* Adds the following openssl compatibility API's:

- SSL_CIPHER_get_id - SSL_CIPHER_get_rfc_name - SSL_get_cipher_by_value - X509_print_ex - X509_NAME_add_entry_by_NID - X509_time_adj - X509_time_adj_ex - DTLSv1_get_timeout - DTLSv1_handle_timeout - DTLSv1_set_initial_timeout_duration - SSL_CTX_set_current_time_cb - PEM_write_bio_RSA_PUBKEY - PEM_read_bio_RSA_PUBKEY - PEM_write_bio_PUBKEY - EVP_PKEY_missing_parameters - EVP_PKEY_cmp - BN_is_negative - BIO_set_retry_write * Improvements to the notBefore and notAfter date handling. * Improvements to BIO and BIO_METHOD - Moved structure to public area to allow for dereferencing - Renamed members to provide compatibility. - Added support for custom BIO methods for read/write. * Added advanced openssl compatibility test cases for key and certificate generation. * Fix for `ASN1_STRING_set` to allow NULL data. * Fix to populate public key information on `EVP_PKEY_assign_RSA` and `EVP_PKEY_assign_EC_KEY`. * Fix naming for `X509_get_notBefore` and `X509_get_notAfter` functions. * Added `wc_EccPublicKeyDerSize`. * Improvements to `wc_RsaPublicKeyDerSize`, so dummy memory doesn't have to be allocated. * Made the `wc_*PublicKeyDerSize` functions public. * Eliminate use of snprintf for UTC to generalized time conversion in `wolfSSL_ASN1_TIME_to_generalizedtime`.
2019-09-24 10:45:33 -07:00 · 2019-09-24 10:45:33 -07:00 · 872d222b59
parent 4a6925e2ef
commit 872d222b59
23 changed files with 1464 additions and 672 deletions
--- a/cyassl/ssl.h
+++ b/cyassl/ssl.h
@ -164,8 +164,8 @@
 /* get index cert in PEM */
 #define CyaSSL_X509_get_subjectCN wolfSSL_X509_get_subjectCN
 #define CyaSSL_X509_get_der       wolfSSL_X509_get_der
-#define CyaSSL_X509_notBefore     wolfSSL_X509_notBefore
-#define CyaSSL_X509_notAfter      wolfSSL_X509_notAfter
+#define CyaSSL_X509_get_notBefore wolfSSL_X509_get_notBefore
+#define CyaSSL_X509_get_notAfter  wolfSSL_X509_get_notAfter
 #define CyaSSL_X509_version       wolfSSL_X509_version

 #define CyaSSL_cmp_peer_cert_to_file wolfSSL_cmp_peer_cert_to_file
--- a/doc/dox_comments/header_files/ssl.h
+++ b/doc/dox_comments/header_files/ssl.h
@ -5819,7 +5819,7 @@ WOLFSSL_API const unsigned char* wolfSSL_X509_get_der(WOLFSSL_X509*, int*);
    \brief This function checks to see if x509 is NULL and if it’s not,
    it returns the notAfter member of the x509 struct.

-    \return pointer returns a constant byte pointer to the notAfter
+    \return pointer to struct with ASN1_TIME to the notAfter
    member of the x509 struct.
    \return NULL returned if the x509 object is NULL.

@ -5830,15 +5830,15 @@ WOLFSSL_API const unsigned char* wolfSSL_X509_get_der(WOLFSSL_X509*, int*);
    WOLFSSL_X509* x509 = (WOLFSSL_X509)XMALOC(sizeof(WOLFSSL_X509), NULL,
    DYNAMIC_TYPE_X509) ;
    ...
-    byte* notAfter = wolfSSL_X509_notAfter(x509);
+    const WOLFSSL_ASN1_TIME* notAfter = wolfSSL_X509_get_notAfter(x509);
    if(notAfter == NULL){
-	    // Failure case, the x509 object is null.
+        // Failure case, the x509 object is null.
    }
    \endcode

-    \sa none
+    \sa wolfSSL_X509_get_notBefore
 */
-WOLFSSL_API const unsigned char* wolfSSL_X509_notAfter(WOLFSSL_X509*);
+WOLFSSL_API WOLFSSL_ASN1_TIME* wolfSSL_X509_get_notAfter(WOLFSSL_X509*);

 /*!
    \ingroup CertsKeys
@ -12210,8 +12210,8 @@ WOLFSSL_API char* wolfSSL_X509_get_next_altname(WOLFSSL_X509*);
    \brief The function checks to see if x509 is NULL and if it’s not, it
    returns the notBefore member of the x509 struct.

-    \return pointer This function returns a constant byte pointer to the x509’s
-    member notAfter.
+    \return pointer to struct with ASN1_TIME to the notBefore
+        member of the x509 struct.
    \return NULL the function returns NULL if the x509 structure is NULL.

    \param x509 a pointer to the WOLFSSL_X509 struct.
@ -12221,15 +12221,15 @@ WOLFSSL_API char* wolfSSL_X509_get_next_altname(WOLFSSL_X509*);
    WOLFSSL_X509* x509 = (WOLFSSL_X509)XMALLOC(sizeof(WOLFSSL_X509), NULL,
    DYNAMIC_TYPE_X509) ;
    …
-    byte* notAfter = wolfSSL_X509_notAfter(x509);
+    const WOLFSSL_ASN1_TIME* notAfter = wolfSSL_X509_get_notBefore(x509);
    if(notAfter == NULL){
            //The x509 object was NULL
    }
    \endcode

-    \sa wolfSSL_X509_notAfter
+    \sa wolfSSL_X509_get_notAfter
 */
-WOLFSSL_API const unsigned char* wolfSSL_X509_notBefore(WOLFSSL_X509*);
+WOLFSSL_API WOLFSSL_ASN1_TIME* wolfSSL_X509_get_notBefore(WOLFSSL_X509*);

 /*!
    \ingroup IO
--- a/src/bio.c
+++ b/src/bio.c
@ -101,12 +101,12 @@ static int wolfSSL_BIO_MEMORY_read(WOLFSSL_BIO* bio, void* buf, int len)
                XMEMCPY(tmp, (void*)(pt + sz), memSz - sz);

                /* reset internal bio->mem */
-                XFREE(bio->mem, bio->heap, DYNAMIC_TYPE_OPENSSL);
-                bio->mem    = tmp;
-                bio->memLen = memSz-sz;
+                XFREE(bio->ptr, bio->heap, DYNAMIC_TYPE_OPENSSL);
+                bio->ptr    = tmp;
+                bio->num = memSz-sz;
                if (bio->mem_buf != NULL) {
-                    bio->mem_buf->data = (char*)bio->mem;
-                    bio->mem_buf->length = bio->memLen;
+                    bio->mem_buf->data = (char*)bio->ptr;
+                    bio->mem_buf->length = bio->num;
                }
            }
            bio->wrSz  -= sz;
@ -376,16 +376,16 @@ static int wolfSSL_BIO_MEMORY_write(WOLFSSL_BIO* bio, const void* data,
        return sz;
    }

-    if (bio->mem == NULL) {
-        bio->mem = (byte*)XMALLOC(len, bio->heap, DYNAMIC_TYPE_OPENSSL);
-        if (bio->mem == NULL) {
+    if (bio->ptr == NULL) {
+        bio->ptr = (byte*)XMALLOC(len, bio->heap, DYNAMIC_TYPE_OPENSSL);
+        if (bio->ptr == NULL) {
            WOLFSSL_MSG("Error on malloc");
            return WOLFSSL_FAILURE;
        }
-        bio->memLen = len;
+        bio->num = len;
        if (bio->mem_buf != NULL) {
-            bio->mem_buf->data = (char*)bio->mem;
-            bio->mem_buf->length = bio->memLen;
+            bio->mem_buf->data = (char*)bio->ptr;
+            bio->mem_buf->length = bio->num;
        }
    }

@ -393,21 +393,21 @@ static int wolfSSL_BIO_MEMORY_write(WOLFSSL_BIO* bio, const void* data,
    if (wolfSSL_BIO_get_mem_data(bio, (void*)&buf) < 0) {
        return WOLFSSL_BIO_ERROR;
    }
-    if (bio->memLen < sz + len) {
-        bio->mem = (byte*)XREALLOC(bio->mem, sz + len, bio->heap,
+    if (bio->num < sz + len) {
+        bio->ptr = (byte*)XREALLOC(bio->ptr, sz + len, bio->heap,
            DYNAMIC_TYPE_OPENSSL);
-        if (bio->mem == NULL) {
+        if (bio->ptr == NULL) {
            WOLFSSL_MSG("Error on realloc");
            return WOLFSSL_FAILURE;
        }
-        bio->memLen = sz + len;
+        bio->num = sz + len;
        if (bio->mem_buf != NULL) {
-            bio->mem_buf->data = (char*)bio->mem;
-            bio->mem_buf->length = bio->memLen;
+            bio->mem_buf->data = (char*)bio->ptr;
+            bio->mem_buf->length = bio->num;
        }
    }

-    XMEMCPY(bio->mem + sz, data, len);
+    XMEMCPY((byte*)bio->ptr + sz, data, len);
    bio->wrSz += len;

    return len;
@ -543,22 +543,46 @@ int wolfSSL_BIO_write(WOLFSSL_BIO* bio, const void* data, int len)
 }


-/* NOTE: add support for bio->infoCb() when implemented */
-WOLFSSL_API long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *parg)
+/* Wrapper for other BIO type funcions, expected to grow as OpenSSL compatability
+ * layer grows.
+ *
+ * return info. specific to the cmd that is passed in.
+ */
+#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)
+long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *parg)
 {
-    (void)bio;
-    (void)cmd;
-    (void)larg;
-    (void)parg;
+    long ret;
+
+    (void)larg; /* not currently used */
+
+    WOLFSSL_ENTER("wolfSSL_BIO_ctrl");

    if (bio && bio->method && bio->method->custom &&
-            bio->method->custom->ctrlCb) {
+        bio->method->custom->ctrlCb) {
        return bio->method->custom->ctrlCb(bio, cmd, larg, parg);
    }

-    WOLFSSL_STUB("BIO_ctrl");
-    return 0;
+    switch(cmd) {
+        case BIO_CTRL_WPENDING:
+            ret = (long)wolfSSL_BIO_ctrl_pending(bio);
+            break;
+        case BIO_CTRL_INFO:
+            ret = (long)wolfSSL_BIO_get_mem_data(bio, parg);
+            break;
+        case BIO_CTRL_FLUSH:
+            ret = (long)wolfSSL_BIO_flush(bio);
+            break;
+        case BIO_CTRL_RESET:
+            ret = (long)wolfSSL_BIO_reset(bio);
+            break;
+        default:
+            WOLFSSL_MSG("CMD not yet implemented");
+            ret = WOLFSSL_FAILURE;
+            break;
+    }
+    return ret;
 }
+#endif


 /* helper function for wolfSSL_BIO_gets
@ -896,21 +920,21 @@ int wolfSSL_BIO_set_write_buf_size(WOLFSSL_BIO *bio, long size)
        return WOLFSSL_FAILURE;
    }

-    if (bio->mem != NULL) {
-        XFREE(bio->mem, bio->heap, DYNAMIC_TYPE_OPENSSL);
+    if (bio->ptr != NULL) {
+        XFREE(bio->ptr, bio->heap, DYNAMIC_TYPE_OPENSSL);
    }

-    bio->mem = (byte*)XMALLOC(bio->wrSz, bio->heap, DYNAMIC_TYPE_OPENSSL);
-    if (bio->mem == NULL) {
+    bio->ptr = (byte*)XMALLOC(bio->wrSz, bio->heap, DYNAMIC_TYPE_OPENSSL);
+    if (bio->ptr == NULL) {
        WOLFSSL_MSG("Memory allocation error");
        return WOLFSSL_FAILURE;
    }
-    bio->memLen = bio->wrSz;
+    bio->num = bio->wrSz;
    bio->wrIdx = 0;
    bio->rdIdx = 0;
    if (bio->mem_buf != NULL) {
-        bio->mem_buf->data = (char*)bio->mem;
-        bio->mem_buf->length = bio->memLen;
+        bio->mem_buf->data = (char*)bio->ptr;
+        bio->mem_buf->length = bio->num;
    }

    return WOLFSSL_SUCCESS;
@ -938,12 +962,12 @@ int wolfSSL_BIO_make_bio_pair(WOLFSSL_BIO *b1, WOLFSSL_BIO *b2)
    }

    /* set default write size if not already set */
-    if (b1->mem == NULL && wolfSSL_BIO_set_write_buf_size(b1,
+    if (b1->ptr == NULL && wolfSSL_BIO_set_write_buf_size(b1,
                            WOLFSSL_BIO_SIZE) != WOLFSSL_SUCCESS) {
        return WOLFSSL_FAILURE;
    }

-    if (b2->mem == NULL && wolfSSL_BIO_set_write_buf_size(b2,
+    if (b2->ptr == NULL && wolfSSL_BIO_set_write_buf_size(b2,
                            WOLFSSL_BIO_SIZE) != WOLFSSL_SUCCESS) {
        return WOLFSSL_FAILURE;
    }
@ -984,7 +1008,7 @@ int wolfSSL_BIO_nread0(WOLFSSL_BIO *bio, char **buf)
        WOLFSSL_BIO* pair = bio->pair;

        /* case where have wrapped around write buffer */
-        *buf = (char*)pair->mem + pair->rdIdx;
+        *buf = (char*)pair->ptr + pair->rdIdx;
        if (pair->wrIdx > 0 && pair->rdIdx >= pair->wrIdx) {
            return pair->wrSz - pair->rdIdx;
        }
@ -1016,7 +1040,7 @@ int wolfSSL_BIO_nread(WOLFSSL_BIO *bio, char **buf, int num)
    if (bio->pair != NULL) {
        /* special case if asking to read 0 bytes */
        if (num == 0) {
-            *buf = (char*)bio->pair->mem + bio->pair->rdIdx;
+            *buf = (char*)bio->pair->ptr + bio->pair->rdIdx;
            return 0;
        }

@ -1067,7 +1091,7 @@ int wolfSSL_BIO_nwrite(WOLFSSL_BIO *bio, char **buf, int num)

    if (bio->pair != NULL) {
        if (num == 0) {
-            *buf = (char*)bio->mem + bio->wrIdx;
+            *buf = (char*)bio->ptr + bio->wrIdx;
            return 0;
        }

@ -1106,7 +1130,7 @@ int wolfSSL_BIO_nwrite(WOLFSSL_BIO *bio, char **buf, int num)
        if (num < sz) {
            sz = num;
        }
-        *buf = (char*)bio->mem + bio->wrIdx;
+        *buf = (char*)bio->ptr + bio->wrIdx;
        bio->wrIdx += sz;

        /* if at the end of the buffer and space for wrap around then set
@ -1147,12 +1171,12 @@ int wolfSSL_BIO_reset(WOLFSSL_BIO *bio)
            bio->rdIdx = 0;
            bio->wrIdx = 0;
            bio->wrSz  = 0;
-            XFREE(bio->mem, bio->heap, DYNAMIC_TYPE_OPENSSL);
-            bio->mem = NULL;
-            bio->memLen = 0;
+            XFREE(bio->ptr, bio->heap, DYNAMIC_TYPE_OPENSSL);
+            bio->ptr = NULL;
+            bio->num = 0;
            if (bio->mem_buf != NULL) {
-                bio->mem_buf->data = (char*)bio->mem;
-                bio->mem_buf->length = bio->memLen;
+                bio->mem_buf->data = (char*)bio->ptr;
+                bio->mem_buf->length = bio->num;
            }
            return 0;

@ -1177,7 +1201,7 @@ long wolfSSL_BIO_set_fp(WOLFSSL_BIO *bio, XFILE fp, int c)
        return WOLFSSL_FAILURE;
    }

-    bio->close = (byte)c;
+    bio->shutdown = (byte)c;
    bio->file  = fp;

    return WOLFSSL_SUCCESS;
@ -1211,7 +1235,7 @@ int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name)
    }

    if (bio->type == WOLFSSL_BIO_FILE) {
-        if (bio->file != XBADFILE && bio->close == BIO_CLOSE) {
+        if (bio->file != XBADFILE && bio->shutdown == BIO_CLOSE) {
            XFCLOSE(bio->file);
        }

@ -1219,7 +1243,7 @@ int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name)
        if (bio->file == XBADFILE) {
            return WOLFSSL_FAILURE;
        }
-        bio->close = BIO_CLOSE;
+        bio->shutdown = BIO_CLOSE;

        return WOLFSSL_SUCCESS;
    }
@ -1339,11 +1363,11 @@ long wolfSSL_BIO_set_nbio(WOLFSSL_BIO* bio, long on)
        case WOLFSSL_BIO_SOCKET:
        #ifdef XFCNTL
            {
-                int flag = XFCNTL(bio->fd, F_GETFL, 0);
+                int flag = XFCNTL(bio->num, F_GETFL, 0);
                if (on)
-                    XFCNTL(bio->fd, F_SETFL, flag | O_NONBLOCK);
+                    XFCNTL(bio->num, F_SETFL, flag | O_NONBLOCK);
                else
-                    XFCNTL(bio->fd, F_SETFL, flag & ~O_NONBLOCK);
+                    XFCNTL(bio->num, F_SETFL, flag & ~O_NONBLOCK);
            }
        #endif
            break;
--- a/src/internal.c
+++ b/src/internal.c
@ -3406,20 +3406,16 @@ void FreeX509(WOLFSSL_X509* x509)
        if (x509->authInfoCaIssuer != NULL) {
            XFREE(x509->authInfoCaIssuer, x509->heap, DYNAMIC_TYPE_X509_EXT);
        }
-        if (x509->notBeforeTime != NULL) {
-            XFREE(x509->notBeforeTime, x509->heap, DYNAMIC_TYPE_OPENSSL);
-        }
-        if (x509->notAfterTime != NULL) {
-            XFREE(x509->notAfterTime, x509->heap, DYNAMIC_TYPE_OPENSSL);
-        }
        if (x509->ext_sk != NULL) {
            wolfSSL_sk_X509_EXTENSION_free(x509->ext_sk);
        }
+        #endif /* OPENSSL_ALL || WOLFSSL_QT */
+        #ifdef OPENSSL_EXTRA
        /* Free serialNumber that was set by wolfSSL_X509_get_serialNumber */
        if (x509->serialNumber != NULL) {
            wolfSSL_ASN1_INTEGER_free(x509->serialNumber);
        }
-        #endif /* OPENSSL_ALL || WOLFSSL_QT */
+        #endif
        if (x509->extKeyUsageSrc != NULL) {
            XFREE(x509->extKeyUsageSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
            x509->extKeyUsageSrc= NULL;
@ -4679,22 +4675,22 @@ int wolfSSL_IsPrivatePkSet(WOLFSSL* ssl)
 {
    int pkcbset = 0;
    (void)ssl;
-    
+
 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || !defined(NO_RSA)
    if (0
    #ifdef HAVE_ECC
-        || (ssl->ctx->EccSignCb != NULL && 
+        || (ssl->ctx->EccSignCb != NULL &&
                                        ssl->buffers.keyType == ecc_dsa_sa_algo)
    #endif
    #ifdef HAVE_ED25519
-        || (ssl->ctx->Ed25519SignCb != NULL && 
+        || (ssl->ctx->Ed25519SignCb != NULL &&
                                        ssl->buffers.keyType == ed25519_sa_algo)
    #endif
    #ifndef NO_RSA
        || (ssl->ctx->RsaSignCb != NULL && ssl->buffers.keyType == rsa_sa_algo)
        || (ssl->ctx->RsaDecCb != NULL && ssl->buffers.keyType == rsa_kea)
        #ifdef WC_RSA_PSS
-        || (ssl->ctx->RsaPssSignCb != NULL && 
+        || (ssl->ctx->RsaPssSignCb != NULL &&
                                        ssl->buffers.keyType == rsa_pss_sa_algo)
        #endif
    #endif
@ -8905,17 +8901,20 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
    }
 #endif /* WOLFSSL_SEP */
    {
-        int minSz = min(dCert->beforeDateLen, MAX_DATE_SZ);
-        if (minSz > 0) {
+        int minSz;
+        if (dCert->beforeDateLen > 0) {
+            minSz = min(dCert->beforeDate[1], MAX_DATE_SZ);
+            x509->notBefore.type = dCert->beforeDate[0];
            x509->notBefore.length = minSz;
-            XMEMCPY(x509->notBefore.data, dCert->beforeDate, minSz);
+            XMEMCPY(x509->notBefore.data, &dCert->beforeDate[2], minSz);
        }
        else
            x509->notBefore.length = 0;
-        minSz = min(dCert->afterDateLen, MAX_DATE_SZ);
-        if (minSz > 0) {
+        if (dCert->afterDateLen > 0) {
+            minSz = min(dCert->beforeDate[1], MAX_DATE_SZ);
+            x509->notAfter.type = dCert->beforeDate[0];
            x509->notAfter.length = minSz;
-            XMEMCPY(x509->notAfter.data, dCert->afterDate, minSz);
+            XMEMCPY(x509->notAfter.data, &dCert->afterDate[2], minSz);
        }
        else
            x509->notAfter.length = 0;
@ -10533,9 +10532,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                                args->lastErr = MEMORY_E;
                                goto exit_ppc;
                            }
-                            
+
                            XMEMCPY(ssl->peerTsipEncRsaKeyIndex,
-                                        args->dCert->tsip_encRsaKeyIdx, 
+                                        args->dCert->tsip_encRsaKeyIdx,
                                        TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY);
                         }
                    #endif
@ -21108,8 +21107,8 @@ int SendClientKeyExchange(WOLFSSL* ssl)
                    #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
                       !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
                    if (tsip_useable(ssl)) {
-                        ret = tsip_generatePremasterSecret( 
-                        &ssl->arrays->preMasterSecret[VERSION_SZ], 
+                        ret = tsip_generatePremasterSecret(
+                        &ssl->arrays->preMasterSecret[VERSION_SZ],
                        ENCRYPT_LEN - VERSION_SZ);
                    } else {
                    #endif
@ -21128,7 +21127,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
                        ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;

                    ssl->arrays->preMasterSz = SECRET_LEN;
-                   
+
                    break;
                }
            #endif /* !NO_RSA */
@ -21452,13 +21451,13 @@ int SendClientKeyExchange(WOLFSSL* ssl)
                {
                    #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
                       !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-                    if (tsip_useable(ssl) && 
+                    if (tsip_useable(ssl) &&
                                     wc_RsaEncryptSize(ssl->peerRsaKey) == 256) {
                        ret = tsip_generateEncryptPreMasterSecret(ssl,
                                                            args->encSecret,
                                                            &args->encSz);
-                        
-                    } else 
+
+                    } else
                    #endif
                        ret = RsaEnc(ssl,
                            ssl->arrays->preMasterSecret, SECRET_LEN,
--- a/src/ssl.c
+++ b/src/ssl.c
--- a/tests/api.c
+++ b/tests/api.c
@ -18869,8 +18869,8 @@ static void test_wolfSSL_ASN1_TIME_print(void)
    /* create a bad time and test results */
    AssertNotNull(t = X509_get_notAfter(x509));
    AssertIntEQ(ASN1_TIME_check(t), WOLFSSL_SUCCESS);
-    t->data[10] = 0;
-    t->data[5]  = 0;
+    t->data[8] = 0;
+    t->data[3]  = 0;
    AssertIntNE(ASN1_TIME_print(bio, t), 1);
    AssertIntEQ(BIO_read(bio, buf, sizeof(buf)), 14);
    AssertIntEQ(XMEMCMP(buf, "Bad time value", 14), 0);
@ -18891,8 +18891,6 @@ static void test_wolfSSL_ASN1_UTCTIME_print(void)
    unsigned char buf[25];
    const char* validDate   = "190424111501Z"; /* UTC = YYMMDDHHMMSSZ */
    const char* invalidDate = "190424111501X"; /* UTC = YYMMDDHHMMSSZ */
-    byte* ptr1;
-    byte* ptr2;

    printf(testingFmt, "ASN1_UTCTIME_print()");

@ -18905,10 +18903,9 @@ static void test_wolfSSL_ASN1_UTCTIME_print(void)
    AssertNotNull(bio = BIO_new(BIO_s_mem()));
    AssertNotNull(utc = (ASN1_UTCTIME*)XMALLOC(sizeof(ASN1_UTCTIME), NULL,
                                                           DYNAMIC_TYPE_ASN1));
-    ptr1 = utc->data;
-    *ptr1 = (byte)ASN_UTC_TIME; ptr1++;
-    *ptr1 = (byte)ASN_UTC_TIME_SIZE; ptr1++;
-    XMEMCPY(ptr1, (byte*)validDate, ASN_UTC_TIME_SIZE);
+    utc->type = ASN_UTC_TIME;
+    utc->length = ASN_UTC_TIME_SIZE;
+    XMEMCPY(utc->data, (byte*)validDate, ASN_UTC_TIME_SIZE);
    AssertIntEQ(ASN1_UTCTIME_print(bio, utc), 1);
    AssertIntEQ(BIO_read(bio, buf, sizeof(buf)), 24);
    AssertIntEQ(XMEMCMP(buf, "Apr 24 11:15:01 2019 GMT", sizeof(buf)-1), 0);
@ -18918,10 +18915,9 @@ static void test_wolfSSL_ASN1_UTCTIME_print(void)

    /* Invalid format */
    AssertNotNull(bio = BIO_new(BIO_s_mem()));
-    ptr2 = utc->data;
-    *ptr2 = (byte)ASN_UTC_TIME; ptr2++;
-    *ptr2 = (byte)ASN_UTC_TIME_SIZE; ptr2++;
-    XMEMCPY(ptr2, (byte*)invalidDate, ASN_UTC_TIME_SIZE);
+    utc->type = ASN_UTC_TIME;
+    utc->length = ASN_UTC_TIME_SIZE;
+    XMEMCPY(utc->data, (byte*)invalidDate, ASN_UTC_TIME_SIZE);
    AssertIntEQ(ASN1_UTCTIME_print(bio, utc), 0);
    AssertIntEQ(BIO_read(bio, buf, sizeof(buf)), 14);
    AssertIntEQ(XMEMCMP(buf, "Bad time value", 14), 0);
@ -21291,6 +21287,10 @@ static void test_wolfSSL_BIO(void)
    AssertIntEQ((int)BIO_ctrl_pending(bio1), 8);
    AssertIntEQ((int)BIO_ctrl_pending(bio2), 20);

+    /* try read using ctrl function */
+    AssertIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_WPENDING, 0, NULL), 8);
+    AssertIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_WPENDING, 0, NULL), 20);
+
    AssertIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20);
    for (i = 0; i < 20; i++) {
        AssertIntEQ((int)bufPt[i], i);
@ -21531,7 +21531,7 @@ static void test_wolfSSL_ASN1_TIME_adj(void)
    WOLFSSL_ASN1_TIME *asn_time, *s;
    int offset_day;
    long offset_sec;
-    char date_str[20];
+    char date_str[CTC_DATE_SIZE];
    time_t t;

    printf(testingFmt, "wolfSSL_ASN1_TIME_adj()");
@ -21545,18 +21545,18 @@ static void test_wolfSSL_ASN1_TIME_adj(void)
    offset_sec = 45 * mini;
    /* offset_sec = -45 * min;*/
    asn_time = wolfSSL_ASN1_TIME_adj(s, t, offset_day, offset_sec);
-    AssertTrue(asn_time->data[0] == asn_utc_time);
-    XSTRNCPY(date_str,(const char*) &asn_time->data+2,13);
+    AssertTrue(asn_time->type == asn_utc_time);
+    XSTRNCPY(date_str, (const char*)&asn_time->data, sizeof(date_str));
    AssertIntEQ(0, XMEMCMP(date_str, "000222211500Z", 13));

    /* negative offset */
    offset_sec = -45 * mini;
    asn_time = wolfSSL_ASN1_TIME_adj(s, t, offset_day, offset_sec);
-    AssertTrue(asn_time->data[0] == asn_utc_time);
-    XSTRNCPY(date_str,(const char*) &asn_time->data+2,13);
+    AssertTrue(asn_time->type == asn_utc_time);
+    XSTRNCPY(date_str, (const char*)&asn_time->data, sizeof(date_str));
    AssertIntEQ(0, XMEMCMP(date_str, "000222194500Z", 13));

-    XFREE(s,NULL,DYNAMIC_TYPE_OPENSSL);
+    XFREE(s, NULL, DYNAMIC_TYPE_OPENSSL);
    XMEMSET(date_str, 0, sizeof(date_str));

    /* Generalized time will overflow time_t if not long */
@ -21569,11 +21569,11 @@ static void test_wolfSSL_ASN1_TIME_adj(void)
        offset_day = 12;
        offset_sec = 10 * mini;
    asn_time = wolfSSL_ASN1_TIME_adj(s, t, offset_day, offset_sec);
-    AssertTrue(asn_time->data[0] == asn_gen_time);
-    XSTRNCPY(date_str,(const char*) &asn_time->data+2, 15);
+    AssertTrue(asn_time->type == asn_gen_time);
+    XSTRNCPY(date_str, (const char*)&asn_time->data, sizeof(date_str));
    AssertIntEQ(0, XMEMCMP(date_str, "20550313091000Z", 15));

-    XFREE(s,NULL,DYNAMIC_TYPE_OPENSSL);
+    XFREE(s, NULL, DYNAMIC_TYPE_OPENSSL);
    XMEMSET(date_str, 0, sizeof(date_str));
 #endif /* !TIME_T_NOT_64BIT && !NO_64BIT */

@ -21584,16 +21584,16 @@ static void test_wolfSSL_ASN1_TIME_adj(void)
    offset_day = 7;
    offset_sec = 45 * mini;
    asn_time = wolfSSL_ASN1_TIME_adj(s, t, offset_day, offset_sec);
-    AssertTrue(asn_time->data[0] == asn_utc_time);
-    XSTRNCPY(date_str,(const char*) &asn_time->data+2,13);
+    AssertTrue(asn_time->type == asn_utc_time);
+    XSTRNCPY(date_str, (const char*)&asn_time->data, sizeof(date_str));
    AssertIntEQ(0, XMEMCMP(date_str, "000222211515Z", 13));
-    XFREE(asn_time,NULL,DYNAMIC_TYPE_OPENSSL);
+    XFREE(asn_time, NULL, DYNAMIC_TYPE_OPENSSL);

    asn_time = wolfSSL_ASN1_TIME_adj(NULL, t, offset_day, offset_sec);
-    AssertTrue(asn_time->data[0] == asn_utc_time);
-    XSTRNCPY(date_str,(const char*) &asn_time->data+2,13);
+    AssertTrue(asn_time->type == asn_utc_time);
+    XSTRNCPY(date_str, (const char*)&asn_time->data, sizeof(date_str));
    AssertIntEQ(0, XMEMCMP(date_str, "000222211515Z", 13));
-    XFREE(asn_time,NULL,DYNAMIC_TYPE_OPENSSL);
+    XFREE(asn_time, NULL, DYNAMIC_TYPE_OPENSSL);

    printf(resultFmt, passed);
 #endif
@ -21604,21 +21604,45 @@ static void test_wolfSSL_X509_cmp_time(void)
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_ASN1_TIME) \
 && !defined(USER_TIME) && !defined(TIME_OVERRIDES)
-
-    printf(testingFmt, "wolfSSL_X509_cmp_time()");
-
    WOLFSSL_ASN1_TIME asn_time;
    time_t t;

+    printf(testingFmt, "wolfSSL_X509_cmp_time()");
+
    AssertIntEQ(0, wolfSSL_X509_cmp_time(NULL, &t));
    XMEMSET(&asn_time, 0, sizeof(WOLFSSL_ASN1_TIME));
    AssertIntEQ(0, wolfSSL_X509_cmp_time(&asn_time, &t));

-    asn_time.data[0] = ASN_UTC_TIME;
-    asn_time.data[1] = ASN_UTC_TIME_SIZE;
-    XMEMCPY(&asn_time.data[2], "000222211515Z", 13);
+    asn_time.type = ASN_UTC_TIME;
+    asn_time.length = ASN_UTC_TIME_SIZE;
+    XMEMCPY(&asn_time.data, "000222211515Z", 13);
    AssertIntEQ(-1, wolfSSL_X509_cmp_time(&asn_time, NULL));

+    printf(resultFmt, passed);
+#endif
+}
+
+static void test_wolfSSL_X509_time_adj(void)
+{
+#if defined(OPENSSL_EXTRA) && !defined(NO_ASN1_TIME) && \
+    !defined(USER_TIME) && !defined(TIME_OVERRIDES) && \
+    defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA)
+    X509*  x509;
+    time_t t, not_before, not_after;
+
+    printf(testingFmt, "wolfSSL_X509_time_adj()");
+
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_buffer(
+        client_cert_der_2048, sizeof_client_cert_der_2048,
+        WOLFSSL_FILETYPE_ASN1));
+
+    t = 0;
+    not_before = XTIME(0);
+    not_after = XTIME(0) + (60 * 24 * 30); /* 30 days after */
+    AssertNotNull(X509_time_adj(X509_get_notBefore(x509), not_before, &t));
+    AssertNotNull(X509_time_adj(X509_get_notAfter(x509), not_after, &t));
+
+    X509_free(x509);

    printf(resultFmt, passed);
 #endif
@ -21695,8 +21719,10 @@ static void test_wolfSSL_X509(void)
 static void test_wolfSSL_X509_get_ext_count(void)
 {
 #if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM)
+    int ret = 0;
    WOLFSSL_X509* x509;
    const char ocspRootCaFile[] = "./certs/ocsp/root-ca-cert.pem";
+    FILE* f;

    printf(testingFmt, "wolfSSL_X509_get_ext_count()");

@ -21713,14 +21739,29 @@ static void test_wolfSSL_X509_get_ext_count(void)
    AssertIntEQ(X509_get_ext_count(x509), 5);
    wolfSSL_X509_free(x509);

+    AssertNotNull(f = fopen("./certs/server-cert.pem", "rb"));
+    AssertNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL));
+    fclose(f);
+
+    printf(testingFmt, "wolfSSL_X509_get_ext_count() valid input");
+    AssertIntEQ((ret = wolfSSL_X509_get_ext_count(x509)), 3);
+    printf(resultFmt, ret == 3 ? passed : failed);
+
+    printf(testingFmt, "wolfSSL_X509_get_ext_count() NULL argument");
+    AssertIntEQ((ret = wolfSSL_X509_get_ext_count(NULL)), WOLFSSL_FAILURE);
+    printf(resultFmt, ret == WOLFSSL_FAILURE ? passed : failed);
+
+    wolfSSL_X509_free(x509);
+
    printf(resultFmt, passed);
 #endif
 }

 static void test_wolfSSL_X509_sign(void)
 {
-#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && \
-    !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ)
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ)
+    int ret;
    X509_NAME *name;
    X509 *x509;
    EVP_PKEY *pub;
@ -21737,32 +21778,40 @@ static void test_wolfSSL_X509_sign(void)
    long clientPubKeySz = (long)sizeof_client_keypub_der_2048;
 #endif

-    printf(testingFmt, "wolfSSL_X509_sign");
+    printf(testingFmt, "wolfSSL_X509_sign\n");

    /* Set X509_NAME fields */
    AssertNotNull(name = X509_NAME_new());
    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "country", MBSTRING_UTF8,
-                                       (byte*)"US", 2, -1, 0), WOLFSSL_SUCCESS);
+                                       (byte*)"US", 2, -1, 0), SSL_SUCCESS);
    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
-                             (byte*)"wolfssl.com", 11, -1, 0), WOLFSSL_SUCCESS);
+                             (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
-                     (byte*)"support@wolfssl.com", 19, -1, 0), WOLFSSL_SUCCESS);
+                     (byte*)"support@wolfssl.com", 19, -1, 0), SSL_SUCCESS);

    /* Get private and public keys */
    AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &rsaPriv,
                                                                  clientKeySz));
    AssertNotNull(pub = wolfSSL_d2i_PUBKEY(NULL, &rsaPub, clientPubKeySz));
    AssertNotNull(x509 = X509_new());
-
+    /* Set version 3 */
+    AssertIntNE(X509_set_version(x509, 2L), 0);
    /* Set subject name, add pubkey, and sign certificate */
-    AssertIntEQ(X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
-    AssertIntEQ(X509_set_pubkey(x509, pub), WOLFSSL_SUCCESS);
+    AssertIntEQ(X509_set_subject_name(x509, name), SSL_SUCCESS);
+    AssertIntEQ(X509_set_pubkey(x509, pub), SSL_SUCCESS);
    /* Test invalid parameters */
    AssertIntEQ(X509_sign(NULL, priv, EVP_sha256()), 0);
    AssertIntEQ(X509_sign(x509, NULL, EVP_sha256()), 0);
    AssertIntEQ(X509_sign(x509, priv, NULL), 0);
-    /* Valid case - size should be 798 */
-    AssertIntEQ(X509_sign(x509, priv, EVP_sha256()), 798);
+
+    ret = X509_sign(x509, priv, EVP_sha256());
+
+    /* Valid case - size should be 768 */
+#ifdef USE_CERT_BUFFERS_1024
+    AssertIntEQ(ret, 768);
+#else
+    AssertIntEQ(ret, 798);
+#endif

    X509_NAME_free(name);
    EVP_PKEY_free(priv);
@ -22582,6 +22631,8 @@ static void test_wolfSSL_X509_NAME_ENTRY(void)
 #endif

    AssertNotNull(nm = X509_get_subject_name(x509));
+
+    /* Test add entry */
    AssertNotNull(entry = X509_NAME_ENTRY_create_by_NID(NULL, NID_commonName,
                0x0c, cn, (int)sizeof(cn)));
    AssertIntEQ(X509_NAME_add_entry(nm, entry, -1, 0), SSL_SUCCESS);
@ -22591,8 +22642,13 @@ static void test_wolfSSL_X509_NAME_ENTRY(void)
                                           1), WOLFSSL_SUCCESS);

    X509_NAME_ENTRY_free(entry);
+
+    /* Test add entry by NID */
+    AssertIntEQ(X509_NAME_add_entry_by_NID(nm, NID_commonName, MBSTRING_UTF8,
+                                       cn, -1, -1, 0), WOLFSSL_SUCCESS);
+
    BIO_free(bio);
-    X509_free(x509);
+    X509_free(x509); /* free's nm */

    printf(resultFmt, passed);
    #endif
@ -22729,7 +22785,7 @@ static void test_wolfSSL_X509_set_notBefore(void)
    /* ANS1_TIME_check validates by checking if arguement can be parsed */
    AssertIntEQ(ASN1_TIME_check(time_check), WOLFSSL_SUCCESS);
    /* Convert to human readable format and compare to intended date */
-    AssertIntEQ(ASN1_TIME_print(bio,time_check), 1);
+    AssertIntEQ(ASN1_TIME_print(bio, time_check), 1);
    AssertIntEQ(BIO_read(bio, buf, sizeof(buf)), 24);
    AssertIntEQ(XMEMCMP(buf, "May  8 20:30:00 2019 GMT", sizeof(buf) - 1), 0);
    /*
@ -24021,8 +24077,7 @@ static void test_wolfSSL_SHA256(void)

 static void test_wolfSSL_X509_get_serialNumber(void)
 {
-#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
-    !defined(NO_RSA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA)
    ASN1_INTEGER* a;
    BIGNUM* bn;
    X509*   x509;
@ -24033,11 +24088,12 @@ static void test_wolfSSL_X509_get_serialNumber(void)
    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile,
                                                      SSL_FILETYPE_PEM));
    AssertNotNull(a = X509_get_serialNumber(x509));
-    X509_free(x509);

    /* check on value of ASN1 Integer */
    AssertNotNull(bn = ASN1_INTEGER_to_BN(a, NULL));

+    X509_free(x509); /* free's a */
+
    AssertNotNull(serialHex = BN_bn2hex(bn));
    AssertStrEQ(serialHex, "1");
    OPENSSL_free(serialHex);
@ -24045,7 +24101,6 @@ static void test_wolfSSL_X509_get_serialNumber(void)
    AssertIntEQ(BN_get_word(bn), 1);

    BN_free(bn);
-    ASN1_INTEGER_free(a);

    /* hard test free'ing with dynamic buffer to make sure there is no leaks */
    a = ASN1_INTEGER_new();
@ -24167,49 +24222,49 @@ static void test_wolfSSL_ASN1_TIME_to_generalizedtime(void){
    XMEMSET(t->data, 0, ASN_GENERALIZED_TIME_SIZE);
    AssertNotNull(out = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME),
                NULL, DYNAMIC_TYPE_TMP_BUFFER));
-    t->data[0] = ASN_UTC_TIME;
-    t->data[1] = ASN_UTC_TIME_SIZE;
-    XMEMCPY(t->data + 2,"050727123456Z",ASN_UTC_TIME_SIZE);
+    t->type = ASN_UTC_TIME;
+    t->length = ASN_UTC_TIME_SIZE;
+    XMEMCPY(t->data, "050727123456Z", ASN_UTC_TIME_SIZE);

    tlen = wolfSSL_ASN1_TIME_get_length(t);
    AssertIntEQ(tlen, ASN_UTC_TIME_SIZE);
    data = wolfSSL_ASN1_TIME_get_data(t);
    AssertStrEQ((char*)data, "050727123456Z");
    gtime = wolfSSL_ASN1_TIME_to_generalizedtime(t, &out);
-    AssertIntEQ(gtime->data[0], ASN_GENERALIZED_TIME);
-    AssertIntEQ(gtime->data[1], ASN_GENERALIZED_TIME_SIZE);
-    AssertStrEQ((char*)gtime->data + 2, "20050727123456Z");
+    AssertIntEQ(gtime->type, ASN_GENERALIZED_TIME);
+    AssertIntEQ(gtime->length, ASN_GENERALIZED_TIME_SIZE);
+    AssertStrEQ((char*)gtime->data, "20050727123456Z");

    /* Generalized Time test */
    XMEMSET(t, 0, ASN_GENERALIZED_TIME_SIZE);
    XMEMSET(out, 0, ASN_GENERALIZED_TIME_SIZE);
    XMEMSET(data, 0, ASN_GENERALIZED_TIME_SIZE);
    gtime = NULL;
-    t->data[0] = ASN_GENERALIZED_TIME;
-    t->data[1] = ASN_GENERALIZED_TIME_SIZE;
-    XMEMCPY(t->data + 2,"20050727123456Z",ASN_GENERALIZED_TIME_SIZE);
+    t->type = ASN_GENERALIZED_TIME;
+    t->length = ASN_GENERALIZED_TIME_SIZE;
+    XMEMCPY(t->data, "20050727123456Z", ASN_GENERALIZED_TIME_SIZE);

    tlen = wolfSSL_ASN1_TIME_get_length(t);
    AssertIntEQ(tlen, ASN_GENERALIZED_TIME_SIZE);
    data = wolfSSL_ASN1_TIME_get_data(t);
    AssertStrEQ((char*)data, "20050727123456Z");
    gtime = wolfSSL_ASN1_TIME_to_generalizedtime(t, &out);
-    AssertIntEQ(gtime->data[0], ASN_GENERALIZED_TIME);
-    AssertIntEQ(gtime->data[1], ASN_GENERALIZED_TIME_SIZE);
-    AssertStrEQ((char*)gtime->data + 2, "20050727123456Z");
+    AssertIntEQ(gtime->type, ASN_GENERALIZED_TIME);
+    AssertIntEQ(gtime->length, ASN_GENERALIZED_TIME_SIZE);
+    AssertStrEQ((char*)gtime->data, "20050727123456Z");
    XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER);

    /* Null parameter test */
    XMEMSET(t, 0, ASN_GENERALIZED_TIME_SIZE);
    gtime = NULL;
    out = NULL;
-    t->data[0] = ASN_UTC_TIME;
-    t->data[1] = ASN_UTC_TIME_SIZE;
-    XMEMCPY(t->data + 2,"050727123456Z",ASN_UTC_TIME_SIZE);
+    t->type = ASN_UTC_TIME;
+    t->length = ASN_UTC_TIME_SIZE;
+    XMEMCPY(t->data, "050727123456Z", ASN_UTC_TIME_SIZE);
    AssertNotNull(gtime = wolfSSL_ASN1_TIME_to_generalizedtime(t, NULL));
-    AssertIntEQ(gtime->data[0], ASN_GENERALIZED_TIME);
-    AssertIntEQ(gtime->data[1], ASN_GENERALIZED_TIME_SIZE);
-    AssertStrEQ((char*)gtime->data + 2, "20050727123456Z");
+    AssertIntEQ(gtime->type, ASN_GENERALIZED_TIME);
+    AssertIntEQ(gtime->length, ASN_GENERALIZED_TIME_SIZE);
+    AssertStrEQ((char*)gtime->data, "20050727123456Z");

    XFREE(gtime, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    XFREE(t, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -25144,9 +25199,8 @@ static void test_wolfSSL_OCSP_get0_info()
    AssertIntEQ(x509Int->dataMax, serial->dataMax);
    AssertIntEQ(XMEMCMP(x509Int->data, serial->data, serial->dataMax), 0);

-    ASN1_INTEGER_free(x509Int);
    OCSP_CERTID_free(id);
-    X509_free(cert);
+    X509_free(cert); /* free's x509Int */
    X509_free(issuer);

    printf(resultFmt, "passed");
@ -25622,7 +25676,8 @@ static void test_wc_ecc_get_curve_id_from_params(void)
 }
 static void test_wolfSSL_EVP_PKEY_encrypt(void)
 {
-#if defined(OPENSSL_ALL) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \
+    !defined(HAVE_FAST_RSA)
    WOLFSSL_RSA* rsa = NULL;
    WOLFSSL_EVP_PKEY* pkey = NULL;
    WOLFSSL_EVP_PKEY_CTX* ctx = NULL;
@ -25697,7 +25752,8 @@ static void test_wolfSSL_EVP_PKEY_encrypt(void)
 }
 static void test_wolfSSL_EVP_PKEY_sign(void)
 {
-#if defined(OPENSSL_ALL) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \
+    !defined(HAVE_FAST_RSA)
    WOLFSSL_RSA* rsa = NULL;
    WOLFSSL_EVP_PKEY* pkey = NULL;
    WOLFSSL_EVP_PKEY_CTX* ctx = NULL;
@ -25744,7 +25800,7 @@ static void test_wolfSSL_EVP_PKEY_sign(void)
    AssertIntEQ(RSA_public_decrypt((int)siglen, sig, sigVerify,
                             rsa, RSA_PKCS1_PSS_PADDING), SHA256_DIGEST_LENGTH);
 #else
-    AssertIntEQ(RSA_public_decrypt(siglen, sig, sigVerify,
+    AssertIntEQ(RSA_public_decrypt((int)siglen, sig, sigVerify,
                             rsa, RSA_PKCS1_PADDING), SHA256_DIGEST_LENGTH);
 #endif

@ -25770,7 +25826,7 @@ static void test_wolfSSL_EVP_PKEY_sign(void)

 static void test_EVP_PKEY_rsa(void)
 {
-#if defined(OPENSSL_ALL) && !defined(NO_RSA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
    WOLFSSL_RSA* rsa;
    WOLFSSL_EVP_PKEY* pkey;

@ -25787,7 +25843,7 @@ static void test_EVP_PKEY_rsa(void)

 static void test_EVP_PKEY_ec(void)
 {
-#if defined(OPENSSL_ALL) && defined(HAVE_ECC)
+#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
    WOLFSSL_EC_KEY* ecKey;
    WOLFSSL_EVP_PKEY* pkey;

@ -25802,6 +25858,75 @@ static void test_EVP_PKEY_ec(void)
 #endif
 }

+static void test_EVP_PKEY_cmp(void)
+{
+#if defined(OPENSSL_EXTRA)
+    EVP_PKEY *a, *b;
+    const unsigned char *in;
+
+#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048)
+    in = client_key_der_2048;
+    AssertNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
+        &in, (long)sizeof_client_key_der_2048));
+    in = client_key_der_2048;
+    AssertNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
+        &in, (long)sizeof_client_key_der_2048));
+
+    /* Test success case RSA */
+    AssertIntEQ(EVP_PKEY_cmp(a, b), 0);
+
+    EVP_PKEY_free(b);
+    EVP_PKEY_free(a);
+#endif
+
+#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)
+    in = ecc_clikey_der_256;
+    AssertNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL,
+        &in, (long)sizeof_ecc_clikey_der_256));
+    in = ecc_clikey_der_256;
+    AssertNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL,
+        &in, (long)sizeof_ecc_clikey_der_256));
+
+    /* Test success case ECC */
+    AssertIntEQ(EVP_PKEY_cmp(a, b), 0);
+
+    EVP_PKEY_free(b);
+    EVP_PKEY_free(a);
+#endif
+
+    /* Test failure cases */
+#if !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) && \
+     defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)
+
+    in = client_key_der_2048;
+    AssertNotNull(a = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
+        &in, (long)sizeof_client_key_der_2048));
+    in = ecc_clikey_der_256;
+    AssertNotNull(b = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL,
+        &in, (long)sizeof_ecc_clikey_der_256));
+
+    AssertIntNE(EVP_PKEY_cmp(a, b), 0);
+
+    EVP_PKEY_free(b);
+    EVP_PKEY_free(a);
+#endif
+
+    /* invalid or empty failure cases */
+    a = EVP_PKEY_new();
+    b = EVP_PKEY_new();
+    AssertIntNE(EVP_PKEY_cmp(NULL, NULL), 0);
+    AssertIntNE(EVP_PKEY_cmp(a, NULL), 0);
+    AssertIntNE(EVP_PKEY_cmp(NULL, b), 0);
+    AssertIntNE(EVP_PKEY_cmp(a, b), 0);
+    EVP_PKEY_free(b);
+    EVP_PKEY_free(a);
+
+    (void)in;
+
+    printf(resultFmt, passed);
+#endif
+}
+
 static void test_ERR_load_crypto_strings(void)
 {
 #if defined(OPENSSL_ALL)
@ -27448,17 +27573,26 @@ static void test_wolfSSL_X509_print()
    BIO *bio;

    printf(testingFmt, "wolfSSL_X509_print");
-    x509 = wolfSSL_X509_load_certificate_file(svrCertFile, WOLFSSL_FILETYPE_PEM);
+    x509 = X509_load_certificate_file(svrCertFile, WOLFSSL_FILETYPE_PEM);
    AssertNotNull(x509);

-    AssertNotNull(bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()));
-    AssertIntEQ(X509_print(bio, x509),SSL_SUCCESS);
-
+    /* print to memory */
+    AssertNotNull(bio = BIO_new(BIO_s_mem()));
+    AssertIntEQ(X509_print(bio, x509), SSL_SUCCESS);
+    AssertIntEQ(BIO_get_mem_data(bio, NULL), 3212);
    BIO_free(bio);
+
+    /* print to stdout */
+    AssertNotNull(bio = BIO_new(BIO_s_file()));
+    wolfSSL_BIO_set_fp(bio, stdout, BIO_NOCLOSE);
+    AssertIntEQ(X509_print(bio, x509), SSL_SUCCESS);
+    BIO_free(bio);
+
    X509_free(x509);
    printf(resultFmt, passed);
 #endif
 }
+
 static void test_wolfSSL_RSA_print()
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && \
@ -27597,6 +27731,121 @@ static void test_wolfSSL_RSA_verify()
 #endif
 }

+
+#if defined(OPENSSL_EXTRA) && (defined(HAVE_ECC) || !defined(NO_RSA)) && \
+    !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ)
+static void test_openssl_make_self_signed_certificate(EVP_PKEY* pkey)
+{
+    X509* x509 = NULL;
+    BIGNUM* serial_number = NULL;
+    X509_NAME* name = NULL;
+    time_t epoch_off = 0;
+    ASN1_INTEGER* asn1_serial_number;
+    long not_before, not_after;
+
+    AssertNotNull(x509 = X509_new());
+
+    AssertIntNE(X509_set_pubkey(x509, pkey), 0);
+
+    AssertNotNull(serial_number = BN_new());
+    AssertIntNE(BN_pseudo_rand(serial_number, 64, 0, 0), 0);
+    AssertNotNull(asn1_serial_number = X509_get_serialNumber(x509));
+    AssertNotNull(BN_to_ASN1_INTEGER(serial_number, asn1_serial_number));
+
+    /* version 3 */
+    AssertIntNE(X509_set_version(x509, 2L), 0);
+
+    AssertNotNull(name = X509_NAME_new());
+
+    AssertIntNE(X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_UTF8,
+        (unsigned char*)"www.wolfssl.com", -1, -1, 0), 0);
+
+    AssertIntNE(X509_set_subject_name(x509, name), 0);
+    AssertIntNE(X509_set_issuer_name(x509, name), 0);
+
+    not_before = (long)XTIME(NULL);
+    not_after = not_before + (365 * 24 * 60 * 60);
+    AssertNotNull(X509_time_adj(X509_get_notBefore(x509), not_before, &epoch_off));
+    AssertNotNull(X509_time_adj(X509_get_notAfter(x509), not_after, &epoch_off));
+
+    AssertIntNE(X509_sign(x509, pkey, EVP_sha256()), 0);
+
+    BN_free(serial_number);
+    X509_NAME_free(name);
+    X509_free(x509);
+}
+#endif
+
+static void test_openssl_generate_key_and_cert(void)
+{
+#if defined(OPENSSL_EXTRA)
+#if !defined(NO_RSA)
+    {
+        EVP_PKEY* pkey = EVP_PKEY_new();
+        int key_length = 2048;
+        BIGNUM* exponent = BN_new();
+        RSA* rsa = RSA_new();
+
+        AssertNotNull(pkey);
+        AssertNotNull(exponent);
+        AssertNotNull(rsa);
+
+        AssertIntNE(BN_set_word(exponent, WC_RSA_EXPONENT), 0);
+    #ifndef WOLFSSL_KEY_GEN
+        AssertIntEQ(RSA_generate_key_ex(rsa, key_length, exponent, NULL), WOLFSSL_FAILURE);
+
+        #if defined(USE_CERT_BUFFERS_1024)
+        AssertIntNE(wolfSSL_RSA_LoadDer_ex(rsa, server_key_der_1024,
+            sizeof_server_key_der_1024, WOLFSSL_RSA_LOAD_PRIVATE), 0);
+        key_length = 1024;
+        #elif defined(USE_CERT_BUFFERS_2048)
+        AssertIntNE(wolfSSL_RSA_LoadDer_ex(rsa, server_key_der_2048,
+            sizeof_server_key_der_2048, WOLFSSL_RSA_LOAD_PRIVATE), 0);
+        #else
+        RSA_free(rsa);
+        rsa = NULL;
+        #endif
+    #else
+        AssertIntNE(RSA_generate_key_ex(rsa, key_length, exponent, NULL), 0);
+    #endif
+
+        if (rsa) {
+            AssertIntNE(EVP_PKEY_assign_RSA(pkey, rsa), 0);
+
+            BN_free(exponent);
+
+        #if !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ)
+            test_openssl_make_self_signed_certificate(pkey);
+        #endif
+        }
+
+        EVP_PKEY_free(pkey);
+    }
+#endif /* !NO_RSA */
+
+#ifdef HAVE_ECC
+    {
+        EVP_PKEY* pkey = EVP_PKEY_new();
+        EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+
+        AssertNotNull(pkey);
+        AssertNotNull(ec_key);
+
+        EC_KEY_set_asn1_flag(ec_key, OPENSSL_EC_NAMED_CURVE);
+
+        AssertIntNE(EC_KEY_generate_key(ec_key), 0);
+        AssertIntNE(EVP_PKEY_assign_EC_KEY(pkey, ec_key), 0);
+
+    #if !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ)
+        test_openssl_make_self_signed_certificate(pkey);
+    #endif
+
+        EVP_PKEY_free(pkey);
+    }
+#endif /* HAVE_ECC */
+#endif /* OPENSSL_EXTRA */
+}
+
 static void test_stubs_are_stubs()
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_STUB)
@ -27830,6 +28079,7 @@ void ApiTest(void)
    test_wolfSSL_set_tlsext_status_type();
    test_wolfSSL_ASN1_TIME_adj();
    test_wolfSSL_X509_cmp_time();
+    test_wolfSSL_X509_time_adj();
    test_wolfSSL_CTX_set_client_CA_list();
    test_wolfSSL_CTX_add_client_CA();
    test_wolfSSL_CTX_set_srp_username();
@ -27913,6 +28163,7 @@ void ApiTest(void)
    test_wolfSSL_X509_cmp();
    test_wolfSSL_RSA_print();
    test_wolfSSL_ASN1_STRING_print();
+    test_openssl_generate_key_and_cert();

    /* test the no op functions for compatibility */
    test_no_op_functions();
@ -27922,6 +28173,7 @@ void ApiTest(void)
    test_wolfSSL_EVP_PKEY_encrypt();
    test_wolfSSL_EVP_PKEY_sign();
    test_EVP_PKEY_ec();
+    test_EVP_PKEY_cmp();
    /* OpenSSL error API tests */
    test_ERR_load_crypto_strings();
    /* OpenSSL sk_X509 API test */
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -627,12 +627,17 @@ static int SetASNInt(int len, byte firstByte, byte* output)
 {
    word32 idx = 0;

-    output[idx++] = ASN_INTEGER;
+    if (output)
+        output[idx] = ASN_INTEGER;
+    idx++;
    if (firstByte & 0x80)
        len++;
-    idx += SetLength(len, output + idx);
-    if (firstByte & 0x80)
-        output[idx++] = 0x00;
+    idx += SetLength(len, output ? output + idx : NULL);
+    if (firstByte & 0x80) {
+        if (output)
+            output[idx] = 0x00;
+        idx++;
+    }

    return idx;
 }
@ -664,16 +669,19 @@ static int SetASNIntMP(mp_int* n, int maxSz, byte* output)
    if (maxSz >= 0 && (idx + length) > maxSz)
        return BUFFER_E;

-    err = mp_to_unsigned_bin(n, output + idx);
-    if (err != MP_OKAY)
-        return MP_TO_E;
+    if (output) {
+        err = mp_to_unsigned_bin(n, output + idx);
+        if (err != MP_OKAY)
+            return MP_TO_E;
+    }
    idx += length;

    return idx;
 }
 #endif

-#if !defined(NO_RSA) && defined(HAVE_USER_RSA) && defined(WOLFSSL_CERT_GEN)
+#if !defined(NO_RSA) && defined(HAVE_USER_RSA) && \
+    (defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA))
 /* Set the DER/BER encoding of the ASN.1 INTEGER element with an mp_int from
 * an RSA key.
 * The number is assumed to be positive.
@ -697,9 +705,11 @@ static int SetASNIntRSA(void* n, byte* output)
    if ((idx + length) > MAX_RSA_INT_SZ)
        return BUFFER_E;

-    err = wc_Rsa_to_unsigned_bin(n, output + idx, length);
-    if (err != MP_OKAY)
-        return MP_TO_E;
+    if (output) {
+        err = wc_Rsa_to_unsigned_bin(n, output + idx, length);
+        if (err != MP_OKAY)
+            return MP_TO_E;
+    }
    idx += length;

    return idx;
@ -957,9 +967,14 @@ static word32 SetBitString(word32 len, byte unusedBits, byte* output)
 {
    word32 idx = 0;

-    output[idx++] = ASN_BIT_STRING;
-    idx += SetLength(len + 1, output + idx);
-    output[idx++] = unusedBits;
+    if (output)
+        output[idx] = ASN_BIT_STRING;
+    idx++;
+
+    idx += SetLength(len + 1, output ? output + idx : NULL);
+    if (output)
+        output[idx] = unusedBits;
+    idx++;

    return idx;
 }
@ -6053,13 +6068,19 @@ WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output)
 {
    word32 i = 0, j;

-    if (length < ASN_LONG_LENGTH)
-        output[i++] = (byte)length;
+    if (length < ASN_LONG_LENGTH) {
+        if (output)
+            output[i] = (byte)length;
+        i++;
+    }
    else {
-        output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH);
+        if (output)
+            output[i] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH);
+        i++;

        for (j = BytePrecision(length); j; --j) {
-            output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE));
+            if (output)
+                output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE));
            i++;
        }
    }
@ -6070,8 +6091,9 @@ WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output)

 WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output)
 {
-    output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED;
-    return SetLength(len, output + 1) + 1;
+    if (output)
+        output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED;
+    return SetLength(len, output ? output + 1 : NULL) + 1;
 }

 WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output)
@ -6185,11 +6207,13 @@ WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
    idSz  = SetObjectId(algoSz, ID_Length);
    seqSz = SetSequence(idSz + algoSz + tagSz + curveSz, seqArray);

-    XMEMCPY(output, seqArray, seqSz);
-    XMEMCPY(output + seqSz, ID_Length, idSz);
-    XMEMCPY(output + seqSz + idSz, algoName, algoSz);
-    if (tagSz == 2)
-        SetASNNull(&output[seqSz + idSz + algoSz]);
+    if (output) {
+        XMEMCPY(output, seqArray, seqSz);
+        XMEMCPY(output + seqSz, ID_Length, idSz);
+        XMEMCPY(output + seqSz + idSz, algoName, algoSz);
+        if (tagSz == 2)
+            SetASNNull(&output[seqSz + idSz + algoSz]);
+    }

    return seqSz + idSz + algoSz + tagSz;

@ -10124,74 +10148,52 @@ static int SetRsaPublicKey(byte* output, RsaKey* key,
    return idx;
 }

-int RsaPublicKeyDerSize(RsaKey* key, int with_header)
+#endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN &&
+                                           !HAVE_USER_RSA))) */
+
+#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA))
+int wc_RsaPublicKeyDerSize(RsaKey* key, int with_header)
 {
-    byte* dummy = NULL;
-    byte seq[MAX_SEQ_SZ];
-    byte bitString[1 + MAX_LENGTH_SZ + 1];
-    int  nSz;
-    int  eSz;
-    int  seqSz;
-    int  bitStringSz;
-    int  idx;
+    int  idx = 0;
+    int  nSz, eSz, seqSz, bitStringSz, algoSz;

    if (key == NULL)
        return BAD_FUNC_ARG;

    /* n */
-    dummy = (byte*)XMALLOC(MAX_RSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-    if (dummy == NULL)
-        return MEMORY_E;
-
 #ifdef HAVE_USER_RSA
-    nSz = SetASNIntRSA(key->n, dummy);
+    nSz = SetASNIntRSA(key->n, NULL);
 #else
-    nSz = SetASNIntMP(&key->n, MAX_RSA_INT_SZ, dummy);
+    nSz = SetASNIntMP(&key->n, MAX_RSA_INT_SZ, NULL);
 #endif
-    XFREE(dummy, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (nSz < 0) {
        return nSz;
    }

    /* e */
-    dummy = (byte*)XMALLOC(MAX_RSA_E_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-    if (dummy == NULL) {
-        XFREE(dummy, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        return MEMORY_E;
-    }
-
 #ifdef HAVE_USER_RSA
-    eSz = SetASNIntRSA(key->e, dummy);
+    eSz = SetASNIntRSA(key->e, NULL);
 #else
-    eSz = SetASNIntMP(&key->e, MAX_RSA_INT_SZ, dummy);
+    eSz = SetASNIntMP(&key->e, MAX_RSA_INT_SZ, NULL);
 #endif
-    XFREE(dummy, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (eSz < 0) {
        return eSz;
    }

-    seqSz  = SetSequence(nSz + eSz, seq);
+    seqSz  = SetSequence(nSz + eSz, NULL);

    /* headers */
    if (with_header) {
-        int  algoSz;
-        dummy = (byte*)XMALLOC(MAX_RSA_INT_SZ, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        if (dummy == NULL)
-            return MEMORY_E;
+        algoSz = SetAlgoID(RSAk, NULL, oidKeyType, 0);
+        bitStringSz = SetBitString(seqSz + nSz + eSz, 0, NULL);

-        algoSz = SetAlgoID(RSAk, dummy, oidKeyType, 0);
-        bitStringSz  = SetBitString(seqSz + nSz + eSz, 0, bitString);
-
-        idx = SetSequence(nSz + eSz + seqSz + bitStringSz + algoSz, dummy);
-        XFREE(dummy, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        idx += SetSequence(nSz + eSz + seqSz + bitStringSz + algoSz, NULL);

        /* algo */
        idx += algoSz;
        /* bit string */
        idx += bitStringSz;
    }
-    else
-        idx = 0;

    /* seq */
    idx += seqSz;
@ -10202,8 +10204,8 @@ int RsaPublicKeyDerSize(RsaKey* key, int with_header)

    return idx;
 }
-#endif /* !NO_RSA && (WOLFSSL_CERT_GEN || (WOLFSSL_KEY_GEN &&
-                                           !HAVE_USER_RSA))) */
+
+#endif /* !NO_RSA && WOLFSSL_CERT_GEN */


 #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)
@ -10587,20 +10589,24 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int with_header)

        idx = SetSequence(pubSz + curveSz + bitStringSz + algoSz, output);
        /* algo */
-        XMEMCPY(output + idx, algo, algoSz);
+        if (output)
+            XMEMCPY(output + idx, algo, algoSz);
        idx += algoSz;
-       /* curve */
-        XMEMCPY(output + idx, curve, curveSz);
+        /* curve */
+        if (output)
+            XMEMCPY(output + idx, curve, curveSz);
        idx += curveSz;
        /* bit string */
-        XMEMCPY(output + idx, bitString, bitStringSz);
+        if (output)
+            XMEMCPY(output + idx, bitString, bitStringSz);
        idx += bitStringSz;
    }
    else
        idx = 0;

    /* pub */
-    XMEMCPY(output + idx, pub, pubSz);
+    if (output)
+        XMEMCPY(output + idx, pub, pubSz);
    idx += pubSz;

 #ifdef WOLFSSL_SMALL_STACK
@ -10626,7 +10632,7 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
    word32 keySz  = 0;
    int ret;

-    if (output == NULL || key == NULL) {
+    if (key == NULL) {
        return BAD_FUNC_ARG;
    }

@ -10645,12 +10651,23 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, word32 inLen,
        return ret;
    }

-    if (inLen < keySz + infoSz) {
+    /* if output null then just return size */
+    if (output == NULL) {
+        return keySz + infoSz;
+    }
+
+    if (output == NULL || inLen < keySz + infoSz) {
        return BUFFER_E;
    }

    return SetEccPublicKey(output, key, with_AlgCurve);
 }
+
+int wc_EccPublicKeyDerSize(ecc_key* key, int with_AlgCurve)
+{
+    return wc_EccPublicKeyToDer(key, NULL, 0, with_AlgCurve);
+}
+
 #endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */

 #if defined(HAVE_ED25519) && (defined(WOLFSSL_CERT_GEN) || \
@ -10807,9 +10824,11 @@ static int CopyValidity(byte* output, Cert* cert)

    /* headers and output */
    seqSz = SetSequence(cert->beforeDateSz + cert->afterDateSz, output);
-    XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz);
-    XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate,
-                                                 cert->afterDateSz);
+    if (output) {
+        XMEMCPY(output + seqSz, cert->beforeDate, cert->beforeDateSz);
+        XMEMCPY(output + seqSz + cert->beforeDateSz, cert->afterDate,
+                                                     cert->afterDateSz);
+    }
    return seqSz + cert->beforeDateSz + cert->afterDateSz;
 }

@ -12253,17 +12272,20 @@ static int AddSignature(byte* buffer, int bodySz, const byte* sig, int sigSz,
    int  idx = bodySz, seqSz;

    /* algo */
-    idx += SetAlgoID(sigAlgoType, buffer + idx, oidSigType, 0);
+    idx += SetAlgoID(sigAlgoType, buffer ? buffer + idx : NULL, oidSigType, 0);
    /* bit string */
-    idx += SetBitString(sigSz, 0, buffer + idx);
+    idx += SetBitString(sigSz, 0, buffer ? buffer + idx : NULL);
    /* signature */
-    XMEMCPY(buffer + idx, sig, sigSz);
+    if (buffer)
+        XMEMCPY(buffer + idx, sig, sigSz);
    idx += sigSz;

    /* make room for overall header */
    seqSz = SetSequence(idx, seq);
-    XMEMMOVE(buffer + seqSz, buffer, idx);
-    XMEMCPY(buffer, seq, seqSz);
+    if (buffer) {
+        XMEMMOVE(buffer + seqSz, buffer, idx);
+        XMEMCPY(buffer, seq, seqSz);
+    }

    return idx + seqSz;
 }
@ -12282,6 +12304,10 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz,
    DerCert der[1];
 #endif

+    if (derBuffer == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
    cert->keyType = eccKey ? ECC_KEY : (rsaKey ? RSA_KEY :
                                         (ed25519Key ? ED25519_KEY : NTRU_KEY));

@ -12611,20 +12637,25 @@ static int WriteCertReqBody(DerCert* der, byte* buffer)
    /* signed part header */
    idx = SetSequence(der->total, buffer);
    /* version */
-    XMEMCPY(buffer + idx, der->version, der->versionSz);
+    if (buffer)
+        XMEMCPY(buffer + idx, der->version, der->versionSz);
    idx += der->versionSz;
    /* subject */
-    XMEMCPY(buffer + idx, der->subject, der->subjectSz);
+    if (buffer)
+        XMEMCPY(buffer + idx, der->subject, der->subjectSz);
    idx += der->subjectSz;
    /* public key */
-    XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
+    if (buffer)
+        XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
    idx += der->publicKeySz;
    /* attributes */
-    XMEMCPY(buffer + idx, der->attrib, der->attribSz);
+    if (buffer)
+        XMEMCPY(buffer + idx, der->attrib, der->attribSz);
    idx += der->attribSz;
    /* extensions */
    if (der->extensionsSz) {
-        XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
+        if (buffer)
+            XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
                                               (int)sizeof(der->extensions)));
        idx += der->extensionsSz;
    }
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@ -6145,7 +6145,8 @@ int wc_ecc_export_x963(ecc_key* key, byte* out, word32* outLen)

   /* return length needed only */
   if (key != NULL && out == NULL && outLen != NULL) {
-      numlen = key->dp->size;
+      /* if key hasn't been setup assume max bytes for size estimation */
+      numlen = key->dp ? key->dp->size : MAX_ECC_BYTES;
      *outLen = 1 + 2*numlen;
      return LENGTH_ONLY_E;
   }
@ -6156,7 +6157,7 @@ int wc_ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
   if (key->type == ECC_PRIVATEKEY_ONLY)
       return ECC_PRIVATEONLY_E;

-   if (wc_ecc_is_valid_idx(key->idx) == 0) {
+   if (wc_ecc_is_valid_idx(key->idx) == 0 || key->dp == NULL) {
      return ECC_BAD_ARG_E;
   }
   numlen = key->dp->size;
--- a/wolfcrypt/src/evp.c
+++ b/wolfcrypt/src/evp.c
@ -1242,10 +1242,10 @@ int wolfSSL_EVP_PKEY_size(WOLFSSL_EVP_PKEY *pkey)
    WOLFSSL_ENTER("EVP_PKEY_size");

    switch (pkey->type) {
-#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+#ifndef NO_RSA
    case EVP_PKEY_RSA:
        return (int)wolfSSL_RSA_size((const WOLFSSL_RSA*)(pkey->rsa));
-#endif /* NO_RSA */
+#endif /* !NO_RSA */

 #ifdef HAVE_ECC
    case EVP_PKEY_EC:
@ -1262,6 +1262,70 @@ int wolfSSL_EVP_PKEY_size(WOLFSSL_EVP_PKEY *pkey)
    return 0;
 }

+#ifndef NO_WOLFSSL_STUB
+WOLFSSL_API int wolfSSL_EVP_PKEY_missing_parameters(WOLFSSL_EVP_PKEY *pkey)
+{
+    (void)pkey;
+    /* not using missing params callback and returning zero to indicate success */
+    return 0;
+}
+#endif
+
+WOLFSSL_API int wolfSSL_EVP_PKEY_cmp(const WOLFSSL_EVP_PKEY *a, const WOLFSSL_EVP_PKEY *b)
+{
+    int ret = -1; /* failure */
+    int a_sz = 0, b_sz = 0;
+
+    if (a == NULL || b == NULL)
+        return ret;
+
+    /* check its the same type of key */
+    if (a->type != b->type)
+        return ret;
+
+    /* get size based on key type */
+    switch (a->type) {
+#ifndef NO_RSA
+    case EVP_PKEY_RSA:
+        a_sz = (int)wolfSSL_RSA_size((const WOLFSSL_RSA*)(a->rsa));
+        b_sz = (int)wolfSSL_RSA_size((const WOLFSSL_RSA*)(b->rsa));
+        break;
+#endif /* !NO_RSA */
+#ifdef HAVE_ECC
+    case EVP_PKEY_EC:
+        if (a->ecc == NULL || a->ecc->internal == NULL ||
+            b->ecc == NULL || b->ecc->internal == NULL) {
+            return ret;
+        }
+        a_sz = wc_ecc_size((ecc_key*)(a->ecc->internal));
+        b_sz = wc_ecc_size((ecc_key*)(b->ecc->internal));
+        break;
+#endif /* HAVE_ECC */
+    default:
+        break;
+    } /* switch (a->type) */
+
+    /* check size */
+    if (a_sz <= 0 || b_sz <= 0 || a_sz != b_sz) {
+        return ret;
+    }
+
+    /* check public key size */
+    if (a->pkey_sz > 0 && b->pkey_sz > 0 && a->pkey_sz != b->pkey_sz) {
+        return ret;
+    }
+
+    /* check public key */
+    if (a->pkey.ptr && b->pkey.ptr) {
+        if (XMEMCMP(a->pkey.ptr, b->pkey.ptr, a->pkey_sz) != 0) {
+            return ret;
+        }
+    }
+    ret = 0; /* success */
+
+    return ret;
+}
+

 /* Initialize structure for signing
 *
@ -1732,14 +1796,14 @@ int wolfSSL_EVP_DigestSignFinal(WOLFSSL_EVP_MD_CTX *ctx, unsigned char *sig,
            return WOLFSSL_SUCCESS;
        }
    }
-#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+#ifndef NO_RSA
    else if (ctx->pctx->pkey->type == EVP_PKEY_RSA) {
        if (sig == NULL) {
            *siglen = wolfSSL_RSA_size(ctx->pctx->pkey->rsa);
            return WOLFSSL_SUCCESS;
        }
    }
-#endif
+#endif /* !NO_RSA */
 #ifdef HAVE_ECC
    else if (ctx->pctx->pkey->type == EVP_PKEY_EC) {
        if (sig == NULL) {
--- a/wolfcrypt/user-crypto/include/user_rsa.h
+++ b/wolfcrypt/user-crypto/include/user_rsa.h
@ -106,9 +106,9 @@ WOLFSSL_API int  wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx,
                                                               RsaKey*, word32);
 WOLFSSL_API int  wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz,
                                        const byte* e, word32 eSz, RsaKey* key);
+WOLFSSL_API int wc_RsaKeyToDer(RsaKey*, byte* output, word32 inLen);
+WOLFSSL_API int wc_RsaKeyToPublicDer(RsaKey*, byte* output, word32 inLen);
 #ifdef WOLFSSL_KEY_GEN
-    WOLFSSL_API int wc_RsaKeyToDer(RsaKey*, byte* output, word32 inLen);
-    WOLFSSL_API int wc_RsaKeyToPublicDer(RsaKey*, byte* output, word32 inLen);
    WOLFSSL_API int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng);
 #endif
 WOLFSSL_API int  wc_RsaFlattenPublicKey(RsaKey*, byte*, word32*, byte*,
@ -116,7 +116,7 @@ WOLFSSL_API int  wc_RsaFlattenPublicKey(RsaKey*, byte*, word32*, byte*,
 WOLFSSL_API int  wc_RsaSetRNG(RsaKey* key, WC_RNG* rng);


-#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)
+#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)
        /* abstracted BN operations with RSA key */
    WOLFSSL_API int wc_Rsa_leading_bit(void* BN);
    WOLFSSL_API int wc_Rsa_unsigned_bin_size(void* BN);
--- a/wolfcrypt/user-crypto/src/rsa.c
+++ b/wolfcrypt/user-crypto/src/rsa.c
@ -99,7 +99,7 @@ int wc_InitRsaKey(RsaKey* key, void* heap)


 /* three functions needed for cert and key gen */
-#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)
+#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)
 /* return 1 if there is a leading bit*/
 int wc_Rsa_leading_bit(void* bn)
 {
@ -171,7 +171,7 @@ int wc_Rsa_to_unsigned_bin(void* bn, byte* in, int inLen)
    }
    return MP_OKAY;
 }
-#endif /* WOLFSSL_CERT_GEN or WOLFSSL_KEY_GEN */
+#endif /* WOLFSSL_CERT_GEN || WOLFSSL_KEY_GEN || OPENSSL_EXTRA */


 #ifdef OPENSSL_EXTRA /* functions needed for openssl compatibility layer */
@ -2305,6 +2305,10 @@ makeKeyEnd:
    return ret;
 }

+#endif
+
+#if defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)
+
 /********** duplicate code needed -- future refactor */
 #define MAX_VERSION_SZ 5
 #define MAX_SEQ_SZ 5
@ -2765,7 +2769,7 @@ int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen)
 }


-#endif /* WOLFSSL_KEY_GEN */
+#endif /* WOLFSSL_KEY_GEN || OPENSSL_EXTRA */

 #ifdef WC_RSA_BLINDING

--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -1612,60 +1612,6 @@ WOLFSSL_LOCAL ProtocolVersion MakeTLSv1_3(void);
 #endif


-
-/* custom method with user set callbacks */
-#define MAX_BIO_METHOD_NAME 256
-typedef struct WOLFSSL_BIO_METHOD_CUSTOM {
-    char name[MAX_BIO_METHOD_NAME];
-
-    wolfSSL_BIO_meth_puts_cb putsCb;
-    wolfSSL_BIO_meth_gets_cb getsCb;
-
-    wolfSSL_BIO_meth_read_cb  readCb;
-    wolfSSL_BIO_meth_write_cb writeCb;
-
-    wolfSSL_BIO_meth_destroy_cb freeCb;
-    wolfSSL_BIO_meth_create_cb  createCb;
-
-    wolfSSL_BIO_meth_get_ctrl_cb ctrlCb;
-} WOLFSSL_BIO_METHOD_CUSTOM;
-
-/* wolfSSL BIO_METHOD type */
-struct WOLFSSL_BIO_METHOD {
-    byte type;               /* method type */
-    WOLFSSL_BIO_METHOD_CUSTOM* custom;
-};
-
-
-/* wolfSSL BIO type */
-struct WOLFSSL_BIO {
-    WOLFSSL_BUF_MEM* mem_buf;
-    WOLFSSL_BIO_METHOD* method;
-    WOLFSSL*     ssl;           /* possible associated ssl */
-#ifndef NO_FILESYSTEM
-    XFILE        file;
-#endif
-    WOLFSSL_BIO* prev;          /* previous in chain */
-    WOLFSSL_BIO* next;          /* next in chain */
-    WOLFSSL_BIO* pair;          /* BIO paired with */
-    void*        heap;          /* user heap hint */
-    byte*        mem;           /* memory buffer */
-    void*        usrCtx;        /* user set pointer */
-    char*        infoArg;       /* BIO callback argument */
-    wolf_bio_info_cb infoCb;    /* BIO callback */
-    int         wrSz;          /* write buffer size (mem) */
-    int         wrIdx;         /* current index for write buffer */
-    int         rdIdx;         /* current read index */
-    int         readRq;        /* read request */
-    int         memLen;        /* memory buffer length */
-    int         fd;            /* possible file descriptor */
-    int         eof;           /* eof flag */
-    int         flags;
-    byte        type;          /* method type */
-    byte        close;         /* close flag */
-};
-
-
 /* wolfSSL method type */
 struct WOLFSSL_METHOD {
    ProtocolVersion version;
@ -3565,14 +3511,12 @@ struct WOLFSSL_X509 {
    byte             certPolicyCrit;
 #endif /* (WOLFSSL_SEP || WOLFSSL_QT) && (OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) */
 #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
-    WOLFSSL_ASN1_TIME* notAfterTime;
-    WOLFSSL_ASN1_TIME* notBeforeTime;
    WOLFSSL_STACK* ext_sk; /* Store X509_EXTENSIONS from wolfSSL_X509_get_ext */
    WOLFSSL_STACK* ext_d2i;/* Store d2i extensions from wolfSSL_X509_get_ext_d2i */
-    WOLFSSL_ASN1_INTEGER* serialNumber; /* Stores SN from wolfSSL_X509_get_serialNumber */
 #endif /* WOLFSSL_QT || OPENSSL_ALL */
-    int              notBeforeSz;
-    int              notAfterSz;
+#ifdef OPENSSL_EXTRA
+    WOLFSSL_ASN1_INTEGER* serialNumber; /* Stores SN from wolfSSL_X509_get_serialNumber */
+#endif
    WOLFSSL_ASN1_TIME notBefore;
    WOLFSSL_ASN1_TIME notAfter;
    buffer           sig;
--- a/wolfssl/openssl/asn1.h
+++ b/wolfssl/openssl/asn1.h
@ -32,6 +32,7 @@
 #define ASN1_STRING_set      wolfSSL_ASN1_STRING_set
 #define ASN1_STRING_free     wolfSSL_ASN1_STRING_free

+#define V_ASN1_INTEGER                   0x02
 #define V_ASN1_OCTET_STRING              0x04 /* tag for ASN1_OCTET_STRING */
 #define V_ASN1_NEG                       0x100
 #define V_ASN1_NEG_INTEGER               (2 | V_ASN1_NEG)
@ -68,6 +69,13 @@
 #define V_ASN1_UTCTIME                  23
 #define V_ASN1_GENERALIZEDTIME          24

+#define ASN1_STRING_FLAG_BITS_LEFT       0x008
+#define ASN1_STRING_FLAG_NDEF            0x010
+#define ASN1_STRING_FLAG_CONT            0x020
+#define ASN1_STRING_FLAG_MSTRING         0x040
+#define ASN1_STRING_FLAG_EMBED           0x080
+
+
 WOLFSSL_API WOLFSSL_ASN1_INTEGER *wolfSSL_BN_to_ASN1_INTEGER(
    const WOLFSSL_BIGNUM*, WOLFSSL_ASN1_INTEGER*);
 #define BN_to_ASN1_INTEGER wolfSSL_BN_to_ASN1_INTEGER
--- a/wolfssl/openssl/bio.h
+++ b/wolfssl/openssl/bio.h
@ -75,7 +75,9 @@
 /* helper to set specific retry/read flags */
 #define BIO_set_retry_read(bio)\
    wolfSSL_BIO_set_flags((bio), WOLFSSL_BIO_FLAG_RETRY | WOLFSSL_BIO_FLAG_READ)
-
+#define BIO_set_retry_write(bio)\
+    wolfSSL_BIO_set_flags((bio), WOLFSSL_BIO_FLAG_RETRY | WOLFSSL_BIO_FLAG_WRITE)
+        
 #define BIO_clear_retry_flags      wolfSSL_BIO_clear_retry_flags

 #define BIO_meth_new               wolfSSL_BIO_meth_new
--- a/wolfssl/openssl/bn.h
+++ b/wolfssl/openssl/bn.h
@ -82,6 +82,7 @@ WOLFSSL_API int wolfSSL_BN_num_bits(const WOLFSSL_BIGNUM*);
 WOLFSSL_API int wolfSSL_BN_is_zero(const WOLFSSL_BIGNUM*);
 WOLFSSL_API int wolfSSL_BN_is_one(const WOLFSSL_BIGNUM*);
 WOLFSSL_API int wolfSSL_BN_is_odd(const WOLFSSL_BIGNUM*);
+WOLFSSL_API int wolfSSL_BN_is_negative(const WOLFSSL_BIGNUM*);

 WOLFSSL_API int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM*, const WOLFSSL_BIGNUM*);

@ -145,6 +146,7 @@ typedef WOLFSSL_BN_GENCB BN_GENCB;
 #define BN_is_zero  wolfSSL_BN_is_zero
 #define BN_is_one   wolfSSL_BN_is_one
 #define BN_is_odd   wolfSSL_BN_is_odd
+#define BN_is_negative wolfSSL_BN_is_negative

 #define BN_cmp    wolfSSL_BN_cmp

--- a/wolfssl/openssl/evp.h
+++ b/wolfssl/openssl/evp.h
@ -190,9 +190,31 @@ enum {
    NID_md2           = 77,
    NID_md5           =  4,
    NID_hmac          = 855,
+    NID_dhKeyAgreement= 28,
+    EVP_PKEY_DH       = NID_dhKeyAgreement,
    EVP_PKEY_HMAC     = NID_hmac
 };

+enum {
+    NID_md5WithRSA    = 104,
+    NID_md5WithRSAEncryption = 8,
+    NID_dsaWithSHA1   = 113,
+    NID_dsaWithSHA1_2 = 70,
+    NID_sha1WithRSA   = 115,
+    NID_sha1WithRSAEncryption = 65,
+    NID_sha224WithRSAEncryption = 671,
+    NID_sha256WithRSAEncryption = 668,
+    NID_sha384WithRSAEncryption = 669,
+    NID_sha512WithRSAEncryption = 670,
+    NID_ecdsa_with_SHA1 = 416,
+    NID_ecdsa_with_SHA224 = 793,
+    NID_ecdsa_with_SHA256 = 794,
+    NID_ecdsa_with_SHA384 = 795,
+    NID_ecdsa_with_SHA512 = 796,
+    NID_dsa_with_SHA224 = 802,
+    NID_dsa_with_SHA256 = 803,
+};
+
 enum {
    NID_aes_128_cbc = 419,
    NID_aes_192_cbc = 423,
@ -421,6 +443,8 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_encrypt_init(WOLFSSL_EVP_PKEY_CTX *ctx);
 WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_EVP_PKEY_new(void);
 WOLFSSL_API void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY*);
 WOLFSSL_API int wolfSSL_EVP_PKEY_size(WOLFSSL_EVP_PKEY *pkey);
+WOLFSSL_API int wolfSSL_EVP_PKEY_missing_parameters(WOLFSSL_EVP_PKEY *pkey);
+WOLFSSL_API int wolfSSL_EVP_PKEY_cmp(const WOLFSSL_EVP_PKEY *a, const WOLFSSL_EVP_PKEY *b);
 WOLFSSL_API int wolfSSL_EVP_PKEY_type(int type);
 WOLFSSL_API int wolfSSL_EVP_PKEY_id(const EVP_PKEY *pkey);
 WOLFSSL_API int wolfSSL_EVP_PKEY_base_id(const EVP_PKEY *pkey);
@ -632,6 +656,8 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX;
 #define EVP_PKEY_free                  wolfSSL_EVP_PKEY_free
 #define EVP_PKEY_up_ref                wolfSSL_EVP_PKEY_up_ref
 #define EVP_PKEY_size                  wolfSSL_EVP_PKEY_size
+#define EVP_PKEY_missing_parameters    wolfSSL_EVP_PKEY_missing_parameters
+#define EVP_PKEY_cmp                   wolfSSL_EVP_PKEY_cmp
 #define EVP_PKEY_type                  wolfSSL_EVP_PKEY_type
 #define EVP_PKEY_base_id               wolfSSL_EVP_PKEY_base_id
 #define EVP_PKEY_id                    wolfSSL_EVP_PKEY_id
--- a/wolfssl/openssl/pem.h
+++ b/wolfssl/openssl/pem.h
@ -50,6 +50,15 @@ WOLFSSL_RSA* wolfSSL_PEM_read_bio_RSAPrivateKey(WOLFSSL_BIO* bio,
                                                  WOLFSSL_RSA**,
                                                  pem_password_cb* cb,
                                                  void* arg);
+
+WOLFSSL_API
+int wolfSSL_PEM_write_bio_RSA_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa);
+
+WOLFSSL_API
+WOLFSSL_RSA *wolfSSL_PEM_read_bio_RSA_PUBKEY(WOLFSSL_BIO* bio,
+                                             WOLFSSL_RSA** rsa,
+                                             pem_password_cb* cb, void *u);
+
 WOLFSSL_API
 WOLFSSL_EC_GROUP* wolfSSL_PEM_read_bio_ECPKParameters(WOLFSSL_BIO* bio,
                                                      WOLFSSL_EC_GROUP** group,
@ -133,6 +142,8 @@ int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key,
                                        const WOLFSSL_EVP_CIPHER* cipher,
                                        unsigned char* passwd, int len,
                                        pem_password_cb* cb, void* arg);
+WOLFSSL_API
+int wolfSSL_PEM_write_bio_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key);


 WOLFSSL_API
@ -184,6 +195,8 @@ int wolfSSL_PEM_write_DHparams(XFILE fp, WOLFSSL_DH* dh);
 /* RSA */
 #define PEM_write_bio_RSAPrivateKey     wolfSSL_PEM_write_bio_RSAPrivateKey
 #define PEM_read_bio_RSAPrivateKey      wolfSSL_PEM_read_bio_RSAPrivateKey
+#define PEM_write_bio_RSA_PUBKEY        wolfSSL_PEM_write_bio_RSA_PUBKEY
+#define PEM_read_bio_RSA_PUBKEY         wolfSSL_PEM_read_bio_RSA_PUBKEY
 #define PEM_read_bio_ECPKParameters     wolfSSL_PEM_read_bio_ECPKParameters
 #define PEM_write_RSAPrivateKey         wolfSSL_PEM_write_RSAPrivateKey
 #define PEM_write_RSA_PUBKEY            wolfSSL_PEM_write_RSA_PUBKEY
@ -201,6 +214,7 @@ int wolfSSL_PEM_write_DHparams(XFILE fp, WOLFSSL_DH* dh);
 #define PEM_read_bio_PrivateKey         wolfSSL_PEM_read_bio_PrivateKey
 #define PEM_read_PUBKEY                 wolfSSL_PEM_read_PUBKEY
 #define PEM_read_bio_PUBKEY             wolfSSL_PEM_read_bio_PUBKEY
+#define PEM_write_bio_PUBKEY            wolfSSL_PEM_write_bio_PUBKEY

 #ifdef __cplusplus
    }  /* extern "C" */ 
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@ -215,7 +215,7 @@ typedef WOLFSSL_X509_VERIFY_PARAM X509_VERIFY_PARAM;
    #define SSL_use_RSAPrivateKey_file        wolfSSL_use_RSAPrivateKey_file
 #endif

-#define SSL_CTX_new                     wolfSSL_CTX_new
+#define SSL_CTX_new(method)             wolfSSL_CTX_new((WOLFSSL_METHOD*)(method))
 #define SSL_new                         wolfSSL_new
 #define SSL_set_fd                      wolfSSL_set_fd
 #define SSL_get_fd                      wolfSSL_get_fd
@ -271,6 +271,10 @@ typedef WOLFSSL_X509_VERIFY_PARAM X509_VERIFY_PARAM;
 #define SSL_CIPHER_description          wolfSSL_CIPHER_description
 #define SSL_CIPHER_get_name             wolfSSL_CIPHER_get_name
 #define SSL_CIPHER_get_version          wolfSSL_CIPHER_get_version
+#define SSL_CIPHER_get_id               wolfSSL_CIPHER_get_id
+#define SSL_CIPHER_get_rfc_name         wolfSSL_CIPHER_get_rfc_name
+#define SSL_get_cipher_by_value         wolfSSL_get_cipher_by_value
+
 #define SSL_get1_session                wolfSSL_get1_session

 #define SSL_get_keyblock_size           wolfSSL_get_keyblock_size
@ -348,6 +352,7 @@ typedef WOLFSSL_X509_VERIFY_PARAM X509_VERIFY_PARAM;
 #define X509_set_version                wolfSSL_X509_set_version
 #define X509_sign                       wolfSSL_X509_sign
 #define X509_print                      wolfSSL_X509_print
+#define X509_print_ex                   wolfSSL_X509_print_ex
 #define X509_verify_cert_error_string   wolfSSL_X509_verify_cert_error_string
 #define X509_verify_cert                wolfSSL_X509_verify_cert
 #define X509_check_private_key          wolfSSL_X509_check_private_key
@ -399,12 +404,15 @@ typedef WOLFSSL_X509_VERIFY_PARAM X509_VERIFY_PARAM;
 #define X509_NAME_ENTRY_create_by_NID   wolfSSL_X509_NAME_ENTRY_create_by_NID
 #define X509_NAME_add_entry             wolfSSL_X509_NAME_add_entry
 #define X509_NAME_add_entry_by_txt      wolfSSL_X509_NAME_add_entry_by_txt
+#define X509_NAME_add_entry_by_NID      wolfSSL_X509_NAME_add_entry_by_NID
 #define X509_NAME_oneline               wolfSSL_X509_NAME_oneline
 #define X509_NAME_get_index_by_NID      wolfSSL_X509_NAME_get_index_by_NID
 #define X509_NAME_print_ex              wolfSSL_X509_NAME_print_ex
 #define X509_NAME_digest                wolfSSL_X509_NAME_digest
 #define X509_cmp_current_time           wolfSSL_X509_cmp_current_time
 #define X509_cmp_time                   wolfSSL_X509_cmp_time
+#define X509_time_adj                   wolfSSL_X509_time_adj
+#define X509_time_adj_ex                wolfSSL_X509_time_adj_ex

 #define sk_ACCESS_DESCRIPTION_num       wolfSSL_sk_ACCESS_DESCRIPTION_num
 #define sk_ACCESS_DESCRIPTION_value     wolfSSL_sk_ACCESS_DESCRIPTION_value
@ -763,10 +771,17 @@ typedef WOLFSSL_ASN1_BIT_STRING    ASN1_BIT_STRING;
 /* yassl had set the default to be 500 */
 #define SSL_get_default_timeout(ctx)    500

+#define DTLSv1_get_timeout(ssl, timeleft)   wolfSSL_DTLSv1_get_timeout((ssl), (Timeval*)(timeleft))
+#define DTLSv1_handle_timeout               wolfSSL_DTLSv1_handle_timeout
+#define DTLSv1_set_initial_timeout_duration wolfSSL_DTLSv1_set_initial_timeout_duration
+
+#ifndef NO_WOLFSSL_STUB
+#define SSL_CTX_set_current_time_cb(ssl, cb) ({ (void)ssl; (void)cb; })
+#endif
+
 #define SSL_CTX_use_certificate         wolfSSL_CTX_use_certificate
 #define SSL_CTX_use_PrivateKey          wolfSSL_CTX_use_PrivateKey
 #define BIO_read_filename               wolfSSL_BIO_read_filename
-#define BIO_s_file                      wolfSSL_BIO_s_file
 #define SSL_CTX_set_verify_depth        wolfSSL_CTX_set_verify_depth
 #define SSL_set_verify_depth            wolfSSL_set_verify_depth
 #define SSL_get_app_data                wolfSSL_get_app_data
@ -805,7 +820,6 @@ enum {
 #include <wolfssl/openssl/pem.h>

 #define SSL_CTRL_CHAIN       88
-#define BIO_CTRL_WPENDING    13
 #define GEN_IPADD            7
 #define ERR_LIB_SSL          20
 #define SSL_R_SHORT_READ     10
@ -905,6 +919,8 @@ enum {
 #define BIO_CTRL_RESET          1
 #define BIO_CTRL_INFO           3
 #define BIO_CTRL_FLUSH          11
+#define BIO_CTRL_WPENDING       13
+
 #define BIO_CLOSE               0x01
 #define BIO_FP_WRITE            0x04

@ -936,9 +952,6 @@ enum {
 #define SSL_CTX_ctrl                    wolfSSL_CTX_ctrl

 #define SSL3_RANDOM_SIZE                32 /* same as RAN_LEN in internal.h */
-#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(OPENSSL_EXTRA) \
-                                                         || defined(OPENSSL_ALL)
-#include <wolfssl/openssl/asn1.h>

 #define SSL2_VERSION                     0x0002
 #define SSL3_VERSION                     0x0300
@ -948,8 +961,17 @@ enum {
 #define TLS1_3_VERSION                   0x0304
 #define DTLS1_VERSION                    0xFEFF
 #define DTLS1_2_VERSION                  0xFEFD
+
+#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(OPENSSL_EXTRA) \
+                                                         || defined(OPENSSL_ALL)
+#include <wolfssl/openssl/asn1.h>
+
 #define SSL23_ST_SR_CLNT_HELLO_A        (0x210|0x2000)
 #define SSL3_ST_SR_CLNT_HELLO_A         (0x110|0x2000)
+
+#define SSL3_AD_BAD_CERTIFICATE          bad_certificate
+#define SSL_AD_BAD_CERTIFICATE           SSL3_AD_BAD_CERTIFICATE
+
 #define ASN1_STRFLGS_ESC_MSB             4

 #define SSL_MAX_MASTER_KEY_LENGTH       WOLFSSL_MAX_MASTER_KEY_LENGTH
@ -1118,6 +1140,16 @@ enum {
 #define SSL_do_handshake                wolfSSL_SSL_do_handshake
 #endif  /* OPENSSL_EXTRA */

+/* cipher suites for compatibility */
+#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA            (0xc013)
+#define TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA            (0xc014)
+#define TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256         (0xc02f)
+#define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   (0xcca8)
+#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          (0xc009)
+#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          (0xc00a)
+#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       (0xc02b)
+#define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
+
 #ifdef __cplusplus
    } /* extern "C" */
 #endif
--- a/wolfssl/openssl/x509.h
+++ b/wolfssl/openssl/x509.h
@ -4,3 +4,19 @@

 /* for compatibility, this is expected to be included */
 #include <openssl/dh.h>
+
+/* wolfSSL_X509_print_ex flags */
+#define X509_FLAG_COMPAT        (0UL)
+#define X509_FLAG_NO_HEADER     (1UL << 0)
+#define X509_FLAG_NO_VERSION    (1UL << 1)
+#define X509_FLAG_NO_SERIAL     (1UL << 2)
+#define X509_FLAG_NO_SIGNAME    (1UL << 3)
+#define X509_FLAG_NO_ISSUER     (1UL << 4)
+#define X509_FLAG_NO_VALIDITY   (1UL << 5)
+#define X509_FLAG_NO_SUBJECT    (1UL << 6)
+#define X509_FLAG_NO_PUBKEY     (1UL << 7)
+#define X509_FLAG_NO_EXTENSIONS (1UL << 8)
+#define X509_FLAG_NO_SIGDUMP    (1UL << 9)
+#define X509_FLAG_NO_AUX        (1UL << 10)
+#define X509_FLAG_NO_ATTRIBUTES (1UL << 11)
+#define X509_FLAG_NO_IDS        (1UL << 12)
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@ -39,6 +39,9 @@
    #include <wolfssl/wolfcrypt/wolfevent.h>
 #endif

+/* used internally by wolfSSL while OpenSSL types aren't */
+#include <wolfssl/callbacks.h>
+
 #ifndef NO_FILESYSTEM
    #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
        #if MQX_USE_IO_OLD
@ -206,13 +209,10 @@ struct WOLFSSL_BASIC_CONSTRAINTS {
 #define WOLFSSL_ASN1_UTCTIME          WOLFSSL_ASN1_TIME
 #define WOLFSSL_ASN1_GENERALIZEDTIME  WOLFSSL_ASN1_TIME

-struct WOLFSSL_ASN1_TIME {
-    /* MAX_DATA_SIZE is 32 */
-    unsigned char data[32 + 2];
-    /* ASN_TIME | LENGTH | date bytes */

-    /* for compat */
-    word32 length;
+struct WOLFSSL_ASN1_TIME {
+    unsigned char data[CTC_DATE_SIZE]; /* date bytes */
+    int length;
    int type;
 };

@ -421,6 +421,69 @@ typedef struct WOLFSSL_BUF_MEM {
    size_t max;    /* maximum length */
 } WOLFSSL_BUF_MEM;

+/* custom method with user set callbacks */
+typedef int (*wolfSSL_BIO_meth_write_cb)(WOLFSSL_BIO*, const char*, int);
+typedef int (*wolfSSL_BIO_meth_read_cb)(WOLFSSL_BIO *, char *, int);
+typedef int (*wolfSSL_BIO_meth_puts_cb)(WOLFSSL_BIO*, const char*);
+typedef int (*wolfSSL_BIO_meth_gets_cb)(WOLFSSL_BIO*, char*, int);
+typedef long (*wolfSSL_BIO_meth_get_ctrl_cb)(WOLFSSL_BIO*, int, long, void*);
+typedef int (*wolfSSL_BIO_meth_create_cb)(WOLFSSL_BIO*);
+typedef int (*wolfSSL_BIO_meth_destroy_cb)(WOLFSSL_BIO*);
+
+#define MAX_BIO_METHOD_NAME 256
+typedef struct WOLFSSL_BIO_METHOD_CUSTOM {
+    char name[MAX_BIO_METHOD_NAME];
+
+    wolfSSL_BIO_meth_puts_cb putsCb;
+    wolfSSL_BIO_meth_gets_cb getsCb;
+
+    wolfSSL_BIO_meth_read_cb  readCb;
+    wolfSSL_BIO_meth_write_cb writeCb;
+
+    wolfSSL_BIO_meth_destroy_cb freeCb;
+    wolfSSL_BIO_meth_create_cb  createCb;
+
+    wolfSSL_BIO_meth_get_ctrl_cb ctrlCb;
+} WOLFSSL_BIO_METHOD_CUSTOM;
+
+/* wolfSSL BIO_METHOD type */
+struct WOLFSSL_BIO_METHOD {
+    byte type;               /* method type */
+    WOLFSSL_BIO_METHOD_CUSTOM* custom;
+};
+
+/* wolfSSL BIO type */
+typedef long (*wolf_bio_info_cb)(WOLFSSL_BIO *bio, int event, const char *parg,
+                                 int iarg, long larg, long return_value);
+
+struct WOLFSSL_BIO {
+    WOLFSSL_BUF_MEM* mem_buf;
+    WOLFSSL_BIO_METHOD* method;
+    WOLFSSL*     ssl;           /* possible associated ssl */
+#ifndef NO_FILESYSTEM
+    XFILE        file;          /* file descriptor */
+#endif
+    WOLFSSL_BIO* prev;          /* previous in chain */
+    WOLFSSL_BIO* next;          /* next in chain */
+    WOLFSSL_BIO* pair;          /* BIO paired with */
+    void*        heap;          /* user heap hint */
+    byte*        ptr;           /* memory buffer */
+    void*        usrCtx;        /* user set pointer */
+    char*        infoArg;       /* BIO callback argument */
+    wolf_bio_info_cb infoCb;    /* BIO callback */
+    int          wrSz;          /* write buffer size (mem) */
+    int          wrIdx;         /* current index for write buffer */
+    int          rdIdx;         /* current read index */
+    int          readRq;        /* read request */
+    int          num;           /* length */
+    int          eof;           /* eof flag */
+    int          flags;
+    byte         type;          /* method type */
+    byte         init:1;        /* bio has been initialized */
+    byte         shutdown:1;    /* close flag */
+};
+
+
 typedef struct WOLFSSL_COMP_METHOD {
    int type;            /* stunnel dereference */
 } WOLFSSL_COMP_METHOD;
@ -897,6 +960,11 @@ WOLFSSL_API int  wolfSSL_dtls_get_using_nonblock(WOLFSSL*);
 #define wolfSSL_get_using_nonblock wolfSSL_dtls_get_using_nonblock
    /* The old names are deprecated. */
 WOLFSSL_API int  wolfSSL_dtls_get_current_timeout(WOLFSSL* ssl);
+WOLFSSL_API int  wolfSSL_DTLSv1_get_timeout(WOLFSSL* ssl, Timeval* timeleft);
+WOLFSSL_API void wolfSSL_DTLSv1_set_initial_timeout_duration(WOLFSSL* ssl,
+    word32 duration_ms);
+WOLFSSL_API int  wolfSSL_DTLSv1_handle_timeout(WOLFSSL* ssl);
+
 WOLFSSL_API int  wolfSSL_dtls_set_timeout_init(WOLFSSL* ssl, int);
 WOLFSSL_API int  wolfSSL_dtls_set_timeout_max(WOLFSSL* ssl, int);
 WOLFSSL_API int  wolfSSL_dtls_got_timeout(WOLFSSL* ssl);
@ -1031,6 +1099,9 @@ WOLFSSL_API WOLFSSL_CIPHER*  wolfSSL_get_current_cipher(WOLFSSL*);
 WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER*, char*, int);
 WOLFSSL_API const char*  wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher);
 WOLFSSL_API const char*  wolfSSL_CIPHER_get_version(const WOLFSSL_CIPHER* cipher);
+WOLFSSL_API word32       wolfSSL_CIPHER_get_id(const WOLFSSL_CIPHER* cipher);
+WOLFSSL_API char*        wolfSSL_CIPHER_get_rfc_name(const WOLFSSL_CIPHER* cipher);
+WOLFSSL_API const WOLFSSL_CIPHER* wolfSSL_get_cipher_by_value(word16 value);
 WOLFSSL_API const char*  wolfSSL_SESSION_CIPHER_get_name(WOLFSSL_SESSION* session);
 WOLFSSL_API const char*  wolfSSL_get_cipher(WOLFSSL*);
 WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk);
@ -1064,11 +1135,8 @@ WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_push(WOLFSSL_BIO*, WOLFSSL_BIO* append);
 WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_pop(WOLFSSL_BIO*);
 WOLFSSL_API int  wolfSSL_BIO_flush(WOLFSSL_BIO*);
 WOLFSSL_API int  wolfSSL_BIO_pending(WOLFSSL_BIO*);
-
-typedef long (*wolf_bio_info_cb)(WOLFSSL_BIO *bio, int event, const char *parg,
-                                 int iarg, long larg, long return_value);
-WOLFSSL_API void  wolfSSL_BIO_set_callback(WOLFSSL_BIO *bio,
-                                           wolf_bio_info_cb callback_func);
+WOLFSSL_API void wolfSSL_BIO_set_callback(WOLFSSL_BIO *bio,
+                                          wolf_bio_info_cb callback_func);
 WOLFSSL_API wolf_bio_info_cb wolfSSL_BIO_get_callback(WOLFSSL_BIO *bio);
 WOLFSSL_API void  wolfSSL_BIO_set_callback_arg(WOLFSSL_BIO *bio, char *arg);
 WOLFSSL_API char* wolfSSL_BIO_get_callback_arg(const WOLFSSL_BIO *bio);
@ -1095,25 +1163,19 @@ WOLFSSL_API int wolfSSL_BIO_clear_retry_flags(WOLFSSL_BIO*);

 WOLFSSL_API WOLFSSL_BIO_METHOD *wolfSSL_BIO_meth_new(int, const char*);
 WOLFSSL_API void wolfSSL_BIO_meth_free(WOLFSSL_BIO_METHOD*);
-typedef int (*wolfSSL_BIO_meth_write_cb)(WOLFSSL_BIO*, const char*, int);
 WOLFSSL_API int wolfSSL_BIO_meth_set_write(WOLFSSL_BIO_METHOD*, wolfSSL_BIO_meth_write_cb);
-typedef int (*wolfSSL_BIO_meth_read_cb)(WOLFSSL_BIO *, char *, int);
 WOLFSSL_API int wolfSSL_BIO_meth_set_read(WOLFSSL_BIO_METHOD*, wolfSSL_BIO_meth_read_cb);
-typedef int (*wolfSSL_BIO_meth_puts_cb)(WOLFSSL_BIO*, const char*);
 WOLFSSL_API int wolfSSL_BIO_meth_set_puts(WOLFSSL_BIO_METHOD*, wolfSSL_BIO_meth_puts_cb);
-typedef int (*wolfSSL_BIO_meth_gets_cb)(WOLFSSL_BIO*, char*, int);
 WOLFSSL_API int wolfSSL_BIO_meth_set_gets(WOLFSSL_BIO_METHOD*, wolfSSL_BIO_meth_gets_cb);
-typedef long (*wolfSSL_BIO_meth_get_ctrl_cb)(WOLFSSL_BIO*, int, long, void*);
 WOLFSSL_API int wolfSSL_BIO_meth_set_ctrl(WOLFSSL_BIO_METHOD*, wolfSSL_BIO_meth_get_ctrl_cb);
-typedef int (*wolfSSL_BIO_meth_create_cb)(WOLFSSL_BIO*);
 WOLFSSL_API int wolfSSL_BIO_meth_set_create(WOLFSSL_BIO_METHOD*, wolfSSL_BIO_meth_create_cb);
-typedef int (*wolfSSL_BIO_meth_destroy_cb)(WOLFSSL_BIO*);
 WOLFSSL_API int wolfSSL_BIO_meth_set_destroy(WOLFSSL_BIO_METHOD*, wolfSSL_BIO_meth_destroy_cb);
 WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_mem_buf(void* buf, int len);

-
 WOLFSSL_API long wolfSSL_BIO_set_ssl(WOLFSSL_BIO*, WOLFSSL*, int flag);
-WOLFSSL_API long wolfSSL_BIO_set_fd(WOLFSSL_BIO* b, int fd, int flag);
+#ifndef NO_FILESYSTEM
+WOLFSSL_API long wolfSSL_BIO_set_fd(WOLFSSL_BIO* b, XFILE fd, int flag);
+#endif
 WOLFSSL_API void wolfSSL_set_bio(WOLFSSL*, WOLFSSL_BIO* rd, WOLFSSL_BIO* wr);

 #ifndef NO_FILESYSTEM
@ -1177,6 +1239,8 @@ WOLFSSL_API int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* n,
 #ifndef NO_RSA
 WOLFSSL_API int wolfSSL_RSA_print(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, int offset);
 #endif
+WOLFSSL_API int wolfSSL_X509_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509* x509,
+    unsigned long nmflags, unsigned long cflag);
 WOLFSSL_API int wolfSSL_X509_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509);
 WOLFSSL_API char*       wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME*, char*, int);
 WOLFSSL_API WOLFSSL_X509_NAME*  wolfSSL_X509_get_issuer_name(WOLFSSL_X509*);
@ -1285,6 +1349,10 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_PKEY_new(void);
 WOLFSSL_API int       wolfSSL_X509_cmp_current_time(const WOLFSSL_ASN1_TIME*);
 WOLFSSL_API int wolfSSL_X509_cmp_time(const WOLFSSL_ASN1_TIME* asnTime,
        time_t *cmpTime);
+WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_X509_time_adj_ex(WOLFSSL_ASN1_TIME *asnTime,
+    int offset_day, long offset_sec, time_t *in_tm);
+WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_X509_time_adj(WOLFSSL_ASN1_TIME *asnTime,
+    long offset_sec, time_t *in_tm);
 WOLFSSL_API int       wolfSSL_sk_X509_REVOKED_num(WOLFSSL_X509_REVOKED*);
 #ifdef OPENSSL_EXTRA
 WOLFSSL_API void      wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX*,
@ -1600,6 +1668,7 @@ enum {
    X509_R_CERT_ALREADY_IN_HASH_TABLE,

    XN_FLAG_SPC_EQ  = (1 << 23),
+    XN_FLAG_SEP_CPLUS_SPC = (2 << 16),
    XN_FLAG_ONELINE = 0,
    XN_FLAG_RFC2253 = 1,

@ -1903,6 +1972,8 @@ WOLFSSL_API int wolfSSL_set_compression(WOLFSSL* ssl);

 WOLFSSL_API int wolfSSL_set_timeout(WOLFSSL*, unsigned int);
 WOLFSSL_API int wolfSSL_CTX_set_timeout(WOLFSSL_CTX*, unsigned int);
+WOLFSSL_API void wolfSSL_CTX_set_current_time_cb(WOLFSSL_CTX* ctx,
+    void (*cb)(const WOLFSSL* ssl, Timeval* out_clock));

 /* get wolfSSL peer X509_CHAIN */
 WOLFSSL_API WOLFSSL_X509_CHAIN* wolfSSL_get_peer_chain(WOLFSSL* ssl);
@ -1930,8 +2001,6 @@ WOLFSSL_API int  wolfSSL_X509_get_serial_number(WOLFSSL_X509*,unsigned char*,int
 WOLFSSL_API char*  wolfSSL_X509_get_subjectCN(WOLFSSL_X509*);
 WOLFSSL_API const unsigned char* wolfSSL_X509_get_der(WOLFSSL_X509*, int*);
 WOLFSSL_API const unsigned char* wolfSSL_X509_get_tbs(WOLFSSL_X509*, int*);
-WOLFSSL_API const unsigned char* wolfSSL_X509_notBefore(WOLFSSL_X509*);
-WOLFSSL_API const unsigned char* wolfSSL_X509_notAfter(WOLFSSL_X509*);
 WOLFSSL_API int wolfSSL_X509_version(WOLFSSL_X509*);

 WOLFSSL_API int wolfSSL_cmp_peer_cert_to_file(WOLFSSL*, const char*);
@ -2933,9 +3002,6 @@ int wolfSSL_DeriveTlsKeys(unsigned char* key_data, word32 keyLen,

 #ifdef WOLFSSL_CALLBACKS

-/* used internally by wolfSSL while OpenSSL types aren't */
-#include <wolfssl/callbacks.h>
-
 typedef int (*HandShakeCallBack)(HandShakeInfo*);
 typedef int (*TimeoutCallBack)(TimeoutInfo*);

@ -3021,12 +3087,15 @@ WOLFSSL_API long wolfSSL_CTX_clear_extra_chain_certs(WOLFSSL_CTX* ctx);
 #ifndef NO_CERTS
 WOLFSSL_API WOLFSSL_X509_NAME_ENTRY* wolfSSL_X509_NAME_ENTRY_create_by_NID(
            WOLFSSL_X509_NAME_ENTRY** out, int nid, int type,
-            unsigned char* data, int dataSz);
+            const unsigned char* data, int dataSz);
 WOLFSSL_API int wolfSSL_X509_NAME_add_entry(WOLFSSL_X509_NAME* name,
                              WOLFSSL_X509_NAME_ENTRY* entry, int idx, int set);
 WOLFSSL_API int wolfSSL_X509_NAME_add_entry_by_txt(WOLFSSL_X509_NAME *name,
    const char *field, int type, const unsigned char *bytes, int len, int loc,
    int set);
+WOLFSSL_API int wolfSSL_X509_NAME_add_entry_by_NID(WOLFSSL_X509_NAME *name, int nid,
+                                           int type, const unsigned char *bytes,
+                                           int len, int loc, int set);
 WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME* x,
            const WOLFSSL_X509_NAME* y);
 WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new(void);
@ -3094,6 +3163,7 @@ WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx);

 WOLFSSL_API size_t wolfSSL_BIO_wpending(const WOLFSSL_BIO *bio);
 WOLFSSL_API size_t wolfSSL_BIO_ctrl_pending(WOLFSSL_BIO *b);
+
 WOLFSSL_API size_t wolfSSL_get_server_random(const WOLFSSL *ssl,
                                             unsigned char *out, size_t outlen);
 WOLFSSL_API int wolfSSL_get_server_tmp_key(const WOLFSSL*, WOLFSSL_EVP_PKEY**);
@ -3187,7 +3257,8 @@ WOLFSSL_API int wolfSSL_PEM_write_bio_X509_AUX(WOLFSSL_BIO *bp,WOLFSSL_X509 *x);
 WOLFSSL_API int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x);
 #endif /* HAVE_STUNNEL || HAVE_LIGHTY */

-#ifdef OPENSSL_ALL
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) && \
+                                                       defined(WOLFSSL_CERT_REQ)
 WOLFSSL_API int wolfSSL_i2d_X509_REQ(WOLFSSL_X509* req, unsigned char** out);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_new(void);
 WOLFSSL_API void wolfSSL_X509_REQ_free(WOLFSSL_X509* req);
@ -3413,7 +3484,6 @@ WOLFSSL_API int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a,
 WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx);
 WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx,
    void *data);
-
 WOLFSSL_API int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *data,
    const WOLFSSL_EVP_MD *type, unsigned char *md, unsigned int *len);

--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -1105,7 +1105,6 @@ WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
 WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
                             int maxIdx);
 WOLFSSL_LOCAL int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der);
-WOLFSSL_LOCAL int RsaPublicKeyDerSize(RsaKey* key, int with_header);

 #ifdef HAVE_ECC
    /* ASN sig helpers */
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@ -106,7 +106,8 @@ enum CertType {
    PKCS12_TYPE,
    PKCS8_PRIVATEKEY_TYPE,
    PKCS8_ENC_PRIVATEKEY_TYPE,
-    DETECT_CERT_TYPE
+    DETECT_CERT_TYPE,
+    DH_PRIVATEKEY_TYPE,
 };


@ -204,9 +205,9 @@ typedef struct WOLFSSL_ASN1_INTEGER {
    unsigned char* data;
    unsigned int   dataMax;   /* max size of data buffer */
    unsigned int   isDynamic:1; /* flag for if data pointer dynamic (1 is yes 0 is no) */
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
+
    int length;
-#endif
+    int type;
 } WOLFSSL_ASN1_INTEGER;


@ -367,7 +368,7 @@ WOLFSSL_API int wc_SetAltNamesBuffer(Cert*, const byte*, int);
 WOLFSSL_API int wc_SetDatesBuffer(Cert*, const byte*, int);

 #ifndef NO_ASN_TIME
-WOLFSSL_API int wc_GetCertDates(Cert* cert, struct tm* before, 
+WOLFSSL_API int wc_GetCertDates(Cert* cert, struct tm* before,
    struct tm* after);
 #endif

@ -425,7 +426,7 @@ WOLFSSL_API int wc_SetExtKeyUsageOID(Cert *cert, const char *oid, word32 sz,

 #endif /* WOLFSSL_CERT_GEN */

-WOLFSSL_API int wc_GetDateInfo(const byte* certDate, int certDateSz, 
+WOLFSSL_API int wc_GetDateInfo(const byte* certDate, int certDateSz,
    const byte** date, byte* format, int* length);
 #ifndef NO_ASN_TIME
 WOLFSSL_API int wc_GetDateAsCalendarTime(const byte* date, int length,
@ -434,7 +435,7 @@ WOLFSSL_API int wc_GetDateAsCalendarTime(const byte* date, int length,

 #if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)

-    WOLFSSL_API int wc_PemGetHeaderFooter(int type, const char** header, 
+    WOLFSSL_API int wc_PemGetHeaderFooter(int type, const char** header,
        const char** footer);

 #endif
@ -476,9 +477,12 @@ WOLFSSL_API void wc_FreeDer(DerBuffer** pDer);
                                word32 outputSz, byte *cipherIno, int type);
 #endif

-#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
+#ifndef NO_RSA
+    #if !defined(HAVE_USER_RSA)
    WOLFSSL_API int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx,
        word32 inSz, const byte** n, word32* nSz, const byte** e, word32* eSz);
+    #endif
+    WOLFSSL_API int wc_RsaPublicKeyDerSize(RsaKey* key, int with_header);
 #endif

 #ifdef HAVE_ECC
@ -496,6 +500,7 @@ WOLFSSL_API void wc_FreeDer(DerBuffer** pDer);
                                              ecc_key*, word32);
    WOLFSSL_API int wc_EccPublicKeyToDer(ecc_key*, byte* output,
                                         word32 inLen, int with_AlgCurve);
+    WOLFSSL_API int wc_EccPublicKeyDerSize(ecc_key*, int with_AlgCurve);
 #endif

 #ifdef HAVE_ED25519
--- a/wolfssl/wolfcrypt/sp.h
+++ b/wolfssl/wolfcrypt/sp.h