-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 5 | ||||
-rw-r--r-- | tests/hazmat/backends/test_openssl.py | 23 | ||||
-rw-r--r-- | tests/test_x509.py | 67 |
3 files changed, 69 insertions, 26 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 3aa210d1..3866c0d4 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -289,7 +289,7 @@ def _encode_general_names(backend, names):
 return general_names
-def _encode_subject_alt_name(backend, san):
+def _encode_alt_name(backend, san):
 general_names = _encode_general_names(backend, san)
 general_names = backend._ffi.gc(
 general_names, backend._lib.GENERAL_NAMES_free
@@ -485,7 +485,8 @@ _EXTENSION_ENCODE_HANDLERS = {
 x509.OID_BASIC_CONSTRAINTS: _encode_basic_constraints,
 x509.OID_SUBJECT_KEY_IDENTIFIER: _encode_subject_key_identifier,
 x509.OID_KEY_USAGE: _encode_key_usage,
- x509.OID_SUBJECT_ALTERNATIVE_NAME: _encode_subject_alt_name,
+ x509.OID_SUBJECT_ALTERNATIVE_NAME: _encode_alt_name,
+ x509.OID_ISSUER_ALTERNATIVE_NAME: _encode_alt_name,
 x509.OID_EXTENDED_KEY_USAGE: _encode_extended_key_usage,
 x509.OID_AUTHORITY_KEY_IDENTIFIER: _encode_authority_key_identifier,
 x509.OID_AUTHORITY_INFORMATION_ACCESS: (
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 8f559c84..debea5a2 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -4,7 +4,6 @@
 from __future__ import absolute_import, division, print_function
-import datetime
 import os
 import subprocess
 import sys
@@ -15,7 +14,6 @@ import pretend
 import pytest
 from cryptography import utils
-from cryptography import x509
 from cryptography.exceptions import InternalError, _Reasons
 from cryptography.hazmat.backends.interfaces import RSABackend
 from cryptography.hazmat.backends.openssl.backend import (
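Review bot: `_encode_alt_name` is now registered for both `OID_SUBJECT_ALTERNATIVE_NAME` and `OID_ISSUER_ALTERNATIVE_NAME` in the handler table, but its parameter is still named `san` (first hunk of this file), which no longer describes what it receives; rename it to something neutral, `def _encode_alt_name(backend, alt_name):` with the call `_encode_general_names(backend, alt_name)`. Sharing one encoder is sound only because both extensions are defined as a bare GeneralNames sequence, which is worth stating in a one-line docstring on the function, e.g. `"""Encode a GeneralNames sequence; shared by SubjectAltName and IssuerAltName."""`. The body of `_encode_alt_name` continues past the end of the first hunk, so the remainder is not reviewed here.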
@@ -514,27 +512,6 @@ class TestOpenSSLSignX509Certificate(object):
 with pytest.raises(TypeError):
 backend.create_x509_certificate(object(), private_key, DummyHash())
- def test_checks_for_unsupported_extensions(self):
- private_key = RSA_KEY_2048.private_key(backend)
- builder = x509.CertificateBuilder().subject_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- ])).issuer_name(x509.Name([
- x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
- ])).public_key(
- private_key.public_key()
- ).serial_number(
- 777
- ).not_valid_before(
- datetime.datetime(1999, 1, 1)
- ).not_valid_after(
- datetime.datetime(2020, 1, 1)
- ).add_extension(
- x509.IssuerAlternativeName([x509.DNSName(u"crypto.io")]), False
- )
-
- with pytest.raises(NotImplementedError):
- builder.sign(private_key, hashes.SHA1(), backend)
-
 class TestOpenSSLSerialisationWithOpenSSL(object):
 def test_pem_password_cb_buffer_too_small(self):
diff --git a/tests/test_x509.py b/tests/test_x509.py
index c1db0260..94340579 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -27,6 +27,11 @@ from .hazmat.primitives.test_ec import _skip_curve_unsupported
 from .utils import load_vectors_from_file
+@utils.register_interface(x509.ExtensionType)
+class DummyExtension(object):
+ oid = x509.ObjectIdentifier("1.2.3.4")
+
+
 @utils.register_interface(x509.GeneralName)
 class FakeGeneralName(object):
 def __init__(self, value):
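Review bot: `DummyExtension` in the tests/test_x509.py hunk has no docstring, and the arbitrary OID `"1.2.3.4"` reads as a placeholder without one, so its purpose is only discoverable by finding the tests further down the file that pass it to `add_extension`. Add a class docstring such as `"""ExtensionType with an OID no backend encodes; used to exercise the NotImplementedError path of builder.sign()."""` so that the next person adding an extension handler does not mistake it for a real extension that needs support. The neighbouring `FakeGeneralName` has the same gap, but that is outside this commit.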
@@ -830,6 +835,29 @@ class TestRSACertificateRequest(object):
 class TestCertificateBuilder(object):
 @pytest.mark.requires_backend_interface(interface=RSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_checks_for_unsupported_extensions(self, backend):
+ private_key = RSA_KEY_2048.private_key(backend)
+ builder = x509.CertificateBuilder().subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ private_key.public_key()
+ ).serial_number(
+ 777
+ ).not_valid_before(
+ datetime.datetime(1999, 1, 1)
+ ).not_valid_after(
+ datetime.datetime(2020, 1, 1)
+ ).add_extension(
+ DummyExtension(), False
+ )
+
+ with pytest.raises(NotImplementedError):
+ builder.sign(private_key, hashes.SHA1(), backend)
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
 def test_no_subject_name(self, backend):
 subject_private_key = RSA_KEY_2048.private_key(backend)
 builder = x509.CertificateBuilder().serial_number(
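Review bot: The relocated `test_checks_for_unsupported_extensions` signs with `hashes.SHA1()` while the surrounding builder tests in this file, including `test_issuer_alt_name` added by the same commit, use `hashes.SHA256()`; the assertion is only that `builder.sign` raises `NotImplementedError` (presumably before any signing takes place), so the digest is incidental and should follow the file's convention, `builder.sign(private_key, hashes.SHA256(), backend)`. In the same method `add_extension(DummyExtension(), False)` passes `critical` positionally where the other new test writes `critical=False`; the keyword form makes the intent readable at the call site.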
@@ -1416,6 +1444,43 @@ class TestCertificateBuilder(object):
 @pytest.mark.requires_backend_interface(interface=RSABackend)
 @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_issuer_alt_name(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ cert = x509.CertificateBuilder().subject_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).issuer_name(
+ x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')])
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ ).public_key(
+ subject_private_key.public_key()
+ ).serial_number(
+ 123
+ ).add_extension(
+ x509.IssuerAlternativeName([
+ x509.DNSName(u"myissuer"),
+ x509.RFC822Name(u"email@domain.com"),
+ ]), critical=False
+ ).sign(issuer_private_key, hashes.SHA256(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_ISSUER_ALTERNATIVE_NAME
+ )
+ assert ext.critical is False
+ assert ext.value == x509.IssuerAlternativeName([
+ x509.DNSName(u"myissuer"),
+ x509.RFC822Name(u"email@domain.com"),
+ ])
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
 def test_extended_key_usage(self, backend):
 issuer_private_key = RSA_KEY_2048.private_key(backend)
 subject_private_key = RSA_KEY_2048.private_key(backend)
@@ -1718,7 +1783,7 @@ class TestCertificateSigningRequestBuilder(object):
 x509.SubjectAlternativeName([x509.DNSName(u"cryptography.io")]),
 critical=False,
 ).add_extension(
- x509.IssuerAlternativeName([x509.DNSName(u"crypto.io")]), False
+ DummyExtension(), False
 )
 with pytest.raises(NotImplementedError):
 builder.sign(private_key, hashes.SHA256(), backend) |
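Review bot: The expected `IssuerAlternativeName` in `test_issuer_alt_name` is spelled out twice, once in `add_extension` and again in the final assert, so the two copies have to be kept in sync by hand and a divergence would fail the test for a reason unrelated to encoding; build it once, `ian = x509.IssuerAlternativeName([x509.DNSName(u"myissuer"), x509.RFC822Name(u"email@domain.com")])`, pass `ian` to `add_extension(ian, critical=False)` and assert `ext.value == ian`. Since `issuer_private_key` and `subject_private_key` are both loaded from `RSA_KEY_2048`, the test cannot distinguish the signing key from the subject key; that is adequate for an encoding round-trip, but a short comment saying so would stop a reader from taking it as issuer/subject separation coverage.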
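Review bot: Swapping `IssuerAlternativeName` for `DummyExtension()` in the `TestCertificateSigningRequestBuilder` hunk keeps the NotImplementedError path covered but removes the only CSR-side use of the extension this commit starts encoding, leaving CSR behaviour for IssuerAlternativeName untested either way. If the CSR builder dispatches through the same `_EXTENSION_ENCODE_HANDLERS` table as the certificate builder (not visible in this diff), a positive round-trip test mirroring `test_issuer_alt_name` would pin that; if it does not, a one-line comment on this test stating that IssuerAlternativeName is intentionally unsupported for CSRs would prevent the next reader from assuming it is. The enclosing test method and class both start before this hunk.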