Index: generic/tlsX509.c
==================================================================
--- generic/tlsX509.c
+++ generic/tlsX509.c
@@ -93,11 +93,10 @@
     int mdnid, pknid, bits, len;
     uint32_t xflags, usage;
     char buffer[BUFSIZ];
     unsigned char md[EVP_MAX_MD_SIZE];
     STACK_OF(GENERAL_NAME) *names;
-    STACK_OF(DIST_POINT) *crl;
     STACK_OF(OPENSSL_STRING) *ocsp;
     unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
     flags &= ~ASN1_STRFLGS_ESC_MSB;
 
     if (bio == NULL || certPtr == NULL) {
@@ -427,62 +426,94 @@
     }
     LAPPEND_LIST(interp, certPtr, "extendedKeyUsage", listPtr);
 
     /* CRL Distribution Points identifies where CRL information can be obtained.
 	RFC 5280 section 4.2.1.13*/
-    listPtr = Tcl_NewListObj(0, NULL);
-    if (crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL)) {
-	Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);
-
-	for (int i=0; i < sk_DIST_POINT_num(crl); i++) {
-	    DIST_POINT *dp = sk_DIST_POINT_value(crl, i);
-	    DIST_POINT_NAME *distpoint = dp->distpoint;
-
-	    if (distpoint->type == 0) {
-		/* fullname GENERALIZEDNAME */
-		for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
-		    GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
-		    int type;
-		    ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type);
-		    if (type == GEN_URI) {
-			Tcl_ListObjAppendElement(interp, listPtr,
-			    Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)));
-		    }
-		}
-	    } else if (distpoint->type == 1) {
-		/* relativename X509NAME */
-		STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename;
-		for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) {
-		    X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j);
-		    ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
-		    Tcl_ListObjAppendElement(interp, listPtr,
-			Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d)));
-		}
-	    }
-	}
-	CRL_DIST_POINTS_free(crl);
-    }
-    LAPPEND_LIST(interp, certPtr, "crlDistributionPoints", listPtr);
+    {
+	STACK_OF(DIST_POINT) *crl;
+	listPtr = Tcl_NewListObj(0, NULL);
+
+	if (crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL)) {
+	    Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);
+
+	    for (int i=0; i < sk_DIST_POINT_num(crl); i++) {
+		DIST_POINT *dp = sk_DIST_POINT_value(crl, i);
+		DIST_POINT_NAME *distpoint = dp->distpoint;
+
+		if (distpoint->type == 0) {
+		    /* fullname GENERALIZEDNAME */
+		    for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
+			GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
+			int type;
+			ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type);
+			if (type == GEN_URI) {
+			    Tcl_ListObjAppendElement(interp, listPtr,
+				Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)));
+			}
+		    }
+		} else if (distpoint->type == 1) {
+		    /* relativename X509NAME */
+		    STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename;
+		    for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) {
+			X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j);
+			ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
+			Tcl_ListObjAppendElement(interp, listPtr,
+			    Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d)));
+		    }
+		}
+	    }
+	    CRL_DIST_POINTS_free(crl);
+	}
+	LAPPEND_LIST(interp, certPtr, "crlDistributionPoints", listPtr);
+    }
 
     /* Freshest CRL extension */
     if (xflags & EXFLAG_FRESHEST) {
     }
 
     /* Authority Information Access indicates how to access info and services
 	for the certificate issuer. RFC 5280 section 4.2.2.1, NID_info_access */
     /* Get On-line Certificate Status Protocol (OSCP) URL */
-    listPtr = Tcl_NewListObj(0, NULL);
-    if (ocsp = X509_get1_ocsp(cert)) {
-	for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) {
-	    Tcl_ListObjAppendElement(interp, listPtr,
-		Tcl_NewStringObj(sk_OPENSSL_STRING_value(ocsp, i), -1));
-	}
-	X509_email_free(ocsp);
-    }
-    LAPPEND_LIST(interp, certPtr, "ocsp", listPtr);
-
-    /* CA Issuers URL caIssuers */
+    {
+	STACK_OF(OPENSSL_STRING) *ocsp;
+	listPtr = Tcl_NewListObj(0, NULL);
+
+	if (ocsp = X509_get1_ocsp(cert)) {
+	    for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) {
+		Tcl_ListObjAppendElement(interp, listPtr,
+		    Tcl_NewStringObj(sk_OPENSSL_STRING_value(ocsp, i), -1));
+	    }
+	    X509_email_free(ocsp);
+	    /* sk_OPENSSL_STRING_free(ocsp); */
+	}
+	LAPPEND_LIST(interp, certPtr, "ocsp", listPtr);
+    }
+
+    /* CA Issuers URL, caIssuers */
+    {
+	STACK_OF(ACCESS_DESCRIPTION) *ads;
+	listPtr = Tcl_NewListObj(0, NULL);
+
+	if (ads = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL)) {
+	    for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(ads); i++) {
+		ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(ads, i);
+		if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location) {
+		    if (ad->location->type == GEN_URI) {
+			unsigned char *buf;
+
+			len = ASN1_STRING_to_UTF8(&buf, ad->location->d.uniformResourceIdentifier);
+			Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buf, len));
+			OPENSSL_free(buf);
+			break;
+		    }
+		}
+	    }
+	    /* sk_ACCESS_DESCRIPTION_pop_free(ads, ACCESS_DESCRIPTION_free); */
+	    AUTHORITY_INFO_ACCESS_free(ads);
+	}
+	LAPPEND_LIST(interp, certPtr, "caIssuers", listPtr);
+    }
 
     /* Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access */
 
     /* Certificate Alias. If uses a PKCS#12 structure, alias will reflect the
 	friendlyName attribute (RFC 2985). */