Diffstat (limited to 'src')
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py2
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py15
-rw-r--r--src/cryptography/hazmat/primitives/asymmetric/key_exchange.py18
-rw-r--r--src/cryptography/utils.py14
4 files changed, 41 insertions, 8 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index b45c8986..06db6f22 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -235,7 +235,7 @@ def _encode_basic_constraints(backend, basic_constraints):
constraints, backend._lib.BASIC_CONSTRAINTS_free
)
constraints.ca = 255 if basic_constraints.ca else 0
- if basic_constraints.ca:
+ if basic_constraints.ca and basic_constraints.path_length is not None:
constraints.pathlen = _encode_asn1_int(
backend, basic_constraints.path_length
)
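Review bot: The new `path_length is not None` guard in `_encode_basic_constraints` deserves a comment, because skipping the `constraints.pathlen` assignment for a CA presumably means no pathLenConstraint is encoded, so the chain depth below that CA is unlimited. A line such as `# path_length=None: omit pathLenConstraint (no limit on chain depth below this CA)` above the `if` would make that explicit. The function begins and ends outside this hunk, so it is not visible here whether `ca=False` combined with a non-None path length is rejected earlier.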
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 073dfb1e..7ca4850d 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -68,7 +68,9 @@ def _decode_general_names(backend, gns):
def _decode_general_name(backend, gn):
if gn.type == backend._lib.GEN_DNS:
data = backend._asn1_string_to_bytes(gn.d.dNSName)
- if data.startswith(b"*."):
+ if not data:
+ decoded = u""
+ elif data.startswith(b"*."):
# This is a wildcard name. We need to remove the leading wildcard,
# IDNA decode, then re-add the wildcard. Wildcard characters should
# always be left-most (RFC 2595 section 2.4).
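Review bot: The `if not data` guard handles a zero-length dNSName, but a name consisting only of `*.` still reaches the wildcard branch, whose body lies outside this hunk. If that branch IDNA-decodes `data[2:]` as its comment describes, it would receive the same empty input this hunk guards against. Consider covering that case as well, for example by raising a `ValueError` that names the malformed subjectAltName entry. A comment on the new branch such as `# Empty dNSName: idna decoding rejects empty input, so map it to u"" explicitly` would record why it exists.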
@@ -86,7 +88,10 @@ def _decode_general_name(backend, gn):
elif gn.type == backend._lib.GEN_URI:
data = backend._asn1_string_to_ascii(gn.d.uniformResourceIdentifier)
parsed = urllib_parse.urlparse(data)
- hostname = idna.decode(parsed.hostname)
+ if parsed.hostname:
+ hostname = idna.decode(parsed.hostname)
+ else:
+ hostname = ""
if parsed.port:
netloc = hostname + u":" + six.text_type(parsed.port)
else:
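Review bot: `hostname = ""` in the new `else` branch is a native `str`, while the DNS branch of this function uses `u""` and the next line concatenates with `u":"`. Unless the module enables `unicode_literals` (not visible here), this works on Python 2 only through implicit ASCII coercion. Writing `hostname = u""` keeps the text type consistent. Separately, `idna.decode(parsed.hostname)` can presumably still raise on a non-empty but malformed host taken from a certificate, which the hunk does not handle. The function continues outside the hunk.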
@@ -269,7 +274,11 @@ class _Certificate(object):
def public_key(self):
pkey = self._backend._lib.X509_get_pubkey(self._x509)
- self._backend.openssl_assert(pkey != self._backend._ffi.NULL)
+ if pkey == self._backend._ffi.NULL:
+ # Remove errors from the stack.
+ self._backend._consume_errors()
+ raise ValueError("Certificate public key is of an unknown type")
+
pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
return self._backend._evp_pkey_to_public_key(pkey)
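Review bot: The new `ValueError` in `public_key` says the key "is of an unknown type", but a NULL return from `X509_get_pubkey` may also come from a malformed key encoding. The `_consume_errors()` call discards the OpenSSL error queue that could tell the two apart. A broader message avoids misleading whoever triages a bad certificate, e.g. `raise ValueError("Certificate public key could not be parsed or is of an unknown type")`. The method has no docstring in the visible lines, so adding one that names the `ValueError` would tell callers who process untrusted certificates to catch it.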
diff --git a/src/cryptography/hazmat/primitives/asymmetric/key_exchange.py b/src/cryptography/hazmat/primitives/asymmetric/key_exchange.py
new file mode 100644
index 00000000..a9846e28
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/asymmetric/key_exchange.py
@@ -0,0 +1,18 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class KeyExchangeContext(object):
+ @abc.abstractmethod
+ def agree(self, public_key):
+ """
+ Returns the agreed key material.
+ """
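Review bot: The `agree` docstring does not say what `public_key` is or what form the result takes, which matters for an abstract interface that every implementation must follow. I would state that `public_key` is the peer's public key and that the return value is the raw shared secret as bytes. If it matches the intent, also say that callers should pass the result through a key derivation function instead of using it directly as a key. Documenting which exception an incompatible or invalid peer key raises would help keep implementations consistent.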
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
index 237d5968..dac4046d 100644
--- a/src/cryptography/utils.py
+++ b/src/cryptography/utils.py
@@ -58,6 +58,12 @@ class InterfaceNotImplemented(Exception):
pass
+if hasattr(inspect, "signature"):
+ signature = inspect.signature
+else:
+ signature = inspect.getargspec
+
+
def verify_interface(iface, klass):
for method in iface.__abstractmethods__:
if not hasattr(klass, method):
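Review bot: The module-level name `signature` added above `verify_interface` reads like public API of `cryptography.utils` and has no comment explaining the fallback. A private name with a short comment would be clearer, e.g. `# inspect.getargspec is deprecated on Python 3; prefer inspect.signature when available` followed by `_signature = inspect.signature`. The two callables return different types, which is fine only because each comparison uses the same one for both sides, and that is worth stating in the comment too. The body of `verify_interface` continues outside this hunk.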
@@ -67,13 +73,13 @@ def verify_interface(iface, klass):
if isinstance(getattr(iface, method), abc.abstractproperty):
# Can't properly verify these yet.
continue
- spec = inspect.getargspec(getattr(iface, method))
- actual = inspect.getargspec(getattr(klass, method))
- if spec != actual:
+ sig = signature(getattr(iface, method))
+ actual = signature(getattr(klass, method))
+ if sig != actual:
raise InterfaceNotImplemented(
"{0}.{1}'s signature differs from the expected. Expected: "
"{2!r}. Received: {3!r}".format(
- klass, method, spec, actual
+ klass, method, sig, actual
)
)
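Review bot: Now that `sig` and `actual` may be `inspect.Signature` objects, the `{2!r}` and `{3!r}` fields in the `InterfaceNotImplemented` message may render as opaque object reprs on older Python 3 releases, so the message would no longer show how the signatures differ. Using `{2}` and `{3}` prints the parameter list for a `Signature` and leaves the output for the `getargspec` namedtuple unchanged. Also note that `inspect.signature` can raise `ValueError` or `TypeError` for callables it cannot introspect, and this loop does not catch either. Whether that can happen for the interfaces checked here is not visible from the hunk.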