2 files changed, 38 insertions, 17 deletions

diff --git a/src/_cffi_src/openssl/x509name.py b/src/_cffi_src/openssl/x509name.py
index 7b833d61..86d50bbd 100644
--- a/src/_cffi_src/openssl/x509name.py
+++ b/src/_cffi_src/openssl/x509name.py
@@ -16,10 +16,7 @@ typedef STACK_OF(X509_NAME_ENTRY) Cryptography_STACK_OF_X509_NAME_ENTRY;
 
 TYPES = """
 typedef ... Cryptography_STACK_OF_X509_NAME_ENTRY;
-typedef struct {
-    Cryptography_STACK_OF_X509_NAME_ENTRY *entries;
-    ...;
-} X509_NAME;
+typedef ... X509_NAME;
 typedef ... X509_NAME_ENTRY;
 typedef ... Cryptography_STACK_OF_X509_NAME;
 """
@@ -47,6 +44,10 @@ int X509_NAME_get_index_by_NID(X509_NAME *, int, int);
 int X509_NAME_cmp(const X509_NAME *, const X509_NAME *);
 char *X509_NAME_oneline(X509_NAME *, char *, int);
 X509_NAME *X509_NAME_dup(X509_NAME *);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **,
+                                               ASN1_OBJECT *, int,
+                                               const unsigned char *, int);
+int X509_NAME_add_entry(X509_NAME *, X509_NAME_ENTRY *, int, int);
 """
 
 MACROS = """
@@ -56,6 +57,9 @@ int sk_X509_NAME_push(Cryptography_STACK_OF_X509_NAME *, X509_NAME *);
 X509_NAME *sk_X509_NAME_value(Cryptography_STACK_OF_X509_NAME *, int);
 void sk_X509_NAME_free(Cryptography_STACK_OF_X509_NAME *);
 int sk_X509_NAME_ENTRY_num(Cryptography_STACK_OF_X509_NAME_ENTRY *);
+Cryptography_STACK_OF_X509_NAME_ENTRY *sk_X509_NAME_ENTRY_new_null(void);
+int sk_X509_NAME_ENTRY_push(Cryptography_STACK_OF_X509_NAME_ENTRY *,
+                            X509_NAME_ENTRY *);
 X509_NAME_ENTRY *sk_X509_NAME_ENTRY_value(
     Cryptography_STACK_OF_X509_NAME_ENTRY *, int);
 Cryptography_STACK_OF_X509_NAME_ENTRY *sk_X509_NAME_ENTRY_dup(
diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
index 8cdf4c4b..b56dfa70 100644
--- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py
@@ -97,17 +97,8 @@ def _encode_name(backend, attributes):
     """
     subject = backend._lib.X509_NAME_new()
     for attribute in attributes:
-        value = attribute.value.encode('utf8')
-        obj = _txt2obj_gc(backend, attribute.oid.dotted_string)
-        if attribute.oid == NameOID.COUNTRY_NAME:
-            # Per RFC5280 Appendix A.1 countryName should be encoded as
-            # PrintableString, not UTF8String
-            type = backend._lib.MBSTRING_ASC
-        else:
-            type = backend._lib.MBSTRING_UTF8
-        res = backend._lib.X509_NAME_add_entry_by_OBJ(
-            subject, obj, type, value, -1, -1, 0,
-        )
+        name_entry = _encode_name_entry(backend, attribute)
+        res = backend._lib.X509_NAME_add_entry(subject, name_entry, -1, 0)
         backend.openssl_assert(res == 1)
     return subject
 
@@ -118,6 +109,33 @@ def _encode_name_gc(backend, attributes):
     return subject
 
 
+def _encode_sk_name_entry(backend, attributes):
+    """
+    The sk_X50_NAME_ENTRY created will not be gc'd.
+    """
+    stack = backend._lib.sk_X509_NAME_ENTRY_new_null()
+    for attribute in attributes:
+        name_entry = _encode_name_entry(backend, attribute)
+        res = backend._lib.sk_X509_NAME_ENTRY_push(stack, name_entry)
+        backend.openssl_assert(res == 1)
+    return stack
+
+
+def _encode_name_entry(backend, attribute):
+    value = attribute.value.encode('utf8')
+    obj = _txt2obj_gc(backend, attribute.oid.dotted_string)
+    if attribute.oid == NameOID.COUNTRY_NAME:
+        # Per RFC5280 Appendix A.1 countryName should be encoded as
+        # PrintableString, not UTF8String
+        type = backend._lib.MBSTRING_ASC
+    else:
+        type = backend._lib.MBSTRING_UTF8
+    name_entry = backend._lib.X509_NAME_ENTRY_create_by_OBJ(
+        backend._ffi.NULL, obj, type, value, -1
+    )
+    return name_entry
+
+
 def _encode_crl_number(backend, crl_number):
     asn1int = _encode_asn1_int_gc(backend, crl_number.crl_number)
     return _encode_extension_to_der(
@@ -516,8 +534,7 @@ def _encode_crl_distribution_points(backend, crl_distribution_points):
             dpn = backend._lib.DIST_POINT_NAME_new()
             backend.openssl_assert(dpn != backend._ffi.NULL)
             dpn.type = _DISTPOINT_TYPE_RELATIVENAME
-            name = _encode_name_gc(backend, point.relative_name)
-            relativename = backend._lib.sk_X509_NAME_ENTRY_dup(name.entries)
+            relativename = _encode_sk_name_entry(backend, point.relative_name)
             backend.openssl_assert(relativename != backend._ffi.NULL)
             dpn.name.relativename = relativename
             dp.distpoint = dpn