7 files changed, 127 insertions, 12 deletions

diff --git a/src/cryptography/hazmat/bindings/openssl/asn1.py b/src/cryptography/hazmat/bindings/openssl/asn1.py
index 5b1a56f2..d8b8331e 100644
--- a/src/cryptography/hazmat/bindings/openssl/asn1.py
+++ b/src/cryptography/hazmat/bindings/openssl/asn1.py
@@ -99,7 +99,10 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *,
                                                    ASN1_GENERALIZEDTIME **);
 
 /*  ASN1 UTCTIME */
+ASN1_UTCTIME *ASN1_UTCTIME_new(void);
+void ASN1_UTCTIME_free(ASN1_UTCTIME *);
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *, time_t);
+ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *, time_t);
 
 /*  ASN1 GENERALIZEDTIME */
 int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *, const char *);
@@ -124,6 +127,7 @@ int ASN1_TIME_print(BIO *, ASN1_TIME *);
 int ASN1_STRING_length(ASN1_STRING *);
 ASN1_STRING *ASN1_STRING_dup(ASN1_STRING *);
 int ASN1_STRING_cmp(ASN1_STRING *, ASN1_STRING *);
+int ASN1_UTCTIME_print(BIO *, ASN1_UTCTIME *);
 
 ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *);
 int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *, ASN1_OCTET_STRING *);
@@ -137,6 +141,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *, ASN1_INTEGER *);
 
 /* These isn't a macro the arg is const on openssl 1.0.2+ */
 int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *);
+int ASN1_UTCTIME_check(ASN1_UTCTIME *);
 
 /* Not a macro, const on openssl 1.0 */
 int ASN1_STRING_set_default_mask_asc(char *);
diff --git a/src/cryptography/hazmat/bindings/openssl/cms.py b/src/cryptography/hazmat/bindings/openssl/cms.py
index 7cbedf44..a43df5d9 100644
--- a/src/cryptography/hazmat/bindings/openssl/cms.py
+++ b/src/cryptography/hazmat/bindings/openssl/cms.py
@@ -25,6 +25,27 @@ typedef ... CMS_RevocationInfoChoice;
 typedef ... CMS_RecipientInfo;
 typedef ... CMS_ReceiptRequest;
 typedef ... CMS_Receipt;
+
+static const int CMS_TEXT;
+static const int CMS_NOCERTS;
+static const int CMS_NO_CONTENT_VERIFY;
+static const int CMS_NO_ATTR_VERIFY;
+static const int CMS_NOSIGS;
+static const int CMS_NOINTERN;
+static const int CMS_NO_SIGNER_CERT_VERIFY;
+static const int CMS_NOVERIFY;
+static const int CMS_DETACHED;
+static const int CMS_BINARY;
+static const int CMS_NOATTR;
+static const int CMS_NOSMIMECAP;
+static const int CMS_NOOLDMIMETYPE;
+static const int CMS_CRLFEOL;
+static const int CMS_STREAM;
+static const int CMS_NOCRL;
+static const int CMS_PARTIAL;
+static const int CMS_REUSE_DIGEST;
+static const int CMS_USE_KEYID;
+static const int CMS_DEBUG_DECRYPT;
 """
 
 FUNCTIONS = """
@@ -59,6 +80,26 @@ typedef void CMS_RevocationInfoChoice;
 typedef void CMS_RecipientInfo;
 typedef void CMS_ReceiptRequest;
 typedef void CMS_Receipt;
+const long CMS_TEXT = 0;
+const long CMS_NOCERTS = 0;
+const long CMS_NO_CONTENT_VERIFY = 0;
+const long CMS_NO_ATTR_VERIFY = 0;
+const long CMS_NOSIGS = 0;
+const long CMS_NOINTERN = 0;
+const long CMS_NO_SIGNER_CERT_VERIFY = 0;
+const long CMS_NOVERIFY = 0;
+const long CMS_DETACHED = 0;
+const long CMS_BINARY = 0;
+const long CMS_NOATTR = 0;
+const long CMS_NOSMIMECAP = 0;
+const long CMS_NOOLDMIMETYPE = 0;
+const long CMS_CRLFEOL = 0;
+const long CMS_STREAM = 0;
+const long CMS_NOCRL = 0;
+const long CMS_PARTIAL = 0;
+const long CMS_REUSE_DIGEST = 0;
+const long CMS_USE_KEYID = 0;
+const long CMS_DEBUG_DECRYPT = 0;
 BIO *(*BIO_new_CMS)(BIO *, CMS_ContentInfo *) = NULL;
 int (*i2d_CMS_bio_stream)(BIO *, CMS_ContentInfo *, BIO *, int) = NULL;
 int (*PEM_write_bio_CMS_stream)(BIO *, CMS_ContentInfo *, BIO *, int) = NULL;
@@ -87,5 +128,25 @@ CONDITIONAL_NAMES = {
         "CMS_encrypt",
         "CMS_decrypt",
         "CMS_add1_signer",
+        "CMS_TEXT",
+        "CMS_NOCERTS",
+        "CMS_NO_CONTENT_VERIFY",
+        "CMS_NO_ATTR_VERIFY",
+        "CMS_NOSIGS",
+        "CMS_NOINTERN",
+        "CMS_NO_SIGNER_CERT_VERIFY",
+        "CMS_NOVERIFY",
+        "CMS_DETACHED",
+        "CMS_BINARY",
+        "CMS_NOATTR",
+        "CMS_NOSMIMECAP",
+        "CMS_NOOLDMIMETYPE",
+        "CMS_CRLFEOL",
+        "CMS_STREAM",
+        "CMS_NOCRL",
+        "CMS_PARTIAL",
+        "CMS_REUSE_DIGEST",
+        "CMS_USE_KEYID",
+        "CMS_DEBUG_DECRYPT",
     ]
 }
diff --git a/src/cryptography/hazmat/bindings/openssl/evp.py b/src/cryptography/hazmat/bindings/openssl/evp.py
index 29590579..f00c2f0d 100644
--- a/src/cryptography/hazmat/bindings/openssl/evp.py
+++ b/src/cryptography/hazmat/bindings/openssl/evp.py
@@ -91,6 +91,12 @@ int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int,
                     EVP_PKEY *);
 
 const EVP_MD *EVP_md5(void);
+const EVP_MD *EVP_sha1(void);
+const EVP_MD *EVP_ripemd160(void);
+const EVP_MD *EVP_sha224(void);
+const EVP_MD *EVP_sha256(void);
+const EVP_MD *EVP_sha384(void);
+const EVP_MD *EVP_sha512(void);
 
 int PKCS5_PBKDF2_HMAC_SHA1(const char *, int, const unsigned char *, int, int,
                            int, unsigned char *);
@@ -219,7 +225,6 @@ int (*EVP_PKEY_assign_EC_KEY)(EVP_PKEY *, EC_KEY *) = NULL;
 EC_KEY *(*EVP_PKEY_get1_EC_KEY)(EVP_PKEY *) = NULL;
 int (*EVP_PKEY_set1_EC_KEY)(EVP_PKEY *, EC_KEY *) = NULL;
 #endif
-
 """
 
 CONDITIONAL_NAMES = {
diff --git a/src/cryptography/hazmat/bindings/openssl/nid.py b/src/cryptography/hazmat/bindings/openssl/nid.py
index 8d83c1e1..a025d3b4 100644
--- a/src/cryptography/hazmat/bindings/openssl/nid.py
+++ b/src/cryptography/hazmat/bindings/openssl/nid.py
@@ -201,6 +201,17 @@ static const int NID_any_policy;
 static const int NID_policy_mappings;
 static const int NID_target_information;
 static const int NID_no_rev_avail;
+
+static const int NID_commonName;
+static const int NID_countryName;
+static const int NID_localityName;
+static const int NID_stateOrProvinceName;
+static const int NID_organizationName;
+static const int NID_organizationalUnitName;
+static const int NID_serialNumber;
+static const int NID_surname;
+static const int NID_givenName;
+static const int NID_pkcs9_emailAddress;
 """
 
 FUNCTIONS = """
diff --git a/src/cryptography/hazmat/bindings/openssl/x509.py b/src/cryptography/hazmat/bindings/openssl/x509.py
index a6e1cb63..f51b0e59 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509.py
@@ -140,6 +140,8 @@ int X509_EXTENSION_get_critical(X509_EXTENSION *);
 ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *);
 void X509_EXTENSION_free(X509_EXTENSION *);
 
+int i2d_X509(X509 *, unsigned char **);
+
 int X509_REQ_set_version(X509_REQ *, long);
 X509_REQ *X509_REQ_new(void);
 void X509_REQ_free(X509_REQ *);
@@ -257,6 +259,8 @@ int i2d_DSAPrivateKey(DSA *, unsigned char **);
 /* These aren't macros these arguments are all const X on openssl > 1.0.x */
 int X509_CRL_set_lastUpdate(X509_CRL *, ASN1_TIME *);
 int X509_CRL_set_nextUpdate(X509_CRL *, ASN1_TIME *);
+int X509_set_notBefore(X509 *, ASN1_UTCTIME *);
+int X509_set_notAfter(X509 *, ASN1_UTCTIME *);
 
 /* These use STACK_OF(X509_EXTENSION) in 0.9.8e. Once we drop support for
    RHEL/CentOS 5 we should move these back to FUNCTIONS. */
diff --git a/src/cryptography/hazmat/bindings/openssl/x509name.py b/src/cryptography/hazmat/bindings/openssl/x509name.py
index 9863c195..bda92eb7 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509name.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509name.py
@@ -20,6 +20,9 @@ typedef ... Cryptography_STACK_OF_X509_NAME;
 """
 
 FUNCTIONS = """
+X509_NAME *X509_NAME_new(void);
+void X509_NAME_free(X509_NAME *);
+
 int X509_NAME_entry_count(X509_NAME *);
 X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *, int);
 ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *);
@@ -37,7 +40,6 @@ int X509_NAME_get_index_by_NID(X509_NAME *, int, int);
 int X509_NAME_cmp(const X509_NAME *, const X509_NAME *);
 char *X509_NAME_oneline(X509_NAME *, char *, int);
 X509_NAME *X509_NAME_dup(X509_NAME *);
-void X509_NAME_free(X509_NAME *);
 """
 
 MACROS = """
diff --git a/src/cryptography/hazmat/primitives/serialization.py b/src/cryptography/hazmat/primitives/serialization.py
index 0dbbc85c..9d384fc7 100644
--- a/src/cryptography/hazmat/primitives/serialization.py
+++ b/src/cryptography/hazmat/primitives/serialization.py
@@ -10,6 +10,9 @@ import warnings
 
 from cryptography import utils
 from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat.primitives.asymmetric.dsa import (
+    DSAParameterNumbers, DSAPublicNumbers
+)
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
 
 
@@ -55,19 +58,23 @@ def load_ssh_public_key(data, backend):
     key_type = key_parts[0]
     key_body = key_parts[1]
 
-    if not key_type.startswith(b'ssh-'):
-        raise ValueError('SSH-formatted keys must begin with \'ssh-\'.')
+    try:
+        decoded_data = base64.b64decode(key_body)
+    except TypeError:
+        raise ValueError('Key is not in the proper format.')
 
-    if not key_type.startswith(b'ssh-rsa'):
-        raise UnsupportedAlgorithm('Only RSA keys are currently supported.')
+    if key_type == b'ssh-rsa':
+        return _load_ssh_rsa_public_key(decoded_data, backend)
+    elif key_type == b'ssh-dss':
+        return _load_ssh_dss_public_key(decoded_data, backend)
+    else:
+        raise UnsupportedAlgorithm(
+            'Only RSA and DSA keys are currently supported.'
+        )
 
-    return _load_ssh_rsa_public_key(key_body, backend)
 
-
-def _load_ssh_rsa_public_key(key_body, backend):
-    data = base64.b64decode(key_body)
-
-    key_type, rest = _read_next_string(data)
+def _load_ssh_rsa_public_key(decoded_data, backend):
+    key_type, rest = _read_next_string(decoded_data)
     e, rest = _read_next_mpint(rest)
     n, rest = _read_next_mpint(rest)
 
@@ -81,6 +88,26 @@ def _load_ssh_rsa_public_key(key_body, backend):
     return backend.load_rsa_public_numbers(RSAPublicNumbers(e, n))
 
 
+def _load_ssh_dss_public_key(decoded_data, backend):
+    key_type, rest = _read_next_string(decoded_data)
+    p, rest = _read_next_mpint(rest)
+    q, rest = _read_next_mpint(rest)
+    g, rest = _read_next_mpint(rest)
+    y, rest = _read_next_mpint(rest)
+
+    if key_type != b'ssh-dss':
+        raise ValueError(
+            'Key header and key body contain different key type values.')
+
+    if rest:
+        raise ValueError('Key body contains extra bytes.')
+
+    parameter_numbers = DSAParameterNumbers(p, q, g)
+    public_numbers = DSAPublicNumbers(y, parameter_numbers)
+
+    return backend.load_dsa_public_numbers(public_numbers)
+
+
 def _read_next_string(data):
     """Retrieves the next RFC 4251 string value from the data."""
     str_len, = struct.unpack('>I', data[:4])