Diffstat (limited to 'src')
-rw-r--r--src/_cffi_src/openssl/ocsp.py2
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py16
-rw-r--r--src/cryptography/x509/ocsp.py30
3 files changed, 48 insertions, 0 deletions
diff --git a/src/_cffi_src/openssl/ocsp.py b/src/_cffi_src/openssl/ocsp.py
index 1701f41c..61546027 100644
--- a/src/_cffi_src/openssl/ocsp.py
+++ b/src/_cffi_src/openssl/ocsp.py
@@ -35,6 +35,8 @@ OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *, int);
int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *);
X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *, int);
OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *);
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *, OCSP_CERTID *);
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *, const X509 *, const X509 *);
OCSP_BASICRESP *OCSP_BASICRESP_new(void);
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 6a0446bc..bdf8f370 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1430,6 +1430,22 @@ class Backend(object):
request = self._ffi.gc(request, self._lib.OCSP_REQUEST_free)
return _OCSPRequest(self, request)
+ def create_ocsp_request(self, builder):
+ ocsp_req = self._lib.OCSP_REQUEST_new()
+ self.openssl_assert(ocsp_req != self._ffi.NULL)
+ ocsp_req = self._ffi.gc(ocsp_req, self._lib.OCSP_REQUEST_free)
+ for cert, issuer, algorithm in builder._requests:
+ evp_md = self._lib.EVP_get_digestbyname(
+ algorithm.name.encode("ascii"))
+ self.openssl_assert(evp_md != self._ffi.NULL)
+ certid = self._lib.OCSP_cert_to_id(
+ evp_md, cert._x509, issuer._x509
+ )
+ self.openssl_assert(certid != self._ffi.NULL)
+ onereq = self._lib.OCSP_request_add0_id(ocsp_req, certid)
+ self.openssl_assert(onereq != self._ffi.NULL)
+ return _OCSPRequest(self, ocsp_req)
+
def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
return (
self.elliptic_curve_supported(curve) and
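Review bot: `certid` is leaked when `OCSP_request_add0_id` returns NULL, because the `add0` variant only takes ownership of the id on success and the `openssl_assert` that follows raises before anything frees it; the `OCSP_cert_to_id` result is not under `self._ffi.gc` either. A minimal guard before the existing assert is `if onereq == self._ffi.NULL:` / `    self._lib.OCSP_CERTID_free(certid)`, which needs `OCSP_CERTID_free` declared in the cffi cdef (the `_cffi_src/openssl/ocsp.py` hunk above adds only `OCSP_request_add0_id` and `OCSP_cert_to_id`, so confirm it is already present). The new method also has no docstring; I would add one stating that it consumes `builder._requests` as `(cert, issuer, algorithm)` triples and returns an `_OCSPRequest` wrapping a gc-managed `OCSP_REQUEST`. The enclosing `Backend` class starts and ends outside this hunk.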
diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py
index 22894dde..0567197d 100644
--- a/src/cryptography/x509/ocsp.py
+++ b/src/cryptography/x509/ocsp.py
@@ -9,6 +9,7 @@ import abc
import six
from cryptography.hazmat.primitives import hashes
+from cryptography.x509 import Certificate
_OIDS_TO_HASH = {
@@ -25,6 +26,35 @@ def load_der_ocsp_request(data):
return backend.load_der_ocsp_request(data)
+class OCSPRequestBuilder(object):
+ def __init__(self, requests=[]):
+ self._requests = requests
+
+ def add_request(self, cert, issuer, algorithm):
+ allowed_hashes = (
+ hashes.SHA1, hashes.SHA224, hashes.SHA256,
+ hashes.SHA384, hashes.SHA512
+ )
+ if not isinstance(algorithm, allowed_hashes):
+ raise ValueError(
+ "Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512"
+ )
+ if (
+ not isinstance(cert, Certificate) or
+ not isinstance(issuer, Certificate)
+ ):
+ raise TypeError("cert and issuer must be a Certificate")
+
+ return OCSPRequestBuilder(self._requests + [(cert, issuer, algorithm)])
+
+ def build(self):
+ from cryptography.hazmat.backends.openssl.backend import backend
+ if len(self._requests) == 0:
+ raise ValueError("You must add a request before building")
+
+ return backend.create_ocsp_request(self)
+
+
@six.add_metaclass(abc.ABCMeta)
class OCSPRequest(object):
@abc.abstractmethod
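Review bot: `OCSPRequestBuilder.__init__` takes a mutable default `requests=[]`; the builder never mutates it (`add_request` builds a new list with `+`), so it is not a live defect, but the idiom is fragile and `def __init__(self, requests=None):` / `self._requests = [] if requests is None else requests` preserves the behaviour without it. In `build`, `if not self._requests:` reads better than `len(self._requests) == 0`, and the function-scope import of `backend` is presumably there to avoid an import cycle — a short comment saying so would help the next reader. The class has no docstring; I would add one noting that the builder is immutable, that each `add_request` call returns a new builder, that `add_request` raises `ValueError` for an unsupported hash and `TypeError` for non-`Certificate` arguments, and that `build()` raises `ValueError` when no request has been added.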