-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 18 | ||||
-rw-r--r-- | tests/test_x509.py | 5 |
2 files changed, 21 insertions, 2 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index af675116..7255b470 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -83,8 +83,14 @@ def _encode_asn1_str(backend, data, length):
 Create an ASN1_OCTET_STRING from a Python byte string.
 """
 s = backend._lib.ASN1_OCTET_STRING_new()
+ res = backend._lib.ASN1_OCTET_STRING_set(s, data, length)
+ assert res == 1
+ return s
+
+
+def _encode_asn1_str_gc(backend, data, length):
+ s = _encode_asn1_str(backend, data, length)
 s = backend._ffi.gc(s, backend._lib.ASN1_OCTET_STRING_free)
- backend._lib.ASN1_OCTET_STRING_set(s, data, length)
 return s
@@ -185,6 +191,14 @@ def _encode_subject_alt_name(backend, san):
 name = _encode_name(backend, alt_name.value)
 gn.type = backend._lib.GEN_DIRNAME
 gn.d.directoryName = name
+ elif isinstance(alt_name, x509.IPAddress):
+ gn = backend._lib.GENERAL_NAME_new()
+ assert gn != backend._ffi.NULL
+ ipaddr = _encode_asn1_str(
+ backend, alt_name.value.packed, len(alt_name.value.packed)
+ )
+ gn.type = backend._lib.GEN_IPADD
+ gn.d.iPAddress = ipaddr
 else:
 raise NotImplementedError(
 "Only DNSName and RegisteredID supported right now"
@@ -919,7 +933,7 @@ class Backend(object):
 self._ffi.NULL,
 obj,
 1 if extension.critical else 0,
- _encode_asn1_str(self, pp[0], r),
+ _encode_asn1_str_gc(self, pp[0], r),
 )
 assert extension != self._ffi.NULL
 res = self._lib.sk_X509_EXTENSION_push(extensions, extension)
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 6ad891b1..9b6b8826 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -6,6 +6,7 @@ from __future__ import absolute_import, division, print_function
 import binascii
 import datetime
+import ipaddress
 import os
 import pytest
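Review bot: `_encode_asn1_str` passes `s` to `ASN1_OCTET_STRING_set` without checking that `ASN1_OCTET_STRING_new()` returned a non-NULL pointer, although the new `GENERAL_NAME_new()` call in the second hunk of this file does get such a check; adding `assert s != backend._ffi.NULL` right after the allocation would be consistent. The function now returns a pointer with no finalizer attached, so its docstring should state that the caller must either hand ownership to another OpenSSL structure or use `_encode_asn1_str_gc`, and the new `_encode_asn1_str_gc` has no docstring at all. If `assert res == 1` fires, `s` is leaked because it is not yet wrapped in `ffi.gc`. Both checks are `assert` statements and disappear under `python -O`, so an explicit raise would be more robust for an allocation failure.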
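Review bot: The `IPAddress` branch assigns the un-finalized string to `gn.d.iPAddress`, which presumably hands ownership to the GENERAL_NAME and is only safe because `_encode_asn1_str` is used rather than `_encode_asn1_str_gc`; a comment such as `# ownership of ipaddr passes to gn, so no ffi.gc here` would keep a later edit from introducing a double free. The fall-through message `"Only DNSName and RegisteredID supported right now"` is a context line, but it is now stale, since the visible branches also cover directory names and IP addresses. `alt_name.value.packed` assumes an address object; if `x509.IPAddress` can also wrap a network type (not visible here), that would surface as an `AttributeError` rather than a clear unsupported-value error. `_encode_subject_alt_name` starts and ends outside the hunk.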
@@ -1001,6 +1002,8 @@ class TestCertificateSigningRequestBuilder(object):
 x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
 )
 ])),
+ x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
+ x509.IPAddress(ipaddress.ip_address(u"ff::")),
 ]),
 critical=False,
 ).sign(private_key, hashes.SHA256(), backend)
@@ -1021,6 +1024,8 @@ class TestCertificateSigningRequestBuilder(object):
 x509.OID_ORGANIZATION_NAME, u'We heart UTF8!\u2122'
 ),
 ])),
+ x509.IPAddress(ipaddress.ip_address(u"127.0.0.1")),
+ x509.IPAddress(ipaddress.ip_address(u"ff::")),
 ]
 def test_subject_alt_name_unsupported_general_name(self, backend): |