7 files changed, 262 insertions, 3 deletions

diff --git a/cryptography/bindings/openssl/api.py b/cryptography/bindings/openssl/api.py
index 35d2cc55..6d3c82eb 100644
--- a/cryptography/bindings/openssl/api.py
+++ b/cryptography/bindings/openssl/api.py
@@ -41,7 +41,8 @@ class API(object):
         "rand",
         "rsa",
         "ssl",
-        "x509name"
+        "x509name",
+        "x509"
     ]
 
     def __init__(self):
diff --git a/cryptography/bindings/openssl/x509.py b/cryptography/bindings/openssl/x509.py
new file mode 100644
index 00000000..9a51a6d0
--- /dev/null
+++ b/cryptography/bindings/openssl/x509.py
@@ -0,0 +1,187 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+INCLUDES = """
+#include <openssl/ssl.h>
+"""
+
+TYPES = """
+typedef struct {
+    ASN1_OBJECT *algorithm;
+    ...;
+} X509_ALGOR;
+
+typedef struct {
+    X509_ALGOR *signature;
+    ...;
+} X509_CINF;
+
+typedef struct {
+    ASN1_OBJECT *object;
+    ASN1_BOOLEAN critical;
+    ASN1_OCTET_STRING *value;
+} X509_EXTENSION;
+
+typedef ... X509_EXTENSIONS;
+
+typedef ... X509_REQ;
+
+typedef ... x509_revoked_st;
+
+typedef struct {
+    ASN1_INTEGER *serialNumber;
+    ASN1_TIME *revocationDate;
+    X509_EXTENSIONS *extensions;
+    int sequence;
+    ...;
+} X509_REVOKED;
+
+typedef struct {
+    struct x509_revoked_st *revoked;
+    ...;
+} X509_CRL_INFO;
+
+typedef struct {
+    X509_CRL_INFO *crl;
+    ...;
+} X509_CRL;
+
+typedef struct {
+    X509_CINF *cert_info;
+    ...;
+} X509;
+
+typedef ... X509_STORE;
+typedef ... NETSCAPE_SPKI;
+"""
+
+FUNCTIONS = """
+X509 *X509_new();
+void X509_free(X509 *);
+X509 *X509_dup(X509 *);
+
+int X509_print_ex(BIO *, X509 *, unsigned long, unsigned long);
+
+int X509_set_version(X509 *, long);
+
+EVP_PKEY *X509_get_pubkey(X509 *);
+int X509_set_pubkey(X509 *, EVP_PKEY *);
+
+unsigned char *X509_alias_get0(X509 *, int *);
+int X509_sign(X509 *, EVP_PKEY *, const EVP_MD *);
+
+int X509_digest(const X509 *, const EVP_MD *, unsigned char *, unsigned int *);
+
+ASN1_TIME *X509_gmtime_adj(ASN1_TIME *, long);
+
+unsigned long X509_subject_name_hash(X509 *);
+
+X509_NAME *X509_get_subject_name(X509 *);
+int X509_set_subject_name(X509 *, X509_NAME *);
+
+X509_NAME *X509_get_issuer_name(X509 *);
+int X509_set_issuer_name(X509 *, X509_NAME *);
+
+int X509_get_ext_count(X509 *);
+int X509_add_ext(X509 *, X509_EXTENSION *, int);
+X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *);
+X509_EXTENSION *X509_get_ext(X509 *, int);
+int X509_EXTENSION_get_critical(X509_EXTENSION *);
+ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *);
+void X509_EXTENSION_free(X509_EXTENSION *);
+
+int X509_REQ_set_version(X509_REQ *, long);
+X509_REQ *X509_REQ_new();
+void X509_REQ_free(X509_REQ *);
+int X509_REQ_set_pubkey(X509_REQ *, EVP_PKEY *);
+int X509_REQ_sign(X509_REQ *, EVP_PKEY *, const EVP_MD *);
+int X509_REQ_verify(X509_REQ *, EVP_PKEY *);
+EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *);
+int X509_REQ_add_extensions(X509_REQ *, X509_EXTENSIONS *);
+int X509_REQ_print_ex(BIO *, X509_REQ *, unsigned long, unsigned long);
+
+int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int);
+ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *);
+
+X509_REVOKED *X509_REVOKED_new();
+void X509_REVOKED_free(X509_REVOKED *);
+
+int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *);
+
+int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long);
+
+X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
+X509_CRL *X509_CRL_new();
+void X509_CRL_free(X509_CRL *);
+int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *);
+int i2d_X509_CRL_bio(BIO *, X509_CRL *);
+int X509_CRL_print(BIO *, X509_CRL *);
+int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *);
+int X509_CRL_sign(X509_CRL *, EVP_PKEY *, const EVP_MD *);
+
+int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *);
+int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *);
+char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *);
+EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *);
+int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *, EVP_PKEY *);
+NETSCAPE_SPKI *NETSCAPE_SPKI_new();
+void NETSCAPE_SPKI_free(NETSCAPE_SPKI *);
+
+/*  ASN1 serialization */
+int i2d_X509_bio(BIO *, X509 *);
+X509 *d2i_X509_bio(BIO *, X509 **);
+
+int i2d_X509_REQ_bio(BIO *, X509_REQ *);
+X509_REQ *d2i_X509_REQ_bio(BIO *, X509_REQ **);
+
+int i2d_PrivateKey_bio(BIO *, EVP_PKEY *);
+EVP_PKEY *d2i_PrivateKey_bio(BIO *, EVP_PKEY **);
+
+ASN1_INTEGER *X509_get_serialNumber(X509 *);
+int X509_set_serialNumber(X509 *, ASN1_INTEGER *);
+
+/*  X509_STORE */
+X509_STORE *X509_STORE_new();
+void X509_STORE_free(X509_STORE *);
+int X509_STORE_add_cert(X509_STORE *, X509 *);
+"""
+
+MACROS = """
+long X509_get_version(X509 *);
+
+ASN1_TIME *X509_get_notBefore(X509 *);
+ASN1_TIME *X509_get_notAfter(X509 *);
+
+long X509_REQ_get_version(X509_REQ *);
+X509_NAME *X509_REQ_get_subject_name(X509_REQ *);
+
+struct stack_st_X509 *sk_X509_new_null();
+void sk_X509_free(struct stack_st_X509 *);
+int sk_X509_num(struct stack_st_X509 *);
+int sk_X509_push(struct stack_st_X509 *, X509 *);
+X509 *sk_X509_value(struct stack_st_X509 *, int);
+
+X509_EXTENSIONS *sk_X509_EXTENSION_new_null();
+int sk_X509_EXTENSION_num(X509_EXTENSIONS *);
+X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int);
+int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *);
+void sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int);
+void sk_X509_EXTENSION_free(X509_EXTENSIONS *);
+
+int sk_X509_REVOKED_num(struct x509_revoked_st *);
+X509_REVOKED *sk_X509_REVOKED_value(struct x509_revoked_st *, int);
+
+/* These aren't macros these arguments are all const X on openssl > 1.0.x */
+int X509_CRL_set_lastUpdate(X509_CRL *, const ASN1_TIME *);
+int X509_CRL_set_nextUpdate(X509_CRL *, const ASN1_TIME *);
+"""
diff --git a/cryptography/primitives/hashes.py b/cryptography/primitives/hashes.py
index d004c45c..affca564 100644
--- a/cryptography/primitives/hashes.py
+++ b/cryptography/primitives/hashes.py
@@ -70,3 +70,9 @@ class SHA512(BaseHash):
     name = "sha512"
     digest_size = 64
     block_size = 128
+
+
+class RIPEMD160(BaseHash):
+    name = "ripemd160"
+    digest_size = 20
+    block_size = 64
diff --git a/tests/primitives/test_hash_vectors.py b/tests/primitives/test_hash_vectors.py
index d0fe46d1..51c4b85d 100644
--- a/tests/primitives/test_hash_vectors.py
+++ b/tests/primitives/test_hash_vectors.py
@@ -17,7 +17,7 @@ import os
 
 from cryptography.primitives import hashes
 
-from .utils import generate_hash_test
+from .utils import generate_hash_test, generate_long_string_hash_test
 from ..utils import load_hash_vectors_from_file
 
 
@@ -89,3 +89,23 @@ class TestSHA512(object):
         only_if=lambda api: api.supports_hash(hashes.SHA512),
         skip_message="Does not support SHA512",
     )
+
+
+class TestRIPEMD160(object):
+    test_RIPEMD160 = generate_hash_test(
+        load_hash_vectors_from_file,
+        os.path.join("ISO", "ripemd160"),
+        [
+            "ripevectors.txt",
+        ],
+        hashes.RIPEMD160,
+        only_if=lambda api: api.supports_hash(hashes.RIPEMD160),
+        skip_message="Does not support RIPEMD160",
+    )
+
+    test_RIPEMD160_long_string = generate_long_string_hash_test(
+        hashes.RIPEMD160,
+        "52783243c1697bdbe16d37f97f68f08325dc1528",
+        only_if=lambda api: api.supports_hash(hashes.RIPEMD160),
+        skip_message="Does not support RIPEMD160",
+    )
diff --git a/tests/primitives/test_hashes.py b/tests/primitives/test_hashes.py
index 2f2dd1c7..bfb45037 100644
--- a/tests/primitives/test_hashes.py
+++ b/tests/primitives/test_hashes.py
@@ -66,3 +66,13 @@ class TestSHA512(object):
         only_if=lambda api: api.supports_hash(hashes.SHA512),
         skip_message="Does not support SHA512",
     )
+
+
+class TestRIPEMD160(object):
+    test_RIPEMD160 = generate_base_hash_test(
+        hashes.RIPEMD160,
+        digest_size=20,
+        block_size=64,
+        only_if=lambda api: api.supports_hash(hashes.RIPEMD160),
+        skip_message="Does not support RIPEMD160",
+    )
diff --git a/tests/primitives/test_utils.py b/tests/primitives/test_utils.py
index 43ec8a71..9888309e 100644
--- a/tests/primitives/test_utils.py
+++ b/tests/primitives/test_utils.py
@@ -1,6 +1,7 @@
 import pytest
 
-from .utils import encrypt_test, hash_test, base_hash_test
+from .utils import (base_hash_test, encrypt_test, hash_test,
+    long_string_hash_test)
 
 
 class TestEncryptTest(object):
@@ -34,3 +35,14 @@ class TestBaseHashTest(object):
                 skip_message="message!"
             )
         assert exc_info.value.args[0] == "message!"
+
+
+class TestLongHashTest(object):
+    def test_skips_if_only_if_returns_false(self):
+        with pytest.raises(pytest.skip.Exception) as exc_info:
+            long_string_hash_test(
+                None, None, None,
+                only_if=lambda api: False,
+                skip_message="message!"
+            )
+        assert exc_info.value.args[0] == "message!"
diff --git a/tests/primitives/utils.py b/tests/primitives/utils.py
index 0d4c0eb3..8b32700b 100644
--- a/tests/primitives/utils.py
+++ b/tests/primitives/utils.py
@@ -95,3 +95,26 @@ def base_hash_test(api, hash_cls, digest_size, block_size, only_if,
     m_copy = m.copy()
     assert m != m_copy
     assert m._ctx != m_copy._ctx
+
+
+def generate_long_string_hash_test(hash_factory, md, only_if=lambda api: True,
+                                   skip_message=None):
+    def test_long_string_hash(self):
+        for api in _ALL_APIS:
+            yield(
+                long_string_hash_test,
+                api,
+                hash_factory,
+                md,
+                only_if,
+                skip_message
+            )
+    return test_long_string_hash
+
+
+def long_string_hash_test(api, hash_factory, md, only_if, skip_message):
+    if not only_if(api):
+        pytest.skip(skip_message)
+    m = hash_factory(api)
+    m.update(b"a" * 1000000)
+    assert m.hexdigest() == md.lower()