5 files changed, 115 insertions, 3 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index dd2aba65..42ca138d 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -269,6 +269,10 @@ class _Certificate(object):
                 value = self._build_subject_alt_name(ext)
             elif oid == x509.OID_EXTENDED_KEY_USAGE:
                 value = self._build_extended_key_usage(ext)
+            elif oid == x509.OID_AUTHORITY_KEY_IDENTIFIER:
+                value = self._build_authority_key_identifier(ext)
+            elif oid == x509.OID_AUTHORITY_INFORMATION_ACCESS:
+                value = self._build_authority_information_access(ext)
             elif critical:
                 raise x509.UnsupportedExtension(
                     "{0} is not currently supported".format(oid), oid
@@ -321,6 +325,66 @@ class _Certificate(object):
             self._backend._ffi.buffer(asn1_string.data, asn1_string.length)[:]
         )
 
+    def _build_authority_key_identifier(self, ext):
+        akid = self._backend._lib.X509V3_EXT_d2i(ext)
+        assert akid != self._backend._ffi.NULL
+        akid = self._backend._ffi.cast("AUTHORITY_KEYID *", akid)
+        akid = self._backend._ffi.gc(
+            akid, self._backend._lib.AUTHORITY_KEYID_free
+        )
+        key_identifier = None
+        authority_cert_issuer = None
+        authority_cert_serial_number = None
+
+        if akid.keyid != self._backend._ffi.NULL:
+            key_identifier = self._backend._ffi.buffer(
+                akid.keyid.data, akid.keyid.length
+            )[:]
+
+        if akid.issuer != self._backend._ffi.NULL:
+            authority_cert_issuer = []
+
+            num = self._backend._lib.sk_GENERAL_NAME_num(akid.issuer)
+            for i in range(num):
+                gn = self._backend._lib.sk_GENERAL_NAME_value(akid.issuer, i)
+                assert gn != self._backend._ffi.NULL
+                value = _build_general_name(self._backend, gn)
+
+                authority_cert_issuer.append(value)
+
+        if akid.serial != self._backend._ffi.NULL:
+            bn = self._backend._lib.ASN1_INTEGER_to_BN(
+                akid.serial, self._backend._ffi.NULL
+            )
+            assert bn != self._backend._ffi.NULL
+            bn = self._backend._ffi.gc(bn, self._backend._lib.BN_free)
+            authority_cert_serial_number = self._backend._bn_to_int(bn)
+
+        return x509.AuthorityKeyIdentifier(
+            key_identifier, authority_cert_issuer, authority_cert_serial_number
+        )
+
+    def _build_authority_information_access(self, ext):
+        aia = self._backend._lib.X509V3_EXT_d2i(ext)
+        assert aia != self._backend._ffi.NULL
+        aia = self._backend._ffi.cast(
+            "Cryptography_STACK_OF_ACCESS_DESCRIPTION *", aia
+        )
+        aia = self._backend._ffi.gc(
+            aia, self._backend._lib.sk_ACCESS_DESCRIPTION_free
+        )
+        num = self._backend._lib.sk_ACCESS_DESCRIPTION_num(aia)
+        access_descriptions = []
+        for i in range(num):
+            ad = self._backend._lib.sk_ACCESS_DESCRIPTION_value(aia, i)
+            assert ad.method != self._backend._ffi.NULL
+            oid = x509.ObjectIdentifier(_obj2txt(self._backend, ad.method))
+            assert ad.location != self._backend._ffi.NULL
+            gn = _build_general_name(self._backend, ad.location)
+            access_descriptions.append(x509.AccessDescription(oid, gn))
+
+        return x509.AuthorityInformationAccess(access_descriptions)
+
     def _build_key_usage(self, ext):
         bit_string = self._backend._lib.X509V3_EXT_d2i(ext)
         assert bit_string != self._backend._ffi.NULL
diff --git a/src/cryptography/hazmat/bindings/openssl/ssl.py b/src/cryptography/hazmat/bindings/openssl/ssl.py
index 4a824ae5..fd719c52 100644
--- a/src/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/src/cryptography/hazmat/bindings/openssl/ssl.py
@@ -22,6 +22,7 @@ static const long Cryptography_HAS_SECURE_RENEGOTIATION;
 static const long Cryptography_HAS_COMPRESSION;
 static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB;
 static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP;
+static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE;
 
 /* Internally invented symbol to tell us if SNI is supported */
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -164,6 +165,7 @@ const char *SSL_state_string_long(const SSL *);
 SSL_SESSION *SSL_get1_session(SSL *);
 int SSL_set_session(SSL *, SSL_SESSION *);
 int SSL_get_verify_mode(const SSL *);
+void SSL_set_verify(SSL *, int, int (*)(int, X509_STORE_CTX *));
 void SSL_set_verify_depth(SSL *, int);
 int SSL_get_verify_depth(const SSL *);
 int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *);
@@ -325,6 +327,8 @@ void SSL_CTX_set_tlsext_servername_callback(
    is fraught with peril thanks to OS distributions we check some constants
    to determine if they are supported or not */
 long SSL_set_tlsext_status_ocsp_resp(SSL *, unsigned char *, int);
+long SSL_get_tlsext_status_ocsp_resp(SSL *, const unsigned char **);
+long SSL_set_tlsext_status_type(SSL *, long);
 long SSL_CTX_set_tlsext_status_cb(SSL_CTX *, int(*)(SSL *, void *));
 
 long SSL_session_reused(SSL *);
@@ -434,6 +438,14 @@ static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP = 1;
 #else
 static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP = 0;
 long (*SSL_set_tlsext_status_ocsp_resp)(SSL *, unsigned char *, int) = NULL;
+long (*SSL_get_tlsext_status_ocsp_resp)(SSL *, const unsigned char **) = NULL;
+#endif
+
+#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE
+static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE = 1;
+#else
+static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE = 0;
+long (*SSL_set_tlsext_status_type)(SSL *, long) = NULL;
 #endif
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
@@ -620,6 +632,11 @@ CONDITIONAL_NAMES = {
 
     "Cryptography_HAS_STATUS_REQ_OCSP_RESP": [
         "SSL_set_tlsext_status_ocsp_resp",
+        "SSL_get_tlsext_status_ocsp_resp",
+    ],
+
+    "Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE": [
+        "SSL_set_tlsext_status_type",
     ],
 
     "Cryptography_HAS_RELEASE_BUFFERS": [
diff --git a/src/cryptography/hazmat/bindings/openssl/x509_vfy.py b/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
index 1f75b86f..02631409 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509_vfy.py
@@ -29,9 +29,23 @@ static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE;
 typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
 
 typedef ... X509_STORE;
-typedef ... X509_STORE_CTX;
 typedef ... X509_VERIFY_PARAM;
 
+typedef struct x509_store_ctx_st X509_STORE_CTX;
+struct x509_store_ctx_st {
+    X509_STORE *ctx;
+    int current_method;
+    X509 *cert;
+    Cryptography_STACK_OF_X509 *untrusted;
+    Cryptography_STACK_OF_X509_CRL *crls;
+    X509_VERIFY_PARAM *param;
+    void *other_ctx;
+    int (*verify)(X509_STORE_CTX *);
+    int (*verify_cb)(int, X509_STORE_CTX *);
+    int (*get_issuer)(X509 **, X509_STORE_CTX *, X509 *);
+    ...;
+};
+
 /* While these are defined in the source as ints, they're tagged here
    as longs, just in case they ever grow to large, such as what we saw
    with OP_ALL. */
diff --git a/src/cryptography/hazmat/bindings/openssl/x509v3.py b/src/cryptography/hazmat/bindings/openssl/x509v3.py
index 28dd7f32..c2b6860f 100644
--- a/src/cryptography/hazmat/bindings/openssl/x509v3.py
+++ b/src/cryptography/hazmat/bindings/openssl/x509v3.py
@@ -19,9 +19,12 @@ typedef LHASH_OF(CONF_VALUE) Cryptography_LHASH_OF_CONF_VALUE;
 #else
 typedef LHASH Cryptography_LHASH_OF_CONF_VALUE;
 #endif
+typedef STACK_OF(ACCESS_DESCRIPTION) Cryptography_STACK_OF_ACCESS_DESCRIPTION;
 """
 
 TYPES = """
+typedef ... Cryptography_STACK_OF_ACCESS_DESCRIPTION;
+
 typedef struct {
     X509 *issuer_cert;
     X509 *subject_cert;
@@ -92,6 +95,11 @@ typedef struct {
     ASN1_INTEGER *serial;
 } AUTHORITY_KEYID;
 
+typedef struct {
+    ASN1_OBJECT *method;
+    GENERAL_NAME *location;
+} ACCESS_DESCRIPTION;
+
 typedef ... Cryptography_LHASH_OF_CONF_VALUE;
 """
 
@@ -109,11 +117,20 @@ MACROS = """
 /* This is a macro defined by a call to DECLARE_ASN1_FUNCTIONS in the
    x509v3.h header. */
 void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *);
+/* This is a macro defined by a call to DECLARE_ASN1_FUNCTIONS in the
+   x509v3.h header. */
+void AUTHORITY_KEYID_free(AUTHORITY_KEYID *);
 void *X509V3_set_ctx_nodb(X509V3_CTX *);
 int sk_GENERAL_NAME_num(struct stack_st_GENERAL_NAME *);
 int sk_GENERAL_NAME_push(struct stack_st_GENERAL_NAME *, GENERAL_NAME *);
 GENERAL_NAME *sk_GENERAL_NAME_value(struct stack_st_GENERAL_NAME *, int);
 
+int sk_ACCESS_DESCRIPTION_num(Cryptography_STACK_OF_ACCESS_DESCRIPTION *);
+ACCESS_DESCRIPTION *sk_ACCESS_DESCRIPTION_value(
+    Cryptography_STACK_OF_ACCESS_DESCRIPTION *, int
+);
+void sk_ACCESS_DESCRIPTION_free(Cryptography_STACK_OF_ACCESS_DESCRIPTION *);
+
 X509_EXTENSION *X509V3_EXT_conf_nid(Cryptography_LHASH_OF_CONF_VALUE *,
                                     X509V3_CTX *, int, char *);
 
diff --git a/src/cryptography/hazmat/primitives/kdf/hkdf.py b/src/cryptography/hazmat/primitives/kdf/hkdf.py
index 65b7091a..f738bbdc 100644
--- a/src/cryptography/hazmat/primitives/kdf/hkdf.py
+++ b/src/cryptography/hazmat/primitives/kdf/hkdf.py
@@ -26,7 +26,7 @@ class HKDF(object):
 
         self._algorithm = algorithm
 
-        if not isinstance(salt, bytes) and salt is not None:
+        if not (salt is None or isinstance(salt, bytes)):
             raise TypeError("salt must be bytes.")
 
         if salt is None:
@@ -77,7 +77,7 @@ class HKDFExpand(object):
 
         self._length = length
 
-        if not isinstance(info, bytes) and info is not None:
+        if not (info is None or isinstance(info, bytes)):
             raise TypeError("info must be bytes.")
 
         if info is None: