From b896881ea87c0a019a5e18a507c7c265b259a4d3 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Fri, 15 May 2015 09:01:34 -0700
Subject: add test to confirm IDNA2003 is disallowed

document that this is a possible exception
---
 docs/x509.rst          |  3 +++
 tests/test_x509_ext.py | 11 +++++++++++
 2 files changed, 14 insertions(+)

diff --git a/docs/x509.rst b/docs/x509.rst
index c8505a87..c570f196 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -313,6 +313,9 @@ X.509 Certificate Object
         :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
             contains a general name that is not supported.
 
+        :raises UnicodeError: If an extension contains IDNA encoding that is
+            invalid or not compliant with IDNA 2008.
+
         .. doctest::
 
             >>> for ext in cert.extensions:
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index d3488a9f..20a016b6 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -1332,6 +1332,17 @@ class TestRSASubjectAlternativeNameExtension(object):
         rfc822name = san.get_values_for_type(x509.RFC822Name)
         assert [u"email@em\xe5\xefl.com"] == rfc822name
 
+    def test_idna2003_invalid(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "custom", "san_idna2003_dnsname.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        with pytest.raises(UnicodeError):
+            cert.extensions
+
     def test_unicode_rfc822_name_dns_name_uri(self, backend):
         cert = _load_cert(
             os.path.join(
-- 
cgit v1.2.3