diff --git a/asn1.go b/asn1.go
index 69fac2b..be2141b 100644
--- a/asn1.go
+++ b/asn1.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"encoding/binary"
 	"encoding/asn1"
+	"unicode/utf8"
 )
 
 func stringFromByteSlice (chars []byte) string {
@@ -35,6 +36,9 @@ func decodeASN1String (value *asn1.RawValue) (string, error) {
 	if !value.IsCompound && value.Class == 0 {
 		if value.Tag == 12 {
 			// UTF8String
+			if !utf8.Valid(value.Bytes) {
+				return "", errors.New("Malformed UTF8String")
+			}
 			return string(value.Bytes), nil
 		} else if value.Tag == 19 || value.Tag == 22 || value.Tag == 20 {
 			// * PrintableString - subset of ASCII
diff --git a/x509.go b/x509.go
index 50c5e48..ec4060d 100644
--- a/x509.go
+++ b/x509.go
@@ -280,6 +280,15 @@ func (cert *Certificate) ParseTBSCertificate () (*TBSCertificate, error) {
 }
 
+func isAscii (bytes []byte) bool {
+	for _, b := range bytes {
+		if b > 127 {
+			return false
+		}
+	}
+	return true
+}
+
 func parseSANExtension (value []byte) ([]string, error) {
 	var dnsNames []string
 	var seq asn1.RawValue
@@ -306,6 +315,9 @@ func parseSANExtension (value []byte) ([]string, error) {
 		}
 		switch val.Tag {
 		case 2:
+			if !isAscii(val.Bytes) {
+				return nil, errors.New("failed to parse subjectAltName: DNS name contains non-ASCII characters")
+			}
 			dnsNames = append(dnsNames, string(val.Bytes))
 		}
 	}
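Review bot: The new error string `Malformed UTF8String` in the UTF8String branch of decodeASN1String starts with a capital letter, whereas the message this same commit adds in x509.go uses the lowercase `failed to parse subjectAltName: ...` form; Go convention and consistency with the sibling change suggest `return "", errors.New("malformed UTF8String")`, ideally with the same `failed to parse` prefix the caller side uses. The import hunk above lists only bytes, encoding/binary, encoding/asn1 and the newly added unicode/utf8, so unless `errors` is imported on a line outside that hunk this call will not compile — worth confirming before merge. The utf8.Valid guard itself is the right check here, since it rejects overlong encodings and encoded surrogates rather than only invalid lead bytes. decodeASN1String begins and continues outside this hunk.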
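Review bot: The new helper is named `isAscii` and its parameter `bytes` shadows the standard `bytes` package if x509.go imports it (asn1.go in this same commit does), which is easy to trip over when someone later calls `bytes.IndexByte` inside the loop; Go's initialism convention and the shadowing both point to `func isASCII(b []byte) bool` with the loop variable renamed accordingly. A short doc comment would also help, since the name promises more than the body delivers — something like `// isASCII reports whether every byte of b is in 0x00–0x7F; it does not reject control characters.` The helper is complete within the hunk.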
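Review bot: The `isAscii(val.Bytes)` check added before the append in parseSANExtension only rejects bytes above 127, so a dNSName containing NUL or other control bytes (0x00–0x1F, 0x7F) still lands in dnsNames on the next line. If callers compare these names against expected hostnames or render them, a name with an embedded NUL can compare or display differently from the bytes the certificate actually carries, so either tighten the helper to printable ASCII — e.g. `if b > 127 || b < 32 || b == 127 {` in isAscii — or note at the call site that only the high bit is checked. The enclosing for loop and switch begin and end outside this hunk, so I cannot see whether other tags get a similar guard.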