6 files changed, 53 insertions, 8 deletions
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index defa69d3..c856e3d9 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -79,7 +79,6 @@ ffi = build_ffi_for_binding(
         "objects",
         "opensslv",
         "pem",
-        "pkcs7",
         "pkcs12",
         "rand",
         "rsa",
@@ -87,7 +86,8 @@ ffi = build_ffi_for_binding(
         "x509",
         "x509name",
         "x509v3",
-        "x509_vfy"
+        "x509_vfy",
+        "pkcs7",
     ],
     pre_include=_OSX_PRE_INCLUDE,
     post_include=_OSX_POST_INCLUDE,
diff --git a/src/_cffi_src/openssl/pkcs7.py b/src/_cffi_src/openssl/pkcs7.py
index 5d6ee45f..0dd89582 100644
--- a/src/_cffi_src/openssl/pkcs7.py
+++ b/src/_cffi_src/openssl/pkcs7.py
@@ -10,7 +10,33 @@ INCLUDES = """
 
 TYPES = """
 typedef struct {
+    Cryptography_STACK_OF_X509 *cert;
+    Cryptography_STACK_OF_X509_CRL *crl;
+    ...;
+} PKCS7_SIGNED;
+
+typedef struct {
+    Cryptography_STACK_OF_X509 *cert;
+    Cryptography_STACK_OF_X509_CRL *crl;
+    ...;
+} PKCS7_SIGN_ENVELOPE;
+
+typedef ... PKCS7_DIGEST;
+typedef ... PKCS7_ENCRYPT;
+typedef ... PKCS7_ENVELOPE;
+
+typedef struct {
     ASN1_OBJECT *type;
+    union {
+        char *ptr;
+        ASN1_OCTET_STRING *data;
+        PKCS7_SIGNED *sign;
+        PKCS7_ENVELOPE *enveloped;
+        PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
+        PKCS7_DIGEST *digest;
+        PKCS7_ENCRYPT *encrypted;
+        ASN1_TYPE *other;
+     } d;
     ...;
 } PKCS7;
 
@@ -44,13 +70,17 @@ Cryptography_STACK_OF_X509 *PKCS7_get0_signers(PKCS7 *,
 PKCS7 *PKCS7_encrypt(Cryptography_STACK_OF_X509 *, BIO *,
                      const EVP_CIPHER *, int);
 int PKCS7_decrypt(PKCS7 *, EVP_PKEY *, X509 *, BIO *, int);
+
+BIO *PKCS7_dataInit(PKCS7 *, BIO *);
 """
 
 MACROS = """
+int PKCS7_type_is_encrypted(PKCS7 *);
 int PKCS7_type_is_signed(PKCS7 *);
 int PKCS7_type_is_enveloped(PKCS7 *);
 int PKCS7_type_is_signedAndEnveloped(PKCS7 *);
 int PKCS7_type_is_data(PKCS7 *);
+int PKCS7_type_is_digest(PKCS7 *);
 """
 
 CUSTOMIZATIONS = ""
diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py
index 84e49640..8e163dc2 100644
--- a/src/_cffi_src/openssl/x509v3.py
+++ b/src/_cffi_src/openssl/x509v3.py
@@ -202,6 +202,8 @@ void OTHERNAME_free(OTHERNAME *);
 void *X509V3_set_ctx_nodb(X509V3_CTX *);
 
 int i2d_GENERAL_NAMES(GENERAL_NAMES *, unsigned char **);
+GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **, const unsigned char **,
+                                 long);
 
 int i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *, unsigned char **);
 
diff --git a/src/cryptography/hazmat/backends/interfaces.py b/src/cryptography/hazmat/backends/interfaces.py
index a43621a7..d93968cf 100644
--- a/src/cryptography/hazmat/backends/interfaces.py
+++ b/src/cryptography/hazmat/backends/interfaces.py
@@ -212,7 +212,7 @@ class EllipticCurveBackend(object):
     @abc.abstractmethod
     def load_elliptic_curve_private_numbers(self, numbers):
         """
-        Return an EllipticCurvePublicKey provider using the given numbers.
+        Return an EllipticCurvePrivateKey provider using the given numbers.
         """
 
 
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index ac025e95..0d3b3dd4 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1776,9 +1776,13 @@ class Backend(object):
             self.openssl_assert(res == 1)
 
             res = self._lib.BN_cmp(bn_x, check_x)
-            self.openssl_assert(res == 0)
+            if res != 0:
+                self._consume_errors()
+                raise ValueError("Invalid EC Key X point.")
             res = self._lib.BN_cmp(bn_y, check_y)
-            self.openssl_assert(res == 0)
+            if res != 0:
+                self._consume_errors()
+                raise ValueError("Invalid EC Key Y point.")
 
         res = self._lib.EC_KEY_set_public_key(ctx, point)
         self.openssl_assert(res == 1)
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 80f32e29..2de5a8c7 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -64,7 +64,9 @@ def _decode_general_names(backend, gns):
 def _decode_general_name(backend, gn):
     if gn.type == backend._lib.GEN_DNS:
         data = backend._asn1_string_to_bytes(gn.d.dNSName)
-        if data.startswith(b"*."):
+        if not data:
+            decoded = u""
+        elif data.startswith(b"*."):
             # This is a wildcard name. We need to remove the leading wildcard,
             # IDNA decode, then re-add the wildcard. Wildcard characters should
             # always be left-most (RFC 2595 section 2.4).
@@ -82,7 +84,10 @@ def _decode_general_name(backend, gn):
     elif gn.type == backend._lib.GEN_URI:
         data = backend._asn1_string_to_ascii(gn.d.uniformResourceIdentifier)
         parsed = urllib_parse.urlparse(data)
-        hostname = idna.decode(parsed.hostname)
+        if parsed.hostname:
+            hostname = idna.decode(parsed.hostname)
+        else:
+            hostname = ""
         if parsed.port:
             netloc = hostname + u":" + six.text_type(parsed.port)
         else:
@@ -260,7 +265,11 @@ class _Certificate(object):
 
     def public_key(self):
         pkey = self._backend._lib.X509_get_pubkey(self._x509)
-        self._backend.openssl_assert(pkey != self._backend._ffi.NULL)
+        if pkey == self._backend._ffi.NULL:
+            # Remove errors from the stack.
+            self._backend._consume_errors()
+            raise ValueError("Certificate public key is of an unknown type")
+
         pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
 
         return self._backend._evp_pkey_to_public_key(pkey)