1 files changed, 12 insertions, 3 deletions

diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 80f32e29..2de5a8c7 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -64,7 +64,9 @@ def _decode_general_names(backend, gns):
 def _decode_general_name(backend, gn):
     if gn.type == backend._lib.GEN_DNS:
         data = backend._asn1_string_to_bytes(gn.d.dNSName)
-        if data.startswith(b"*."):
+        if not data:
+            decoded = u""
+        elif data.startswith(b"*."):
             # This is a wildcard name. We need to remove the leading wildcard,
             # IDNA decode, then re-add the wildcard. Wildcard characters should
             # always be left-most (RFC 2595 section 2.4).
@@ -82,7 +84,10 @@ def _decode_general_name(backend, gn):
     elif gn.type == backend._lib.GEN_URI:
         data = backend._asn1_string_to_ascii(gn.d.uniformResourceIdentifier)
         parsed = urllib_parse.urlparse(data)
-        hostname = idna.decode(parsed.hostname)
+        if parsed.hostname:
+            hostname = idna.decode(parsed.hostname)
+        else:
+            hostname = ""
         if parsed.port:
             netloc = hostname + u":" + six.text_type(parsed.port)
         else:
@@ -260,7 +265,11 @@ class _Certificate(object):
 
     def public_key(self):
         pkey = self._backend._lib.X509_get_pubkey(self._x509)
-        self._backend.openssl_assert(pkey != self._backend._ffi.NULL)
+        if pkey == self._backend._ffi.NULL:
+            # Remove errors from the stack.
+            self._backend._consume_errors()
+            raise ValueError("Certificate public key is of an unknown type")
+
         pkey = self._backend._ffi.gc(pkey, self._backend._lib.EVP_PKEY_free)
 
         return self._backend._evp_pkey_to_public_key(pkey)