add test to confirm IDNA2003 is disallowed

document that this is a possible exception
diff --git a/docs/x509.rst b/docs/x509.rst
index c8505a8..c570f19 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -313,6 +313,9 @@
         :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
             contains a general name that is not supported.
 
+        :raises UnicodeError: If an extension contains IDNA encoding that is
+            invalid or not compliant with IDNA 2008.
+
         .. doctest::
 
             >>> for ext in cert.extensions:
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index d3488a9..20a016b 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -1332,6 +1332,17 @@
         rfc822name = san.get_values_for_type(x509.RFC822Name)
         assert [u"email@em\xe5\xefl.com"] == rfc822name
 
+    def test_idna2003_invalid(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "custom", "san_idna2003_dnsname.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        with pytest.raises(UnicodeError):
+            cert.extensions
+
     def test_unicode_rfc822_name_dns_name_uri(self, backend):
         cert = _load_cert(
             os.path.join(
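Review bot: The `with pytest.raises(UnicodeError):` around `cert.extensions` in `test_idna2003_invalid` is broad, because `UnicodeError` is the base class of every encode/decode failure; the test would still pass if the fixture failed to parse for an unrelated reason rather than because the SAN dNSName is only valid under IDNA 2003. If the code under test raises a narrower subclass (presumably the IDNA library's own error type, to be confirmed), assert on that or use `pytest.raises(UnicodeError, match=...)` with the expected message. A short comment above the `with` would record the intent, for example `# SAN dNSName is valid only under IDNA 2003; parsing must fail rather than silently remap the name`. Accessing `.extensions` now raises for the whole certificate, so it would help to have a companion assertion or note that callers handling untrusted certificates must treat `UnicodeError` as a parse failure; the enclosing test class is outside this hunk.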