add support for AIA to CertificateBuilder and OpenSSL backend

3 files changed, 54 insertions, 1 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 7917402f..570782a2 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -210,7 +210,9 @@ def _encode_authority_information_access(backend, authority_info_access):
     )
     for access_description in authority_info_access:
         ad = backend._lib.ACCESS_DESCRIPTION_new()
-        method = _txt2obj(backend, access_description.access_method)
+        method = _txt2obj(
+            backend, access_description.access_method.dotted_string
+        )
         gn = _encode_general_name(backend, access_description.access_location)
         ad.method = method
         ad.location = gn
@@ -1163,6 +1165,10 @@ class Backend(object):
                 pp, r = _encode_basic_constraints(self, extension.value)
             elif isinstance(extension.value, x509.SubjectAlternativeName):
                 pp, r = _encode_subject_alt_name(self, extension.value)
+            elif isinstance(extension.value, x509.AuthorityInformationAccess):
+                pp, r = _encode_authority_information_access(
+                    self, extension.value
+                )
             else:
                 raise NotImplementedError('Extension not yet supported.')
 
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index f35582b0..6e27cdb7 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -1724,6 +1724,10 @@ class CertificateBuilder(object):
             extension = Extension(
                 OID_SUBJECT_ALTERNATIVE_NAME, critical, extension
             )
+        elif isinstance(extension, AuthorityInformationAccess):
+            extension = Extension(
+                OID_AUTHORITY_INFORMATION_ACCESS, critical, extension
+            )
         elif isinstance(extension, InhibitAnyPolicy):
             extension = Extension(OID_INHIBIT_ANY_POLICY, critical, extension)
         else:
diff --git a/tests/test_x509.py b/tests/test_x509.py
index ba35f64d..0c63670d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1563,6 +1563,49 @@ class TestCertificateSigningRequestBuilder(object):
 
         assert str(exc.value) == "Digest too big for RSA key"
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_build_cert_with_aia(self, backend):
+        issuer_private_key = RSA_KEY_2048.private_key(backend)
+        subject_private_key = RSA_KEY_2048.private_key(backend)
+
+        not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+        not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+        aia = x509.AuthorityInformationAccess([
+            x509.AccessDescription(
+                x509.OID_OCSP,
+                x509.UniformResourceIdentifier(u"http://ocsp.domain.com")
+            ),
+            x509.AccessDescription(
+                x509.OID_CA_ISSUERS,
+                x509.UniformResourceIdentifier(u"http://domain.com/ca.crt")
+            )
+        ])
+
+        builder = x509.CertificateBuilder().serial_number(
+            777
+        ).issuer_name(x509.Name([
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+        ])).subject_name(x509.Name([
+            x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+        ])).public_key(
+            subject_private_key.public_key()
+        ).add_extension(
+            aia, critical=False
+        ).not_valid_before(
+            not_valid_before
+        ).not_valid_after(
+            not_valid_after
+        )
+
+        cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
+
+        ext = cert.extensions.get_extension_for_oid(
+            x509.OID_AUTHORITY_INFORMATION_ACCESS
+        )
+        assert ext.value == aia
+
 
 @pytest.mark.requires_backend_interface(interface=DSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)