pyca · alex · May 19, 2015 · May 15, 2015 · May 15, 2015 · May 19, 2015
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
@@ -151,6 +151,9 @@ Custom X.509 Vectors
 * ``san_idna_names.pem`` - An RSA 2048 bit self-signed certificate containing
   a subject alternative name extension with ``rfc822Name``, ``dNSName``, and
   ``uniformResourceIdentifier`` general names with IDNA (:rfc:`5895`) encoding.
+* ``san_idna2003_dnsname.pem`` - An RSA 2048 bit self-signed certificate
+  containing a subject alternative name extension with an IDNA 2003
+  (:rfc:`3490`) ``dNSName``.
 * ``san_rfc822_names.pem`` - An RSA 2048 bit self-signed certificate containing
   a subject alternative name extension with various ``rfc822Name`` values.
 * ``san_rfc822_idna.pem`` - An RSA 2048 bit self-signed certificate containing

diff --git a/docs/x509.rst b/docs/x509.rst
@@ -313,6 +313,9 @@ X.509 Certificate Object
         :raises cryptography.x509.UnsupportedGeneralNameType: If an extension
             contains a general name that is not supported.
 
+        :raises UnicodeError: If an extension contains IDNA encoding that is
+            invalid or not compliant with IDNA 2008.
+
         .. doctest::
 
             >>> for ext in cert.extensions:

diff --git a/setup.py b/setup.py
@@ -32,7 +32,7 @@
 VECTORS_DEPENDENCY = "cryptography_vectors=={0}".format(about['__version__'])
 
 requirements = [
-    "idna",
+    "idna>=2.0",
     "pyasn1",
     "six>=1.4.1",
     "setuptools"

diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
@@ -1332,6 +1332,17 @@ def test_rfc822name(self, backend):
         rfc822name = san.get_values_for_type(x509.RFC822Name)
         assert [u"email@em\xe5\xefl.com"] == rfc822name
 
+    def test_idna2003_invalid(self, backend):
+        cert = _load_cert(
+            os.path.join(
+                "x509", "custom", "san_idna2003_dnsname.pem"
+            ),
+            x509.load_pem_x509_certificate,
+            backend
+        )
+        with pytest.raises(UnicodeError):
+            cert.extensions
+
     def test_unicode_rfc822_name_dns_name_uri(self, backend):
         cert = _load_cert(
             os.path.join(

diff --git a/vectors/cryptography_vectors/x509/custom/san_idna2003_dnsname.pem b/vectors/cryptography_vectors/x509/custom/san_idna2003_dnsname.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgITBmuEOcehqQ0T8RSnZfjR7vyzcTANBgkqhkiG9w0BAQUF
+ADASMRAwDgYDVQQDDAdQeUNBIENBMB4XDTE1MDUxNTA5NDYzOFoXDTE2MDUxNDA5
+NDYzOFowEjEQMA4GA1UEAwwHUHlDQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKILkg/zRXCemIUAy9NxKfLkiP640nVLEHOyQagPtWacyu4VS56s
+lozj4SFybkz3sZMid/agQagM7JhnXer+6j4BL/76KM74RSf1onb6AnRYb3Mo0nIz
+l1dT5w4fRGgbpoW+Z+GjuQnlwVteIvg0/V6uqETp1T9tYkpv+SJKlJJ2TtNHz6Fv
+AOcJcqagnKmbOTyMuk5vog83/nVVm2fEPOaKYrjUymgmfiWCXrMD/US5bUq1+Hr1
+10m8D8vhyaQhxSsX2Z+v63PhWrybJLUFHfmw7G4c6jM2Ojv9/Mbuh+UmEm0SFvZf
+Ltq8ts5chqpAAsdaYYuUOEbGpHeuCtsH2c0CAwEAAaMZMBcwFQYDVR0RBA4wDIIK
+eG4tLWs0aC53czANBgkqhkiG9w0BAQUFAAOCAQEAAylbqwHOUkqkWJ1USyIoPjra
+Si2O3XmQ2h7BSDeTP7hi8bHeKisjdGX5RlZvuQb/VCEnLpnQeyo0jP8rVoGX+hl/
+LAqpTWQhXQYAfCfWHENs0f+HJw0VB/I7/K6JfQfgZKhfaG7Lb3ZUYN6weM+DDS7E
+cUbmnk4fAyPLBTPR4nOw0hWF1IhqZ4x9Vr6s1VlmEaQ/sJi3zhFQx2mb8Lb/3h9b
+/WvYRvniEUYxGZ/q1fRmf+gGIacVTJtzpTxSDdSJugfhbm2wRQaXlSojRL+wO5Kg
+rDGwi9y5y+zWOFtQQCDEdhFLsw0ae3HPBQxxv85PzpuQD3EDgO0UolhAdZlIZg==
+-----END CERTIFICATE-----