-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 25 | ||||
-rw-r--r-- | tests/test_x509.py | 18 |
2 files changed, 33 insertions, 10 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index f05b0515..753cb50d 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -139,20 +139,25 @@ def _encode_basic_constraints(backend, basic_constraints):
 def _encode_subject_alt_name(backend, san):
 general_names = backend._lib.GENERAL_NAMES_new()
 assert general_names != backend._ffi.NULL
- # TODO: GC
+ general_names = backend._ffi.gc(
+ general_names, backend._lib.GENERAL_NAMES_free
+ )
 for alt_name in san:
- assert isinstance(alt_name, x509.DNSName)
 gn = backend._lib.GENERAL_NAME_new()
 assert gn != backend._ffi.NULL
- gn.type = backend._lib.GEN_DNS
- ia5 = backend._lib.ASN1_IA5STRING_new()
- assert ia5 != backend._ffi.NULL
- gn.d.dNSName = ia5
- # TODO: idna
- value = alt_name.value.encode("ascii")
- res = backend._lib.ASN1_STRING_set(gn.d.dNSName, value, len(value))
- assert res == 1
+ # TODO: GC?
+ if isinstance(alt_name, x509.DNSName):
+ gn.type = backend._lib.GEN_DNS
+ ia5 = backend._lib.ASN1_IA5STRING_new()
+ assert ia5 != backend._ffi.NULL
+ # TODO: idna
+ value = alt_name.value.encode("ascii")
+ res = backend._lib.ASN1_STRING_set(ia5, value, len(value))
+ assert res == 1
+ gn.d.dNSName = ia5
+ else:
+ raise NotImplementedError("Only DNSNames are supported right now")
 res = backend._lib.sk_GENERAL_NAME_push(general_names, gn)
 assert res == 1
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 3975d5b6..6cc0fc48 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
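Review bot: On the new `else` branch in `_encode_subject_alt_name`, `gn` has already been allocated by `GENERAL_NAME_new()` but has not been pushed onto `general_names`, so raising `NotImplementedError` leaks it; the `gc` registration added above can only cover names that reached the stack. Checking the type before allocating avoids this: put `if not isinstance(alt_name, x509.DNSName): raise NotImplementedError("Only DNSNames are supported right now")` as the first statement of the loop body, ahead of `GENERAL_NAME_new()`. The NULL and return-code checks in this hunk are plain `assert` statements, which are stripped under `python -O`, so a failed allocation or a failed `ASN1_STRING_set` would then pass silently into the following calls. The function body continues past the end of the hunk, so what is done with `general_names` afterwards is not visible here.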
@@ -935,6 +935,24 @@ class TestCertificateSigningRequestBuilder(object):
 x509.DNSName(u"google.com"),
 ]
+ def test_subject_alt_name_unsupported_general_name(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+
+ builder = x509.CertificateSigningRequestBuilder().subject_name(
+ x509.Name([
+ x509.NameAttribute(x509.OID_COMMON_NAME, u"SAN"),
+ ])
+ ).add_extension(
+ x509.SubjectAlternativeName([
+ x509.RFC822Name(u"test@example.com"),
+ ]),
+ critical=False,
+ )
+
+ with pytest.raises(NotImplementedError):
+ builder.sign(private_key, hashes.SHA256(), backend)
+
+
 @pytest.mark.requires_backend_interface(interface=DSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend) |