500.X500Principal;
+
+public class OpenSSLX509Certificate extends X509Certificate {
+    private final long mContext;
+
+    private OpenSSLX509Certificate(long ctx) {
+        mContext = ctx;
+    }
+
+    public static OpenSSLX509Certificate fromX509DerInputStream(InputStream is)
+            throws ParsingException {
+        final OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
+
+        try {
+            final long certCtx = NativeCrypto.d2i_X509_bio(bis.getBioContext());
+            if (certCtx == 0) {
+                return null;
+            }
+            return new OpenSSLX509Certificate(certCtx);
+        } catch (Exception e) {
+            throw new ParsingException(e);
+        } finally {
+            NativeCrypto.BIO_free(bis.getBioContext());
+        }
+    }
+
+    public static List<OpenSSLX509Certificate> fromPkcs7DerInputStream(InputStream is)
+            throws ParsingException {
+        OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
+
+        final long[] certRefs;
+        try {
+            certRefs = NativeCrypto.d2i_PKCS7_bio(bis.getBioContext(), NativeCrypto.PKCS7_CERTS);
+        } catch (Exception e) {
+            throw new ParsingException(e);
+        } finally {
+            NativeCrypto.BIO_free(bis.getBioContext());
+        }
+
+        final List<OpenSSLX509Certificate> certs = new ArrayList<OpenSSLX509Certificate>(
+                certRefs.length);
+        for (int i = 0; i < certRefs.length; i++) {
+            if (certRefs[i] == 0) {
+                continue;
+            }
+            certs.add(new OpenSSLX509Certificate(certRefs[i]));
+        }
+        return certs;
+    }
+
+    public static OpenSSLX509Certificate fromX509PemInputStream(InputStream is)
+            throws ParsingException {
+        final OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
+
+        try {
+            final long certCtx = NativeCrypto.PEM_read_bio_X509(bis.getBioContext());
+            if (certCtx == 0L) {
+                return null;
+            }
+            return new OpenSSLX509Certificate(certCtx);
+        } catch (Exception e) {
+            throw new ParsingException(e);
+        } finally {
+            NativeCrypto.BIO_free(bis.getBioContext());
+        }
+    }
+
+    public static List<OpenSSLX509Certificate> fromPkcs7PemInputStream(InputStream is)
+            throws ParsingException {
+        OpenSSLBIOInputStream bis = new OpenSSLBIOInputStream(is);
+
+        final long[] certRefs;
+        try {
+            certRefs = NativeCrypto.PEM_read_bio_PKCS7(bis.getBioContext(),
+                    NativeCrypto.PKCS7_CERTS);
+        } catch (Exception e) {
+            throw new ParsingException(e);
+        } finally {
+            NativeCrypto.BIO_free(bis.getBioContext());
+        }
+
+        final List<OpenSSLX509Certificate> certs = new ArrayList<OpenSSLX509Certificate>(
+                certRefs.length);
+        for (int i = 0; i < certRefs.length; i++) {
+            if (certRefs[i] == 0) {
+                continue;
+            }
+            certs.add(new OpenSSLX509Certificate(certRefs[i]));
+        }
+        return certs;
+    }
+
+    @Override
+    public Set<String> getCriticalExtensionOIDs() {
+        String[] critOids =
+                NativeCrypto.get_X509_ext_oids(mContext, NativeCrypto.EXTENSION_TYPE_CRITICAL);
+
+        /*
+         * This API has a special case that if there are no extensions, we
+         * should return null. So if we have no critical extensions, we'll check
+         * non-critical extensions.
+         */
+        if ((critOids.length == 0)
+                && (NativeCrypto.get_X509_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_NON_CRITICAL).length == 0)) {
+            return null;
+        }
+
+        return new HashSet<String>(Arrays.asList(critOids));
+    }
+
+    @Override
+    public byte[] getExtensionValue(String oid) {
+        return NativeCrypto.X509_get_ext_oid(mContext, oid);
+    }
+
+    @Override
+    public Set<String> getNonCriticalExtensionOIDs() {
+        String[] nonCritOids =
+                NativeCrypto.get_X509_ext_oids(mContext, NativeCrypto.EXTENSION_TYPE_NON_CRITICAL);
+
+        /*
+         * This API has a special case that if there are no extensions, we
+         * should return null. So if we have no non-critical extensions, we'll
+         * check critical extensions.
+         */
+        if ((nonCritOids.length == 0)
+                && (NativeCrypto.get_X509_ext_oids(mContext,
+                        NativeCrypto.EXTENSION_TYPE_CRITICAL).length == 0)) {
+            return null;
+        }
+
+        return new HashSet<String>(Arrays.asList(nonCritOids));
+    }
+
+    @Override
+    public boolean hasUnsupportedCriticalExtension() {
+        return (NativeCrypto.get_X509_ex_flags(mContext) & NativeCrypto.EXFLAG_CRITICAL) != 0;
+    }
+
+    @Override
+    public void checkValidity() throws CertificateExpiredException,
+            CertificateNotYetValidException {
+        checkValidity(new Date());
+    }
+
+    @Override
+    public void checkValidity(Date date) throws CertificateExpiredException,
+            CertificateNotYetValidException {
+        if (getNotBefore().compareTo(date) > 0) {
+            throw new CertificateNotYetValidException();
+        }
+
+        if (getNotAfter().compareTo(date) < 0) {
+            throw new CertificateExpiredException();
+        }
+    }
+
+    @Override
+    public int getVersion() {
+        return (int) NativeCrypto.X509_get_version(mContext) + 1;
+    }
+
+    @Override
+    public BigInteger getSerialNumber() {
+        return new BigInteger(NativeCrypto.X509_get_serialNumber(mContext));
+    }
+
+    @Override
+    public Principal getIssuerDN() {
+        return getIssuerX500Principal();
+    }
+
+    @Override
+    public Principal getSubjectDN() {
+        return getSubjectX500Principal();
+    }
+
+    @Override
+    public Date getNotBefore() {
+        Calendar calendar = Calendar.getInstance();
+        calendar.setTimeZone(TimeZone.getTimeZone("UTC"));
+        NativeCrypto.ASN1_TIME_to_Calendar(NativeCrypto.X509_get_notBefore(mContext), calendar);
+        return calendar.getTime();
+    }
+
+    @Override
+    public Date getNotAfter() {
+        Calendar calendar = Calendar.getInstance();
+        calendar.setTimeZone(TimeZone.getTimeZone("UTC"));
+        NativeCrypto.ASN1_TIME_to_Calendar(NativeCrypto.X509_get_notAfter(mContext), calendar);
+        return calendar.getTime();
+    }
+
+    @Override
+    public byte[] getTBSCertificate() throws CertificateEncodingException {
+        return NativeCrypto.get_X509_cert_info_enc(mContext);
+    }
+
+    @Override
+    public byte[] getSignature() {
+        return NativeCrypto.get_X509_signature(mContext);
+    }
+
+    @Override
+    public String getSigAlgName() {
+        return AlgNameMapper.map2AlgName(getSigAlgOID());
+    }
+
+    @Override
+    public String getSigAlgOID() {
+        return NativeCrypto.get_X509_sig_alg_oid(mContext);
+    }
+
+    @Override
+    public byte[] getSigAlgParams() {
+        return NativeCrypto.get_X509_sig_alg_parameter(mContext);
+    }
+
+    @Override
+    public boolean[] getIssuerUniqueID() {
+        return NativeCrypto.get_X509_issuerUID(mContext);
+    }
+
+    @Override
+    public boolean[] getSubjectUniqueID() {
+        return NativeCrypto.get_X509_subjectUID(mContext);
+    }
+
+    @Override
+    public boolean[] getKeyUsage() {
+        final boolean[] kusage = NativeCrypto.get_X509_ex_kusage(mContext);
+        if (kusage.length >= 9) {
+            return kusage;
+        }
+
+        final boolean resized[] = new boolean[9];
+        System.arraycopy(kusage, 0, resized, 0, kusage.length);
+        return resized;
+    }
+
+    @Override
+    public int getBasicConstraints() {
+        if (NativeCrypto.X509_check_ca(mContext) != 1) {
+            return -1;
+        }
+
+        final int pathLen = NativeCrypto.get_X509_ex_pathlen(mContext);
+        if (pathLen == -1) {
+            return Integer.MAX_VALUE;
+        }
+
+        return pathLen;
+    }
+
+    @Override
+    public byte[] getEncoded() throws CertificateEncodingException {
+        return NativeCrypto.i2d_X509(mContext);
+    }
+
+    private void verifyOpenSSL(OpenSSLKey pkey) throws CertificateException,
+            NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
+            SignatureException {
+        NativeCrypto.X509_verify(mContext, pkey.getPkeyContext());
+    }
+
+    private void verifyInternal(PublicKey key, String sigProvider) throws CertificateException,
+            NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
+            SignatureException {
+        String sigAlg = getSigAlgName();
+        if (sigAlg == null) {
+            sigAlg = getSigAlgOID();
+        }
+
+        final Signature sig;
+        if (sigProvider == null) {
+            sig = Signature.getInstance(sigAlg);
+        } else {
+            sig = Signature.getInstance(sigAlg, sigProvider);
+        }
+
+        sig.initVerify(key);
+        sig.update(getTBSCertificate());
+        if (!sig.verify(getSignature())) {
+            throw new SignatureException("signature did not verify");
+        }
+    }
+
+    @Override
+    public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException,
+            InvalidKeyException, NoSuchProviderException, SignatureException {
+        if (key instanceof OpenSSLKeyHolder) {
+            OpenSSLKey pkey = ((OpenSSLKeyHolder) key).getOpenSSLKey();
+            verifyOpenSSL(pkey);
+            return;
+        }
+
+        verifyInternal(key, null);
+    }
+
+    @Override
+    public void verify(PublicKey key, String sigProvider) throws CertificateException,
+            NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException,
+            SignatureException {
+        verifyInternal(key, sigProvider);
+    }
+
+    @Override
+    public String toString() {
+        ByteArrayOutputStream os = new ByteArrayOutputStream();
+        long bioCtx = NativeCrypto.create_BIO_OutputStream(os);
+        try {
+            NativeCrypto.X509_print_ex(bioCtx, mContext, 0, 0);
+            return os.toString();
+        } finally {
+            NativeCrypto.BIO_free(bioCtx);
+        }
+    }
+
+    @Override
+    public PublicKey getPublicKey() {
+        /* First try to generate the key from supported OpenSSL key types. */
+        try {
+            OpenSSLKey pkey = new OpenSSLKey(NativeCrypto.X509_get_pubkey(mContext));
+            return pkey.getPublicKey();
+        } catch (NoSuchAlgorithmException ignored) {
+        }
+
+        /* Try generating the key using other Java providers. */
+        String oid = NativeCrypto.get_X509_pubkey_oid(mContext);
+        byte[] encoded = NativeCrypto.i2d_X509_PUBKEY(mContext);
+        try {
+            KeyFactory kf = KeyFactory.getInstance(oid);
+            return kf.generatePublic(new X509EncodedKeySpec(encoded));
+        } catch (NoSuchAlgorithmException ignored) {
+        } catch (InvalidKeySpecException ignored) {
+        }
+
+        /*
+         * We couldn't find anything else, so just return a nearly-unusable
+         * X.509-encoded key.
+         */
+        return new X509PublicKey(oid, encoded, null);
+    }
+
+    @Override
+    public X500Principal getIssuerX500Principal() {
+        final byte[] issuer = NativeCrypto.X509_get_issuer_name(mContext);
+        return new X500Principal(issuer);
+    }
+
+    @Override
+    public X500Principal getSubjectX500Principal() {
+        final byte[] subject = NativeCrypto.X509_get_subject_name(mContext);
+        return new X500Principal(subject);
+    }
+
+    @Override
+    public List<String> getExtendedKeyUsage() throws CertificateParsingException {
+        String[] extUsage = NativeCrypto.get_X509_ex_xkusage(mContext);
+        if (extUsage == null) {
+            return null;
+        }
+
+        return Arrays.asList(extUsage);
+    }
+
+    private static Collection<List<?>> alternativeNameArrayToList(Object[][] altNameArray) {
+        if (altNameArray == null) {
+            return null;
+        }
+
+        Collection<List<?>> coll = new ArrayList<List<?>>(altNameArray.length);
+        for (int i = 0; i < altNameArray.length; i++) {
+            coll.add(Collections.unmodifiableList(Arrays.asList(altNameArray[i])));
+        }
+
+        return Collections.unmodifiableCollection(coll);
+    }
+
+    @Override
+    public Collection<List<?>> getSubjectAlternativeNames() throws CertificateParsingException {
+        return alternativeNameArrayToList(NativeCrypto.get_X509_GENERAL_NAME_stack(mContext,
+                NativeCrypto.GN_STACK_SUBJECT_ALT_NAME));
+    }
+
+    @Override
+    public Collection<List<?>> getIssuerAlternativeNames() throws CertificateParsingException {
+        return alternativeNameArrayToList(NativeCrypto.get_X509_GENERAL_NAME_stack(mContext,
+                NativeCrypto.GN_STACK_ISSUER_ALT_NAME));
+    }
+
+    @Override
+    public boolean equals(Object other) {
+        if (other instanceof OpenSSLX509Certificate) {
+            OpenSSLX509Certificate o = (OpenSSLX509Certificate) other;
+
+            return NativeCrypto.X509_cmp(mContext, o.mContext) == 0;
+        }
+
+        return super.equals(other);
+    }
+
+    @Override
+    public int hashCode() {
+        /* Make this faster since we might be in hash-based structures. */
+        return NativeCrypto.get_X509_hashCode(mContext);
+    }
+
+    long getContext() {
+        return mContext;
+    }
+
+    @Override
+    protected void finalize() throws Throwable {
+        try {
+            if (mContext != 0) {
+                NativeCrypto.X509_free(mContext);
+            }
+        } finally {
+            super.finalize();
+        }
+    }
+}
diff --git a/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CertificateFactory.java b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CertificateFactory.java
new file mode 100644
index 0000000..29b1d25
--- /dev/null
+++ b/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLX509CertificateFactory.java
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.harmony.xnet.provider.jsse;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PushbackInputStream;
+import java.security.cert.CRL;
+import java.security.cert.CRLException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactorySpi;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+public class OpenSSLX509CertificateFactory extends CertificateFactorySpi {
+    private static final byte[] PKCS7_MARKER = "-----BEGIN PKCS7".getBytes();
+
+    private static final int PUSHBACK_SIZE = 64;
+
+    static class ParsingException extends Exception {
+        private static final long serialVersionUID = 8390802697728301325L;
+
+        public ParsingException(String message) {
+            super(message);
+        }
+
+        public ParsingException(Exception cause) {
+            super(cause);
+        }
+
+        public ParsingException(String message, Exception cause) {
+            super(message, cause);
+        }
+    }
+
+    /**
+     * The code for X509 Certificates and CRL is pretty much the same. We use
+     * this abstract class to share the code between them. This makes it ugly,
+     * but it's already written in this language anyway.
+     */
+    private static abstract class Parser<T> {
+        public T generateItem(InputStream inStream) throws ParsingException {
+            final boolean markable = inStream.markSupported();
+            if (markable) {
+                inStream.mark(PKCS7_MARKER.length);
+            }
+
+            final PushbackInputStream pbis = new PushbackInputStream(inStream, PUSHBACK_SIZE);
+            try {
+                final byte[] buffer = new byte[PKCS7_MARKER.length];
+
+                final int len = pbis.read(buffer);
+                if (len < 0) {
+                    /* No need to reset here. The stream was empty or EOF. */
+                    throw new ParsingException("inStream is empty");
+                }
+                pbis.unread(buffer, 0, len);
+
+                if (buffer[0] == '-') {
+                    if (len == PKCS7_MARKER.length && Arrays.equals(PKCS7_MARKER, buffer)) {
+                        List<? extends T> items = fromPkcs7PemInputStream(pbis);
+                        if (items.size() == 0) {
+                            return null;
+                        }
+                        items.get(0);
+                    } else {
+                        return fromX509PemInputStream(pbis);
+                    }
+                }
+
+                /* PKCS#7 bags have a byte 0x06 at position 4 in the stream. */
+                if (buffer[4] == 0x06) {
+                    List<? extends T> certs = fromPkcs7DerInputStream(pbis);
+                    if (certs.size() == 0) {
+                        return null;
+                    }
+                    return certs.get(0);
+                } else {
+                    return fromX509DerInputStream(pbis);
+                }
+            } catch (Exception e) {
+                if (markable) {
+                    try {
+                        inStream.reset();
+                    } catch (IOException ignored) {
+                    }
+                }
+                throw new ParsingException(e);
+            }
+        }
+
+        public Collection<? extends T> generateItems(InputStream inStream)
+                throws ParsingException {
+            try {
+                if (inStream == null || inStream.available() == 0) {
+                    return Collections.emptyList();
+                }
+            } catch (IOException e) {
+                throw new ParsingException("Problem reading input stream", e);
+            }
+
+            final boolean markable = inStream.markSupported();
+            if (markable) {
+                inStream.mark(PUSHBACK_SIZE);
+            }
+
+            /* Attempt to see if this is a PKCS#7 bag. */
+            final PushbackInputStream pbis = new PushbackInputStream(inStream, PUSHBACK_SIZE);
+            try {
+                final byte[] buffer = new byte[PKCS7_MARKER.length];
+
+                final int len = pbis.read(buffer);
+                if (len < 0) {
+                    /* No need to reset here. The stream was empty or EOF. */
+                    throw new ParsingException("inStream is empty");
+                }
+                pbis.unread(buffer, 0, len);
+
+                if (len == PKCS7_MARKER.length && Arrays.equals(PKCS7_MARKER, buffer)) {
+                    return fromPkcs7PemInputStream(pbis);
+                }
+
+                /* PKCS#7 bags have a byte 0x06 at position 4 in the stream. */
+                if (buffer[4] == 0x06) {
+                    return fromPkcs7DerInputStream(pbis);
+                }
+            } catch (Exception e) {
+                if (markable) {
+                    try {
+                        inStream.reset();
+                    } catch (IOException ignored) {
+                    }
+                }
+                throw new ParsingException(e);
+            }
+
+            /*
+             * It wasn't, so just try to keep grabbing certificates until we
+             * can't anymore.
+             */
+            final List<T> coll = new ArrayList<T>();
+            T c = null;
+            do {
+                /*
+                 * If this stream supports marking, try to mark here in case
+                 * there is an error during certificate generation.
+                 */
+                if (markable) {
+                    inStream.mark(PUSHBACK_SIZE);
+                }
+
+                try {
+                    c = generateItem(pbis);
+                    coll.add(c);
+                } catch (ParsingException e) {
+                    /*
+                     * If this stream supports marking, attempt to reset it to
+                     * the mark before the failure.
+                     */
+                    if (markable) {
+                        try {
+                            inStream.reset();
+                        } catch (IOException ignored) {
+                        }
+                    }
+
+                    c = null;
+                }
+            } while (c != null);
+
+            return coll;
+        }
+
+        protected abstract T fromX509PemInputStream(InputStream pbis) throws ParsingException;
+
+        protected abstract T fromX509DerInputStream(InputStream pbis) throws ParsingException;
+
+        protected abstract List<? extends T> fromPkcs7PemInputStream(InputStream is)
+                throws ParsingException;
+
+        protected abstract List<? extends T> fromPkcs7DerInputStream(InputStream is)
+                throws ParsingException;
+    }
+
+    private Parser<OpenSSLX509Certificate> certificateParser =
+            new Parser<OpenSSLX509Certificate>() {
+                @Override
+                public OpenSSLX509Certificate fromX509PemInputStream(InputStream is)
+                        throws ParsingException {
+                    return OpenSSLX509Certificate.fromX509PemInputStream(is);
+                }
+
+                @Override
+                public OpenSSLX509Certificate fromX509DerInputStream(InputStream is)
+                        throws ParsingException {
+                    return OpenSSLX509Certificate.fromX509DerInputStream(is);
+                }
+
+                @Override
+                public List<? extends OpenSSLX509Certificate>
+                        fromPkcs7PemInputStream(InputStream is) throws ParsingException {
+                    return OpenSSLX509Certificate.fromPkcs7PemInputStream(is);
+                }
+
+                @Override
+                public List<? extends OpenSSLX509Certificate>
+                        fromPkcs7DerInputStream(InputStream is) throws ParsingException {
+                    return OpenSSLX509Certificate.fromPkcs7DerInputStream(is);
+                }
+            };
+
+    private Parser<OpenSSLX509CRL> crlParser =
+            new Parser<OpenSSLX509CRL>() {
+                @Override
+                public OpenSSLX509CRL fromX509PemInputStream(InputStream is)
+                        throws ParsingException {
+                    return OpenSSLX509CRL.fromX509PemInputStream(is);
+                }
+
+                @Override
+                public OpenSSLX509CRL fromX509DerInputStream(InputStream is)
+                        throws ParsingException {
+                    return OpenSSLX509CRL.fromX509DerInputStream(is);
+                }
+
+                @Override
+                public List<? extends OpenSSLX509CRL> fromPkcs7PemInputStream(InputStream is)
+                        throws ParsingException {
+                    return OpenSSLX509CRL.fromPkcs7PemInputStream(is);
+                }
+
+                @Override
+                public List<? extends OpenSSLX509CRL> fromPkcs7DerInputStream(InputStream is)
+                        throws ParsingException {
+                    return OpenSSLX509CRL.fromPkcs7DerInputStream(is);
+                }
+            };
+
+    @Override
+    public Certificate engineGenerateCertificate(InputStream inStream) throws CertificateException {
+        try {
+            return certificateParser.generateItem(inStream);
+        } catch (ParsingException e) {
+            throw new CertificateException(e);
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public Collection<? extends Certificate> engineGenerateCertificates(
+            InputStream inStream) throws CertificateException {
+        try {
+            return certificateParser.generateItems(inStream);
+        } catch (ParsingException e) {
+            throw new CertificateException(e);
+        }
+    }
+
+    @Override
+    public CRL engineGenerateCRL(InputStream inStream) throws CRLException {
+        try {
+            return crlParser.generateItem(inStream);
+        } catch (ParsingException e) {
+            throw new CRLException(e);
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public Collection<? extends CRL> engineGenerateCRLs(InputStream inStream) throws CRLException {
+        try {
+            return crlParser.generateItems(inStream);
+        } catch (ParsingException e) {
+            throw new CRLException(e);
+        }
+    }
+}
diff --git a/luni/src/main/native/JniConstants.cpp b/luni/src/main/native/JniConstants.cpp
index b88eba9..6b3c7bd 100644
--- a/luni/src/main/native/JniConstants.cpp
+++ b/luni/src/main/native/JniConstants.cpp
@@ -24,6 +24,7 @@
 jclass JniConstants::booleanClass;
 jclass JniConstants::byteArrayClass;
 jclass JniConstants::byteClass;
+jclass JniConstants::calendarClass;
 jclass JniConstants::charsetICUClass;
 jclass JniConstants::constructorClass;
 jclass JniConstants::deflaterClass;
@@ -44,6 +45,8 @@
 jclass JniConstants::methodClass;
 jclass JniConstants::mutableIntClass;
 jclass JniConstants::mutableLongClass;
+jclass JniConstants::objectClass;
+jclass JniConstants::objectArrayClass;
 jclass JniConstants::outputStreamClass;
 jclass JniConstants::parsePositionClass;
 jclass JniConstants::patternSyntaxExceptionClass;
@@ -78,6 +81,7 @@
     booleanClass = findClass(env, "java/lang/Boolean");
     byteClass = findClass(env, "java/lang/Byte");
     byteArrayClass = findClass(env, "[B");
+    calendarClass = findClass(env, "java/util/Calendar");
     charsetICUClass = findClass(env, "java/nio/charset/CharsetICU");
     constructorClass = findClass(env, "java/lang/reflect/Constructor");
     deflaterClass = findClass(env, "java/util/zip/Deflater");
@@ -98,6 +102,8 @@
     methodClass = findClass(env, "java/lang/reflect/Method");
     mutableIntClass = findClass(env, "libcore/util/MutableInt");
     mutableLongClass = findClass(env, "libcore/util/MutableLong");
+    objectClass = findClass(env, "java/lang/Object");
+    objectArrayClass = findClass(env, "[Ljava/lang/Object;");
     outputStreamClass = findClass(env, "java/io/OutputStream");
     parsePositionClass = findClass(env, "java/text/ParsePosition");
     patternSyntaxExceptionClass = findClass(env, "java/util/regex/PatternSyntaxException");
diff --git a/luni/src/main/native/JniConstants.h b/luni/src/main/native/JniConstants.h
index bb5aebb..414cef8 100644
--- a/luni/src/main/native/JniConstants.h
+++ b/luni/src/main/native/JniConstants.h
@@ -45,6 +45,7 @@
     static jclass booleanClass;
     static jclass byteArrayClass;
     static jclass byteClass;
+    static jclass calendarClass;
     static jclass charsetICUClass;
     static jclass constructorClass;
     static jclass deflaterClass;
@@ -65,6 +66,8 @@
     static jclass methodClass;
     static jclass mutableIntClass;
     static jclass mutableLongClass;
+    static jclass objectClass;
+    static jclass objectArrayClass;
     static jclass outputStreamClass;
     static jclass parsePositionClass;
     static jclass patternSyntaxExceptionClass;
diff --git a/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp b/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
index 1b68077..ec962d8 100644
--- a/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
+++ b/luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
@@ -36,6 +36,7 @@
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/ssl.h>
+#include <openssl/x509v3.h>
 
 #include "AsynchronousSocketCloseMonitor.h"
 #include "JNIHelp.h"
@@ -68,7 +69,9 @@
 static JavaVM* gJavaVM;
 static jclass openSslOutputStreamClass;
 
+static jmethodID calendar_setMethod;
 static jmethodID inputStream_readMethod;
+static jmethodID integer_valueOfMethod;
 static jmethodID openSslInputStream_readLineMethod;
 static jmethodID outputStream_writeMethod;
 static jmethodID outputStream_flushMethod;
@@ -87,6 +90,13 @@
 };
 typedef UniquePtr<BIGNUM, BIGNUM_Delete> Unique_BIGNUM;
 
+struct ASN1_INTEGER_Delete {
+    void operator()(ASN1_INTEGER* p) const {
+        ASN1_INTEGER_free(p);
+    }
+};
+typedef UniquePtr<ASN1_INTEGER, ASN1_INTEGER_Delete> Unique_ASN1_INTEGER;
+
 struct DH_Delete {
     void operator()(DH* p) const {
         DH_free(p);
@@ -157,6 +167,13 @@
 };
 typedef UniquePtr<RSA, RSA_Delete> Unique_RSA;
 
+struct ASN1_BIT_STRING_Delete {
+    void operator()(ASN1_BIT_STRING* p) const {
+        ASN1_BIT_STRING_free(p);
+    }
+};
+typedef UniquePtr<ASN1_BIT_STRING, ASN1_BIT_STRING_Delete> Unique_ASN1_BIT_STRING;
+
 struct ASN1_OBJECT_Delete {
     void operator()(ASN1_OBJECT* p) const {
         ASN1_OBJECT_free(p);
@@ -164,6 +181,13 @@
 };
 typedef UniquePtr<ASN1_OBJECT, ASN1_OBJECT_Delete> Unique_ASN1_OBJECT;
 
+struct ASN1_GENERALIZEDTIME_Delete {
+    void operator()(ASN1_GENERALIZEDTIME* p) const {
+        ASN1_GENERALIZEDTIME_free(p);
+    }
+};
+typedef UniquePtr<ASN1_GENERALIZEDTIME, ASN1_GENERALIZEDTIME_Delete> Unique_ASN1_GENERALIZEDTIME;
+
 struct SSL_Delete {
     void operator()(SSL* p) const {
         SSL_free(p);
@@ -221,6 +245,13 @@
 };
 typedef UniquePtr<X509_NAME, X509_NAME_Delete> Unique_X509_NAME;
 
+struct PKCS7_Delete {
+    void operator()(PKCS7* p) const {
+        PKCS7_free(p);
+    }
+};
+typedef UniquePtr<PKCS7, PKCS7_Delete> Unique_PKCS7;
+
 struct sk_SSL_CIPHER_Delete {
     void operator()(STACK_OF(SSL_CIPHER)* p) const {
         sk_SSL_CIPHER_free(p);
@@ -242,6 +273,20 @@
 };
 typedef UniquePtr<STACK_OF(X509_NAME), sk_X509_NAME_Delete> Unique_sk_X509_NAME;
 
+struct sk_ASN1_OBJECT_Delete {
+    void operator()(STACK_OF(ASN1_OBJECT)* p) const {
+        sk_ASN1_OBJECT_free(p);
+    }
+};
+typedef UniquePtr<STACK_OF(ASN1_OBJECT), sk_ASN1_OBJECT_Delete> Unique_sk_ASN1_OBJECT;
+
+struct sk_GENERAL_NAME_Delete {
+    void operator()(STACK_OF(GENERAL_NAME)* p) const {
+        sk_GENERAL_NAME_free(p);
+    }
+};
+typedef UniquePtr<STACK_OF(GENERAL_NAME), sk_GENERAL_NAME_Delete> Unique_sk_GENERAL_NAME;
+
 /**
  * Many OpenSSL APIs take ownership of an argument on success but don't free the argument
  * on failure. This means we need to tell our scoped pointers when we've transferred ownership,
@@ -280,6 +325,14 @@
 }
 
 /**
+ * Throws a InvalidKeyException with the given string as a message.
+ */
+static void throwInvalidKeyException(JNIEnv* env, const char* message) {
+    JNI_TRACE("throwInvalidKeyException %s", message);
+    jniThrowException(env, "java/security/InvalidKeyException", message);
+}
+
+/**
  * Throws a SignatureException with the given string as a message.
  */
 static void throwIllegalBlockSizeException(JNIEnv* env, const char* message) {
@@ -287,6 +340,14 @@
     jniThrowException(env, "javax/crypto/IllegalBlockSizeException", message);
 }
 
+/**
+ * Throws a NoSuchAlgorithmException with the given string as a message.
+ */
+static void throwNoSuchAlgorithmException(JNIEnv* env, const char* message) {
+    JNI_TRACE("throwUnknownAlgorithmException %s", message);
+    jniThrowException(env, "java/security/NoSuchAlgorithmException", message);
+}
+
 /*
  * Checks this thread's OpenSSL error queue and throws a RuntimeException if
  * necessary.
@@ -315,10 +376,18 @@
             throwBadPaddingException(env, message);
         } else if (library == ERR_LIB_RSA && reason == RSA_R_DATA_GREATER_THAN_MOD_LEN) {
             throwSignatureException(env, message);
+        } else if (library == ERR_LIB_RSA && reason == RSA_R_WRONG_SIGNATURE_LENGTH) {
+            throwSignatureException(env, message);
+        } else if (library == ERR_LIB_DSA && reason == DSA_R_PARAMETER_ENCODING_ERROR) {
+            throwInvalidKeyException(env, message);
+        } else if (library == ERR_LIB_ASN1 && reason == ASN1_R_WRONG_PUBLIC_KEY_TYPE) {
+            throwInvalidKeyException(env, message);
         } else if (library == ERR_LIB_EVP && reason == EVP_R_BAD_DECRYPT) {
             throwBadPaddingException(env, message);
         } else if (library == ERR_LIB_EVP && reason == EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH) {
             throwIllegalBlockSizeException(env, message);
+        } else if (library == ERR_LIB_X509 && reason == X509_R_UNSUPPORTED_ALGORITHM) {
+            throwNoSuchAlgorithmException(env, message);
         } else {
             jniThrowRuntimeException(env, message);
         }
@@ -585,8 +654,14 @@
  * inside. The "i2d_func" function pointer is a function of the "i2d_<TYPE>"
  * from the OpenSSL ASN.1 API.
  */
-template<typename T>
-jbyteArray ASN1ToByteArray(JNIEnv* env, T* obj, int (*i2d_func)(T*, unsigned char**)) {
+template<typename T, int (*i2d_func)(T*, unsigned char**)>
+jbyteArray ASN1ToByteArray(JNIEnv* env, T* obj) {
+    if (obj == NULL) {
+        jniThrowNullPointerException(env, "ASN1 input == null");
+        JNI_TRACE("ASN1ToByteArray(%p) => null input", obj);
+        return NULL;
+    }
+
     int derLen = i2d_func(obj, NULL);
     if (derLen < 0) {
         throwExceptionIfNecessary(env, "ASN1ToByteArray");
@@ -619,6 +694,28 @@
 }
 
 /**
+ * Converts ASN.1 BIT STRING to a jbooleanArray.
+ */
+jbooleanArray ASN1BitStringToBooleanArray(JNIEnv* env, ASN1_BIT_STRING* bitStr) {
+    int size = bitStr->length * 8;
+    if (bitStr->flags & ASN1_STRING_FLAG_BITS_LEFT) {
+        size -= bitStr->flags & 0x07;
+    }
+
+    ScopedLocalRef<jbooleanArray> bitsRef(env, env->NewBooleanArray(size));
+    if (bitsRef.get() == NULL) {
+        return NULL;
+    }
+
+    ScopedBooleanArrayRW bitsArray(env, bitsRef.get());
+    for (int i = 0; i < static_cast<int>(bitsArray.size()); i++) {
+        bitsArray[i] = ASN1_BIT_STRING_get_bit(bitStr, i);
+    }
+
+    return bitsRef.release();
+}
+
+/**
  * BIO for InputStream
  */
 class BIO_Stream {
@@ -689,6 +786,10 @@
     }
 
     int gets(char *buf, int len) {
+        if (len > PEM_LINE_LENGTH) {
+            len = PEM_LINE_LENGTH;
+        }
+
         int read = read_internal(buf, len - 1, openSslInputStream_readLineMethod);
         buf[read] = '\0';
         JNI_TRACE("BIO::gets \"%s\"", buf);
@@ -725,6 +826,10 @@
 
         return read;
     }
+
+public:
+    /** Length of PEM-encoded line (64) plus CR plus NULL */
+    static const int PEM_LINE_LENGTH = 66;
 };
 
 class BIO_OutputStream : public BIO_Stream {
@@ -1471,7 +1576,7 @@
         return NULL;
     }
 
-    return ASN1ToByteArray<PKCS8_PRIV_KEY_INFO>(env, pkcs8.get(), i2d_PKCS8_PRIV_KEY_INFO);
+    return ASN1ToByteArray<PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO>(env, pkcs8.get());
 }
 
 /*
@@ -1511,13 +1616,7 @@
 static jbyteArray NativeCrypto_i2d_PUBKEY(JNIEnv* env, jclass, jlong pkeyRef) {
     EVP_PKEY* pkey = reinterpret_cast<EVP_PKEY*>(pkeyRef);
     JNI_TRACE("i2d_PUBKEY(%p)", pkey);
-
-    if (pkey == NULL) {
-        jniThrowNullPointerException(env, NULL);
-        return NULL;
-    }
-
-    return ASN1ToByteArray<EVP_PKEY>(env, pkey, i2d_PUBKEY);
+    return ASN1ToByteArray<EVP_PKEY, i2d_PUBKEY>(env, pkey);
 }
 
 /*
@@ -2072,7 +2171,7 @@
 
     int nid = EC_GROUP_get_curve_name(group);
     if (nid == NID_undef) {
-        JNI_TRACE("EC_GROUP_get_curve_name(%p) => unnamed curve", group, nid);
+        JNI_TRACE("EC_GROUP_get_curve_name(%p) => unnamed curve", group);
         return NULL;
     }
 
@@ -3398,45 +3497,23 @@
     return env->NewStringUTF(longName);
 }
 
-static jstring NativeCrypto_OBJ_txt2nid_oid(JNIEnv* env, jclass, jstring oidStr) {
-    JNI_TRACE("OBJ_txt2nid_oid(%p)", oidStr);
-
-    ScopedUtfChars oid(env, oidStr);
-    if (oid.c_str() == NULL) {
-        return NULL;
-    }
-
-    JNI_TRACE("OBJ_txt2nid_oid(%s)", oid.c_str());
-
-    int nid = OBJ_txt2nid(oid.c_str());
-    if (nid == NID_undef) {
-        JNI_TRACE("OBJ_txt2nid_oid(%s) => NID_undef", oid.c_str());
-        freeOpenSslErrorState();
-        return NULL;
-    }
-
-    Unique_ASN1_OBJECT obj(OBJ_nid2obj(nid));
-    if (obj.get() == NULL) {
-        throwExceptionIfNecessary(env, "OBJ_nid2obj");
-        return NULL;
-    }
-
+static jstring ASN1_OBJECT_to_OID_string(JNIEnv* env, ASN1_OBJECT* obj) {
     /*
      * The OBJ_obj2txt API doesn't "measure" if you pass in NULL as the buffer.
      * Just make a buffer that's large enough here. The documentation recommends
      * 80 characters.
      */
     char output[128];
-    int ret = OBJ_obj2txt(output, sizeof(output), obj.get(), 1);
+    int ret = OBJ_obj2txt(output, sizeof(output), obj, 1);
     if (ret < 0) {
-        throwExceptionIfNecessary(env, "OBJ_obj2txt");
+        throwExceptionIfNecessary(env, "ASN1_OBJECT_to_OID_string");
         return NULL;
     } else if (size_t(ret) >= sizeof(output)) {
-        jniThrowRuntimeException(env, "OBJ_obj2txt buffer too small");
+        jniThrowRuntimeException(env, "ASN1_OBJECT_to_OID_string buffer too small");
         return NULL;
     }
 
-    JNI_TRACE("OBJ_txt2nid_oid(%s) => %s", oid.c_str(), output);
+    JNI_TRACE("ASN1_OBJECT_to_OID_string(%p) => %s", obj, output);
     return env->NewStringUTF(output);
 }
 
@@ -3561,6 +3638,1358 @@
     BIO_free(bio);
 }
 
+static jstring X509_NAME_to_jstring(JNIEnv* env, X509_NAME* name, unsigned long flags) {
+    JNI_TRACE("X509_NAME_to_jstring(%p)", name);
+
+    Unique_BIO buffer(BIO_new(BIO_s_mem()));
+    if (buffer.get() == NULL) {
+        jniThrowOutOfMemoryError(env, "Unable to allocate BIO");
+        JNI_TRACE("X509_NAME_to_jstring(%p) => threw error", name);
+        return NULL;
+    }
+
+    /* Don't interpret the string. */
+    flags &= ~(ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_ESC_MSB);
+
+    /* Write in given format and null terminate. */
+    X509_NAME_print_ex(buffer.get(), name, 0, flags);
+    BIO_write(buffer.get(), "\0", 1);
+
+    char *tmp;
+    BIO_get_mem_data(buffer.get(), &tmp);
+    JNI_TRACE("X509_NAME_to_jstring(%p) => \"%s\"", name, tmp);
+    return env->NewStringUTF(tmp);
+}
+
+
+/**
+ * Converts GENERAL_NAME items to the output format expected in
+ * X509Certificate#getSubjectAlternativeNames and
+ * X509Certificate#getIssuerAlternativeNames return.
+ */
+static jobject GENERAL_NAME_to_jobject(JNIEnv* env, GENERAL_NAME* gen) {
+    switch (gen->type) {
+    case GEN_EMAIL:
+    case GEN_DNS:
+    case GEN_URI:
+        return env->NewStringUTF(reinterpret_cast<char*>(ASN1_STRING_data(gen->d.ia5)));
+    case GEN_DIRNAME:
+        /* Write in RFC 2253 format */
+        return X509_NAME_to_jstring(env, gen->d.directoryName, XN_FLAG_RFC2253);
+    case GEN_IPADD: {
+        const void *ip = reinterpret_cast<const void *>(gen->d.ip->data);
+        if (gen->d.ip->length == 4) {
+            // IPv4
+            UniquePtr<char[]> buffer(new char[INET_ADDRSTRLEN]);
+            if (inet_ntop(AF_INET, ip, buffer.get(), INET_ADDRSTRLEN) != NULL) {
+                JNI_TRACE("GENERAL_NAME_to_jobject(%p) => IPv4 %s", gen, buffer.get());
+                return env->NewStringUTF(buffer.get());
+            } else {
+                JNI_TRACE("GENERAL_NAME_to_jobject(%p) => IPv4 failed %s", gen, strerror(errno));
+            }
+        } else if (gen->d.ip->length == 16) {
+            // IPv6
+            UniquePtr<char[]> buffer(new char[INET6_ADDRSTRLEN]);
+            if (inet_ntop(AF_INET6, ip, buffer.get(), INET6_ADDRSTRLEN) != NULL) {
+                JNI_TRACE("GENERAL_NAME_to_jobject(%p) => IPv6 %s", gen, buffer.get());
+                return env->NewStringUTF(buffer.get());
+            } else {
+                JNI_TRACE("GENERAL_NAME_to_jobject(%p) => IPv6 failed %s", gen, strerror(errno));
+            }
+        }
+        break;
+    }
+    case GEN_RID:
+        return ASN1_OBJECT_to_OID_string(env, gen->d.registeredID);
+    case GEN_OTHERNAME:
+    case GEN_X400:
+    default:
+        return ASN1ToByteArray<GENERAL_NAME, i2d_GENERAL_NAME>(env, gen);
+    }
+
+    return NULL;
+}
+
+#define GN_STACK_SUBJECT_ALT_NAME 1
+#define GN_STACK_ISSUER_ALT_NAME 2
+
+static jobjectArray NativeCrypto_get_X509_GENERAL_NAME_stack(JNIEnv* env, jclass, jlong x509Ref,
+        jint type) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_GENERAL_NAME_stack(%p, %d)", x509, type);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_GENERAL_NAME_stack(%p, %d) => x509 == null", x509, type);
+        return NULL;
+    }
+
+    X509_check_ca(x509);
+
+    STACK_OF(GENERAL_NAME)* gn_stack;
+    Unique_sk_GENERAL_NAME stackHolder;
+    if (type == GN_STACK_SUBJECT_ALT_NAME) {
+        gn_stack = x509->altname;
+    } else if (type == GN_STACK_ISSUER_ALT_NAME) {
+        stackHolder.reset(
+                static_cast<STACK_OF(GENERAL_NAME)*>(X509_get_ext_d2i(x509, NID_issuer_alt_name,
+                        NULL, NULL)));
+        gn_stack = stackHolder.get();
+    } else {
+        JNI_TRACE("get_X509_GENERAL_NAME_stack(%p, %d) => unknown type", x509, type);
+        return NULL;
+    }
+
+    int count = sk_GENERAL_NAME_num(gn_stack);
+    if (count <= 0) {
+        JNI_TRACE("get_X509_GENERAL_NAME_stack(%p, %d) => null (no entries)", x509, type);
+        return NULL;
+    }
+
+    /*
+     * Keep track of how many originally so we can ignore any invalid
+     * values later.
+     */
+    const int origCount = count;
+
+    ScopedLocalRef<jobjectArray> joa(env, env->NewObjectArray(count,
+            JniConstants::objectArrayClass, NULL));
+    for (int i = 0, j = 0; i < origCount; i++, j++) {
+        GENERAL_NAME* gen = sk_GENERAL_NAME_value(gn_stack, i);
+        ScopedLocalRef<jobject> val(env, GENERAL_NAME_to_jobject(env, gen));
+
+        /*
+         * If it's NULL, we'll have to skip this, reduce the number of total
+         * entries, and fix up the array later.
+         */
+        if (val.get() == NULL) {
+            j--;
+            count--;
+            continue;
+        }
+
+        ScopedLocalRef<jobjectArray> item(env, env->NewObjectArray(2, JniConstants::objectClass,
+                NULL));
+
+        ScopedLocalRef<jobject> type(env, env->CallStaticObjectMethod(JniConstants::integerClass,
+                integer_valueOfMethod, gen->type));
+        env->SetObjectArrayElement(item.get(), 0, type.get());
+        env->SetObjectArrayElement(item.get(), 1, val.get());
+
+        env->SetObjectArrayElement(joa.get(), j, item.get());
+    }
+
+    if (count == 0) {
+        JNI_TRACE("get_X509_GENERAL_NAME_stack(%p, %d) shrunk from %d to 0; returning NULL",
+                x509, type, origCount);
+        joa.reset(NULL);
+    } else if (origCount != count) {
+        JNI_TRACE("get_X509_GENERAL_NAME_stack(%p, %d) shrunk from %d to %d", x509, type,
+                origCount, count);
+
+        ScopedLocalRef<jobjectArray> joa_copy(env, env->NewObjectArray(count,
+                JniConstants::objectArrayClass, NULL));
+
+        for (int i = 0; i < count; i++) {
+            ScopedLocalRef<jobject> item(env, env->GetObjectArrayElement(joa.get(), i));
+            env->SetObjectArrayElement(joa_copy.get(), i, item.get());
+        }
+
+        joa.reset(joa_copy.release());
+    }
+
+    JNI_TRACE("get_X509_GENERAL_NAME_stack(%p, %d) => %d entries", x509, type, count);
+    return joa.release();
+}
+
+static jlong NativeCrypto_X509_get_notBefore(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_get_notBefore(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("X509_get_notBefore(%p) => x509 == null", x509);
+        return 0;
+    }
+
+    ASN1_TIME* notBefore = X509_get_notBefore(x509);
+    JNI_TRACE("X509_get_notBefore(%p) => %p", x509, notBefore);
+    return reinterpret_cast<uintptr_t>(notBefore);
+}
+
+static jlong NativeCrypto_X509_get_notAfter(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_get_notAfter(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("X509_get_notAfter(%p) => x509 == null", x509);
+        return 0;
+    }
+
+    ASN1_TIME* notAfter = X509_get_notAfter(x509);
+    JNI_TRACE("X509_get_notAfter(%p) => %p", x509, notAfter);
+    return reinterpret_cast<uintptr_t>(notAfter);
+}
+
+static long NativeCrypto_X509_get_version(JNIEnv*, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_get_version(%p)", x509);
+
+    long version = X509_get_version(x509);
+    JNI_TRACE("X509_get_version(%p) => %ld", x509, version);
+    return version;
+}
+
+template<typename T>
+static jbyteArray get_X509Type_serialNumber(JNIEnv* env, T* x509Type, ASN1_INTEGER* (*get_serial_func)(T*)) {
+    JNI_TRACE("get_X509Type_serialNumber(%p)", x509Type);
+
+    if (x509Type == NULL) {
+        jniThrowNullPointerException(env, "x509Type == null");
+        JNI_TRACE("get_X509Type_serialNumber(%p) => x509Type == null", x509Type);
+        return NULL;
+    }
+
+    ASN1_INTEGER* serialNumber = get_serial_func(x509Type);
+    Unique_BIGNUM serialBn(ASN1_INTEGER_to_BN(serialNumber, NULL));
+    if (serialBn.get() == NULL) {
+        JNI_TRACE("X509_get_serialNumber(%p) => threw exception", x509Type);
+        return NULL;
+    }
+
+    ScopedLocalRef<jbyteArray> serialArray(env, bignumToArray(env, serialBn.get(), "serialBn"));
+    if (env->ExceptionCheck()) {
+        JNI_TRACE("X509_get_serialNumber(%p) => threw exception", x509Type);
+        return NULL;
+    }
+
+    JNI_TRACE("X509_get_serialNumber(%p) => %p", x509Type, serialArray.get());
+    return serialArray.release();
+}
+
+/* OpenSSL includes set_serialNumber but not get. */
+#if !defined(X509_REVOKED_get_serialNumber)
+static ASN1_INTEGER* X509_REVOKED_get_serialNumber(X509_REVOKED* x) {
+    return x->serialNumber;
+}
+#endif
+
+static jbyteArray NativeCrypto_X509_get_serialNumber(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_get_serialNumber(%p)", x509);
+    return get_X509Type_serialNumber<X509>(env, x509, X509_get_serialNumber);
+}
+
+static jbyteArray NativeCrypto_X509_REVOKED_get_serialNumber(JNIEnv* env, jclass, jlong x509RevokedRef) {
+    X509_REVOKED* revoked = reinterpret_cast<X509_REVOKED*>(static_cast<uintptr_t>(x509RevokedRef));
+    JNI_TRACE("X509_REVOKED_get_serialNumber(%p)", revoked);
+    return get_X509Type_serialNumber<X509_REVOKED>(env, revoked, X509_REVOKED_get_serialNumber);
+}
+
+static void NativeCrypto_X509_verify(JNIEnv* env, jclass, jlong x509Ref, jlong pkeyRef) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    EVP_PKEY* pkey = reinterpret_cast<EVP_PKEY*>(pkeyRef);
+    JNI_TRACE("X509_verify(%p, %p)", x509, pkey);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("X509_verify(%p, %p) => x509 == null", x509, pkey);
+        return;
+    }
+
+    if (pkey == NULL) {
+        jniThrowNullPointerException(env, "pkey == null");
+        JNI_TRACE("X509_verify(%p, %p) => pkey == null", x509, pkey);
+        return;
+    }
+
+    if (X509_verify(x509, pkey) != 1) {
+        throwExceptionIfNecessary(env, "X509_verify");
+        JNI_TRACE("X509_verify(%p, %p) => verify failure", x509, pkey);
+    } else {
+        JNI_TRACE("X509_verify(%p, %p) => verify success", x509, pkey);
+    }
+}
+
+static jbyteArray NativeCrypto_get_X509_cert_info_enc(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_cert_info_enc(%p)", x509);
+    return ASN1ToByteArray<X509_CINF, i2d_X509_CINF>(env, x509->cert_info);
+}
+
+static jint NativeCrypto_get_X509_ex_flags(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_ex_flags(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_ex_flags(%p) => x509 == null", x509);
+        return 0;
+    }
+
+    X509_check_ca(x509);
+
+    return x509->ex_flags;
+}
+
+static void get_X509_signature(X509 *x509, ASN1_BIT_STRING** signature) {
+    *signature = x509->signature;
+}
+
+static void get_X509_CRL_signature(X509_CRL *crl, ASN1_BIT_STRING** signature) {
+    *signature = crl->signature;
+}
+
+template<typename T>
+static jbyteArray get_X509Type_signature(JNIEnv* env, T* x509Type, void (*get_signature_func)(T*, ASN1_BIT_STRING**)) {
+    JNI_TRACE("get_X509Type_signature(%p)", x509Type);
+
+    if (x509Type == NULL) {
+        jniThrowNullPointerException(env, "x509Type == null");
+        JNI_TRACE("get_X509Type_signature(%p) => x509Type == null", x509Type);
+        return NULL;
+    }
+
+    ASN1_BIT_STRING* signature;
+    get_signature_func(x509Type, &signature);
+
+    ScopedLocalRef<jbyteArray> signatureArray(env, env->NewByteArray(signature->length));
+    if (env->ExceptionCheck()) {
+        JNI_TRACE("get_X509Type_signature(%p) => threw exception", x509Type);
+        return NULL;
+    }
+
+    ScopedByteArrayRW signatureBytes(env, signatureArray.get());
+    if (signatureBytes.get() == NULL) {
+        JNI_TRACE("get_X509Type_signature(%p) => using byte array failed", x509Type);
+        return NULL;
+    }
+
+    memcpy(signatureBytes.get(), signature->data, signature->length);
+
+    JNI_TRACE("get_X509Type_signature(%p) => %p (%d bytes)", x509Type, signatureArray.get(),
+            signature->length);
+    return signatureArray.release();
+}
+
+static jbyteArray NativeCrypto_get_X509_signature(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_signature(%p)", x509);
+    return get_X509Type_signature<X509>(env, x509, get_X509_signature);
+}
+
+static jbyteArray NativeCrypto_get_X509_CRL_signature(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("get_X509_CRL_signature(%p)", crl);
+    return get_X509Type_signature<X509_CRL>(env, crl, get_X509_CRL_signature);
+}
+
+static jlong NativeCrypto_X509_CRL_get0_by_cert(JNIEnv* env, jclass, jlong x509crlRef, jlong x509Ref) {
+    X509_CRL* x509crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509crlRef));
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_CRL_get0_by_cert(%p, %p)", x509crl, x509);
+
+    if (x509crl == NULL) {
+        jniThrowNullPointerException(env, "x509crl == null");
+        JNI_TRACE("X509_CRL_get0_by_cert(%p, %p) => x509crl == null", x509crl, x509);
+        return 0;
+    } else if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("X509_CRL_get0_by_cert(%p, %p) => x509 == null", x509crl, x509);
+        return 0;
+    }
+
+    X509_REVOKED* revoked = NULL;
+    int ret = X509_CRL_get0_by_cert(x509crl, &revoked, x509);
+    if (ret == 0) {
+        JNI_TRACE("X509_CRL_get0_by_cert(%p, %p) => none", x509crl, x509);
+        return 0;
+    }
+
+    JNI_TRACE("X509_CRL_get0_by_cert(%p, %p) => %p", x509crl, x509, revoked);
+    return reinterpret_cast<uintptr_t>(revoked);
+}
+
+static jlong NativeCrypto_X509_CRL_get0_by_serial(JNIEnv* env, jclass, jlong x509crlRef, jbyteArray serialArray) {
+    X509_CRL* x509crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509crlRef));
+    JNI_TRACE("X509_CRL_get0_by_serial(%p, %p)", x509crl, serialArray);
+
+    if (x509crl == NULL) {
+        jniThrowNullPointerException(env, "x509crl == null");
+        JNI_TRACE("X509_CRL_get0_by_serial(%p, %p) => crl == null", x509crl, serialArray);
+        return 0;
+    }
+
+    Unique_BIGNUM serialBn(BN_new());
+    if (serialBn.get() == NULL) {
+        JNI_TRACE("X509_CRL_get0_by_serial(%p, %p) => BN allocation failed", x509crl, serialArray);
+        return 0;
+    }
+
+    BIGNUM* serialBare = serialBn.get();
+    if (!arrayToBignum(env, serialArray, &serialBare)) {
+        if (!env->ExceptionCheck()) {
+            jniThrowNullPointerException(env, "serial == null");
+        }
+        JNI_TRACE("X509_CRL_get0_by_serial(%p, %p) => BN conversion failed", x509crl, serialArray);
+        return 0;
+    }
+
+    Unique_ASN1_INTEGER serialInteger(BN_to_ASN1_INTEGER(serialBn.get(), NULL));
+    if (serialInteger.get() == NULL) {
+        JNI_TRACE("X509_CRL_get0_by_serial(%p, %p) => BN conversion failed", x509crl, serialArray);
+        return 0;
+    }
+
+    X509_REVOKED* revoked = NULL;
+    int ret = X509_CRL_get0_by_serial(x509crl, &revoked, serialInteger.get());
+    if (ret == 0) {
+        JNI_TRACE("X509_CRL_get0_by_serial(%p, %p) => none", x509crl, serialArray);
+        return 0;
+    }
+
+    JNI_TRACE("X509_CRL_get0_by_cert(%p, %p) => %p", x509crl, serialArray, revoked);
+    return reinterpret_cast<uintptr_t>(revoked);
+}
+
+
+/* This appears to be missing from OpenSSL. */
+#if !defined(X509_REVOKED_dup)
+X509_REVOKED* X509_REVOKED_dup(X509_REVOKED* x) {
+    return reinterpret_cast<X509_REVOKED*>(ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), x));
+}
+#endif
+
+static jlongArray NativeCrypto_X509_CRL_get_REVOKED(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_get_REVOKED(%p)", crl);
+
+    if (crl == NULL) {
+        jniThrowNullPointerException(env, "crl == null");
+        return NULL;
+    }
+
+    STACK_OF(X509_REVOKED)* stack = X509_CRL_get_REVOKED(crl);
+    if (stack == NULL) {
+        JNI_TRACE("X509_CRL_get_REVOKED(%p) => stack is null", crl);
+        return NULL;
+    }
+
+    size_t size = sk_X509_REVOKED_num(stack);
+
+    ScopedLocalRef<jlongArray> revokedArray(env, env->NewLongArray(size));
+    ScopedLongArrayRW revoked(env, revokedArray.get());
+    for (size_t i = 0; i < size; i++) {
+        X509_REVOKED* item = reinterpret_cast<X509_REVOKED*>(sk_X509_REVOKED_value(stack, i));
+        revoked[i] = reinterpret_cast<uintptr_t>(X509_REVOKED_dup(item));
+    }
+
+    JNI_TRACE("X509_CRL_get_REVOKED(%p) => %p [size=%d]", stack, revokedArray.get(), size);
+    return revokedArray.release();
+}
+
+static jbyteArray NativeCrypto_i2d_X509_CRL(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("i2d_X509_CRL(%p)", crl);
+    return ASN1ToByteArray<X509_CRL, i2d_X509_CRL>(env, crl);
+}
+
+static void NativeCrypto_X509_CRL_free(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_free(%p)", crl);
+
+    if (crl == NULL) {
+        jniThrowNullPointerException(env, "crl == null");
+        JNI_TRACE("X509_CRL_free(%p) => crl == null", crl);
+        return;
+    }
+
+    X509_CRL_free(crl);
+}
+
+static void NativeCrypto_X509_CRL_print(JNIEnv* env, jclass, jlong bioRef, jlong x509CrlRef) {
+    BIO* bio = reinterpret_cast<BIO*>(static_cast<uintptr_t>(bioRef));
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_print(%p, %p)", bio, crl);
+
+    if (bio == NULL) {
+        jniThrowNullPointerException(env, "bio == null");
+        JNI_TRACE("X509_CRL_print(%p, %p) => bio == null", bio, crl);
+        return;
+    }
+
+    if (crl == NULL) {
+        jniThrowNullPointerException(env, "crl == null");
+        JNI_TRACE("X509_CRL_print(%p, %p) => crl == null", bio, crl);
+        return;
+    }
+
+    X509_CRL_print(bio, crl);
+    JNI_TRACE("X509_CRL_print(%p, %p) => success", bio, crl);
+}
+
+static jstring NativeCrypto_get_X509_CRL_sig_alg_oid(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("get_X509_CRL_sig_alg_oid(%p)", crl);
+
+    if (crl == NULL || crl->sig_alg == NULL) {
+        jniThrowNullPointerException(env, "crl == NULL || crl->sig_alg == NULL");
+        JNI_TRACE("get_X509_CRL_sig_alg_oid(%p) => crl == NULL", crl);
+        return NULL;
+    }
+
+    return ASN1_OBJECT_to_OID_string(env, crl->sig_alg->algorithm);
+}
+
+static jbyteArray NativeCrypto_get_X509_CRL_sig_alg_parameter(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("get_X509_CRL_sig_alg_parameter(%p)", crl);
+
+    if (crl == NULL) {
+        jniThrowNullPointerException(env, "crl == null");
+        JNI_TRACE("get_X509_CRL_sig_alg_parameter(%p) => crl == null", crl);
+        return NULL;
+    }
+
+    if (crl->sig_alg->parameter == NULL) {
+        JNI_TRACE("get_X509_CRL_sig_alg_parameter(%p) => null", crl);
+        return NULL;
+    }
+
+    return ASN1ToByteArray<ASN1_TYPE, i2d_ASN1_TYPE>(env, crl->sig_alg->parameter);
+}
+
+static jbyteArray NativeCrypto_X509_CRL_get_issuer_name(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_get_issuer_name(%p)", crl);
+    return ASN1ToByteArray<X509_NAME, i2d_X509_NAME>(env, X509_CRL_get_issuer(crl));
+}
+
+static long NativeCrypto_X509_CRL_get_version(JNIEnv*, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_get_version(%p)", crl);
+
+    long version = X509_CRL_get_version(crl);
+    JNI_TRACE("X509_CRL_get_version(%p) => %ld", crl, version);
+    return version;
+}
+
+template<typename T, int (*get_ext_by_OBJ_func)(T*, ASN1_OBJECT*, int),
+        X509_EXTENSION* (*get_ext_func)(T*, int)>
+static X509_EXTENSION *X509Type_get_ext(JNIEnv* env, T* x509Type, jstring oidString) {
+    JNI_TRACE("X509Type_get_ext(%p)", x509Type);
+
+    if (x509Type == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        return NULL;
+    }
+
+    ScopedUtfChars oid(env, oidString);
+    if (oid.c_str() == NULL) {
+        return NULL;
+    }
+
+    Unique_ASN1_OBJECT asn1(OBJ_txt2obj(oid.c_str(), 1));
+    if (asn1.get() == NULL) {
+        JNI_TRACE("X509Type_get_ext(%p, %s) => oid conversion failed", x509Type, oid.c_str());
+        freeOpenSslErrorState();
+        return NULL;
+    }
+
+    int extIndex = get_ext_by_OBJ_func(x509Type, asn1.get(), -1);
+    if (extIndex == -1) {
+        JNI_TRACE("X509Type_get_ext(%p, %s) => ext not found", x509Type, oid.c_str());
+        return NULL;
+    }
+
+    X509_EXTENSION* ext = get_ext_func(x509Type, extIndex);
+    JNI_TRACE("X509Type_get_ext(%p, %s) => %p", x509Type, oid.c_str(), ext);
+    return ext;
+}
+
+template<typename T, int (*get_ext_by_OBJ_func)(T*, ASN1_OBJECT*, int),
+        X509_EXTENSION* (*get_ext_func)(T*, int)>
+static jbyteArray X509Type_get_ext_oid(JNIEnv* env, T* x509Type, jstring oidString) {
+    X509_EXTENSION* ext = X509Type_get_ext<T, get_ext_by_OBJ_func, get_ext_func>(env, x509Type,
+            oidString);
+    if (ext == NULL) {
+        JNI_TRACE("X509Type_get_ext_oid(%p, %p) => fetching extension failed", x509Type, oidString);
+        return NULL;
+    }
+
+    JNI_TRACE("X509Type_get_ext_oid(%p, %p) => fetching extension failed", x509Type, oidString);
+    return ASN1ToByteArray<ASN1_OCTET_STRING, i2d_ASN1_OCTET_STRING>(env, ext->value);
+}
+
+static jint NativeCrypto_X509_CRL_get_ext(JNIEnv* env, jclass, jlong x509CrlRef, jstring oid) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_get_ext(%p, %p)", crl, oid);
+    X509_EXTENSION* ext = X509Type_get_ext<X509_CRL, X509_CRL_get_ext_by_OBJ, X509_CRL_get_ext>(
+            env, crl, oid);
+    JNI_TRACE("X509_CRL_get_ext(%p, %p) => %p", crl, oid, ext);
+    return reinterpret_cast<uintptr_t>(ext);
+}
+
+static jint NativeCrypto_X509_REVOKED_get_ext(JNIEnv* env, jclass, jlong x509RevokedRef,
+        jstring oid) {
+    X509_REVOKED* revoked = reinterpret_cast<X509_REVOKED*>(static_cast<uintptr_t>(x509RevokedRef));
+    JNI_TRACE("X509_REVOKED_get_ext(%p, %p)", revoked, oid);
+    X509_EXTENSION* ext = X509Type_get_ext<X509_REVOKED, X509_REVOKED_get_ext_by_OBJ,
+            X509_REVOKED_get_ext>(env, revoked, oid);
+    JNI_TRACE("X509_REVOKED_get_ext(%p, %p) => %p", revoked, oid, ext);
+    return reinterpret_cast<uintptr_t>(ext);
+}
+
+static jlong NativeCrypto_X509_REVOKED_dup(JNIEnv* env, jclass, jlong x509RevokedRef) {
+    X509_REVOKED* revoked = reinterpret_cast<X509_REVOKED*>(static_cast<uintptr_t>(x509RevokedRef));
+    JNI_TRACE("X509_REVOKED_dup(%p)", revoked);
+
+    if (revoked == NULL) {
+        jniThrowNullPointerException(env, "revoked == null");
+        JNI_TRACE("X509_REVOKED_dup(%p) => revoked == null", revoked);
+        return 0;
+    }
+
+    X509_REVOKED* dup = X509_REVOKED_dup(revoked);
+    JNI_TRACE("X509_REVOKED_dup(%p) => %p", revoked, dup);
+    return reinterpret_cast<uintptr_t>(dup);
+}
+
+static jlong NativeCrypto_get_X509_REVOKED_revocationDate(JNIEnv* env, jclass, jlong x509RevokedRef) {
+    X509_REVOKED* revoked = reinterpret_cast<X509_REVOKED*>(static_cast<uintptr_t>(x509RevokedRef));
+    JNI_TRACE("get_X509_REVOKED_revocationDate(%p)", revoked);
+
+    if (revoked == NULL) {
+        jniThrowNullPointerException(env, "revoked == null");
+        JNI_TRACE("get_X509_REVOKED_revocationDate(%p) => revoked == null", revoked);
+        return 0;
+    }
+
+    JNI_TRACE("get_X509_REVOKED_revocationDate(%p) => %p", revoked, revoked->revocationDate);
+    return reinterpret_cast<uintptr_t>(revoked->revocationDate);
+}
+
+static void NativeCrypto_X509_REVOKED_print(JNIEnv* env, jclass, jlong bioRef, jlong x509RevokedRef) {
+    BIO* bio = reinterpret_cast<BIO*>(static_cast<uintptr_t>(bioRef));
+    X509_REVOKED* revoked = reinterpret_cast<X509_REVOKED*>(static_cast<uintptr_t>(x509RevokedRef));
+    JNI_TRACE("X509_REVOKED_print(%p, %p)", bio, revoked);
+
+    if (bio == NULL) {
+        jniThrowNullPointerException(env, "bio == null");
+        JNI_TRACE("X509_REVOKED_print(%p, %p) => bio == null", bio, revoked);
+        return;
+    }
+
+    if (revoked == NULL) {
+        jniThrowNullPointerException(env, "revoked == null");
+        JNI_TRACE("X509_REVOKED_print(%p, %p) => revoked == null", bio, revoked);
+        return;
+    }
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wwrite-strings"
+    BIO_printf(bio, "Serial Number: ");
+    i2a_ASN1_INTEGER(bio, revoked->serialNumber);
+    BIO_printf(bio, "\nRevocation Date: ");
+    ASN1_TIME_print(bio, revoked->revocationDate);
+    BIO_printf(bio, "\n");
+    X509V3_extensions_print(bio, "CRL entry extensions", revoked->extensions, 0, 0);
+#pragma GCC diagnostic pop
+}
+
+static jbyteArray NativeCrypto_get_X509_CRL_crl_enc(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("get_X509_CRL_crl_enc(%p)", crl);
+    return ASN1ToByteArray<X509_CRL_INFO, i2d_X509_CRL_INFO>(env, crl->crl);
+}
+
+static void NativeCrypto_X509_CRL_verify(JNIEnv* env, jclass, jlong x509CrlRef, jlong pkeyRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    EVP_PKEY* pkey = reinterpret_cast<EVP_PKEY*>(pkeyRef);
+    JNI_TRACE("X509_CRL_verify(%p, %p)", crl, pkey);
+
+    if (crl == NULL) {
+        jniThrowNullPointerException(env, "crl == null");
+        JNI_TRACE("X509_CRL_verify(%p, %p) => crl == null", crl, pkey);
+        return;
+    }
+
+    if (pkey == NULL) {
+        jniThrowNullPointerException(env, "pkey == null");
+        JNI_TRACE("X509_CRL_verify(%p, %p) => pkey == null", crl, pkey);
+        return;
+    }
+
+    if (X509_CRL_verify(crl, pkey) != 1) {
+        throwExceptionIfNecessary(env, "X509_CRL_verify");
+        JNI_TRACE("X509_CRL_verify(%p, %p) => verify failure", crl, pkey);
+    } else {
+        JNI_TRACE("X509_CRL_verify(%p, %p) => verify success", crl, pkey);
+    }
+}
+
+static jlong NativeCrypto_X509_CRL_get_lastUpdate(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_get_lastUpdate(%p)", crl);
+
+    if (crl == NULL) {
+        jniThrowNullPointerException(env, "crl == null");
+        JNI_TRACE("X509_CRL_get_lastUpdate(%p) => crl == null", crl);
+        return 0;
+    }
+
+    ASN1_TIME* lastUpdate = X509_CRL_get_lastUpdate(crl);
+    JNI_TRACE("X509_CRL_get_lastUpdate(%p) => %p", crl, lastUpdate);
+    return reinterpret_cast<uintptr_t>(lastUpdate);
+}
+
+static jlong NativeCrypto_X509_CRL_get_nextUpdate(JNIEnv* env, jclass, jlong x509CrlRef) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_get_nextUpdate(%p)", crl);
+
+    if (crl == NULL) {
+        jniThrowNullPointerException(env, "crl == null");
+        JNI_TRACE("X509_CRL_get_nextUpdate(%p) => crl == null", crl);
+        return 0;
+    }
+
+    ASN1_TIME* nextUpdate = X509_CRL_get_nextUpdate(crl);
+    JNI_TRACE("X509_CRL_get_nextUpdate(%p) => %p", crl, nextUpdate);
+    return reinterpret_cast<uintptr_t>(nextUpdate);
+}
+
+static jbyteArray NativeCrypto_i2d_X509_REVOKED(JNIEnv* env, jclass, jlong x509RevokedRef) {
+    X509_REVOKED* x509Revoked =
+            reinterpret_cast<X509_REVOKED*>(static_cast<uintptr_t>(x509RevokedRef));
+    JNI_TRACE("i2d_X509_REVOKED(%p)", x509Revoked);
+    return ASN1ToByteArray<X509_REVOKED, i2d_X509_REVOKED>(env, x509Revoked);
+}
+
+static jint NativeCrypto_X509_supported_extension(JNIEnv* env, jclass, jlong x509ExtensionRef) {
+    X509_EXTENSION* ext = reinterpret_cast<X509_EXTENSION*>(static_cast<uintptr_t>(x509ExtensionRef));
+
+    if (ext == NULL) {
+        jniThrowNullPointerException(env, "ext == NULL");
+        return 0;
+    }
+
+    return X509_supported_extension(ext);
+}
+
+static inline void get_ASN1_TIME_data(char **data, int* output, size_t len) {
+    char c = **data;
+    **data = '\0';
+    *data -= len;
+    *output = atoi(*data);
+    *(*data + len) = c;
+}
+
+static void NativeCrypto_ASN1_TIME_to_Calendar(JNIEnv* env, jclass, jlong asn1TimeRef, jobject calendar) {
+    ASN1_TIME* asn1Time = reinterpret_cast<ASN1_TIME*>(static_cast<uintptr_t>(asn1TimeRef));
+    JNI_TRACE("ASN1_TIME_to_Calendar(%p, %p)", asn1Time, calendar);
+
+    if (asn1Time == NULL) {
+        jniThrowNullPointerException(env, "asn1Time == null");
+        return;
+    }
+
+    Unique_ASN1_GENERALIZEDTIME gen(ASN1_TIME_to_generalizedtime(asn1Time, NULL));
+    if (gen.get() == NULL) {
+        jniThrowNullPointerException(env, "asn1Time == null");
+        return;
+    }
+
+    if (gen->length < 14 || gen->data == NULL) {
+        jniThrowNullPointerException(env, "gen->length < 14 || gen->data == NULL");
+        return;
+    }
+
+    int sec, min, hour, mday, mon, year;
+
+    char *p = (char*) &gen->data[14];
+
+    get_ASN1_TIME_data(&p, &sec, 2);
+    get_ASN1_TIME_data(&p, &min, 2);
+    get_ASN1_TIME_data(&p, &hour, 2);
+    get_ASN1_TIME_data(&p, &mday, 2);
+    get_ASN1_TIME_data(&p, &mon, 2);
+    get_ASN1_TIME_data(&p, &year, 4);
+
+    env->CallVoidMethod(calendar, calendar_setMethod, year, mon - 1, mday, hour, min, sec);
+}
+
+static jstring NativeCrypto_OBJ_txt2nid_oid(JNIEnv* env, jclass, jstring oidStr) {
+    JNI_TRACE("OBJ_txt2nid_oid(%p)", oidStr);
+
+    ScopedUtfChars oid(env, oidStr);
+    if (oid.c_str() == NULL) {
+        return NULL;
+    }
+
+    JNI_TRACE("OBJ_txt2nid_oid(%s)", oid.c_str());
+
+    int nid = OBJ_txt2nid(oid.c_str());
+    if (nid == NID_undef) {
+        JNI_TRACE("OBJ_txt2nid_oid(%s) => NID_undef", oid.c_str());
+        freeOpenSslErrorState();
+        return NULL;
+    }
+
+    Unique_ASN1_OBJECT obj(OBJ_nid2obj(nid));
+    if (obj.get() == NULL) {
+        throwExceptionIfNecessary(env, "OBJ_nid2obj");
+        return NULL;
+    }
+
+    ScopedLocalRef<jstring> ouputStr(env, ASN1_OBJECT_to_OID_string(env, obj.get()));
+    JNI_TRACE("OBJ_txt2nid_oid(%s) => %p", oid.c_str(), ouputStr.get());
+    return ouputStr.release();
+}
+
+static jstring NativeCrypto_X509_NAME_print_ex(JNIEnv* env, jclass, jlong x509NameRef, jlong jflags) {
+    X509_NAME* x509name = reinterpret_cast<X509_NAME*>(static_cast<uintptr_t>(x509NameRef));
+    unsigned long flags = static_cast<unsigned long>(jflags);
+    JNI_TRACE("X509_NAME_print_ex(%p, %ld)", x509name, flags);
+
+    if (x509name == NULL) {
+        jniThrowNullPointerException(env, "x509name == null");
+        JNI_TRACE("X509_NAME_print_ex(%p, %ld) => x509name == null", x509name, flags);
+        return NULL;
+    }
+
+    return X509_NAME_to_jstring(env, x509name, flags);
+}
+
+template <typename T, T* (*d2i_func)(BIO*, T**)>
+static jlong d2i_ASN1Object_to_jlong(JNIEnv* env, jlong bioRef) {
+    BIO* bio = reinterpret_cast<BIO*>(static_cast<uintptr_t>(bioRef));
+    JNI_TRACE("d2i_ASN1Object_to_jlong(%p)", bio);
+
+    if (bio == NULL) {
+        jniThrowNullPointerException(env, "bio == null");
+        return 0;
+    }
+
+    T* x = d2i_func(bio, NULL);
+    if (x == NULL) {
+        throwExceptionIfNecessary(env, "d2i_ASN1Object_to_jlong");
+        return 0;
+    }
+
+    return reinterpret_cast<uintptr_t>(x);
+}
+
+static jlong NativeCrypto_d2i_X509_CRL_bio(JNIEnv* env, jclass, jlong bioRef) {
+    return d2i_ASN1Object_to_jlong<X509_CRL, d2i_X509_CRL_bio>(env, bioRef);
+}
+
+static jlong NativeCrypto_d2i_X509_bio(JNIEnv* env, jclass, jlong bioRef) {
+    return d2i_ASN1Object_to_jlong<X509, d2i_X509_bio>(env, bioRef);
+}
+
+static jbyteArray NativeCrypto_i2d_X509(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("i2d_X509(%p)", x509);
+    return ASN1ToByteArray<X509, i2d_X509>(env, x509);
+}
+
+template<typename T, T* (*PEM_read_func)(BIO*, T**, pem_password_cb*, void*)>
+static jlong PEM_ASN1Object_to_jlong(JNIEnv* env, jlong bioRef) {
+    BIO* bio = reinterpret_cast<BIO*>(static_cast<uintptr_t>(bioRef));
+    JNI_TRACE("PEM_ASN1Object_to_jlong(%p)", bio);
+
+    if (bio == NULL) {
+        jniThrowNullPointerException(env, "bio == null");
+        JNI_TRACE("PEM_ASN1Object_to_jlong(%p) => bio == null", bio);
+        return 0;
+    }
+
+    T* x = PEM_read_func(bio, NULL, NULL, NULL);
+    if (x == NULL) {
+        throwExceptionIfNecessary(env, "PEM_ASN1Object_to_jlong");
+        JNI_TRACE("PEM_ASN1Object_to_jlong(%p) => threw exception", bio);
+        return 0;
+    }
+
+    JNI_TRACE("PEM_ASN1Object_to_jlong(%p) => %p", bio, x);
+    return reinterpret_cast<uintptr_t>(x);
+}
+
+static jlong NativeCrypto_PEM_read_bio_X509(JNIEnv* env, jclass, jlong bioRef) {
+    JNI_TRACE("PEM_read_bio_X509(0x%llx)", bioRef);
+    return PEM_ASN1Object_to_jlong<X509, PEM_read_bio_X509>(env, bioRef);
+}
+
+static jlong NativeCrypto_PEM_read_bio_X509_CRL(JNIEnv* env, jclass, jlong bioRef) {
+    JNI_TRACE("PEM_read_bio_X509_CRL(0x%llx)", bioRef);
+    return PEM_ASN1Object_to_jlong<X509_CRL, PEM_read_bio_X509_CRL>(env, bioRef);
+}
+
+static STACK_OF(X509)* PKCS7_get_certs(PKCS7* pkcs7) {
+    if (PKCS7_type_is_signed(pkcs7)) {
+        return pkcs7->d.sign->cert;
+    } else if (PKCS7_type_is_signedAndEnveloped(pkcs7)) {
+        return pkcs7->d.signed_and_enveloped->cert;
+    } else {
+        JNI_TRACE("PKCS7_get_certs(%p) => unknown PKCS7 type", pkcs7);
+        return NULL;
+    }
+}
+
+static STACK_OF(X509_CRL)* PKCS7_get_CRLs(PKCS7* pkcs7) {
+    if (PKCS7_type_is_signed(pkcs7)) {
+        return pkcs7->d.sign->crl;
+    } else if (PKCS7_type_is_signedAndEnveloped(pkcs7)) {
+        return pkcs7->d.signed_and_enveloped->crl;
+    } else {
+        JNI_TRACE("PKCS7_get_CRLs(%p) => unknown PKCS7 type", pkcs7);
+        return NULL;
+    }
+}
+
+template <typename T, typename T_stack>
+static jlongArray PKCS7_to_ItemArray(JNIEnv* env, T_stack* stack, T* (*dup_func)(T*))
+{
+    if (stack == NULL) {
+        return NULL;
+    }
+
+    ScopedLocalRef<jlongArray> ref_array(env, NULL);
+    size_t size = sk_num(reinterpret_cast<_STACK*>(stack));
+    ref_array.reset(env->NewLongArray(size));
+    ScopedLongArrayRW items(env, ref_array.get());
+    for (size_t i = 0; i < size; i++) {
+        T* item = reinterpret_cast<T*>(sk_value(reinterpret_cast<_STACK*>(stack), i));
+        items[i] = reinterpret_cast<uintptr_t>(dup_func(item));
+    }
+
+    JNI_TRACE("PKCS7_to_ItemArray(%p) => %p [size=%d]", stack, ref_array.get(), size);
+    return ref_array.release();
+}
+
+#define PKCS7_CERTS 1
+#define PKCS7_CRLS 2
+
+static jlongArray NativeCrypto_PEM_read_bio_PKCS7(JNIEnv* env, jclass, jlong bioRef, jint which) {
+    BIO* bio = reinterpret_cast<BIO*>(static_cast<uintptr_t>(bioRef));
+    JNI_TRACE("PEM_read_bio_PKCS7_CRLs(%p)", bio);
+
+    if (bio == NULL) {
+        jniThrowNullPointerException(env, "bio == null");
+        JNI_TRACE("PEM_read_bio_PKCS7_CRLs(%p) => bio == null", bio);
+        return 0;
+    }
+
+    Unique_PKCS7 pkcs7(PEM_read_bio_PKCS7(bio, NULL, NULL, NULL));
+    if (pkcs7.get() == NULL) {
+        throwExceptionIfNecessary(env, "PEM_read_bio_PKCS7_CRLs");
+        JNI_TRACE("PEM_read_bio_PKCS7_CRLs(%p) => threw exception", bio);
+        return 0;
+    }
+
+    switch (which) {
+    case PKCS7_CERTS:
+        return PKCS7_to_ItemArray<X509, STACK_OF(X509)>(env, PKCS7_get_certs(pkcs7.get()), X509_dup);
+    case PKCS7_CRLS:
+        return PKCS7_to_ItemArray<X509_CRL, STACK_OF(X509_CRL)>(env, PKCS7_get_CRLs(pkcs7.get()),
+                X509_CRL_dup);
+    default:
+        jniThrowRuntimeException(env, "unknown PKCS7 field");
+        return NULL;
+    }
+}
+
+static jlongArray NativeCrypto_d2i_PKCS7_bio(JNIEnv* env, jclass, jlong bioRef, jint which) {
+    BIO* bio = reinterpret_cast<BIO*>(static_cast<uintptr_t>(bioRef));
+    JNI_TRACE("d2i_PKCS7_bio_certs(%p)", bio);
+
+    if (bio == NULL) {
+        jniThrowNullPointerException(env, "bio == null");
+        JNI_TRACE("d2i_PKCS7_bio_certs(%p) => bio == null", bio);
+        return 0;
+    }
+
+    Unique_PKCS7 pkcs7(d2i_PKCS7_bio(bio, NULL));
+    if (pkcs7.get() == NULL) {
+        throwExceptionIfNecessary(env, "d2i_PKCS7_bio_certs");
+        JNI_TRACE("d2i_PKCS7_bio_certs(%p) => threw exception", bio);
+        return 0;
+    }
+
+    switch (which) {
+    case PKCS7_CERTS:
+        return PKCS7_to_ItemArray<X509, STACK_OF(X509)>(env, PKCS7_get_certs(pkcs7.get()), X509_dup);
+    case PKCS7_CRLS:
+        return PKCS7_to_ItemArray<X509_CRL, STACK_OF(X509_CRL)>(env, PKCS7_get_CRLs(pkcs7.get()),
+                X509_CRL_dup);
+    default:
+        jniThrowRuntimeException(env, "unknown PKCS7 field");
+        return NULL;
+    }}
+
+static void NativeCrypto_X509_free(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_free(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("X509_free(%p) => x509 == null", x509);
+        return;
+    }
+
+    X509_free(x509);
+}
+
+static jint NativeCrypto_X509_cmp(JNIEnv* env, jclass, jlong x509Ref1, jlong x509Ref2) {
+    X509* x509_1 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref1));
+    X509* x509_2 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref2));
+    JNI_TRACE("X509_cmp(%p, %p)", x509_1, x509_2);
+
+    if (x509_1 == NULL) {
+        jniThrowNullPointerException(env, "x509_1 == null");
+        JNI_TRACE("X509_cmp(%p, %p) => x509_1 == null", x509_1, x509_2);
+        return -1;
+    }
+
+    if (x509_2 == NULL) {
+        jniThrowNullPointerException(env, "x509_2 == null");
+        JNI_TRACE("X509_cmp(%p, %p) => x509_2 == null", x509_1, x509_2);
+        return -1;
+    }
+
+    int ret = X509_cmp(x509_1, x509_2);
+    JNI_TRACE("X509_cmp(%p, %p) => %d", x509_1, x509_2, ret);
+    return ret;
+}
+
+static jint NativeCrypto_get_X509_hashCode(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_hashCode(%p) => x509 == null", x509);
+        return 0;
+    }
+
+    // Force caching extensions.
+    X509_check_ca(x509);
+
+    jint hashCode = 0L;
+    for (int i = 0; i < SHA_DIGEST_LENGTH; i++) {
+        hashCode = 31 * hashCode + x509->sha1_hash[i];
+    }
+    return hashCode;
+}
+
+static void NativeCrypto_X509_print_ex(JNIEnv* env, jclass, jlong bioRef, jlong x509Ref,
+        jlong nmflagJava, jlong certflagJava) {
+    BIO* bio = reinterpret_cast<BIO*>(static_cast<uintptr_t>(bioRef));
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    long nmflag = static_cast<long>(nmflagJava);
+    long certflag = static_cast<long>(certflagJava);
+    JNI_TRACE("X509_print_ex(%p, %p, %ld, %ld)", bio, x509, nmflag, certflag);
+
+    if (bio == NULL) {
+        jniThrowNullPointerException(env, "bio == null");
+        JNI_TRACE("X509_print_ex(%p, %p, %ld, %ld) => bio == null", bio, x509, nmflag, certflag);
+        return;
+    }
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("X509_print_ex(%p, %p, %ld, %ld) => x509 == null", bio, x509, nmflag, certflag);
+        return;
+    }
+
+    X509_print_ex(bio, x509, nmflag, certflag);
+    JNI_TRACE("X509_print_ex(%p, %p, %ld, %ld) => success", bio, x509, nmflag, certflag);
+}
+
+static jlong NativeCrypto_X509_get_pubkey(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_get_pubkey(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("X509_get_pubkey(%p) => x509 == null", x509);
+        return 0;
+    }
+
+    Unique_EVP_PKEY pkey(X509_get_pubkey(x509));
+    if (pkey.get() == NULL) {
+        throwExceptionIfNecessary(env, "X509_get_pubkey");
+        return 0;
+    }
+
+    return reinterpret_cast<uintptr_t>(pkey.release());
+}
+
+static jbyteArray NativeCrypto_X509_get_issuer_name(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_get_issuer_name(%p)", x509);
+    return ASN1ToByteArray<X509_NAME, i2d_X509_NAME>(env, X509_get_issuer_name(x509));
+}
+
+static jbyteArray NativeCrypto_X509_get_subject_name(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_get_subject_name(%p)", x509);
+    return ASN1ToByteArray<X509_NAME, i2d_X509_NAME>(env, X509_get_subject_name(x509));
+}
+
+static jstring NativeCrypto_get_X509_pubkey_oid(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_pubkey_oid(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_pubkey_oid(%p) => x509 == null", x509);
+        return NULL;
+    }
+
+    X509_PUBKEY* pubkey = X509_get_X509_PUBKEY(x509);
+    return ASN1_OBJECT_to_OID_string(env, pubkey->algor->algorithm);
+}
+
+static jstring NativeCrypto_get_X509_sig_alg_oid(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_sig_alg_oid(%p)", x509);
+
+    if (x509 == NULL || x509->sig_alg == NULL) {
+        jniThrowNullPointerException(env, "x509 == NULL || x509->sig_alg == NULL");
+        JNI_TRACE("get_X509_sig_alg_oid(%p) => x509 == NULL", x509);
+        return NULL;
+    }
+
+    return ASN1_OBJECT_to_OID_string(env, x509->sig_alg->algorithm);
+}
+
+static jbyteArray NativeCrypto_get_X509_sig_alg_parameter(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_sig_alg_parameter(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_sig_alg_parameter(%p) => x509 == null", x509);
+        return NULL;
+    }
+
+    if (x509->sig_alg->parameter == NULL) {
+        JNI_TRACE("get_X509_sig_alg_parameter(%p) => null", x509);
+        return NULL;
+    }
+
+    return ASN1ToByteArray<ASN1_TYPE, i2d_ASN1_TYPE>(env, x509->sig_alg->parameter);
+}
+
+static jbooleanArray NativeCrypto_get_X509_issuerUID(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_issuerUID(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_issuerUID(%p) => x509 == null", x509);
+        return NULL;
+    }
+
+    if (x509->cert_info->issuerUID == NULL) {
+        JNI_TRACE("get_X509_issuerUID(%p) => null", x509);
+        return NULL;
+    }
+
+    return ASN1BitStringToBooleanArray(env, x509->cert_info->issuerUID);
+}
+static jbooleanArray NativeCrypto_get_X509_subjectUID(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_subjectUID(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_subjectUID(%p) => x509 == null", x509);
+        return NULL;
+    }
+
+    if (x509->cert_info->subjectUID == NULL) {
+        JNI_TRACE("get_X509_subjectUID(%p) => null", x509);
+        return NULL;
+    }
+
+    return ASN1BitStringToBooleanArray(env, x509->cert_info->subjectUID);
+}
+
+static jbooleanArray NativeCrypto_get_X509_ex_kusage(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_ex_kusage(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_ex_kusage(%p) => x509 == null", x509);
+        return NULL;
+    }
+
+    Unique_ASN1_BIT_STRING bitStr(static_cast<ASN1_BIT_STRING*>(
+            X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL)));
+    if (bitStr.get() == NULL) {
+        JNI_TRACE("get_X509_ex_kusage(%p) => conversion to bitstring failed", x509);
+        return NULL;
+    }
+
+    return ASN1BitStringToBooleanArray(env, bitStr.get());
+}
+
+static jobjectArray NativeCrypto_get_X509_ex_xkusage(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_ex_xkusage(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_ex_xkusage(%p) => x509 == null", x509);
+        return NULL;
+    }
+
+    Unique_sk_ASN1_OBJECT objArray(static_cast<STACK_OF(ASN1_OBJECT)*>(
+            X509_get_ext_d2i(x509, NID_ext_key_usage, NULL, NULL)));
+    if (objArray.get() == NULL) {
+        JNI_TRACE("get_X509_ex_xkusage(%p) => null", x509);
+        return NULL;
+    }
+
+    size_t size = sk_ASN1_OBJECT_num(objArray.get());
+    ScopedLocalRef<jobjectArray> exKeyUsage(env, env->NewObjectArray(size,
+            JniConstants::stringClass, NULL));
+    if (exKeyUsage.get() == NULL) {
+        return NULL;
+    }
+
+    for (size_t i = 0; i < size; i++) {
+        ScopedLocalRef<jstring> oidStr(env, ASN1_OBJECT_to_OID_string(env,
+                sk_ASN1_OBJECT_value(objArray.get(), i)));
+        env->SetObjectArrayElement(exKeyUsage.get(), i, oidStr.get());
+    }
+
+    JNI_TRACE("get_X509_ex_xkusage(%p) => success (%d entries)", x509, size);
+    return exKeyUsage.release();
+}
+
+static jint NativeCrypto_X509_check_ca(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_check_ca(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("X509_check_ca(%p) => x509 == null", x509);
+        return 0;
+    }
+
+    int ret = X509_check_ca(x509);
+    JNI_TRACE("X509_check_ca(%p) => %d", x509, ret);
+    return ret;
+}
+
+static jint NativeCrypto_get_X509_ex_pathlen(JNIEnv* env, jclass, jlong x509Ref) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509_ex_pathlen(%p)", x509);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509_ex_pathlen(%p) => x509 == null", x509);
+        return 0;
+    }
+
+    /* Just need to do this to cache the ex_* values. */
+    X509_check_ca(x509);
+
+    JNI_TRACE("get_X509_ex_pathlen(%p) => %ld", x509, x509->ex_pathlen);
+    return x509->ex_pathlen;
+}
+
+static jbyteArray NativeCrypto_X509_get_ext_oid(JNIEnv* env, jclass, jlong x509Ref,
+        jstring oidString) {
+    X509* x509 = reinterpret_cast<X509*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("X509_get_ext_oid(%p, %p)", x509, oidString);
+    return X509Type_get_ext_oid<X509, X509_get_ext_by_OBJ, X509_get_ext>(env, x509, oidString);
+}
+
+static jbyteArray NativeCrypto_X509_CRL_get_ext_oid(JNIEnv* env, jclass, jlong x509CrlRef,
+        jstring oidString) {
+    X509_CRL* crl = reinterpret_cast<X509_CRL*>(static_cast<uintptr_t>(x509CrlRef));
+    JNI_TRACE("X509_CRL_get_ext_oid(%p, %p)", crl, oidString);
+    return X509Type_get_ext_oid<X509_CRL, X509_CRL_get_ext_by_OBJ, X509_CRL_get_ext>(env, crl,
+            oidString);
+}
+
+static jbyteArray NativeCrypto_X509_REVOKED_get_ext_oid(JNIEnv* env, jclass, jlong x509RevokedRef,
+        jstring oidString) {
+    X509_REVOKED* revoked = reinterpret_cast<X509_REVOKED*>(static_cast<uintptr_t>(x509RevokedRef));
+    JNI_TRACE("X509_REVOKED_get_ext_oid(%p, %p)", revoked, oidString);
+    return X509Type_get_ext_oid<X509_REVOKED, X509_REVOKED_get_ext_by_OBJ, X509_REVOKED_get_ext>(
+            env, revoked, oidString);
+}
+
+template<typename T, int (*get_ext_by_critical_func)(T*, int, int), X509_EXTENSION* (*get_ext_func)(T*, int)>
+static jobjectArray get_X509Type_ext_oids(JNIEnv* env, jlong x509Ref, jint critical) {
+    T* x509 = reinterpret_cast<T*>(static_cast<uintptr_t>(x509Ref));
+    JNI_TRACE("get_X509Type_ext_oids(%p, %d)", x509, critical);
+
+    if (x509 == NULL) {
+        jniThrowNullPointerException(env, "x509 == null");
+        JNI_TRACE("get_X509Type_ext_oids(%p, %d) => x509 == null", x509, critical);
+        return NULL;
+    }
+
+    int lastPos = -1;
+    int count = 0;
+    while ((lastPos = get_ext_by_critical_func(x509, critical, lastPos)) != -1) {
+        count++;
+    }
+
+    JNI_TRACE("get_X509Type_ext_oids(%p, %d) has %d entries", x509, critical, count);
+
+    ScopedLocalRef<jobjectArray> joa(env, env->NewObjectArray(count, JniConstants::stringClass, NULL));
+    if (joa.get() == NULL) {
+        JNI_TRACE("get_X509Type_ext_oids(%p, %d) => fail to allocate result array", x509, critical);
+        return NULL;
+    }
+
+    lastPos = -1;
+    count = 0;
+    while ((lastPos = get_ext_by_critical_func(x509, critical, lastPos)) != -1) {
+        X509_EXTENSION* ext = get_ext_func(x509, lastPos);
+
+        ScopedLocalRef<jstring> extOid(env, ASN1_OBJECT_to_OID_string(env, ext->object));
+        if (extOid.get() == NULL) {
+            JNI_TRACE("get_X509Type_ext_oids(%p) => couldn't get OID", x509);
+            return NULL;
+        }
+
+        env->SetObjectArrayElement(joa.get(), count++, extOid.get());
+    }
+
+    JNI_TRACE("get_X509Type_ext_oids(%p, %d) => success", x509, critical);
+    return joa.release();
+}
+
+static jobjectArray NativeCrypto_get_X509_ext_oids(JNIEnv* env, jclass, jlong x509Ref,
+        jint critical) {
+    JNI_TRACE("get_X509_ext_oids(0x%llx, %d)", x509Ref, critical);
+    return get_X509Type_ext_oids<X509, X509_get_ext_by_critical, X509_get_ext>(env, x509Ref,
+            critical);
+}
+
+static jobjectArray NativeCrypto_get_X509_CRL_ext_oids(JNIEnv* env, jclass, jlong x509CrlRef,
+        jint critical) {
+    JNI_TRACE("get_X509_CRL_ext_oids(0x%llx, %d)", x509CrlRef, critical);
+    return get_X509Type_ext_oids<X509_CRL, X509_CRL_get_ext_by_critical, X509_CRL_get_ext>(env,
+            x509CrlRef, critical);
+}
+
+static jobjectArray NativeCrypto_get_X509_REVOKED_ext_oids(JNIEnv* env, jclass, jlong x509RevokedRef,
+        jint critical) {
+    JNI_TRACE("get_X509_CRL_ext_oids(0x%llx, %d)", x509RevokedRef, critical);
+    return get_X509Type_ext_oids<X509_REVOKED, X509_REVOKED_get_ext_by_critical,
+            X509_REVOKED_get_ext>(env, x509RevokedRef, critical);
+}
+
 #ifdef WITH_JNI_TRACE
 /**
  * Based on example logging call back from SSL_CTX_set_info_callback man page
@@ -3638,7 +5067,7 @@
     for (int i = 0; i < count; i++) {
         X509* cert = sk_X509_value(chain, i);
 
-        ScopedLocalRef<jbyteArray> byteArray(env, ASN1ToByteArray<X509>(env, cert, i2d_X509));
+        ScopedLocalRef<jbyteArray> byteArray(env, ASN1ToByteArray<X509, i2d_X509>(env, cert));
         if (byteArray.get() == NULL) {
             return NULL;
         }
@@ -3671,8 +5100,8 @@
     for (int i = 0; i < count; i++) {
         X509_NAME* principal = sk_X509_NAME_value(names, i);
 
-        ScopedLocalRef<jbyteArray> byteArray(env, ASN1ToByteArray<X509_NAME>(env, principal,
-                i2d_X509_NAME));
+        ScopedLocalRef<jbyteArray> byteArray(env, ASN1ToByteArray<X509_NAME, i2d_X509_NAME>(env,
+                principal));
         if (byteArray.get() == NULL) {
             return NULL;
         }
@@ -6019,11 +7448,7 @@
 static jbyteArray NativeCrypto_i2d_SSL_SESSION(JNIEnv* env, jclass, jlong ssl_session_address) {
     SSL_SESSION* ssl_session = to_SSL_SESSION(env, ssl_session_address, true);
     JNI_TRACE("ssl_session=%p NativeCrypto_i2d_SSL_SESSION", ssl_session);
-    if (ssl_session == NULL) {
-        return NULL;
-    }
-
-    return ASN1ToByteArray<SSL_SESSION>(env, ssl_session, i2d_SSL_SESSION);
+    return ASN1ToByteArray<SSL_SESSION, i2d_SSL_SESSION>(env, ssl_session);
 }
 
 /**
@@ -6168,6 +7593,69 @@
     NATIVE_METHOD(NativeCrypto, BIO_read, "(J[B)I"),
     NATIVE_METHOD(NativeCrypto, BIO_write, "(J[BII)V"),
     NATIVE_METHOD(NativeCrypto, BIO_free, "(J)V"),
+    NATIVE_METHOD(NativeCrypto, X509_NAME_print_ex, "(JJ)Ljava/lang/String;"),
+    NATIVE_METHOD(NativeCrypto, d2i_X509_bio, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, i2d_X509, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, PEM_read_bio_X509, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, PEM_read_bio_PKCS7, "(JI)[J"),
+    NATIVE_METHOD(NativeCrypto, d2i_PKCS7_bio, "(JI)[J"),
+    NATIVE_METHOD(NativeCrypto, X509_free, "(J)V"),
+    NATIVE_METHOD(NativeCrypto, X509_cmp, "(JJ)I"),
+    NATIVE_METHOD(NativeCrypto, get_X509_hashCode, "(J)I"),
+    NATIVE_METHOD(NativeCrypto, X509_print_ex, "(JJJJ)V"),
+    NATIVE_METHOD(NativeCrypto, X509_get_pubkey, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, X509_get_issuer_name, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_get_subject_name, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, get_X509_pubkey_oid, "(J)Ljava/lang/String;"),
+    NATIVE_METHOD(NativeCrypto, get_X509_sig_alg_oid, "(J)Ljava/lang/String;"),
+    NATIVE_METHOD(NativeCrypto, get_X509_sig_alg_parameter, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, get_X509_issuerUID, "(J)[Z"),
+    NATIVE_METHOD(NativeCrypto, get_X509_subjectUID, "(J)[Z"),
+    NATIVE_METHOD(NativeCrypto, get_X509_ex_kusage, "(J)[Z"),
+    NATIVE_METHOD(NativeCrypto, get_X509_ex_xkusage, "(J)[Ljava/lang/String;"),
+    NATIVE_METHOD(NativeCrypto, X509_check_ca, "(J)I"),
+    NATIVE_METHOD(NativeCrypto, get_X509_ex_pathlen, "(J)I"),
+    NATIVE_METHOD(NativeCrypto, X509_get_ext_oid, "(JLjava/lang/String;)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get_ext_oid, "(JLjava/lang/String;)[B"),
+    NATIVE_METHOD(NativeCrypto, get_X509_CRL_crl_enc, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_verify, "(JJ)V"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get_lastUpdate, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get_nextUpdate, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, X509_REVOKED_get_ext_oid, "(JLjava/lang/String;)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_REVOKED_get_serialNumber, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_REVOKED_print, "(JJ)V"),
+    NATIVE_METHOD(NativeCrypto, get_X509_REVOKED_revocationDate, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, get_X509_ext_oids, "(JI)[Ljava/lang/String;"),
+    NATIVE_METHOD(NativeCrypto, get_X509_CRL_ext_oids, "(JI)[Ljava/lang/String;"),
+    NATIVE_METHOD(NativeCrypto, get_X509_REVOKED_ext_oids, "(JI)[Ljava/lang/String;"),
+    NATIVE_METHOD(NativeCrypto, get_X509_GENERAL_NAME_stack, "(JI)[[Ljava/lang/Object;"),
+    NATIVE_METHOD(NativeCrypto, X509_get_notBefore, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, X509_get_notAfter, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, X509_get_version, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, X509_get_serialNumber, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_verify, "(JJ)V"),
+    NATIVE_METHOD(NativeCrypto, get_X509_cert_info_enc, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, get_X509_signature, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, get_X509_CRL_signature, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, get_X509_ex_flags, "(J)I"),
+    NATIVE_METHOD(NativeCrypto, d2i_X509_CRL_bio, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, PEM_read_bio_X509_CRL, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get0_by_cert, "(JJ)J"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get0_by_serial, "(J[B)J"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get_REVOKED, "(J)[J"),
+    NATIVE_METHOD(NativeCrypto, i2d_X509_CRL, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_free, "(J)V"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_print, "(JJ)V"),
+    NATIVE_METHOD(NativeCrypto, get_X509_CRL_sig_alg_oid, "(J)Ljava/lang/String;"),
+    NATIVE_METHOD(NativeCrypto, get_X509_CRL_sig_alg_parameter, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get_issuer_name, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get_version, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, X509_CRL_get_ext, "(JLjava/lang/String;)J"),
+    NATIVE_METHOD(NativeCrypto, X509_REVOKED_get_ext, "(JLjava/lang/String;)J"),
+    NATIVE_METHOD(NativeCrypto, X509_REVOKED_dup, "(J)J"),
+    NATIVE_METHOD(NativeCrypto, i2d_X509_REVOKED, "(J)[B"),
+    NATIVE_METHOD(NativeCrypto, X509_supported_extension, "(J)I"),
+    NATIVE_METHOD(NativeCrypto, ASN1_TIME_to_Calendar, "(JLjava/util/Calendar;)V"),
     NATIVE_METHOD(NativeCrypto, SSL_CTX_new, "()J"),
     NATIVE_METHOD(NativeCrypto, SSL_CTX_free, "(J)V"),
     NATIVE_METHOD(NativeCrypto, SSL_CTX_set_session_id_context, "(J[B)V"),
@@ -6214,6 +7702,7 @@
     NATIVE_METHOD(NativeCrypto, SSL_get_npn_negotiated_protocol, "(J)[B"),
     NATIVE_METHOD(NativeCrypto, ERR_peek_last_error, "()J"),
 };
+
 void register_org_apache_harmony_xnet_provider_jsse_NativeCrypto(JNIEnv* env) {
     JNI_TRACE("register_org_apache_harmony_xnet_provider_jsse_NativeCrypto");
     jniRegisterNativeMethods(env, "org/apache/harmony/xnet/provider/jsse/NativeCrypto",
@@ -6229,8 +7718,11 @@
         abort();
     }
 
+    calendar_setMethod = env->GetMethodID(JniConstants::calendarClass, "set", "(IIIIII)V");
     inputStream_readMethod = env->GetMethodID(JniConstants::inputStreamClass, "read", "([B)I");
-    openSslInputStream_readLineMethod = env->GetMethodID(openSslOutputStreamClass, "readLine",
+    integer_valueOfMethod = env->GetStaticMethodID(JniConstants::integerClass, "valueOf",
+            "(I)Ljava/lang/Integer;");
+    openSslInputStream_readLineMethod = env->GetMethodID(openSslOutputStreamClass, "gets",
             "([B)I");
     outputStream_writeMethod = env->GetMethodID(JniConstants::outputStreamClass, "write", "([B)V");
     outputStream_flushMethod = env->GetMethodID(JniConstants::outputStreamClass, "flush", "()V");