Index: Makefile =================================================================== --- Makefile +++ Makefile @@ -1221,6 +1221,7 @@ SUBDIR += sas2ircu SUBDIR += sas3ircu SUBDIR += savelogs + SUBDIR += sbsigntool SUBDIR += scalpel SUBDIR += scan_ffs SUBDIR += scanbuttond Index: sbsigntool/Makefile =================================================================== --- sbsigntool/Makefile +++ sbsigntool/Makefile @@ -3,21 +3,23 @@ PORTNAME= sbsigntool PORTVERSION= 0.6 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= sysutils MASTER_SITES= https://launchpad.net/ubuntu/+archive/primary/+files/ DISTNAME= ${PORTNAME}_${PORTVERSION}.orig -MAINTAINER= ports@FreeBSD.org +MAINTAINER= obrien@FreeBSD.org COMMENT= Signing utility for UEFI secure boot LICENSE= GPLv3 -BROKEN= fails to build -DEPRECATED= Broken for more than 6 months -EXPIRATION_DATE= 2019-05-08 +# bfd.h can come from the binutils or libbfd ports. BUT the binutils +# port does not include ansidecl.h. There are likely other GNU'ish +# ports that do include ansidecl.h, so I don't want to depend only +# on ansidecl.h and have build failures due to missing bfd.h. BUILD_DEPENDS= ${LOCALBASE}/lib/libgnuefi.a:devel/gnu-efi \ + libbfd>=2.19:devel/libbfd \ help2man:misc/help2man LIB_DEPENDS= libuuid.so:misc/e2fsprogs-libuuid @@ -31,7 +33,14 @@ LDFLAGS+= -L${OPENSSLLIB} CFLAGS+= -I${OPENSSLINC} +.include + +.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1200085 && ${SSL_DEFAULT} == "base" +# 1200085 339270 October 19, 2018 12.0-STABLE after updating OpenSSL to version 1.1.1. +BROKEN= ${PORTNAME} requires Openssl 1.1.1. Upgrade to FreeBSD 12.x or later; or add DEFAULT_VERSIONS+=ssl=[openssl|libressl*] to /etc/make.conf +.endif + post-patch: @${REINPLACE_CMD} -e 's|||' ${WRKSRC}/configure ${WRKSRC}/lib/ccan/ccan/hash/hash.c -.include +.include Index: sbsigntool/files/patch-src-idc.c =================================================================== --- /dev/null +++ sbsigntool/files/patch-src-idc.c 
@@ -0,0 +1,20 @@
+--- src/idc.c.orig 2012-10-01 08:11:52.000000000 -0700
++++ src/idc.c 2021-01-05 18:48:13.369936000 -0800
+@@ -238,7 +238,7 @@
+ 
+ /* extract the idc from the signed PKCS7 'other' data */
+ str = p7->d.sign->contents->d.other->value.asn1_string;
+- idcbuf = buf = ASN1_STRING_data(str);
++ idcbuf = buf = ASN1_STRING_get0_data(str);
+ idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
+ 
+ /* If we were passed a BIO, write the idc data, minus type and length,
+@@ -289,7 +289,7 @@
+ }
+ 
+ /* check hash against the one we calculated from the image */
+- buf = ASN1_STRING_data(str);
++ buf = ASN1_STRING_get0_data(str);
+ if (memcmp(buf, sha, sizeof(sha))) {
+ fprintf(stderr, "Hash doesn't match image\n");
+ fprintf(stderr, " got: %s\n", sha256_str(buf));
Index: sbsigntool/files/patch-src-sbkeysync.c
===================================================================
--- sbsigntool/files/patch-src-sbkeysync.c
+++ sbsigntool/files/patch-src-sbkeysync.c
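Review bot: The memcmp in the second inner hunk compares sizeof(sha) bytes of `buf` without first checking that the ASN1 string is at least that long, so a digest attribute shorter than a SHA-256 value would be read past its end (and again by `sha256_str(buf)` on the next line); unless a length check exists above the hunk, reject short values before the comparison, e.g. `if (ASN1_STRING_length(str) < (int)sizeof(sha)) { /* treat as a hash mismatch */ }`. Separately, `ASN1_STRING_get0_data` returns `const unsigned char *`, so if `buf` and `idcbuf` are still declared `unsigned char *` (their declarations are outside the hunk) both replaced assignments discard the qualifier and the compiler will warn; declaring them `const unsigned char *` fixes that and presumably also matches the `const unsigned char **` that the generated `d2i_IDC` takes for `&buf`. Both enclosing functions start and end outside the hunk.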
@@ -1,12 +1,41 @@ ---- src/sbkeysync.c.orig 2014-11-30 19:18:11.000000000 +0100 -+++ src/sbkeysync.c 2014-11-30 19:18:32.000000000 +0100 -@@ -38,7 +38,8 @@ +--- src/sbkeysync.c.orig 2012-10-10 10:21:54.000000000 -0700 ++++ src/sbkeysync.c 2021-01-05 20:15:24.739061000 -0800 +@@ -31,6 +31,8 @@ + */ + #define _GNU_SOURCE + ++#include ++#include + #include + #include + #include +@@ -38,8 +40,6 @@ #include #include #include -#include -+#include -+#include - #include +-#include #include + +@@ -203,16 +203,15 @@ + return -1; + + /* we use the X509 serial number as the key ID */ +- if (!x509->cert_info || !x509->cert_info->serialNumber) ++ serial = X509_get_serialNumber(x509); ++ if (!serial) + goto out; + +- serial = x509->cert_info->serialNumber; +- + key->id_len = ASN1_STRING_length(serial); +- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); ++ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len); + + key->description = talloc_array(key, char, description_len); +- X509_NAME_oneline(x509->cert_info->subject, ++ X509_NAME_oneline(X509_get_subject_name(x509), + key->description, description_len); + + rc = 0; Index: sbsigntool/files/patch-src-sbverify.c =================================================================== --- /dev/null +++ sbsigntool/files/patch-src-sbverify.c 
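Review bot: Neither allocation in the rewritten key-ID block is checked: `talloc_memdup` on the new `key->id` line and `talloc_array` for `key->description` can return NULL, and `X509_NAME_oneline(X509_get_subject_name(x509), key->description, description_len)` then writes through a NULL pointer. Add `if (!key->id) goto out;` after the memdup and `if (!key->description) goto out;` before the oneline call, reusing the `out` label this function already jumps to. The new `if (!serial)` guard is reasonable, but `X509_get_serialNumber` should not return NULL for a parsed certificate, so a short comment marking it as defensive would help the next reader. The enclosing function starts and ends outside the hunk.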
@@ -0,0 +1,93 @@
+--- src/sbverify.c.orig 2012-10-11 17:15:11.000000000 -0700
++++ src/sbverify.c 2021-01-05 20:52:29.847511000 -0800
+@@ -123,9 +123,9 @@
+ 
+ for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
+ cert = sk_X509_value(p7->d.sign->cert, i);
+- X509_NAME_oneline(cert->cert_info->subject,
++ X509_NAME_oneline(X509_get_subject_name(cert),
+ subject_name, cert_name_len);
+- X509_NAME_oneline(cert->cert_info->issuer,
++ X509_NAME_oneline(X509_get_issuer_name(cert),
+ issuer_name, cert_name_len);
+ 
+ printf(" - subject: %s\n", subject_name);
+@@ -136,20 +136,26 @@
+ static void print_certificate_store_certs(X509_STORE *certs)
+ {
+ char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
++ STACK_OF(X509_OBJECT) *objs;
+ X509_OBJECT *obj;
++ X509 *cert;
+ int i;
+ 
+ printf("certificate store:\n");
+ 
+- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
+- obj = sk_X509_OBJECT_value(certs->objs, i);
++ objs = X509_STORE_get0_objects(certs);
+ 
+- if (obj->type != X509_LU_X509)
++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++ obj = sk_X509_OBJECT_value(objs, i);
++ 
++ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
+ continue;
+ 
+- X509_NAME_oneline(obj->data.x509->cert_info->subject,
++ cert = X509_OBJECT_get0_X509(obj);
++ 
++ X509_NAME_oneline(X509_get_subject_name(cert),
+ subject_name, cert_name_len);
+- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
++ X509_NAME_oneline(X509_get_issuer_name(cert),
+ issuer_name, cert_name_len);
+ 
+ printf(" - subject: %s\n", subject_name);
+@@ -182,12 +188,21 @@
+ 
+ static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
+ {
+- X509_OBJECT obj;
++ STACK_OF(X509_OBJECT) *objs;
++ X509_OBJECT *obj;
++ int i;
+ 
+- obj.type = X509_LU_X509;
+- obj.data.x509 = cert;
++ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
+ 
+- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++ obj = sk_X509_OBJECT_value(objs, i);
++ 
++ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
++ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
++ return 1;
++ }
++ 
++ return 0;
+ }
+ 
+ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+@@ -195,15 +210,17 @@
+ int err = X509_STORE_CTX_get_error(ctx);
+ 
+ /* also accept code-signing keys */
+- if (err == X509_V_ERR_INVALID_PURPOSE
+- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
++ if (err == X509_V_ERR_INVALID_PURPOSE &&
++ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
++ == XKU_CODE_SIGN)
+ status = 1;
+ 
+ /* all certs given with the --cert argument are trusted */
+ else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
++ err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
+ err == X509_V_ERR_CERT_UNTRUSTED) {
+ 
+- if (cert_in_store(ctx->current_cert, ctx))
++ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
+ status = 1;
+ }
+ 
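Review bot: The added `err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||` in x509_verify_cb widens the set of verification errors the callback overrides, and nothing in the patch records why; since this branch is what grants trust to certificates supplied with --cert, a comment such as `/* OpenSSL 1.1 reports a missing issuer as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT rather than only the _LOCALLY variant; either is accepted only when the cert itself was given with --cert */` would keep the trust decision reviewable (the reason is inferred from the API port, confirm it). In the new cert_in_store, `cert` comes from `X509_STORE_CTX_get_current_cert`, which can return NULL when no certificate is associated with the error, and `X509_cmp` is not NULL-safe, so open the function with `if (cert == NULL) return 0;`. The rewritten loop also replaces the hashed `X509_OBJECT_retrieve_match` lookup with a linear scan of the store, which is fine for a handful of --cert entries but deserves a one-line comment. x509_verify_cb continues past the end of the hunk.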