author | Alex Gaynor <alex.gaynor@gmail.com> | 2015-04-22 15:32:54 -0400 |
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2015-04-22 15:32:54 -0400 |
commit | dbac0e9a074c7244ad2d25e11b4001eb49a791b4 (patch) | |
tree | 24b07b6643387f3a82ed5733ab8155e0612978ab | |
parent | e37ca984fcf093f4382eb3f19abf10b0862600da (diff) | |
parent | 0a621bf5da576d7aab394e5bdc342e2e8b1cbaa2 (diff) | |
Merge pull request #1859 from reaperhulk/san-unsupported
SAN unsupported type
-rw-r--r-- | docs/x509.rst | 16 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 8 | ||||
-rw-r--r-- | src/cryptography/x509.py | 19 | ||||
-rw-r--r-- | tests/test_x509_ext.py | 13 |
4 files changed, 56 insertions, 0 deletions
diff --git a/docs/x509.rst b/docs/x509.rst
index eed88b09..035fa87f 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -274,6 +274,9 @@ X.509 Certificate Object :raises cryptography.x509.UnsupportedExtension: If the certificate contains an extension that is not supported. + :raises cryptography.x509.UnsupportedGeneralNameType: If an extension + contains a general name that is not supported. + .. doctest:: >>> for ext in cert.extensions:
@@ -964,7 +967,20 @@ Exceptions Returns the OID. +.. class:: UnsupportedGeneralNameType + + This is raised when a certificate contains an unsupported general name + type in an extension. + + .. attribute:: type + + :type: int + + The integer value of the unsupported type. The complete list of + types can be found in `RFC 5280 section 4.2.1.6`_. + .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure .. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security .. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1 +.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index dcde5e73..cc4a92a6 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -63,6 +63,14 @@ def _build_general_name(backend, gn):
     if gn.type == backend._lib.GEN_DNS:
         data = backend._ffi.buffer(gn.d.dNSName.data, gn.d.dNSName.length)[:]
         return x509.DNSName(idna.decode(data))
+    else:
+        # otherName, x400Address or ediPartyName
+        raise x509.UnsupportedGeneralNameType(
+            "{0} is not a supported type".format(
+                x509._GENERAL_NAMES.get(gn.type, gn.type)
+            ),
+            gn.type
+        )
 
 
 @utils.register_interface(x509.Certificate)
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 898ab6c7..dd6ea926 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
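Review bot: The comment `# otherName, x400Address or ediPartyName` understates what reaches the new `else:` branch: the only test above it is the `if gn.type == backend._lib.GEN_DNS:` context line (an `if`, not an `elif`; the function header is outside the hunk), so rfc822Name, directoryName, uniformResourceIdentifier, iPAddress and registeredID also raise `UnsupportedGeneralNameType` here. Suggest `# Every GeneralName other than dNSName is unsupported for now; the raw type tag travels on the exception so callers can tell which one was hit.` Because the raise happens inside extension parsing, one such name makes the whole `cert.extensions` property unreadable for that certificate, which is a reasonable fail-closed default but worth stating where the exception is documented, since certificates received from untrusted peers can carry otherName entries.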
@@ -70,6 +70,19 @@ _OID_NAMES = {
 }
 
 
+_GENERAL_NAMES = {
+    0: "otherName",
+    1: "rfc822Name",
+    2: "dNSName",
+    3: "x400Address",
+    4: "directoryName",
+    5: "ediPartyName",
+    6: "uniformResourceIdentifier",
+    7: "iPAddress",
+    8: "registeredID",
+}
+
+
 class Version(Enum):
     v1 = 0
     v3 = 2
@@ -115,6 +128,12 @@ class ExtensionNotFound(Exception):
         self.oid = oid
 
 
+class UnsupportedGeneralNameType(Exception):
+    def __init__(self, msg, type):
+        super(UnsupportedGeneralNameType, self).__init__(msg)
+        self.type = type
+
+
 class NameAttribute(object):
     def __init__(self, oid, value):
         if not isinstance(oid, ObjectIdentifier):
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index a7e04156..1283fca7 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -757,3 +757,16 @@ class TestRSASubjectAlternativeNameExtension(object):
 
         dns = san.get_values_for_type(x509.DNSName)
         assert dns == [u"www.cryptography.io", u"cryptography.io"]
+
+    def test_unsupported_other_name(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "custom", "san_other_name.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        with pytest.raises(x509.UnsupportedGeneralNameType) as exc:
+            cert.extensions
+
+        assert exc.value.type == 0 |
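Review bot: `_GENERAL_NAMES` carries no comment saying where its integer keys come from, yet the openssl backend in this same commit indexes it with the `gn.type` value OpenSSL reports, so the two numberings must agree. Suggest a line above the dict: `# GeneralName CHOICE tags from RFC 5280 section 4.2.1.6; OpenSSL's GEN_* constants use the same numbering, which the openssl backend relies on when formatting UnsupportedGeneralNameType.`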
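Review bot: `UnsupportedGeneralNameType.__init__` names its second parameter `type`, shadowing the builtin for the method body; the documented attribute can keep its name while the parameter is renamed, `def __init__(self, msg, type_):` and `self.type = type_` (the only caller in this commit passes it positionally). A one-line docstring would also help for a public exception, e.g. `"""Raised when an extension holds a GeneralName whose CHOICE tag has no supported representation; ``type`` is that integer tag."""`.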
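Review bot: `test_unsupported_other_name` asserts only `exc.value.type == 0`, so the message path through `_GENERAL_NAMES` (the `.get(gn.type, gn.type)` lookup in the openssl backend) is never exercised; adding `assert "otherName" in str(exc.value)` would pin it. The fixture `san_other_name.pem` is referenced but not part of this diff, so which name types it contains beyond the otherName the assertion implies cannot be confirmed from here.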