path: root/main/lua-ossl/git-2014.03.27.patch

diff --git a/GNUmakefile b/GNUmakefile
index 9c1fece..2955d86 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -32,6 +32,8 @@ RANLIB ?= ranlib
 M4 ?= m4
 RM ?= rm
 CP ?= cp
+LN ?= ln
+LN_S ?= $(LN) -s
 RMDIR ?= rmdir
 MKDIR ?= mkdir
 CHMOD ?= chmod
@@ -62,6 +64,8 @@ $(d)/config:
 	printf 'M4 ?= $(value M4)'"\n" >> $(@D)/.config
 	printf 'RM ?= $(value RM)'"\n" >> $(@D)/.config
 	printf 'CP ?= $(value CP)'"\n" >> $(@D)/.config
+	printf 'LN ?= $(value LN)'"\n" >> $(@D)/.config
+	printf 'LN_S ?= $(value LN_S)'"\n" >> $(@D)/.config
 	printf 'RMDIR ?= $(value RMDIR)'"\n" >> $(@D)/.config
 	printf 'MKDIR ?= $(value MKDIR)'"\n" >> $(@D)/.config
 	printf 'CHMOD ?= $(value CHMOD)'"\n" >> $(@D)/.config
@@ -106,6 +110,11 @@ endif
 ifeq ($(VENDOR_CC_$(d)), sunpro)
 CFLAGS_$(d) += -xcode=pic13
 CFLAGS_$(d) += -g
+#
+# Solaris Studio has a brain-dead function call analyzer which counts
+# arguments before preprocessor expansion.
+#
+CFLAGS_$(d) += -erroff=E_ARGUEMENT_MISMATCH
 endif
 
 ifeq ($(VENDOR_OS_$(d)), Darwin)
diff --git a/doc/luaossl.tex b/doc/luaossl.tex
index 0aac6c3..347c2fe 100644
--- a/doc/luaossl.tex
+++ b/doc/luaossl.tex
@@ -221,28 +221,30 @@ Install Lua 5.3 module.
 
 \module{openssl.bignum} binds OpenSSL's libcrypto bignum library. It supports all the standard arithmetic operations. Regular number operands in a mixed arithmetic expression are upgraded as-if \method{bignum.new} was used explicitly. The \fn{\_\_tostring} metamethod generates a decimal encoded represention.
 
-\subsubsection[\fn{bignum.new}]{\fn{bignum.new(number)}}
+\subsubsection[\fn{bignum.new}]{\fn{bignum.new($number$)}}
 
-Wraps the sign and integral part of `number' as a bignum object, discarding any fractional part.
+Wraps the sign and integral part of $number$ as a bignum object, discarding any fractional part.
 
-\subsubsection[\fn{bignum.interpose}]{\fn{bignum.interpose(name, function)}}
+\subsubsection[\fn{bignum.interpose}]{\fn{bignum.interpose($name$, $function$)}}
 
 Add or interpose a bignum class method. Returns the previous method, if any.
 
 \end{Module}
 
 
-\begin{Module}{openssl.pubkey}
+\begin{Module}{openssl.pkey}
 
-\module{openssl.pubkey} binds OpenSSL's libcrypto public-private key library. The \fn{tostring} metamethod generates a PEM encoded representation of the public key---excluding the private key.
+\module{openssl.pkey} binds OpenSSL's libcrypto public-private key library. The \fn{\_\_tostring} metamethod generates a PEM encoded representation of the public key---excluding the private key.
 
-\subsubsection[\fn{pubkey.new}]{\fn{pubkey.new(string)}}
+\subsubsection[\fn{pkey.new}]{\fn{pkey.new($string$[, $format$])}}
 
-Initializes a new pubkey object from the PEM-encoded key in `string'.
+Initializes a new pkey object from the PEM- or DER-encoded key in $string$. $format$ defaults to ``*'', which means to automatically test the input encoding. If $format$ is explicitly ``PEM'' or ``DER'', then only that decoding format is used.
 
-\subsubsection[\fn{pubkey.new}]{\fn{pubkey.new\{ $\ldots$ \}}}
+On failure throws an error.
 
-Generates a new pubkey object according to the specified parameters.
+\subsubsection[\fn{pkey.new}]{\fn{pkey.new\{ $\ldots$ \}}}
+
+Generates a new pkey object according to the specified parameters.
 
 \begin{ctabular}{ c | c | p{5in}}
 field & type:default & description\\\hline
@@ -254,37 +256,37 @@ field & type:default & description\\\hline
 
 .curve & string:prime192v1 & for elliptic curve keys, the OpenSSL string identifier of the curve
 \end{ctabular}
-\subsubsection[\fn{pubkey.interpose}]{\fn{pubkey.interpose(name, function)}}
+\subsubsection[\fn{pkey.interpose}]{\fn{pkey.interpose($name$, $function$)}}
 
-Add or interpose a pubkey class method. Returns the previous method, if any.
+Add or interpose a pkey class method. Returns the previous method, if any.
 
-\subsubsection[\fn{pubkey:type}]{\fn{pubkey:type()}}
+\subsubsection[\fn{pkey:type}]{\fn{pkey:type()}}
 
 Returns the OpenSSL string identifier for the type of key.
 
-\subsubsection[\fn{pubkey:setPublicKey}]{\fn{pubkey:setPublicKey(string)}}
+\subsubsection[\fn{pkey:setPublicKey}]{\fn{pkey:setPublicKey($string$[, $format$])}}
 
-Set the public key component to that described by the PEM encoded public key in `string'.
+Set the public key component to that described by the PEM- or DER-encoded public key in $string$. $format$ is as described in \fn{openssl.pkey.new}---``PEM'', ``DER'', or ``*'' (default).
 
-\subsubsection[\fn{pubkey:setPrivateKey}]{\fn{pubkey:setPrivateKey(string)}}
+\subsubsection[\fn{pkey:setPrivateKey}]{\fn{pkey:setPrivateKey($string$[, $format$])}}
 
-Set the private key component to that described by the PEM encoded private key in `string'.
+Set the private key component to that described by the PEM encoded private key in $string$. $format$ is as described in \fn{openssl.pkey.new}.
 
-\subsubsection[\fn{pubkey:sign}]{\fn{pubkey:sign(digest)}}
+\subsubsection[\fn{pkey:sign}]{\fn{pkey:sign($digest$)}}
 
-Sign data which has been consumed by the specified \module{openssl.digest} `digest'. Digests and keys are not all interchangeable. For example, an elliptic curve key requires a digest of type ``ecdsa-with-SHA1'', while DSA requires ``dss1''. OpenSSL supports more varied digests for RSA.
+Sign data which has been consumed by the specified \module{openssl.digest} $digest$. Digests and keys are not all interchangeable. For example, an elliptic curve key requires a digest of type ``ecdsa-with-SHA1'', while DSA requires ``dss1''. OpenSSL supports more varied digests for RSA.
 
 Returns the signature as an opaque binary string\footnote{Elliptic curve signatures are two X.509 DER-encoded numbers, for example, while RSA signatures are encrypted DER structures.} on success, and throws an error otherwise.
 
-\subsubsection[\fn{pubkey:verify}]{\fn{pubkey:verify(signature, digest)}}
+\subsubsection[\fn{pkey:verify}]{\fn{pkey:verify($signature$, $digest$)}}
 
-Verify the string `signature' as signing the document consumed by \module{openssl.digest} `digest`. See the :sign method for constraints on the format and type of the parameters.
+Verify the string $signature$ as signing the document consumed by \module{openssl.digest} $digest$. See the :sign method for constraints on the format and type of the parameters.
 
 Returns true on success, false for properly formatted but invalid signatures, and throws an error otherwise. Because the structure of the signature is opaque and not susceptible to sanity checking before passing to OpenSSL, an application should always be prepared for an error to be thrown when verifying untrusted signatures. OpenSSL, of course, should be able to handle all malformed inputs. But the module does not attempt to differentiate local system errors from errors triggered by malformed signatures because the set of such errors may change in the future.
 
-\subsubsection[\fn{pubkey:toPEM}]{\fn{pubkey:toPEM(which[, which])}}
+\subsubsection[\fn{pkey:toPEM}]{\fn{pkey:toPEM($which$[, $which$])}}
 
-Returns the PEM encoded string representation(s) of the specified key component. `which' must be one of ``public'', ``PublicKey'', ``private'', or ``PrivateKey''. For the two argument form, returns two values.
+Returns the PEM encoded string representation(s) of the specified key component. $which$ must be one of ``public'', ``PublicKey'', ``private'', or ``PrivateKey''. For the two argument form, returns two values.
 
 \end{Module}
 
@@ -297,13 +299,13 @@ Binds the X.509 distinguished name OpenSSL ASN.1 object, used for representing c
 
 Returns an empty name object.
 
-\subsubsection[\fn{name.interpose}]{\fn{name.interpose(name, function)}}
+\subsubsection[\fn{name.interpose}]{\fn{name.interpose($name$, $function$)}}
 
 Add or interpose a name class method. Returns the previous method, if any.
 
-\subsubsection[\fn{name:add}]{\fn{name:add(type, value)}}
+\subsubsection[\fn{name:add}]{\fn{name:add($type$, $value$)}}
 
-Add a distinguished name component. `type' is the OpenSSL string identifier of the component type---short, long, or OID forms. `value' is the string value of the component. DN components are free-form, and are encoded raw.
+Add a distinguished name component. $type$ is the OpenSSL string identifier of the component type---short, long, or OID forms. $value$ is the string value of the component. DN components are free-form, and are encoded raw.
 
 \subsubsection[\fn{name:all}]{\fn{name:all()}}
 
@@ -332,19 +334,19 @@ Binds the X.509 alternative names (a.k.a ``general names'') OpenSSL ASN.1 object
 
 Returns an empty altname object.
 
-\subsubsection[\fn{altname.interpose}]{\fn{altname.interpose(name, function)}}
+\subsubsection[\fn{altname.interpose}]{\fn{altname.interpose($name$, $function$)}}
 
 Add or interpose an altname class method. Returns the previous method, if any.
 
-\subsubsection[\fn{altname:add}]{\fn{altname:add(type, value)}}
+\subsubsection[\fn{altname:add}]{\fn{altname:add($type$, $value$)}}
 
-Add an alternative name. `type' must specify one of the four basic types identified by ``RFC822Name'', ``RFC822'', ``email'', ``UniformResourceIdentifier'', ``URI'', ``DNSName'', ``DNS'', ``IPAddress'', and ``IP''.
+Add an alternative name. $type$ must specify one of the five basic types identified by ``RFC822Name'', ``RFC822'', ``email'', ``UniformResourceIdentifier'', ``URI'', ``DNSName'', ``DNS'', ``IPAddress'', ``IP'', or ``DirName''.
 
-`value' is a string acceptable to OpenSSL's sanity checks. For an IP address, `value' must be parseable by the system's \fn{inet\_pton} routine, as IP addresses are stored as raw 4- or 16-byte octets.
+For all types except ``DirName'', $value$ is a string acceptable to OpenSSL's sanity checks. For an IP address, $value$ must be parseable by the system's \fn{inet\_pton} routine, as IP addresses are stored as raw 4- or 16-byte octets. ``DirName'' takes an \module{openssl.x509.name} object.
 
 \subsubsection[\fn{name:\_\_pairs}]{\fn{name:\_\_pairs()}}
 
-Returns a key-value iterator over the alternative names. The key is one of ``email'', ``URI'', ``DNS'', or ``IP''. The value is the string representation of the name.
+Returns a key-value iterator over the alternative names. The key is one of ``email'', ``URI'', ``DNS'', ``IP'', or ``DirName''. The value is the string representation of the name.
 
 \end{Module}
 
@@ -353,11 +355,11 @@ Returns a key-value iterator over the alternative names. The key is one of ``ema
 
 Binds the X.509 certificate OpenSSL ASN.1 object.
 
-\subsubsection[\fn{x509.new}]{\fn{x509.new([string])}}
+\subsubsection[\fn{x509.new}]{\fn{x509.new([$string$[, $format$]])}}
 
-Returns a new x509 object, optionally initialized to the PEM encoded certificate specified by `string'.
+Returns a new x509 object, optionally initialized to the PEM- or DER-encoded certificate specified by $string$. $format$ is as described in \fn{openssl.pkey.new}--``PEM'', ``DER'', or ``*'' (default).
 
-\subsubsection[\fn{x509.interpose}]{\fn{x509.interpose(name, function)}}
+\subsubsection[\fn{x509.interpose}]{\fn{x509.interpose($name$, $function$)}}
 
 Add or interpose an x509 class method. Returns the previous method, if any.
 
@@ -365,7 +367,7 @@ Add or interpose an x509 class method. Returns the previous method, if any.
 
 Returns the X.509 version of the certificate.
 
-\subsubsection[\fn{x509:setVersion}]{\fn{x509:setVersion(number)}}
+\subsubsection[\fn{x509:setVersion}]{\fn{x509:setVersion($number$)}}
 
 Sets the X.509 version of the certificate.
 
@@ -373,27 +375,27 @@ Sets the X.509 version of the certificate.
 
 Returns the serial of the certificate as an \module{openssl.bignum}.
 
-\subsubsection[\fn{x509:setSerial}]{\fn{x509:setSerial(number)}}
+\subsubsection[\fn{x509:setSerial}]{\fn{x509:setSerial($number$)}}
 
-Sets the serial of the certificate. `number' is a Lua or \module{openssl.bignum} number.
+Sets the serial of the certificate. $number$ is a Lua or \module{openssl.bignum} number.
 
-\subsubsection[\fn{x509:digest}]{\fn{x509:digest([type[, format]])}}
+\subsubsection[\fn{x509:digest}]{\fn{x509:digest([$type$[, $format$]])}}
 
-Returns the cryptographic one-way message digest of the certificate. `type' is the OpenSSL string identifier of the hash type---e.g. ``md5'', ``sha1'' (default), ``sha256'', etc. `format' specifies the representation of the digest---``s'' for an octet string, ``x'' for a hexadecimal string (default), and ``n'' for an \module{openssl.bignum} number.
+Returns the cryptographic one-way message digest of the certificate. $type$ is the OpenSSL string identifier of the hash type---e.g. ``md5'', ``sha1'' (default), ``sha256'', etc. $format$ specifies the representation of the digest---``s'' for an octet string, ``x'' for a hexadecimal string (default), and ``n'' for an \module{openssl.bignum} number.
 
 \subsubsection[\fn{x509:getLifetime}]{\fn{x509:getLifetime()}}
 
 Returns the certificate validity ``Not Before'' and ``Not After'' dates as two Unix timestamp numbers.
 
-\subsubsection[\fn{x509:setLifetime}]{\fn{x509:setLifetime([notbefore][, notafter])}}
+\subsubsection[\fn{x509:setLifetime}]{\fn{x509:setLifetime([$notbefore$][, $notafter$])}}
 
-Sets the certificate validity dates. A nil value leaves the particular date unchanged.
+Sets the certificate validity dates. $notbefore$ and $notafter$ should be UNIX timestamps. A nil value leaves the particular date unchanged.
 
 \subsubsection[\fn{x509:getIssuer}]{\fn{x509:getIssuer()}}
 
 Returns the issuer distinguished name as an \module{x509.name} object.
 
-\subsubsection[\fn{x509:setIssuer}]{\fn{x509:setIssuer(name)}}
+\subsubsection[\fn{x509:setIssuer}]{\fn{x509:setIssuer($name$)}}
 
 Sets the issuer distinguished name.
 
@@ -401,7 +403,7 @@ Sets the issuer distinguished name.
 
 Returns the subject distinguished name as an \module{x509.name} object.
 
-\subsubsection[\fn{x509:setSubject}]{\fn{x509:setSubject(name)}}
+\subsubsection[\fn{x509:setSubject}]{\fn{x509:setSubject($name$)}}
 
 Sets the subject distinguished name.
 
@@ -409,7 +411,7 @@ Sets the subject distinguished name.
 
 Returns the issuer alternative names as an \module{x509.altname} object.
 
-\subsubsection[\fn{x509:setIssuerAlt}]{\fn{x509:setIssuer(altname)}}
+\subsubsection[\fn{x509:setIssuerAlt}]{\fn{x509:setIssuer($altname$)}}
 
 Sets the issuer alternative names.
 
@@ -417,7 +419,7 @@ Sets the issuer alternative names.
 
 Returns the subject alternative names as an \module{x509.name} object.
 
-\subsubsection[\fn{x509:setSubjectAlt}]{\fn{x509:setSubjectAlt(name)}}
+\subsubsection[\fn{x509:setSubjectAlt}]{\fn{x509:setSubjectAlt($name$)}}
 
 Sets the subject alternative names.
 
@@ -425,7 +427,7 @@ Sets the subject alternative names.
 
 Returns the issuer alternative names critical flag as a boolean.
 
-\subsubsection[\fn{x509:setIssuerAltCritical}]{\fn{x509:setIssuerAltCritical(boolean)}}
+\subsubsection[\fn{x509:setIssuerAltCritical}]{\fn{x509:setIssuerAltCritical($boolean$)}}
 
 Sets the issuer alternative names critical flag.
 
@@ -433,13 +435,13 @@ Sets the issuer alternative names critical flag.
 
 Returns the subject alternative names critical flag as a boolean.
 
-\subsubsection[\fn{x509:setSubjectAltCritical}]{\fn{x509:setSubjectAltCritical(boolean)}}
+\subsubsection[\fn{x509:setSubjectAltCritical}]{\fn{x509:setSubjectAltCritical($boolean$)}}
 
 Sets the subject alternative names critical flag.
 
-\subsubsection[\fn{x509:getBasicConstraints}]{\fn{x509:getBasicConstraints([which[, which $\ldots$ ]])}}
+\subsubsection[\fn{x509:getBasicConstraints}]{\fn{x509:getBasicConstraints([$which$[, $which$ $\ldots$ ]])}}
 
-Returns the X.509 ``basic constraint'' flags. If specified, `which' should be one of ``CA'' or ``pathLen'', which returns the specified constraint---respectively, a boolean and a number.  If no parameters are specified, returns a table with fields ``CA'' and ``pathLen''.
+Returns the X.509 `basic constraint' flags. If specified, $which$ should be one of ``CA'' or ``pathLen'', which returns the specified constraint---respectively, a boolean and a number.  If no parameters are specified, returns a table with fields ``CA'' and ``pathLen''.
 
 \subsubsection[\fn{x509:setBasicConstraints}]{\fn{x509:setBasicConstraints\{ $\ldots$ \}}}
 
@@ -449,25 +451,25 @@ Sets the basic constraint flag according to the defined field values for ``CA''
 
 Returns the basic constraints critical flag as a boolean.
 
-\subsubsection[\fn{x509:setBasicConstraintsCritical}]{\fn{x509:setBasicConstraintsCritical(boolean)}}
+\subsubsection[\fn{x509:setBasicConstraintsCritical}]{\fn{x509:setBasicConstraintsCritical($boolean$)}}
 
 Sets the basic constraints critical flag.
 
-\subsubsection[\fn{x509:isIssuedBy}]{\fn{x509:isIssuedBy(issuer)}}
+\subsubsection[\fn{x509:isIssuedBy}]{\fn{x509:isIssuedBy($issuer$)}}
 
-Returns a boolean according to whether the specified issuer---an \module{openssl.x509} object---signed the instance certificate.
+Returns a boolean according to whether the specified issuer---an \module{openssl.x509.name} object---signed the instance certificate.
 
 \subsubsection[\fn{x509:getPublicKey}]{\fn{x509:getPublicKey()}}
 
-Returns the public key component as an \module{openssl.pubkey} object.
+Returns the public key component as an \module{openssl.pkey} object.
 
-\subsubsection[\fn{x509:setPublicKey}]{\fn{x509:setPublicKey(key)}}
+\subsubsection[\fn{x509:setPublicKey}]{\fn{x509:setPublicKey($key$)}}
 
-Sets the public key component referenced by the \module{openssl.pubkey} object `key'.
+Sets the public key component referenced by the \module{openssl.pkey} object $key$.
 
-\subsubsection[\fn{x509:sign}]{\fn{x509:sign(key [, type])}}
+\subsubsection[\fn{x509:sign}]{\fn{x509:sign($key$ [, $type$])}}
 
-Signs and updates the instance certificate using the \module{openssl.pubkey} `key'. `type' is an optional string describing the digest type. See \module{pubkey:sign}, regarding which types of digests are valid. If `type' is omitted than a default type is used---``sha1'' for RSA keys, ``dss1'' for DSA keys, and ``ecdsa-with-SHA1'' for EC keys.
+Signs and updates the instance certificate using the \module{openssl.pkey} $key$. $type$ is an optional string describing the digest type. See \module{pkey:sign}, regarding which types of digests are valid. If $type$ is omitted than a default type is used---``sha1'' for RSA keys, ``dss1'' for DSA keys, and ``ecdsa-with-SHA1'' for EC keys.
 
 \subsubsection[\fn{x509:\_\_tostring}]{\fn{x509:\_\_tostring}}
 
@@ -480,11 +482,11 @@ Returns the PEM encoded representation of the instance certificate.
 
 Binds the X.509 certificate signing request OpenSSL ASN.1 object.
 
-\subsubsection[\fn{csr.new}]{\fn{csr.new([x509|string])}}
+\subsubsection[\fn{csr.new}]{\fn{csr.new([$x509$|$string$[, $format$]])}}
 
-Returns a new request object, optionally initialized to the specified \module{openssl.x509} certificate `x509' or the the PEM encoded certificate signing request `string'.
+Returns a new request object, optionally initialized to the specified \module{openssl.x509} certificate $x509$ or the PEM- or DER-encoded certificate signing request $string$. $format$ is as described in \fn{openssl.pkey.new}---``PEM'', ``DER'', or ``*'' (default).
 
-\subsubsection[\fn{csr.interpose}]{\fn{csr.interpose(name, function)}}
+\subsubsection[\fn{csr.interpose}]{\fn{csr.interpose($name$, $function$)}}
 
 Add or interpose a request class method. Returns the previous method, if any.
 
@@ -492,7 +494,7 @@ Add or interpose a request class method. Returns the previous method, if any.
 
 Returns the X.509 version of the request.
 
-\subsubsection[\fn{car:setVersion}]{\fn{csr:setVersion(number)}}
+\subsubsection[\fn{car:setVersion}]{\fn{csr:setVersion($number$)}}
 
 Sets the X.509 version of the request.
 
@@ -500,21 +502,21 @@ Sets the X.509 version of the request.
 
 Returns the subject distinguished name as an \module{x509.name} object.
 
-\subsubsection[\fn{csr:setSubject}]{\fn{csr:setSubject(name)}}
+\subsubsection[\fn{csr:setSubject}]{\fn{csr:setSubject($name$)}}
 
 Sets the subject distinguished name.
 
 \subsubsection[\fn{csr:getPublicKey}]{\fn{csr:getPublicKey()}}
 
-Returns the public key component as an \module{openssl.pubkey} object.
+Returns the public key component as an \module{openssl.pkey} object.
 
-\subsubsection[\fn{csr:setPublicKey}]{\fn{csr:setPublicKey(key)}}
+\subsubsection[\fn{csr:setPublicKey}]{\fn{csr:setPublicKey($key$)}}
 
-Sets the public key component referenced by the \module{openssl.pubkey} object `key'.
+Sets the public key component referenced by the \module{openssl.pkey} object $key$.
 
-\subsubsection[\fn{car:sign}]{\fn{csr:sign(key)}}
+\subsubsection[\fn{car:sign}]{\fn{csr:sign($key$)}}
 
-Signs the instance request using the \module{openssl.pubkey} `key'.
+Signs the instance request using the \module{openssl.pkey} $key$.
 
 \subsubsection[\fn{csr:\_\_tostring}]{\fn{csr:\_\_tostring}}
 
@@ -531,13 +533,13 @@ Binds the ``STACK\_OF(X509)'' OpenSSL object, principally used in the OpenSSL li
 
 Returns a new chain object.
 
-\subsubsection[\fn{chain.interpose}]{\fn{chain.interpose(name, function)}}
+\subsubsection[\fn{chain.interpose}]{\fn{chain.interpose($name$, $function$)}}
 
 Add or interpose a chain class method. Returns the previous method, if any.
 
-\subsubsection[\fn{chain:add}]{\fn{chain:add(x509)}}
+\subsubsection[\fn{chain:add}]{\fn{chain:add($crt$)}}
 
-Append the X.509 certificate `x509'.
+Append the X.509 certificate $crt$.
 
 \subsubsection[\fn{chain:\_\_ipairs}]{\fn{chain:\_\_ipairs()}}
 
@@ -554,17 +556,17 @@ Binds the X.509 certificate ``X509\_STORE'' OpenSSL object, principally used for
 
 Returns a new store object.
 
-\subsubsection[\fn{store.interpose}]{\fn{store.interpose(name, function)}}
+\subsubsection[\fn{store.interpose}]{\fn{store.interpose($name$, $function$)}}
 
 Add or interpose a store class method. Returns the previous method, if any.
 
-\subsubsection[\fn{store:add}]{\fn{store:add(x509|filepath|dirpath)}}
+\subsubsection[\fn{store:add}]{\fn{store:add($crt$|$filepath$|$dirpath$)}}
 
-Add the X.509 certificate `x509' to the store, load the certificates from the file `filepath', or set the OpenSSL ``hash dir'' certificate path `dirpath'.
+Add the X.509 certificate $crt$ to the store, load the certificates from the file $filepath$, or set the OpenSSL `hashdir' certificate path $dirpath$.
 
-\subsubsection[\fn{store:verify}]{\fn{store:verify(x509[, chain])}}
+\subsubsection[\fn{store:verify}]{\fn{store:verify($crt$[, $chain$])}}
 
-Returns two values. The first is a boolean value for whether the specified certificate `x509' was verified. If true, the second value is a  \module{openssl.x509.chain} object validation chain. If false, the second value is a string describing why verification failed. The optional parameter `chain' is an \module{openssl.x509.chain} object of untrusted certificates linking the certificate `x509' to one of the trusted certificates in the instance store.
+Returns two values. The first is a boolean value for whether the specified certificate $crt$ was verified. If true, the second value is a \module{openssl.x509.chain} object validation chain. If false, the second value is a string describing why verification failed. The optional parameter $chain$ is an \module{openssl.x509.chain} object of untrusted certificates linking the certificate $crt$ to one of the trusted certificates in the instance store.
 
 \end{Module}
 
@@ -587,35 +589,35 @@ VERIFY\_CLIENT\_ONCE & do not request peer certificates after initial handshake
 
 See the \href{http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES}{NOTES section} in the OpenSSL documentation for \fn{SSL\_CTX\_set\_verify\_mode}.
 
-\subsubsection[\fn{context.new}]{\fn{context.new([protocol][, server])}}
+\subsubsection[\fn{context.new}]{\fn{context.new([$protocol$][, $server$])}}
 
-Returns a new context object. `protocol' is an optional string identifier selecting the SSL mode---TLSv1 (default), SSLv3, SSLv23, or SSLv2. If `server' is true, then SSL connections instantiated using this context will be placed into server mode, otherwise they behave as clients.
+Returns a new context object. $protocol$ is an optional string identifier selecting the SSL mode---``TLSv1'' (default), ``SSLv3'', ``SSLv23'', or ``SSLv2''. If $server$ is true, then SSL connections instantiated using this context will be placed into server mode, otherwise they behave as clients.
 
-\subsubsection[\fn{context.interpose}]{\fn{context.interpose(name, function)}}
+\subsubsection[\fn{context.interpose}]{\fn{context.interpose($name$, $function$)}}
 
 Add or interpose a context class method. Returns the previous method, if any.
 
-\subsubsection[\fn{context:setStore}]{\fn{context:setStore(store)}}
+\subsubsection[\fn{context:setStore}]{\fn{context:setStore($store$)}}
 
-Sets the \module{x509.store} of the context instance.
+Sets the \module{openssl.x509.store} of the context instance.
 
 \subsubsection[\fn{context:getVerify}]{\fn{context:getVerify()}}
 
 Returns two values: the bitwise verification mode flags, and the maximum validation depth.
 
-\subsubsection[\fn{context:setVerify}]{\fn{context:setVerify([mode][, depth])}}
+\subsubsection[\fn{context:setVerify}]{\fn{context:setVerify([$mode$][, $depth$])}}
 
 Sets the verification mode flags and maximum validation chain depth.
 
-\subsubsection[\fn{context:setCertificate}]{\fn{context:setCertificate(x509)}}
+\subsubsection[\fn{context:setCertificate}]{\fn{context:setCertificate($crt$)}}
 
-Sets the X.509 certificate \module{openssl.x509} object `x509' to send during SSL connection instance handshakes.
+Sets the X.509 certificate \module{openssl.x509} object $crt$ to send during SSL connection instance handshakes.
 
-\subsubsection[\fn{context:setPrivateKey}]{\fn{context:setPrivateKey(key)}}
+\subsubsection[\fn{context:setPrivateKey}]{\fn{context:setPrivateKey($key$)}}
 
-Sets the private key \module{openssl.pubkey} object `key' for use during SSL connection instance handshakes.
+Sets the private key \module{openssl.pkey} object $key$ for use during SSL connection instance handshakes.
 
-\subsubsection[\fn{context:setCipherList}]{\fn{context:setCipherList(string)}}
+\subsubsection[\fn{context:setCipherList}]{\fn{context:setCipherList($string$)}}
 
 Sets the allowed public key and private key algorithms. The string format is documented in the \href{http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT}{OpenSSL ciphers(1) utility documentation}.
 
@@ -626,17 +628,17 @@ Sets the allowed public key and private key algorithms. The string format is doc
 
 Binds the ``SSL'' OpenSSL object, which represents an SSL connection instance. See \method{socket.checktls}.
 
-\subsubsection[\fn{ssl.interpose}]{\fn{ssl.interpose(name, function)}}
+\subsubsection[\fn{ssl.interpose}]{\fn{ssl.interpose($name$, $function$)}}
 
 Add or interpose an ssl class method. Returns the previous method, if any.
 
 \subsubsection[\fn{ssl:getPeerCertificate}]{\fn{ssl:getPeerCertificate()}}
 
-Returns the X.509 peer certificate as a \module{cqueues.openssl.x509} object. If no peer certificate is available, returns nil.
+Returns the X.509 peer certificate as an \module{openssl.x509} object. If no peer certificate is available, returns nil.
 
 \subsubsection[\fn{ssl:getPeerChain}]{\fn{ssl:getPeerChain()}}
 
-Similar to :getPeerCertifiate, but returns the entire chain sent by the peer as a \module{cqueues.openssl.x509.chain} object.
+Similar to :getPeerCertifiate, but returns the entire chain sent by the peer as an \module{openssl.x509.chain} object.
 
 \subsubsection[\fn{ssl:getCipherInfo}]{\fn{ssl:getCipherInfo()}}
 
@@ -657,21 +659,21 @@ field & description\\\hline
 
 Binds the ``EVP\_MD\_CTX'' OpenSSL object, which represents a cryptographic message digest (i.e. hashing) algorithm instance.
 
-\subsubsection[\fn{digest.interpose}]{\fn{digest.interpose(name, function)}}
+\subsubsection[\fn{digest.interpose}]{\fn{digest.interpose($name$, $function$)}}
 
 Add or interpose a digest class method. Returns the previous method, if any.
 
-\subsubsection[\fn{digest.new}]{\fn{digest.new([type])}}
+\subsubsection[\fn{digest.new}]{\fn{digest.new([$type$])}}
 
-Return a new digest instance using the specified algorithm `type'. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''.
+Return a new digest instance using the specified algorithm $type$. $type$ is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''.
 
-\subsubsection[\fn{digest:update}]{\fn{digest:update([string [, ...]])}}
+\subsubsection[\fn{digest:update}]{\fn{digest:update([$string$ [, ...]])}}
 
-Update the digest with the specified strings. Returns true.
+Update the digest with the specified string(s). Returns the digest object.
 
-\subsubsection[\fn{digest:final}]{\fn{digest:final([string [, ...]])}}
+\subsubsection[\fn{digest:final}]{\fn{digest:final([$string$ [, ...]])}}
 
-Update the digest with the specified strings. Returns the final message digest as a binary string.
+Update the digest with the specified string(s). Returns the final message digest as a binary string.
 
 \end{Module}
 
@@ -680,21 +682,21 @@ Update the digest with the specified strings. Returns the final message digest a
 
 Binds the ``HMAC\_CTX'' OpenSSL object, which represents a cryptographic HMAC algorithm instance.
 
-\subsubsection[\fn{hmac.interpose}]{\fn{hmac.interpose(name, function)}}
+\subsubsection[\fn{hmac.interpose}]{\fn{hmac.interpose($name$, $function$)}}
 
 Add or interpose an HMAC class method. Returns the previous method, if any.
 
-\subsubsection[\fn{hmac.new}]{\fn{hmac.new(key [, type])}}
+\subsubsection[\fn{hmac.new}]{\fn{hmac.new($key$ [, $type$])}}
 
-Return a new HMAC instance using the specified `key' and `type'. `key' is the secret used for HMAC authentication. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''.
+Return a new HMAC instance using the specified $key$ and $type$. $key$ is the secret used for HMAC authentication. $type$ is a string suitable for passing to the OpenSSL routine EVP\_get\_digestbyname, and defaults to ``sha1''.
 
-\subsubsection[\fn{hmac:update}]{\fn{hmac:update([string [, ...]])}}
+\subsubsection[\fn{hmac:update}]{\fn{hmac:update([$string$ [, ...]])}}
 
-Update the HMAC with the specified strings. Returns true.
+Update the HMAC with the specified string(s). Returns the HMAC object.
 
-\subsubsection[\fn{hmac:final}]{\fn{hmac:final([string [, ...]])}}
+\subsubsection[\fn{hmac:final}]{\fn{hmac:final([$string$ [, ...]])}}
 
-Update the HMAC with the specified strings. Returns the final HMAC checksum as a binary string.
+Update the HMAC with the specified string(s). Returns the final HMAC checksum as a binary string.
 
 \end{Module}
 
@@ -703,31 +705,31 @@ Update the HMAC with the specified strings. Returns the final HMAC checksum as a
 
 Binds the ``EVP\_CIPHER\_CTX'' OpenSSL object, which represents a cryptographic cipher instance.
 
-\subsubsection[\fn{cipher.interpose}]{\fn{cipher.interpose(name, function)}}
+\subsubsection[\fn{cipher.interpose}]{\fn{cipher.interpose($name$, $function$)}}
 
 Add or interpose a cipher class method. Returns the previous method, if any.
 
-\subsubsection[\fn{cipher.new}]{\fn{cipher.new(type)}}
+\subsubsection[\fn{cipher.new}]{\fn{cipher.new($type$)}}
 
-Return a new, uninitialized cipher instance. `type' is a string suitable for passing to the OpenSSL routine EVP\_get\_cipherbyname, typically of a form similar to ``AES-128-CBC''.
+Return a new, uninitialized cipher instance. $type$ is a string suitable for passing to the OpenSSL routine EVP\_get\_cipherbyname, typically of a form similar to ``AES-128-CBC''.
 
 The cipher is uninitialized because some algorithms support or require additional \textit{ad hoc} parameters before key initialization. The API still allows one-shot encryption like ``cipher.new(type):encrypt(key, iv):final(plaintext)''.
 
-\subsubsection[\fn{cipher:encrypt}]{\fn{cipher:encrypt(key [, iv] [, padding])}}
+\subsubsection[\fn{cipher:encrypt}]{\fn{cipher:encrypt($key$ [, $iv$] [, $padding$])}}
 
-Initialize the cipher in encryption mode. `key' and `iv' are binary strings with lengths equal to that required by the cipher instance as configured. In other words, key stretching and other transformations must be done explicitly. If the mode does not take an IV or equivalent, such as in ECB mode, then it may be nil. `padding' is a boolean which controls whether PKCS padding is applied, and defaults to true. Returns the cipher instance.
+Initialize the cipher in encryption mode. $key$ and $iv$ are binary strings with lengths equal to that required by the cipher instance as configured. In other words, key stretching and other transformations must be done explicitly. If the mode does not take an IV or equivalent, such as in ECB mode, then it may be nil. $padding$ is a boolean which controls whether PKCS padding is applied, and defaults to true. Returns the cipher instance.
 
-\subsubsection[\fn{cipher:decrypt}]{\fn{cipher:decrypt(key [, iv] [, padding])}}
+\subsubsection[\fn{cipher:decrypt}]{\fn{cipher:decrypt($key$ [, $iv$] [, $padding$])}}
 
-Initialize the cipher in decryption mode. `key', `iv', and `padding' are as described in :encrypt. Returns the cipher instance.
+Initialize the cipher in decryption mode. $key$, $iv$, and $padding$ are as described in \fn{:encrypt}. Returns the cipher instance.
 
-\subsubsection[\fn{cipher:update}]{\fn{cipher:update([string [, ...]])}}
+\subsubsection[\fn{cipher:update}]{\fn{cipher:update([$string$ [, ...]])}}
 
-Update the cipher instance with the specified strings. Returns a string on success, or nil and an error message on failure. The returned string may be empty if no blocks can be flushed.
+Update the cipher instance with the specified string(s). Returns a string on success, or nil and an error message on failure. The returned string may be empty if no blocks can be flushed.
 
-\subsubsection[\fn{cipher:final}]{\fn{cipher:final([string [, ...]])}}
+\subsubsection[\fn{cipher:final}]{\fn{cipher:final([$string$ [, ...]])}}
 
-Update the cipher with the specified strings. Returns the final output string on success, or nil and an error message on failure. The returned string may be empty if all blocks have already been flushed in prior :update calls.
+Update the cipher with the specified string(s). Returns the final output string on success, or nil and an error message on failure. The returned string may be empty if all blocks have already been flushed in prior \fn{:update} calls.
 
 \end{Module}
 
@@ -738,9 +740,9 @@ Binds OpenSSL's random number interfaces.
 
 OpenSSL will automatically attempt to seed itself from the system. The only time this could theoretically fail is if /dev/urandom (or similar) were not visible or could not be opened. This might happen if within a chroot jail, or if a file descriptor limit were reached.
 
-\subsubsection[\fn{rand.bytes}]{\fn{rand.bytes(count)}}
+\subsubsection[\fn{rand.bytes}]{\fn{rand.bytes($count$)}}
 
-Returns `count' cryptographically-strong bytes as a single string. Throws an error if OpenSSL could  not complete the request---e.g. because the CSPRNG could not be seeded.
+Returns $count$ cryptographically-strong bytes as a single string. Throws an error if OpenSSL could  not complete the request---e.g. because the CSPRNG could not be seeded.
 
 \subsubsection[\fn{rand.ready}]{\fn{rand.ready()}}
 
@@ -748,11 +750,11 @@ Returns a boolean describing whether the CSPRNG has been properly seeded.
 
 In the default CSPRNG engine this routine will also attempt to seed the system if not already. Because seeding only needs to happen once per process to ensure a successful RAND\_bytes invocation\footnote{At least this appeared to be the case when examining the source code of OpenSSL 1.0.1. See md\_rand.c near line 407---``Once we've had enough initial seeding we don't bother to adjust the entropy count, though, because we're not ambitious to provide *information-theoretic* randomness.''}, it may be prudent to assert on rand:ready() at application startup.
 
-\subsubsection[\fn{rand.uniform}]{\fn{rand.uniform([n])}}
+\subsubsection[\fn{rand.uniform}]{\fn{rand.uniform([$n$])}}
 
-Returns a cryptographically strong uniform random integer in the interval $[0, n-1]$. If `n' is omitted, the interval is $[0, 2^{64}-1]$.
+Returns a cryptographically strong uniform random integer in the interval $[0, n-1]$. If $n$ is omitted, the interval is $[0, 2^{64}-1]$.
 
-The routine operates internally on 64-bit unsigned integers.\footnote{Actually, \texttt{unsigned long long}.} Because neither Lua 5.1 nor 5.2 support 64-bit integers, it's probably best to generate numbers that fit the integral range of your Lua implementation. Lua 5.3 is expected to add a new arithmetic type for 64-bit signed integers in two's-complement representation. This new arithmetic type will be used for return values when available.
+The routine operates internally on 64-bit unsigned integers.\footnote{Actually, \texttt{unsigned long long}.} Because neither Lua 5.1 nor 5.2 support 64-bit integers, it's probably best to generate numbers that fit the integral range of your Lua implementation. Lua 5.3 supports a new arithmetic type for 64-bit signed integers in two's-complement representation. This new arithmetic type will be used for argument and return values when available.
 
 \end{Module}
 
@@ -771,13 +773,13 @@ These examples and others are made available under examples/ in the source tree.
 -- specifying subject DN and public key to CAs. See API documentation for
 -- CSR generation.
 --
-local pubkey = require"openssl.pubkey"
+local pkey = require"openssl.pkey"
 local x509 = require"openssl.x509"
 local name = require"openssl.x509.name"
 local altname = require"openssl.x509.altname"
 
 -- generate our public/private key pair
-local key = pubkey.new{ type = "EC", curve = "prime192v1" }
+local key = pkey.new{ type = "EC", curve = "prime192v1" }
 
 -- our Subject and Issuer DN (self-signed, so same)
 local dn = name.new()
@@ -826,11 +828,11 @@ io.popen("openssl x509 -text -noout", "w"):write(tostring(crt))
 --
 -- Example public-key signature verification.
 --
-local pubkey = require"openssl.pubkey"
+local pkey = require"openssl.pkey"
 local digest = require"openssl.digest"
 
 -- generate a public/private key pair
-local key = pubkey.new{ type = "EC", curve = "prime192v1" }
+local key = pkey.new{ type = "EC", curve = "prime192v1" }
 
 -- digest our message using an appropriate digest ("ecdsa-with-SHA1" for EC;
 -- "dss1" for DSA; and "sha1", "sha256", etc for RSA).
@@ -842,7 +844,7 @@ local sig = key:sign(data)
 
 -- to prove verification works, instantiate a new object holding just
 -- the public key
-local pub = pubkey.new(key:toPEM"public")
+local pub = pkey.new(key:toPEM"public")
 
 -- a utility routine to output our signature
 local function tohex(b)
diff --git a/examples/self.x509 b/examples/self.x509
index 39525d0..31d6058 100755
--- a/examples/self.x509
+++ b/examples/self.x509
@@ -7,15 +7,15 @@
 -- CSR generation.
 --
 
-local pubkey = require"openssl.pubkey"
+local pkey = require"openssl.pkey"
 local x509 = require"openssl.x509"
 local name = require"openssl.x509.name"
 local altname = require"openssl.x509.altname"
 
 -- generate our public/private key pair
---local key = pubkey.new{ type = "RSA", bits = 1024 }
---local key = pubkey.new{ type = "DSA", bits = 1024 }
-local key = pubkey.new{ type = "EC", curve = "prime192v1" }
+--local key = pkey.new{ type = "RSA", bits = 1024 }
+--local key = pkey.new{ type = "DSA", bits = 1024 }
+local key = pkey.new{ type = "EC", curve = "prime192v1" }
 
 -- our Subject and Issuer DN (self-signed, so same)
 local dn = name.new()
diff --git a/examples/vrfy.sig b/examples/vrfy.sig
index 94daf43..cf60995 100755
--- a/examples/vrfy.sig
+++ b/examples/vrfy.sig
@@ -3,11 +3,11 @@
 -- Example public-key signature verification.
 --
 
-local pubkey = require"openssl.pubkey"
+local pkey = require"openssl.pkey"
 local digest = require"openssl.digest"
 
 -- generate a public/private key pair
-local key = pubkey.new{ type = "EC", curve = "prime192v1" }
+local key = pkey.new{ type = "EC", curve = "prime192v1" }
 
 -- digest our message using an appropriate digest ("ecdsa-with-SHA1" for EC;
 -- "dss1" for DSA; and "sha1", "sha256", etc for RSA).
@@ -19,7 +19,7 @@ local sig = key:sign(data)
 
 -- to prove verification works, instantiate a new object holding just
 -- the public key
-local pub = pubkey.new(key:toPEM"public")
+local pub = pkey.new(key:toPEM"public")
 
 -- a utility routine to output our signature
 local function tohex(b)
diff --git a/src/GNUmakefile b/src/GNUmakefile
index 295eb89..99b2336 100644
--- a/src/GNUmakefile
+++ b/src/GNUmakefile
@@ -29,7 +29,14 @@ ifeq ($(CC_$(d)), sunpro)
 CPPFLAGS_$(d) += -DOPENSSL_NO_EC
 endif
 
-LDFLAGS_$(d) += -lssl -lcrypto -lpthread -ldl
+LDFLAGS_$(d) += -lssl -lcrypto -lpthread
+
+# NetBSD, FreeBSD, OpenBSD (and presumably descendants) lack any libdl;
+# dlopen, et al are part of libc.
+ifneq ($(patsubst %BSD,BSD,$(OS_$(d))), BSD)
+LDFLAGS_$(d) += -ldl
+endif
+
 
 #
 # C O M P I L A T I O N  R U L E S
@@ -81,6 +88,7 @@ LUAC$(1)_$(d) = $$(or $$(call LUAPATH_$(d), $(1), luac), true)
 MODS$(1)_$(d) = \
 	$$(DESTDIR)$(2)/_openssl.so \
 	$$(DESTDIR)$(3)/openssl/bignum.lua \
+	$$(DESTDIR)$(3)/openssl/pkey.lua \
 	$$(DESTDIR)$(3)/openssl/pubkey.lua \
 	$$(DESTDIR)$(3)/openssl/x509.lua \
 	$$(DESTDIR)$(3)/openssl/x509/name.lua \
@@ -105,6 +113,9 @@ $$(DESTDIR)$(3)/openssl/%.lua: $$(d)/openssl.%.lua
 	$$(MKDIR) -p $$(@D)
 	$$(CP) -p $$< $$@
 
+$$(DESTDIR)$(3)/openssl/pubkey.lua: $$(DESTDIR)$(3)/openssl/pkey.lua
+	cd $$(@D) && $(LN_S) -f $$(<F) $$(@F)
+
 $$(DESTDIR)$(3)/openssl/x509/%.lua: $$(d)/openssl.x509.%.lua
 	$$(LUAC$(1)_$(d)) -p $$<
 	$$(MKDIR) -p $$(@D)
diff --git a/src/openssl.c b/src/openssl.c
index 1554053..432c683 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -31,6 +31,7 @@
 #include <strings.h>	/* strcasecmp(3) */
 #include <math.h>	/* INFINITY fabs(3) floor(3) frexp(3) fmod(3) round(3) isfinite(3) */
 #include <time.h>	/* struct tm time_t strptime(3) */
+#include <ctype.h>      /* tolower(3) */
 
 #include <sys/types.h>
 #include <sys/stat.h>	/* struct stat stat(2) */
@@ -63,7 +64,7 @@
 #endif
 
 #define BIGNUM_CLASS     "BIGNUM*"
-#define PUBKEY_CLASS     "EVP_PKEY*"
+#define PKEY_CLASS       "EVP_PKEY*"
 #define X509_NAME_CLASS  "X509_NAME*"
 #define X509_GENS_CLASS  "GENERAL_NAMES*"
 #define X509_CERT_CLASS  "X509*"
@@ -96,6 +97,8 @@
 #define stricmp(a, b) strcasecmp((a), (b))
 #define strieq(a, b) (!stricmp((a), (b)))
 
+#define xtolower(c) tolower((unsigned char)(c))
+
 #define SAY_(file, func, line, fmt, ...) \
 	fprintf(stderr, "%s:%d: " fmt "%s", __func__, __LINE__, __VA_ARGS__)
 
@@ -218,7 +221,7 @@ static void addclass(lua_State *L, const char *name, const luaL_Reg *methods, co
 } /* addclass() */
 
 
-static int checkoption(struct lua_State *L, int index, const char *def, const char *opts[]) {
+static int checkoption(struct lua_State *L, int index, const char *def, const char *const opts[]) {
 	const char *opt = (def)? luaL_optstring(L, index, def) : luaL_checkstring(L, index);
 	int i; 
 
@@ -231,6 +234,34 @@ static int checkoption(struct lua_State *L, int index, const char *def, const ch
 } /* checkoption() */
 
 
+#define X509_ANY 0x01
+#define X509_PEM 0x02
+#define X509_DER 0x04
+#define X509_ALL (X509_PEM|X509_DER)
+
+static int optencoding(lua_State *L, int index, const char *def, int allow) {
+	static const char *const opts[] = { "*", "pem", "der", NULL };
+	int type = 0;
+
+	switch (checkoption(L, index, def, opts)) {
+	case 0:
+		type = X509_ANY;
+		break;
+	case 1:
+		type = X509_PEM;
+		break;
+	case 2:
+		type = X509_DER;
+		break;
+	}
+
+	if (!(type & allow))
+		luaL_argerror(L, index, lua_pushfstring(L, "invalid option %s", luaL_checkstring(L, index)));
+
+	return type;
+} /* optencoding() */
+
+
 static _Bool getfield(lua_State *L, int index, const char *k) {
 	lua_getfield(L, index, k);
 
@@ -675,7 +706,7 @@ int luaopen__openssl_bignum(lua_State *L) {
 
 
 /*
- * EVP_PKEY - openssl.pubkey
+ * EVP_PKEY - openssl.pkey
  *
  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
@@ -719,11 +750,12 @@ static BIO *getbio(lua_State *L) {
 static int pk_new(lua_State *L) {
 	EVP_PKEY **ud;
 
-	lua_settop(L, 1);
+	/* #1 table or key; if key, #2 format and #3 type */
+	lua_settop(L, 3);
 
-	ud = prepsimple(L, PUBKEY_CLASS);
+	ud = prepsimple(L, PKEY_CLASS);
 
-	if (lua_istable(L, 1)) {
+	if (lua_istable(L, 1) || lua_isnil(L, 1)) {
 		int type = EVP_PKEY_RSA;
 		unsigned bits = 1024;
 		unsigned exp = 65537;
@@ -774,14 +806,14 @@ static int pk_new(lua_State *L) {
 
 creat:
 		if (!(*ud = EVP_PKEY_new()))
-			return throwssl(L, "pubkey.new");
+			return throwssl(L, "pkey.new");
 
 		switch (EVP_PKEY_type(type)) {
 		case EVP_PKEY_RSA: {
 			RSA *rsa;
 
 			if (!(rsa = RSA_generate_key(bits, exp, 0, 0)))
-				return throwssl(L, "pubkey.new");
+				return throwssl(L, "pkey.new");
 
 			EVP_PKEY_set1_RSA(*ud, rsa);
 
@@ -793,11 +825,11 @@ creat:
 			DSA *dsa;
 
 			if (!(dsa = DSA_generate_parameters(bits, 0, 0, 0, 0, 0, 0)))
-				return throwssl(L, "pubkey.new");
+				return throwssl(L, "pkey.new");
 
 			if (!DSA_generate_key(dsa)) {
 				DSA_free(dsa);
-				return throwssl(L, "pubkey.new");
+				return throwssl(L, "pkey.new");
 			}
 
 			EVP_PKEY_set1_DSA(*ud, dsa);
@@ -810,11 +842,11 @@ creat:
 			DH *dh;
 
 			if (!(dh = DH_generate_parameters(bits, exp, 0, 0)))
-				return throwssl(L, "pubkey.new");
+				return throwssl(L, "pkey.new");
 
 			if (!DH_generate_key(dh)) {
 				DH_free(dh);
-				return throwssl(L, "pubkey.new");
+				return throwssl(L, "pkey.new");
 			}
 
 			EVP_PKEY_set1_DH(*ud, dh);
@@ -829,7 +861,7 @@ creat:
 			EC_KEY *key;
 
 			if (!(grp = EC_GROUP_new_by_curve_name(curve)))
-				return throwssl(L, "pubkey.new");
+				return throwssl(L, "pkey.new");
 
 			EC_GROUP_set_asn1_flag(grp, OPENSSL_EC_NAMED_CURVE);
 
@@ -838,7 +870,7 @@ creat:
 
 			if (!(key = EC_KEY_new())) {
 				EC_GROUP_free(grp);
-				return throwssl(L, "pubkey.new");
+				return throwssl(L, "pkey.new");
 			}
 
 			EC_KEY_set_group(key, grp);
@@ -847,7 +879,7 @@ creat:
 
 			if (!EC_KEY_generate_key(key)) {
 				EC_KEY_free(key);
-				return throwssl(L, "pubkey.new");
+				return throwssl(L, "pkey.new");
 			}
 
 			EVP_PKEY_set1_EC_KEY(*ud, key);
@@ -860,37 +892,69 @@ creat:
 		default:
 			return luaL_error(L, "%d: unknown EVP base type (%d)", EVP_PKEY_type(type), type);
 		} /* switch() */
-	} else {
-		const char *pem;
+	} else if (lua_isstring(L, 1)) {
+		int type = optencoding(L, 2, "*", X509_ANY|X509_PEM|X509_DER);
+		int ispub = -1;
+		const char *opt, *data;
 		size_t len;
 		BIO *bio;
-		int ok;
+		int ok = 0;
+
+		/* check if specified publickey or privatekey */
+		if ((opt = luaL_optstring(L, 3, NULL))) {
+			if (xtolower(opt[0]) == 'p' && xtolower(opt[1]) == 'u') {
+				ispub = 1;
+			} else if (xtolower(opt[0]) == 'p' && xtolower(opt[1]) == 'r') {
+				ispub = 0;
+			} else {
+				return luaL_argerror(L, 3, lua_pushfstring(L, "invalid option %s", opt));
+			}
+		}
 
-		if (!(*ud = EVP_PKEY_new()))
-			return throwssl(L, "pubkey.new");
+		data = luaL_checklstring(L, 1, &len);
 
-		switch (lua_type(L, 1)) {
-		case LUA_TSTRING:
-			pem = luaL_checklstring(L, 1, &len);
+		if (!(bio = BIO_new_mem_buf((void *)data, len)))
+			return throwssl(L, "pkey.new");
 
-			if (!(bio = BIO_new_mem_buf((void *)pem, len)))
-				return throwssl(L, "pubkey.new");
+		if (type == X509_PEM || type == X509_ANY) {
+			if (ispub == 1 || ispub == -1) {
+				ok = !!(*ud = PEM_read_bio_PUBKEY(bio, NULL, 0, ""));
 
-			if (strstr(pem, "PUBLIC KEY")) {
-				ok = !!PEM_read_bio_PUBKEY(bio, ud, 0, 0);
-			} else {
-				ok = !!PEM_read_bio_PrivateKey(bio, ud, 0, 0);
+				if (ok || (type == X509_PEM && ispub == 1))
+					goto done;
 			}
 
-			BIO_free(bio);
+			if (ispub == 0 || ispub == -1) {
+				ok = !!(*ud = PEM_read_bio_PrivateKey(bio, NULL, 0, ""));
 
-			if (!ok)
-				return throwssl(L, "pubkey.new");
+				if (ok || (type == X509_PEM && ispub == 0))
+					goto done;
+			}
+		}
 
-			break;
-		default:
-			return luaL_error(L, "%s: unknown key initializer", lua_typename(L, lua_type(L, 1)));
-		} /* switch() */
+		if (type == X509_DER || type == X509_ANY) {
+			if (ispub == 1 || ispub == -1) {
+				ok = !!(*ud = d2i_PUBKEY_bio(bio, NULL));
+
+				if (ok || (type == X509_DER && ispub == 1))
+					goto done;
+			}
+
+			if (ispub == 0 || ispub == -1) {
+				ok = !!(*ud = d2i_PrivateKey_bio(bio, NULL));
+
+				if (ok || (type == X509_DER && ispub == 0))
+					goto done;
+			}
+		}
+
+done:
+		BIO_free(bio);
+
+		if (!ok)
+			return throwssl(L, "pkey.new");
+	} else {
+		return luaL_error(L, "%s: unknown key initializer", lua_typename(L, lua_type(L, 1)));
 	}
 
 	return 1;
@@ -903,7 +967,7 @@ static int pk_interpose(lua_State *L) {
 
 
 static int pk_type(lua_State *L) {
-	EVP_PKEY *key = checksimple(L, 1, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 1, PKEY_CLASS);
 	int nid = key->type;
 
 	pushnid(L, nid);
@@ -913,25 +977,30 @@ static int pk_type(lua_State *L) {
 
 
 static int pk_setPublicKey(lua_State *L) {
-	EVP_PKEY **key = luaL_checkudata(L, 1, PUBKEY_CLASS);
-	const char *pem;
+	EVP_PKEY **key = luaL_checkudata(L, 1, PKEY_CLASS);
+	const char *data;
 	size_t len;
 	BIO *bio;
-	int ok;
+	int type, ok = 0;
 
-	lua_settop(L, 2);
+	data = luaL_checklstring(L, 2, &len);
+	type = optencoding(L, 3, "*", X509_ANY|X509_PEM|X509_DER);
 
-	pem = luaL_checklstring(L, 2, &len);
+	if (!(bio = BIO_new_mem_buf((void *)data, len)))
+		return throwssl(L, "pkey.new");
 
-	if (!(bio = BIO_new_mem_buf((void *)pem, len)))
-		return throwssl(L, "pubkey.new");
+	if (type == X509_ANY || type == X509_PEM) {
+		ok = !!PEM_read_bio_PUBKEY(bio, key, 0, "");
+	}
 
-	ok = !!PEM_read_bio_PUBKEY(bio, key, 0, 0);
+	if (!ok && (type == X509_ANY || type == X509_DER)) {
+		ok = !!d2i_PUBKEY_bio(bio, key);
+	}
 
 	BIO_free(bio);
 
 	if (!ok)
-		return throwssl(L, "pubkey.new");
+		return throwssl(L, "pkey.new");
 
 	lua_pushboolean(L, 1);
 
@@ -940,25 +1009,30 @@ static int pk_setPublicKey(lua_State *L) {
 
 
 static int pk_setPrivateKey(lua_State *L) {
-	EVP_PKEY **key = luaL_checkudata(L, 1, PUBKEY_CLASS);
-	const char *pem;
+	EVP_PKEY **key = luaL_checkudata(L, 1, PKEY_CLASS);
+	const char *data;
 	size_t len;
 	BIO *bio;
-	int ok;
+	int type, ok = 0;
 
-	lua_settop(L, 2);
+	data = luaL_checklstring(L, 2, &len);
+	type = optencoding(L, 3, "*", X509_ANY|X509_PEM|X509_DER);
 
-	pem = luaL_checklstring(L, 2, &len);
+	if (!(bio = BIO_new_mem_buf((void *)data, len)))
+		return throwssl(L, "pkey.new");
 
-	if (!(bio = BIO_new_mem_buf((void *)pem, len)))
-		return throwssl(L, "pubkey.new");
+	if (type == X509_ANY || type == X509_PEM) {
+		ok = !!PEM_read_bio_PrivateKey(bio, key, 0, "");
+	}
 
-	ok = !!PEM_read_bio_PrivateKey(bio, key, 0, 0);
+	if (!ok && (type == X509_ANY || type == X509_DER)) {
+		ok = !!d2i_PrivateKey_bio(bio, key);
+	}
 
 	BIO_free(bio);
 
 	if (!ok)
-		return throwssl(L, "pubkey.new");
+		return throwssl(L, "pkey.new");
 
 	lua_pushboolean(L, 1);
 
@@ -967,19 +1041,19 @@ static int pk_setPrivateKey(lua_State *L) {
 
 
 static int pk_sign(lua_State *L) {
-	EVP_PKEY *key = checksimple(L, 1, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 1, PKEY_CLASS);
 	EVP_MD_CTX *md = luaL_checkudata(L, 2, DIGEST_CLASS);
 	luaL_Buffer B;
 	unsigned n;
 
 	if (LUAL_BUFFERSIZE < EVP_PKEY_size(key))
-		return luaL_error(L, "pubkey:sign: LUAL_BUFFERSIZE(%u) < EVP_PKEY_size(%u)", (unsigned)LUAL_BUFFERSIZE, (unsigned)EVP_PKEY_size(key));
+		return luaL_error(L, "pkey:sign: LUAL_BUFFERSIZE(%u) < EVP_PKEY_size(%u)", (unsigned)LUAL_BUFFERSIZE, (unsigned)EVP_PKEY_size(key));
 
 	luaL_buffinit(L, &B);
 	n = LUAL_BUFFERSIZE;
 
 	if (!EVP_SignFinal(md, (void *)luaL_prepbuffer(&B), &n, key))
-		return throwssl(L, "pubkey:sign");
+		return throwssl(L, "pkey:sign");
 
 	luaL_addsize(&B, n);
 	luaL_pushresult(&B);
@@ -989,7 +1063,7 @@ static int pk_sign(lua_State *L) {
 
 
 static int pk_verify(lua_State *L) {
-	EVP_PKEY *key = checksimple(L, 1, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 1, PKEY_CLASS);
 	size_t len;
 	const void *sig = luaL_checklstring(L, 2, &len);
 	EVP_MD_CTX *md = luaL_checkudata(L, 3, DIGEST_CLASS);
@@ -1005,7 +1079,7 @@ static int pk_verify(lua_State *L) {
 
 		break;
 	default:
-		return throwssl(L, "pubkey:verify");
+		return throwssl(L, "pkey:verify");
 	}
 
 	return 1;
@@ -1013,7 +1087,7 @@ static int pk_verify(lua_State *L) {
 
 
 static int pk_toPEM(lua_State *L) {
-	EVP_PKEY *key = checksimple(L, 1, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 1, PKEY_CLASS);
 	int top, i, ok;
 	BIO *bio;
 	char *pem;
@@ -1027,7 +1101,7 @@ static int pk_toPEM(lua_State *L) {
 	bio = getbio(L);
 
 	for (i = 2; i <= top; i++) {
-		static const char *opts[] = {
+		static const char *const opts[] = {
 			"public", "PublicKey",
 			"private", "PrivateKey",
 //			"params", "Parameters",
@@ -1037,7 +1111,7 @@ static int pk_toPEM(lua_State *L) {
 		switch (checkoption(L, i, NULL, opts)) {
 		case 0: case 1: /* public, PublicKey */
 			if (!PEM_write_bio_PUBKEY(bio, key))
-				return throwssl(L, "pubkey:__tostring");
+				return throwssl(L, "pkey:__tostring");
 
 			len = BIO_get_mem_data(bio, &pem);
 			lua_pushlstring(L, pem, len);
@@ -1046,7 +1120,7 @@ static int pk_toPEM(lua_State *L) {
 			break;
 		case 2: case 3: /* private, PrivateKey */
 			if (!PEM_write_bio_PrivateKey(bio, key, 0, 0, 0, 0, 0))
-				throwssl(L, "pubkey:__tostring");
+				throwssl(L, "pkey:__tostring");
 
 			len = BIO_get_mem_data(bio, &pem);
 			lua_pushlstring(L, pem, len);
@@ -1066,7 +1140,7 @@ static int pk_toPEM(lua_State *L) {
 				DSA_free(dsa);
 
 				if (!ok)
-					return throwssl(L, "pubkey:__tostring");
+					return throwssl(L, "pkey:__tostring");
 
 				break;
 			}
@@ -1078,7 +1152,7 @@ static int pk_toPEM(lua_State *L) {
 				DH_free(dh);
 
 				if (!ok)
-					return throwssl(L, "pubkey:__tostring");
+					return throwssl(L, "pkey:__tostring");
 
 				break;
 			}
@@ -1092,7 +1166,7 @@ static int pk_toPEM(lua_State *L) {
 				EC_KEY_free(ec);
 
 				if (!ok)
-					return throwssl(L, "pubkey:__tostring");
+					return throwssl(L, "pkey:__tostring");
 
 				break;
 			}
@@ -1119,24 +1193,34 @@ static int pk_toPEM(lua_State *L) {
 
 
 static int pk__tostring(lua_State *L) {
-	EVP_PKEY *key = checksimple(L, 1, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 1, PKEY_CLASS);
+	int type = optencoding(L, 2, "pem", X509_PEM|X509_DER);
 	BIO *bio = getbio(L);
-	char *pem;
+	char *data;
 	long len;
-	int ok;
+	int ok = 0;
 
-	if (!PEM_write_bio_PUBKEY(bio, key))
-		return throwssl(L, "pubkey:__tostring");
+	switch (type) {
+	case X509_PEM:
+		if (!PEM_write_bio_PUBKEY(bio, key))
+			return throwssl(L, "pkey:__tostring");
+		break;
+	case X509_DER:
+		if (!i2d_PUBKEY_bio(bio, key))
+			return throwssl(L, "pkey:__tostring");
+		break;
+	} /* switch() */
 
-	len = BIO_get_mem_data(bio, &pem);
-	lua_pushlstring(L, pem, len);
+	len = BIO_get_mem_data(bio, &data);
+
+	lua_pushlstring(L, data, len);
 
 	return 1;
 } /* pk__tostring() */
 
 
 static int pk__gc(lua_State *L) {
-	EVP_PKEY **ud = luaL_checkudata(L, 1, PUBKEY_CLASS);
+	EVP_PKEY **ud = luaL_checkudata(L, 1, PKEY_CLASS);
 
 	EVP_PKEY_free(*ud);
 	*ud = NULL;
@@ -1168,12 +1252,20 @@ static const luaL_Reg pk_globals[] = {
 	{ NULL,        NULL },
 };
 
-int luaopen__openssl_pubkey(lua_State *L) {
+int luaopen__openssl_pkey(lua_State *L) {
 	initall(L);
 
 	luaL_newlib(L, pk_globals);
 
 	return 1;
+} /* luaopen__openssl_pkey() */
+
+
+/*
+ * Deprecated module name.
+ */
+int luaopen__openssl_pubkey(lua_State *L) {
+	return luaopen__openssl_pkey(L);
 } /* luaopen__openssl_pubkey() */
 
 
@@ -1225,7 +1317,7 @@ static int xn_add(lua_State *L) {
 	if (!ok)
 		return throwssl(L, "x509.name:add");
 
-	lua_pushboolean(L, 1);
+	lua_pushvalue(L, 1);
 
 	return 1;
 } /* xn_add() */
@@ -1424,15 +1516,16 @@ static int gn_setCritical(lua_State *L) {
 
 static int gn_checktype(lua_State *L, int index) {
 	static const struct { int type; const char *name; } table[] = {
-		{ GEN_EMAIL, "RFC822Name" },
-		{ GEN_EMAIL, "RFC822" },
-		{ GEN_EMAIL, "email" },
-		{ GEN_URI,   "UniformResourceIdentifier" },
-		{ GEN_URI,   "URI" },
-		{ GEN_DNS,   "DNSName" },
-		{ GEN_DNS,   "DNS" },
-		{ GEN_IPADD, "IPAddress" },
-		{ GEN_IPADD, "IP" },
+		{ GEN_EMAIL,   "RFC822Name" },
+		{ GEN_EMAIL,   "RFC822" },
+		{ GEN_EMAIL,   "email" },
+		{ GEN_URI,     "UniformResourceIdentifier" },
+		{ GEN_URI,     "URI" },
+		{ GEN_DNS,     "DNSName" },
+		{ GEN_DNS,     "DNS" },
+		{ GEN_IPADD,   "IPAddress" },
+		{ GEN_IPADD,   "IP" },
+		{ GEN_DIRNAME, "DirName" },
 	};
 	const char *type = luaL_checkstring(L, index);
 	unsigned i;
@@ -1449,12 +1542,28 @@ static int gn_checktype(lua_State *L, int index) {
 static int gn_add(lua_State *L) {
 	GENERAL_NAMES *gens = checksimple(L, 1, X509_GENS_CLASS);
 	int type = gn_checktype(L, 2);
+	X509_NAME *name;
 	size_t len;
-	const char *txt = luaL_checklstring(L, 3, &len);
+	const char *txt;
 	GENERAL_NAME *gen = NULL;
 	union { struct in6_addr in6; struct in_addr in; } ip;
 
-	if (type == GEN_IPADD) {
+	switch (type) {
+	case GEN_DIRNAME:
+		name = checksimple(L, 3, X509_NAME_CLASS);
+
+		if (!(gen = GENERAL_NAME_new()))
+			goto error;
+
+		gen->type = type;
+
+		if (!(gen->d.dirn = X509_NAME_dup(name)))
+			goto error;
+
+		break;
+	case GEN_IPADD:
+		txt = luaL_checkstring(L, 3);
+
 		if (strchr(txt, ':')) {
 			if (1 != inet_pton(AF_INET6, txt, &ip.in6))
 				return luaL_error(L, "%s: invalid address", txt);
@@ -1468,22 +1577,27 @@ static int gn_add(lua_State *L) {
 			txt = (char *)&ip.in.s_addr;
 			len = 4;
 		}
-	}
 
-	if (!(gen = GENERAL_NAME_new()))
-		goto error;
+		goto text;
+	default:
+		txt = luaL_checklstring(L, 3, &len);
+text:
+		if (!(gen = GENERAL_NAME_new()))
+			goto error;
 
-	gen->type = type;
+		gen->type = type;
 
-	if (!(gen->d.ia5 = M_ASN1_IA5STRING_new()))
-		goto error;
+		if (!(gen->d.ia5 = M_ASN1_IA5STRING_new()))
+			goto error;
 
-	if (!ASN1_STRING_set(gen->d.ia5, (unsigned char *)txt, len))
-		goto error;
+		if (!ASN1_STRING_set(gen->d.ia5, (unsigned char *)txt, len))
+			goto error;
+		break;
+	} /* switch() */
 
 	sk_GENERAL_NAME_push(gens, gen);
 
-	lua_pushboolean(L, 1);
+	lua_pushvalue(L, 1);
 
 	return 1;
 error:
@@ -1493,6 +1607,9 @@ error:
 } /* gn_add() */
 
 
+#define GN_PUSHSTRING(L, o) \
+	lua_pushlstring((L), (char *)M_ASN1_STRING_data((o)), M_ASN1_STRING_length((o)))
+
 static int gn__next(lua_State *L) {
 	GENERAL_NAMES *gens = checksimple(L, lua_upvalueindex(1), X509_GENS_CLASS);
 	int i = lua_tointeger(L, lua_upvalueindex(2));
@@ -1513,21 +1630,18 @@ static int gn__next(lua_State *L) {
 
 		switch (name->type) {
 		case GEN_EMAIL:
-			tag = "email";
-			txt = (char *)M_ASN1_STRING_data(name->d.rfc822Name);
-			len = M_ASN1_STRING_length(name->d.rfc822Name);
+			lua_pushstring(L, "email");
+			GN_PUSHSTRING(L, name->d.rfc822Name);
 
 			break;
 		case GEN_URI:
-			tag = "URI";
-			txt = (char *)M_ASN1_STRING_data(name->d.uniformResourceIdentifier);
-			len = M_ASN1_STRING_length(name->d.uniformResourceIdentifier);
+			lua_pushstring(L, "URI");
+			GN_PUSHSTRING(L, name->d.uniformResourceIdentifier);
 
 			break;
 		case GEN_DNS:
-			tag = "DNS";
-			txt = (char *)M_ASN1_STRING_data(name->d.dNSName);
-			len = M_ASN1_STRING_length(name->d.dNSName);
+			lua_pushstring(L, "DNS");
+			GN_PUSHSTRING(L, name->d.dNSName);
 
 			break;
 		case GEN_IPADD:
@@ -1555,16 +1669,21 @@ static int gn__next(lua_State *L) {
 
 			len = strlen(txt);
 
+			lua_pushstring(L, "IP");
+			lua_pushlstring(L, txt, len);
+
+			break;
+		case GEN_DIRNAME:
+			lua_pushstring(L, "DirName");
+			xn_dup(L, name->d.dirn);
+
 			break;
 		default:
 			continue;
-		}
-
-		lua_pushstring(L, tag);
-		lua_pushlstring(L, txt, len);
+		} /* switch() */
 
 		break;
-	}
+	} /* while() */
 
 	lua_pushinteger(L, i);
 	lua_replace(L, lua_upvalueindex(2));
@@ -1624,22 +1743,29 @@ int luaopen__openssl_x509_altname(lua_State *L) {
  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 static int xc_new(lua_State *L) {
-	const char *pem;
+	const char *data;
 	size_t len;
 	X509 **ud;
 
-	lua_settop(L, 1);
+	lua_settop(L, 2);
 
 	ud = prepsimple(L, X509_CERT_CLASS);
 
-	if ((pem = luaL_optlstring(L, 1, NULL, &len))) {
+	if ((data = luaL_optlstring(L, 1, NULL, &len))) {
+		int type = optencoding(L, 2, "*", X509_ANY|X509_PEM|X509_DER);
 		BIO *tmp;
-		int ok;
+		int ok = 0;
 
-		if (!(tmp = BIO_new_mem_buf((char *)pem, len)))
+		if (!(tmp = BIO_new_mem_buf((char *)data, len)))
 			return throwssl(L, "x509.cert.new");
 
-		ok = !!PEM_read_bio_X509(tmp, ud, 0, ""); /* no password */
+		if (type == X509_PEM || type == X509_ANY) {
+			ok = !!(*ud = PEM_read_bio_X509(tmp, NULL, 0, "")); /* no password */
+		}
+
+		if (!ok && (type == X509_DER || type == X509_ANY)) {
+			ok = !!(*ud = d2i_X509_bio(tmp, NULL));
+		}
 
 		BIO_free(tmp);
 
@@ -2343,7 +2469,7 @@ done:
 
 static int xc_getPublicKey(lua_State *L) {
 	X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
-	EVP_PKEY **key = prepsimple(L, PUBKEY_CLASS);
+	EVP_PKEY **key = prepsimple(L, PKEY_CLASS);
 
 	if (!(*key = X509_get_pubkey(crt)))
 		return throwssl(L, "x509.cert:getPublicKey");
@@ -2354,7 +2480,7 @@ static int xc_getPublicKey(lua_State *L) {
 
 static int xc_setPublicKey(lua_State *L) {
 	X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
-	EVP_PKEY *key = checksimple(L, 2, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
 
 	if (!X509_set_pubkey(crt, key))
 		return throwssl(L, "x509.cert:setPublicKey");
@@ -2386,7 +2512,7 @@ static const EVP_MD *xc_signature(lua_State *L, int index, EVP_PKEY *key) {
 
 static int xc_sign(lua_State *L) {
 	X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
-	EVP_PKEY *key = checksimple(L, 2, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
 
 	if (!X509_sign(crt, key, xc_signature(L, 3, key)))
 		return throwssl(L, "x509.cert:sign");
@@ -2399,17 +2525,25 @@ static int xc_sign(lua_State *L) {
 
 static int xc__tostring(lua_State *L) {
 	X509 *crt = checksimple(L, 1, X509_CERT_CLASS);
-	int fmt = checkoption(L, 2, "pem", (const char *[]){ "pem", NULL });
+	int type = optencoding(L, 2, "pem", X509_PEM|X509_DER);
 	BIO *bio = getbio(L);
-	char *pem;
+	char *data;
 	long len;
 
-	if (!PEM_write_bio_X509(bio, crt))
-		return throwssl(L, "x509.cert:__tostring");
+	switch (type) {
+	case X509_PEM:
+		if (!PEM_write_bio_X509(bio, crt))
+			return throwssl(L, "x509.cert:__tostring");
+		break;
+	case X509_DER:
+		if (!i2d_X509_bio(bio, crt))
+			return throwssl(L, "x509.cert:__tostring");
+		break;
+	} /* switch() */
 
-	len = BIO_get_mem_data(bio, &pem);
+	len = BIO_get_mem_data(bio, &data);
 
-	lua_pushlstring(L, pem, len);
+	lua_pushlstring(L, data, len);
 
 	return 1;
 } /* xc__tostring() */
@@ -2486,26 +2620,33 @@ int luaopen__openssl_x509_cert(lua_State *L) {
  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 static int xr_new(lua_State *L) {
-	const char *pem;
+	const char *data;
 	size_t len;
 	X509_REQ **ud;
 	X509 *crt;
 
-	lua_settop(L, 1);
+	lua_settop(L, 2);
 
 	ud = prepsimple(L, X509_CSR_CLASS);
 
 	if ((crt = testsimple(L, 1, X509_CERT_CLASS))) {
 		if (!(*ud = X509_to_X509_REQ(crt, 0, 0)))
 			return throwssl(L, "x509.csr.new");
-	} else if ((pem = luaL_optlstring(L, 1, NULL, &len))) {
+	} else if ((data = luaL_optlstring(L, 1, NULL, &len))) {
+		int type = optencoding(L, 2, "*", X509_ANY|X509_PEM|X509_DER);
 		BIO *tmp;
-		int ok;
+		int ok = 0;
 
-		if (!(tmp = BIO_new_mem_buf((char *)pem, len)))
+		if (!(tmp = BIO_new_mem_buf((char *)data, len)))
 			return throwssl(L, "x509.csr.new");
 
-		ok = !!PEM_read_bio_X509_REQ(tmp, ud, 0, ""); /* no password */
+		if (type == X509_PEM || type == X509_ANY) {
+			ok = !!(*ud = PEM_read_bio_X509_REQ(tmp, NULL, 0, "")); /* no password */
+		}
+
+		if (!ok && (type == X509_DER || type == X509_ANY)) {
+			ok = !!(*ud = d2i_X509_REQ_bio(tmp, NULL));
+		}
 
 		BIO_free(tmp);
 
@@ -2575,7 +2716,7 @@ static int xr_setSubject(lua_State *L) {
 
 static int xr_getPublicKey(lua_State *L) {
 	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
-	EVP_PKEY **key = prepsimple(L, PUBKEY_CLASS);
+	EVP_PKEY **key = prepsimple(L, PKEY_CLASS);
 
 	if (!(*key = X509_REQ_get_pubkey(csr)))
 		return throwssl(L, "x509.cert:getPublicKey");
@@ -2586,7 +2727,7 @@ static int xr_getPublicKey(lua_State *L) {
 
 static int xr_setPublicKey(lua_State *L) {
 	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
-	EVP_PKEY *key = checksimple(L, 2, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
 
 	if (!X509_REQ_set_pubkey(csr, key))
 		return throwssl(L, "x509.csr:setPublicKey");
@@ -2599,7 +2740,7 @@ static int xr_setPublicKey(lua_State *L) {
 
 static int xr_sign(lua_State *L) {
 	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
-	EVP_PKEY *key = checksimple(L, 2, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
 
 	if (!X509_REQ_sign(csr, key, xc_signature(L, 3, key)))
 		return throwssl(L, "x509.csr:sign");
@@ -2612,17 +2753,25 @@ static int xr_sign(lua_State *L) {
 
 static int xr__tostring(lua_State *L) {
 	X509_REQ *csr = checksimple(L, 1, X509_CSR_CLASS);
-	int fmt = checkoption(L, 2, "pem", (const char *[]){ "pem", NULL });
+	int type = optencoding(L, 2, "pem", X509_PEM|X509_DER);
 	BIO *bio = getbio(L);
-	char *pem;
+	char *data;
 	long len;
 
-	if (!PEM_write_bio_X509_REQ(bio, csr))
-		return throwssl(L, "x509.csr:__tostring");
+	switch (type) {
+	case X509_PEM:
+		if (!PEM_write_bio_X509_REQ(bio, csr))
+			return throwssl(L, "x509.csr:__tostring");
+		break;
+	case X509_DER:
+		if (!i2d_X509_REQ_bio(bio, csr))
+			return throwssl(L, "x509.csr:__tostring");
+		break;
+	} /* switch() */
 
-	len = BIO_get_mem_data(bio, &pem);
+	len = BIO_get_mem_data(bio, &data);
 
-	lua_pushlstring(L, pem, len);
+	lua_pushlstring(L, data, len);
 
 	return 1;
 } /* xr__tostring() */
@@ -2745,7 +2894,7 @@ static int xl_add(lua_State *L) {
 		return throwssl(L, "x509.chain:add");
 	}
 
-	lua_pushboolean(L, 1);
+	lua_pushvalue(L, 1);
 
 	return 1;
 } /* xl_add() */
@@ -2880,7 +3029,7 @@ static int xs_add(lua_State *L) {
 		}
 	}
 
-	lua_pushboolean(L, 1);
+	lua_pushvalue(L, 1);
 
 	return 1;
 } /* xs_add() */
@@ -3063,7 +3212,7 @@ int luaopen__openssl_x509_store_context(lua_State *L) {
  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 static int sx_new(lua_State *L) {
-	static const char *opts[] = {
+	static const char *const opts[] = {
 		"SSLv2", "SSLv3", "SSLv23", "SSL", "TLSv1", "TLS", NULL
 	};
 	/* later versions of SSL declare a const qualifier on the return type */
@@ -3168,7 +3317,7 @@ static int sx_setCertificate(lua_State *L) {
 
 static int sx_setPrivateKey(lua_State *L) {
 	SSL_CTX *ctx = checksimple(L, 1, SSL_CTX_CLASS);
-	EVP_PKEY *key = checksimple(L, 2, PUBKEY_CLASS);
+	EVP_PKEY *key = checksimple(L, 2, PKEY_CLASS);
 
 	/*
 	 * NOTE: No easy way to dup the key, but a shared reference should
@@ -3409,8 +3558,8 @@ static int md_update(lua_State *L) {
 
 	md_update_(L, ctx, 2, lua_gettop(L));
 
-	lua_pushboolean(L, 1);
-	
+	lua_pushvalue(L, 1);
+
 	return 1;
 } /* md_update() */
 
@@ -3512,8 +3661,8 @@ static int hmac_update(lua_State *L) {
 
 	hmac_update_(L, ctx, 2, lua_gettop(L));
 
-	lua_pushboolean(L, 1);
-	
+	lua_pushvalue(L, 1);
+
 	return 1;
 } /* hmac_update() */
 
@@ -3876,15 +4025,18 @@ static unsigned long long rand_llu(lua_State *L) {
  * (https://groups.google.com/forum/message/raw?msg=sci.crypt/DMslf6tSrD8/rv9rk6oP3r4J)
  */
 static int rand_uniform(lua_State *L) {
-	if (lua_isnoneornil(L, 1)) {
-		unsigned long long r = rand_llu(L);
-
-		lua_pushnumber(L, r);
+	unsigned long long r;
 
-		return 1;
+	if (lua_isnoneornil(L, 1)) {
+		r = rand_llu(L);
 	} else {
-		unsigned long long N = luaL_checknumber(L, 1);
-		unsigned long long r, m;
+		unsigned long long N, m;
+
+		if (sizeof (lua_Unsigned) >= sizeof r) {
+			N = luaL_checkunsigned(L, 1);
+		} else {
+			N = luaL_checknumber(L, 1);
+		}
 
 		luaL_argcheck(L, N > 1, 1, lua_pushfstring(L, "[0, %d): interval is empty", (int)N));
 
@@ -3894,10 +4046,16 @@ static int rand_uniform(lua_State *L) {
 			r = rand_llu(L);
 		} while (r < m);
 
-		lua_pushnumber(L, (r % N));
+		r = r % N;
+	}
 
-		return 1;
+	if (sizeof (lua_Unsigned) >= sizeof r) {
+		lua_pushunsigned(L, r);
+	} else {
+		lua_pushnumber(L, r);
 	}
+
+	return 1;
 } /* rand_uniform() */
 
 
@@ -4009,7 +4167,7 @@ static int mt_init(void) {
 	if (bound && !mt_state.dlref) {
 		Dl_info info;
 
-		if (!dladdr(&luaopen__openssl_rand, &info)) {
+		if (!dladdr((void *)&luaopen__openssl_rand, &info)) {
 			error = -1;
 			goto leave;
 		}
@@ -4064,7 +4222,7 @@ static void initall(lua_State *L) {
 	pthread_mutex_unlock(&mutex);
 
 	addclass(L, BIGNUM_CLASS, bn_methods, bn_metatable);
-	addclass(L, PUBKEY_CLASS, pk_methods, pk_metatable);
+	addclass(L, PKEY_CLASS, pk_methods, pk_metatable);
 	addclass(L, X509_NAME_CLASS, xn_methods, xn_metatable);
 	addclass(L, X509_GENS_CLASS, gn_methods, gn_metatable);
 	addclass(L, X509_CERT_CLASS, xc_methods, xc_metatable);
diff --git a/src/openssl.pkey.lua b/src/openssl.pkey.lua
new file mode 100644
index 0000000..2cbd6d2
--- /dev/null
+++ b/src/openssl.pkey.lua
@@ -0,0 +1,4 @@
+local pkey = require"_openssl.pkey"
+
+return pkey
+
diff --git a/src/openssl.pubkey.lua b/src/openssl.pubkey.lua
deleted file mode 100644
index 6dc5614..0000000
--- a/src/openssl.pubkey.lua
+++ /dev/null
@@ -1,4 +0,0 @@
-local pubkey = require"_openssl.pubkey"
-
-return pubkey
-