diff --git a/CHANGES b/CHANGES
index 5859004a4c..f3c99b5d2c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -11,6 +11,10 @@
          *) applies to 0.9.6a (/0.9.6b) and 0.9.7
          +) applies to 0.9.7 only
 
+  +) Tidy up PKCS#12 attribute handling. Add support for the CSP name
+     attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
+     [Steve Henson]
+
   *) Fix OAEP check.
      [Ulf Möller, Bodo Möller]
 
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 90abbb84d2..f277956cd9 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -99,6 +99,7 @@ int MAIN(int argc, char **argv)
     BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
     char **args;
     char *name = NULL;
+    char *csp_name = NULL;
     PKCS12 *p12 = NULL;
     char pass[50], macpass[50];
     int export_cert = 0;
@@ -197,6 +198,11 @@ int MAIN(int argc, char **argv)
 			args++;	
 			name = *args;
 		    } else badarg = 1;
+		} else if (!strcmp (*args, "-CSP")) {
+		    if (args[1]) {
+			args++;	
+			csp_name = *args;
+		    } else badarg = 1;
 		} else if (!strcmp (*args, "-caname")) {
 		    if (args[1]) {
 			args++;	
@@ -572,6 +578,7 @@ int MAIN(int argc, char **argv)
 	PKCS8_PRIV_KEY_INFO_free(p8);
 	p8 = NULL;
         if (name) PKCS12_add_friendlyname (bag, name, -1);
+	if(csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1);
 	PKCS12_add_localkeyid (bag, keyid, keyidlen);
 	bags = sk_PKCS12_SAFEBAG_new_null();
 	sk_PKCS12_SAFEBAG_push (bags, bag);
diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c
index 732e68fe46..0187ddb015 100644
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -170,8 +170,10 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_givenName,			1, ub_name, DIRSTRING_TYPE, 0},
 {NID_surname,			1, ub_name, DIRSTRING_TYPE, 0},
 {NID_initials,			1, ub_name, DIRSTRING_TYPE, 0},
+{NID_friendlyName,		-1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
 {NID_name,			1, ub_name, DIRSTRING_TYPE, 0},
-{NID_dnQualifier,		-1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}
+{NID_dnQualifier,		-1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_ms_csp_name,		-1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}
 };
 
 static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 788c69d497..17c806cf08 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -61,12 +61,12 @@
  * perl obj_dat.pl obj_mac.h obj_dat.h
  */
 
-#define NUM_NID 492
-#define NUM_SN 490
-#define NUM_LN 490
-#define NUM_OBJ 464
+#define NUM_NID 493
+#define NUM_SN 491
+#define NUM_LN 491
+#define NUM_OBJ 465
 
-static unsigned char lvalues[3783]={
+static unsigned char lvalues[3792]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -531,6 +531,7 @@ static unsigned char lvalues[3783]={
 0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06,     /* [3759] OBJ_X9_62_prime239v3 */
 0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,     /* [3767] OBJ_X9_62_prime256v1 */
 0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01,          /* [3775] OBJ_ecdsa_with_SHA1 */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x01,/* [3782] OBJ_ms_csp_name */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1284,6 +1285,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"prime256v1","prime256v1",NID_X9_62_prime256v1,8,&(lvalues[3767]),0},
 {"ecdsa-with-SHA1","ecdsa-with-SHA1",NID_ecdsa_with_SHA1,7,
 	&(lvalues[3775]),0},
+{"CSPName","Microsoft CSP Name",NID_ms_csp_name,9,&(lvalues[3782]),0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -1312,6 +1314,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[410]),/* "CCITT" */
 &(nid_objs[13]),/* "CN" */
 &(nid_objs[141]),/* "CRLReason" */
+&(nid_objs[492]),/* "CSPName" */
 &(nid_objs[367]),/* "CrlID" */
 &(nid_objs[107]),/* "D" */
 &(nid_objs[391]),/* "DC" */
@@ -1807,6 +1810,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[142]),/* "Invalidity Date" */
 &(nid_objs[388]),/* "Mail" */
 &(nid_objs[383]),/* "Management" */
+&(nid_objs[492]),/* "Microsoft CSP Name" */
 &(nid_objs[135]),/* "Microsoft Commercial Code Signing" */
 &(nid_objs[138]),/* "Microsoft Encrypted File System" */
 &(nid_objs[171]),/* "Microsoft Extension Request" */
@@ -2542,6 +2546,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[188]),/* OBJ_SMIME                        1 2 840 113549 1 9 16 */
 &(nid_objs[156]),/* OBJ_friendlyName                 1 2 840 113549 1 9 20 */
 &(nid_objs[157]),/* OBJ_localKeyID                   1 2 840 113549 1 9 21 */
+&(nid_objs[492]),/* OBJ_ms_csp_name                  1 3 6 1 4 1 311 17 1 */
 &(nid_objs[91]),/* OBJ_bf_cbc                       1 3 6 1 4 1 3029 1 2 */
 &(nid_objs[315]),/* OBJ_id_regCtrl_regToken          1 3 6 1 5 5 7 5 1 1 */
 &(nid_objs[316]),/* OBJ_id_regCtrl_authenticator     1 3 6 1 5 5 7 5 1 2 */
diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
index 37ca4efffa..cd114a2600 100644
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@@ -639,6 +639,11 @@
 #define NID_localKeyID		157
 #define OBJ_localKeyID		OBJ_pkcs9,21L
 
+#define SN_ms_csp_name		"CSPName"
+#define LN_ms_csp_name		"Microsoft CSP Name"
+#define NID_ms_csp_name		492
+#define OBJ_ms_csp_name		1L,3L,6L,1L,4L,1L,311L,17L,1L
+
 #define OBJ_certTypes		OBJ_pkcs9,22L
 
 #define LN_x509Certificate		"x509Certificate"
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 355a2b55f6..362bdb713d 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -489,3 +489,4 @@ X9_62_prime239v2		488
 X9_62_prime239v3		489
 X9_62_prime256v1		490
 ecdsa_with_SHA1		491
+ms_csp_name		492
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 1e51416c73..86d337d01e 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -201,6 +201,8 @@ id-smime-cti 6		: id-smime-cti-ets-proofOfCreation
 
 pkcs9 20		:			: friendlyName
 pkcs9 21		:			: localKeyID
+!Cname ms-csp-name
+1 3 6 1 4 1 311 17 1	: CSPName		: Microsoft CSP Name
 !Alias certTypes pkcs9 22
 certTypes 1		:			: x509Certificate
 certTypes 2		:			: sdsiCertificate
diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c
index 2d4d04292a..026cf3826a 100644
--- a/crypto/pkcs12/p12_attr.c
+++ b/crypto/pkcs12/p12_attr.c
@@ -62,156 +62,63 @@
 
 /* Add a local keyid to a safebag */
 
-int PKCS12_add_localkeyid (PKCS12_SAFEBAG *bag, unsigned char *name,
+int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
 	     int namelen)
 {
-	X509_ATTRIBUTE *attrib;
-	ASN1_BMPSTRING *oct;
-	ASN1_TYPE *keyid;
-	if (!(keyid = ASN1_TYPE_new ())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+	if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID,
+				V_ASN1_OCTET_STRING, name, namelen))
+		return 1;
+	else 
 		return 0;
-	}
-	keyid->type = V_ASN1_OCTET_STRING;
-	if (!(oct = M_ASN1_OCTET_STRING_new())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	if (!M_ASN1_OCTET_STRING_set(oct, name, namelen)) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	keyid->value.octet_string = oct;
-	if (!(attrib = X509_ATTRIBUTE_new ())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	attrib->object = OBJ_nid2obj(NID_localKeyID);
-	if (!(attrib->value.set = sk_ASN1_TYPE_new_null())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	sk_ASN1_TYPE_push (attrib->value.set,keyid);
-	attrib->single = 0;
-	if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new_null ())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
-	return 1;
 }
 
 /* Add key usage to PKCS#8 structure */
 
-int PKCS8_add_keyusage (PKCS8_PRIV_KEY_INFO *p8, int usage)
+int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
 {
-	X509_ATTRIBUTE *attrib;
-	ASN1_BIT_STRING *bstr;
-	ASN1_TYPE *keyid;
 	unsigned char us_val;
 	us_val = (unsigned char) usage;
-	if (!(keyid = ASN1_TYPE_new ())) {
-		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+	if (X509at_add1_attr_by_NID(&p8->attributes, NID_key_usage,
+				V_ASN1_BIT_STRING, &us_val, 1))
+		return 1;
+	else
 		return 0;
-	}
-	keyid->type = V_ASN1_BIT_STRING;
-	if (!(bstr = M_ASN1_BIT_STRING_new())) {
-		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	if (!M_ASN1_BIT_STRING_set(bstr, &us_val, 1)) {
-		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	keyid->value.bit_string = bstr;
-	if (!(attrib = X509_ATTRIBUTE_new ())) {
-		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	attrib->object = OBJ_nid2obj(NID_key_usage);
-	if (!(attrib->value.set = sk_ASN1_TYPE_new_null())) {
-		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	sk_ASN1_TYPE_push (attrib->value.set,keyid);
-	attrib->single = 0;
-	if (!p8->attributes
-	    && !(p8->attributes = sk_X509_ATTRIBUTE_new_null ())) {
-		PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	sk_X509_ATTRIBUTE_push (p8->attributes, attrib);
-	return 1;
 }
 
 /* Add a friendlyname to a safebag */
 
-int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name,
+int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
 				 int namelen)
 {
-	unsigned char *uniname;
-	int ret, unilen;
-	if (!asc2uni(name, namelen, &uniname, &unilen)) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,
-							ERR_R_MALLOC_FAILURE);
+	if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
+				MBSTRING_ASC, (unsigned char *)name, namelen))
+		return 1;
+	else
 		return 0;
-	}
-	ret = PKCS12_add_friendlyname_uni (bag, uniname, unilen);
-	OPENSSL_free(uniname);
-	return ret;
 }
-	
 
-int PKCS12_add_friendlyname_uni (PKCS12_SAFEBAG *bag,
+
+int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
 				 const unsigned char *name, int namelen)
 {
-	X509_ATTRIBUTE *attrib;
-	ASN1_BMPSTRING *bmp;
-	ASN1_TYPE *fname;
-	/* Zap ending double null if included */
-	if(!name[namelen - 1] && !name[namelen - 2]) namelen -= 2;
-	if (!(fname = ASN1_TYPE_new ())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-							ERR_R_MALLOC_FAILURE);
+	if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
+				MBSTRING_BMP, name, namelen))
+		return 1;
+	else
 		return 0;
-	}
-	fname->type = V_ASN1_BMPSTRING;
-	if (!(bmp = M_ASN1_BMPSTRING_new())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-							ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	if (!(bmp->data = OPENSSL_malloc (namelen))) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-							ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	memcpy (bmp->data, name, namelen);
-	bmp->length = namelen;
-	fname->value.bmpstring = bmp;
-	if (!(attrib = X509_ATTRIBUTE_new ())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-							ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	attrib->object = OBJ_nid2obj(NID_friendlyName);
-	if (!(attrib->value.set = sk_ASN1_TYPE_new_null())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME,
-							ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	sk_ASN1_TYPE_push (attrib->value.set,fname);
-	attrib->single = 0;
-	if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new_null ())) {
-		PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-							ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
-	return PKCS12_OK;
 }
 
-ASN1_TYPE *PKCS12_get_attr_gen (STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
+int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name,
+				 int namelen)
+{
+	if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name,
+				MBSTRING_ASC, (unsigned char *)name, namelen))
+		return 1;
+	else
+		return 0;
+}
+
+ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
 {
 	X509_ATTRIBUTE *attrib;
 	int i;
diff --git a/crypto/pkcs12/pkcs12.h b/crypto/pkcs12/pkcs12.h
index 01c20ddc6e..611762777d 100644
--- a/crypto/pkcs12/pkcs12.h
+++ b/crypto/pkcs12/pkcs12.h
@@ -201,6 +201,8 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12);
 int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen);
 int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
 				int namelen);
+int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name,
+				int namelen);
 int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
 				int namelen);
 int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 009fba199e..2a440901de 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -77,7 +77,8 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
 	const unsigned char *s = NULL;
 	X509_ALGOR algor;
 	ASN1_OCTET_STRING digest;
-	if(rsa->flags & RSA_FLAG_SIGN_VER)
+	if((rsa->flags & RSA_FLAG_SIGN_VER)
+	      && ENGINE_get_RSA(rsa->engine)->rsa_sign)
 	      return ENGINE_get_RSA(rsa->engine)->rsa_sign(type,
 			m, m_len, sigret, siglen, rsa);
 	/* Special case: SSL signature, just check the length */
@@ -154,7 +155,8 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
 		return(0);
 		}
 
-	if(rsa->flags & RSA_FLAG_SIGN_VER)
+	if((rsa->flags & RSA_FLAG_SIGN_VER)
+	    && ENGINE_get_RSA(rsa->engine)->rsa_verify)
 	    return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype,
 			m, m_len, sigbuf, siglen, rsa);
 
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 16a5653b1d..4951bad8cc 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -967,14 +967,14 @@ X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
 X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
 int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
 int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
-			ASN1_OBJECT *obj, int type,
-			unsigned char *bytes, int len);
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len);
 int X509_REQ_add1_attr_by_NID(X509_REQ *req,
 			int nid, int type,
-			unsigned char *bytes, int len);
+			const unsigned char *bytes, int len);
 int X509_REQ_add1_attr_by_txt(X509_REQ *req,
-			char *attrname, int type,
-			unsigned char *bytes, int len);
+			const char *attrname, int type,
+			const unsigned char *bytes, int len);
 
 int		X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
 
@@ -1113,22 +1113,22 @@ X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
 					 X509_ATTRIBUTE *attr);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
-			ASN1_OBJECT *obj, int type,
-			unsigned char *bytes, int len);
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
 			int nid, int type,
-			unsigned char *bytes, int len);
+			const unsigned char *bytes, int len);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
-			char *attrname, int type,
-			unsigned char *bytes, int len);
+			const char *attrname, int type,
+			const unsigned char *bytes, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
-	     int atrtype, void *data, int len);
+	     int atrtype, const void *data, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
-	     ASN1_OBJECT *obj, int atrtype, void *data, int len);
+	     const ASN1_OBJECT *obj, int atrtype, const void *data, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
-		char *atrname, int type, unsigned char *bytes, int len);
-int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj);
-int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len);
+		const char *atrname, int type, const unsigned char *bytes, int len);
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len);
 void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
 					int atrtype, void *data);
 int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c
index f074d2ab18..0bae3d32a1 100644
--- a/crypto/x509/x509_att.c
+++ b/crypto/x509/x509_att.c
@@ -149,8 +149,8 @@ err2:
 }
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
-			ASN1_OBJECT *obj, int type,
-			unsigned char *bytes, int len)
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len)
 {
 	X509_ATTRIBUTE *attr;
 	STACK_OF(X509_ATTRIBUTE) *ret;
@@ -163,7 +163,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
 			int nid, int type,
-			unsigned char *bytes, int len)
+			const unsigned char *bytes, int len)
 {
 	X509_ATTRIBUTE *attr;
 	STACK_OF(X509_ATTRIBUTE) *ret;
@@ -175,8 +175,8 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
 }
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
-			char *attrname, int type,
-			unsigned char *bytes, int len)
+			const char *attrname, int type,
+			const unsigned char *bytes, int len)
 {
 	X509_ATTRIBUTE *attr;
 	STACK_OF(X509_ATTRIBUTE) *ret;
@@ -188,7 +188,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
-	     int atrtype, void *data, int len)
+	     int atrtype, const void *data, int len)
 {
 	ASN1_OBJECT *obj;
 	X509_ATTRIBUTE *ret;
@@ -205,7 +205,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
-	     ASN1_OBJECT *obj, int atrtype, void *data, int len)
+	     const ASN1_OBJECT *obj, int atrtype, const void *data, int len)
 {
 	X509_ATTRIBUTE *ret;
 
@@ -234,7 +234,7 @@ err:
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
-		char *atrname, int type, unsigned char *bytes, int len)
+		const char *atrname, int type, const unsigned char *bytes, int len)
 	{
 	ASN1_OBJECT *obj;
 	X509_ATTRIBUTE *nattr;
@@ -252,7 +252,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
 	return nattr;
 	}
 
-int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
 {
 	if ((attr == NULL) || (obj == NULL))
 		return(0);
@@ -261,7 +261,7 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
 	return(1);
 }
 
-int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len)
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
 {
 	ASN1_TYPE *ttmp;
 	ASN1_STRING *stmp;
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index e2766e1a5f..0affa3bf30 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -251,8 +251,8 @@ int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
 }
 
 int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
-			ASN1_OBJECT *obj, int type,
-			unsigned char *bytes, int len)
+			const ASN1_OBJECT *obj, int type,
+			const unsigned char *bytes, int len)
 {
 	if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
 				type, bytes, len)) return 1;
@@ -261,7 +261,7 @@ int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
 
 int X509_REQ_add1_attr_by_NID(X509_REQ *req,
 			int nid, int type,
-			unsigned char *bytes, int len)
+			const unsigned char *bytes, int len)
 {
 	if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
 				type, bytes, len)) return 1;
@@ -269,8 +269,8 @@ int X509_REQ_add1_attr_by_NID(X509_REQ *req,
 }
 
 int X509_REQ_add1_attr_by_txt(X509_REQ *req,
-			char *attrname, int type,
-			unsigned char *bytes, int len)
+			const char *attrname, int type,
+			const unsigned char *bytes, int len)
 {
 	if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
 				type, bytes, len)) return 1;