Diffstat (limited to 'src')
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py20
-rw-r--r--src/cryptography/hazmat/backends/openssl/rsa.py5
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py55
3 files changed, 46 insertions, 34 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index db4f963a..5ab46d44 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1577,13 +1577,15 @@ class Backend(object):
if format is serialization.PrivateFormat.PKCS8:
write_bio = self._lib.PEM_write_bio_PKCS8PrivateKey
key = evp_pkey
- elif format is serialization.PrivateFormat.TraditionalOpenSSL:
+ else:
+ assert format is serialization.PrivateFormat.TraditionalOpenSSL
if evp_pkey.type == self._lib.EVP_PKEY_RSA:
write_bio = self._lib.PEM_write_bio_RSAPrivateKey
elif evp_pkey.type == self._lib.EVP_PKEY_DSA:
write_bio = self._lib.PEM_write_bio_DSAPrivateKey
- elif (self._lib.Cryptography_HAS_EC == 1 and
- evp_pkey.type == self._lib.EVP_PKEY_EC):
+ else:
+ assert self._lib.Cryptography_HAS_EC == 1
+ assert evp_pkey.type == self._lib.EVP_PKEY_EC
write_bio = self._lib.PEM_write_bio_ECPrivateKey
key = cdata
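Review bot: The `else:` / `assert` pairs leave an assert as the only guard on which OpenSSL writer is selected, and asserts are removed under `python -O`. In this hunk an `evp_pkey.type` that is neither RSA nor DSA would then reach `PEM_write_bio_ECPrivateKey` with `cdata` of another key type, and an unexpected `format` would be handled as TraditionalOpenSSL; the same pattern recurs in the backend.py hunks at 1602, 1628, 1644 and 1654. Whether `format`, `encoding` and the key type are validated earlier is not visible, because the enclosing method starts outside the hunk. If they are, a comment next to each assert naming that check would make the invariant reviewable; if they are not, keep an explicit test such as `if evp_pkey.type != self._lib.EVP_PKEY_EC: raise ValueError("Unsupported key type")`.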
@@ -1600,7 +1602,8 @@ class Backend(object):
return self._private_key_bytes_traditional_der(
evp_pkey.type, cdata
)
- elif format is serialization.PrivateFormat.PKCS8:
+ else:
+ assert format is serialization.PrivateFormat.PKCS8
write_bio = self._lib.i2d_PKCS8PrivateKey_bio
key = evp_pkey
else:
@@ -1625,7 +1628,8 @@ class Backend(object):
elif (self._lib.Cryptography_HAS_EC == 1 and
key_type == self._lib.EVP_PKEY_EC):
write_bio = self._lib.i2d_ECPrivateKey_bio
- elif key_type == self._lib.EVP_PKEY_DSA:
+ else:
+ assert key_type == self._lib.EVP_PKEY_DSA
write_bio = self._lib.i2d_DSAPrivateKey_bio
bio = self._create_mem_bio()
@@ -1640,7 +1644,8 @@ class Backend(object):
if format is serialization.PublicFormat.SubjectPublicKeyInfo:
if encoding is serialization.Encoding.PEM:
write_bio = self._lib.PEM_write_bio_PUBKEY
- elif encoding is serialization.Encoding.DER:
+ else:
+ assert encoding is serialization.Encoding.DER
write_bio = self._lib.i2d_PUBKEY_bio
key = evp_pkey
@@ -1649,7 +1654,8 @@ class Backend(object):
assert evp_pkey.type == self._lib.EVP_PKEY_RSA
if encoding is serialization.Encoding.PEM:
write_bio = self._lib.PEM_write_bio_RSAPublicKey
- elif encoding is serialization.Encoding.DER:
+ else:
+ assert encoding is serialization.Encoding.DER
write_bio = self._lib.i2d_RSAPublicKey_bio
key = cdata
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 21414c05..822c7304 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -268,8 +268,9 @@ class _RSASignatureContext(object):
self._backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE):
reason = ("Salt length too long for key size. Try using "
"MAX_LENGTH instead.")
- elif (errors[0].reason ==
- self._backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY):
+ else:
+ assert (errors[0].reason ==
+ self._backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY)
reason = "Digest too large for key size. Use a larger key."
assert reason is not None
raise ValueError(reason)
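Review bot: `errors[0].reason` is taken from OpenSSL's error queue, not from a closed set this module defines, so the `else:` plus `assert` turns any third reason code into an AssertionError, or under `python -O` into the misleading "Digest too large for key size" message. Which reason codes can reach this point is not visible, since the method starts outside the hunk. A fallback that reports the code keeps the failure accurate, for example `raise ValueError("Signing failed, OpenSSL reason {0}".format(errors[0].reason))` for the unmatched case.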
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 63e4a177..ee9a3bbf 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -235,7 +235,13 @@ class _X509ExtensionParser(object):
)
else:
d2i = backend._lib.X509V3_EXT_d2i(ext)
- assert d2i != backend._ffi.NULL
+ if d2i == backend._ffi.NULL:
+ backend._consume_errors()
+ raise ValueError(
+ "The {0} extension is invalid and can't be "
+ "parsed".format(oid)
+ )
+
value = handler(backend, d2i)
extensions.append(x509.Extension(oid, critical, value))
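Review bot: The return value of `backend._consume_errors()` is discarded, so the new ValueError names the extension that failed but gives no detail about why, which makes triage of malformed certificates harder. A comment would also tell the next reader why the call is there, e.g. `# d2i failed; clear the OpenSSL error queue before raising so stale errors do not surface in a later call.`, assuming that is what `_consume_errors()` does, which the hunk does not show. The surrounding method starts outside the hunk.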
@@ -384,7 +390,8 @@ def _decode_certificate_policies(backend, cp):
pqi.d.cpsuri.data, pqi.d.cpsuri.length
)[:].decode('ascii')
qualifiers.append(cpsuri)
- elif pqualid == x509.OID_CPS_USER_NOTICE:
+ else:
+ assert pqualid == x509.OID_CPS_USER_NOTICE
user_notice = _decode_user_notice(
backend, pqi.d.usernotice
)
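Review bot: `pqualid` appears to be read from the certificate being parsed, so this assert is reachable by input. A policy qualifier whose id is neither CPS URI nor user notice raises AssertionError, and under `python -O` the code goes on to read `pqi.d.usernotice` for a qualifier of some other type. The X509V3_EXT_d2i hunk earlier in this file replaces an assert on parsed data with a ValueError, and the same treatment fits here: `if pqualid != x509.OID_CPS_USER_NOTICE: raise ValueError("Unsupported policy qualifier {0}".format(pqualid))`. The function body continues outside the hunk.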
@@ -744,35 +751,33 @@ class _CertificateSigningRequest(object):
return self._backend._read_mem_bio(bio)
+_EXTENSION_HANDLERS = {
+ x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
+ x509.OID_SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
+ x509.OID_KEY_USAGE: _decode_key_usage,
+ x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
+ x509.OID_EXTENDED_KEY_USAGE: _decode_extended_key_usage,
+ x509.OID_AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
+ x509.OID_AUTHORITY_INFORMATION_ACCESS: (
+ _decode_authority_information_access
+ ),
+ x509.OID_CERTIFICATE_POLICIES: _decode_certificate_policies,
+ x509.OID_CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
+ x509.OID_OCSP_NO_CHECK: _decode_ocsp_no_check,
+ x509.OID_INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
+ x509.OID_ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
+ x509.OID_NAME_CONSTRAINTS: _decode_name_constraints,
+}
+
+
_CERTIFICATE_EXTENSION_PARSER = _X509ExtensionParser(
ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
- handlers={
- x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
- x509.OID_SUBJECT_KEY_IDENTIFIER: _decode_subject_key_identifier,
- x509.OID_KEY_USAGE: _decode_key_usage,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
- x509.OID_EXTENDED_KEY_USAGE: _decode_extended_key_usage,
- x509.OID_AUTHORITY_KEY_IDENTIFIER: _decode_authority_key_identifier,
- x509.OID_AUTHORITY_INFORMATION_ACCESS: (
- _decode_authority_information_access
- ),
- x509.OID_CERTIFICATE_POLICIES: _decode_certificate_policies,
- x509.OID_CRL_DISTRIBUTION_POINTS: _decode_crl_distribution_points,
- x509.OID_OCSP_NO_CHECK: _decode_ocsp_no_check,
- x509.OID_INHIBIT_ANY_POLICY: _decode_inhibit_any_policy,
- x509.OID_ISSUER_ALTERNATIVE_NAME: _decode_issuer_alt_name,
- x509.OID_NAME_CONSTRAINTS: _decode_name_constraints,
- }
+ handlers=_EXTENSION_HANDLERS
)
_CSR_EXTENSION_PARSER = _X509ExtensionParser(
ext_count=lambda backend, x: backend._lib.sk_X509_EXTENSION_num(x),
get_ext=lambda backend, x, i: backend._lib.sk_X509_EXTENSION_value(x, i),
- handlers={
- x509.OID_BASIC_CONSTRAINTS: _decode_basic_constraints,
- x509.OID_KEY_USAGE: _decode_key_usage,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _decode_subject_alt_name,
- x509.OID_EXTENDED_KEY_USAGE: _decode_extended_key_usage,
- }
+ handlers=_EXTENSION_HANDLERS
)
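Review bot: `_CSR_EXTENSION_PARSER` previously decoded four extension types and now receives all thirteen handlers, so a CSR, which is typically requester-supplied, is parsed by nine more decoders than before, and nothing in the hunk records that this is intended. Both parsers are also handed the same dict object, so a later change to one parser's handlers would apply to the other unless `_X509ExtensionParser` copies it, which is not visible here. A comment above the table would state the intent, for example `# Shared by the certificate and CSR parsers; adding an entry enables that extension for both.`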