Diffstat (limited to 'docs')
-rw-r--r-- | docs/development/getting-started.rst | 1
-rw-r--r-- | docs/development/test-vectors.rst | 8
-rw-r--r-- | docs/exceptions.rst | 6
-rw-r--r-- | docs/hazmat/primitives/asymmetric/rsa.rst | 2
-rw-r--r-- | docs/hazmat/primitives/asymmetric/utils.rst | 2
-rw-r--r-- | docs/hazmat/primitives/twofactor.rst | 13
-rw-r--r-- | docs/installation.rst | 2
-rw-r--r-- | docs/spelling_wordlist.txt | 1
-rw-r--r-- | docs/x509.rst | 143
9 files changed, 162 insertions, 16 deletions
diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index f5d6c190..b3474002 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -44,7 +44,6 @@ each supported Python version and run the tests. For example: ERROR: py26: InterpreterNotFound: python2.6 py27: commands succeeded ERROR: pypy: InterpreterNotFound: pypy - ERROR: py32: InterpreterNotFound: python3.2 py33: commands succeeded docs: commands succeeded pep8: commands succeeded diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index a102fa9f..69f54d3a 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -140,6 +140,14 @@ Custom X.509 Vectors subject alternative name extension with the ``registeredID`` general name. * ``all_key_usages.pem`` - An RSA 2048 bit self-signed certificate containing a key usage extension with all nine purposes set to true. +* ``san_idna_names.pem`` - An RSA 2048 bit self-signed certificate containing + a subject alternative name extension with ``rfc822Name``, ``dNSName``, and + ``uniformResourceIdentifier`` general names with IDNA (:rfc:`5895`) encoding. +* ``san_rfc822_names.pem`` - An RSA 2048 bit self-signed certificate containing + a subject alternative name extension with various ``rfc822Name`` values. +* ``san_uri_with_port.pem`` - An RSA 2048 bit self-signed certificate + containing a subject alternative name extension with various + ``uniformResourceIdentifier`` values. Custom X.509 Request Vectors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/exceptions.rst b/docs/exceptions.rst index 28da8ecc..59d7d9d7 100644 --- a/docs/exceptions.rst +++ b/docs/exceptions.rst 
@@ -37,9 +37,3 @@ Exceptions This is raised when the verify method of a key derivation function's computed key does not match the expected key. - - -.. class:: InvalidToken - - This is raised when the verify method of a one time password function's - computed token does not match the expected token. diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index a5187749..3b5b677b 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -688,4 +688,4 @@ Key interfaces .. _`Chinese Remainder Theorem`: https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29#Using_the_Chinese_remainder_algorithm .. _`security proof`: http://eprint.iacr.org/2001/062.pdf .. _`recommended padding algorithm`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html -.. _`proven secure`: http://cseweb.ucsd.edu/users/mihir/papers/oae.pdf +.. _`proven secure`: http://cseweb.ucsd.edu/~mihir/papers/oae.pdf diff --git a/docs/hazmat/primitives/asymmetric/utils.rst b/docs/hazmat/primitives/asymmetric/utils.rst index 6b348801..7380f0b5 100644 --- a/docs/hazmat/primitives/asymmetric/utils.rst +++ b/docs/hazmat/primitives/asymmetric/utils.rst @@ -15,6 +15,8 @@ Asymmetric Utilities :returns: The decoded tuple ``(r, s)``. + :raises ValueError: Raised if the signature is malformed. + .. function:: encode_rfc6979_signature(r, s) Creates an :rfc:`6979` byte string from raw signature values. diff --git a/docs/hazmat/primitives/twofactor.rst b/docs/hazmat/primitives/twofactor.rst index 89d81222..dd3e0250 100644 --- a/docs/hazmat/primitives/twofactor.rst +++ b/docs/hazmat/primitives/twofactor.rst 
@@ -11,6 +11,11 @@ Currently, it contains an algorithm for generating and verifying one time password values based on Hash-based message authentication codes (HMAC). +.. class:: InvalidToken + + This is raised when the verify method of a one time password function's + computed token does not match the expected token. + .. currentmodule:: cryptography.hazmat.primitives.twofactor.hotp .. class:: HOTP(key, length, algorithm, backend) @@ -66,8 +71,8 @@ codes (HMAC). :param bytes hotp: The one time password value to validate. :param int counter: The counter value to validate against. - :raises cryptography.exceptions.InvalidToken: This is raised when the - supplied HOTP does not match the expected HOTP. + :raises cryptography.hazmat.primitives.twofactor.InvalidToken: This + is raised when the supplied HOTP does not match the expected HOTP. Throttling ~~~~~~~~~~ @@ -164,5 +169,5 @@ similar to the following code. :param bytes totp: The one time password value to validate. :param int time: The time value to validate against. - :raises cryptography.exceptions.InvalidToken: This is raised when the - supplied TOTP does not match the expected TOTP. + :raises cryptography.hazmat.primitives.twofactor.InvalidToken: This + is raised when the supplied TOTP does not match the expected TOTP. diff --git a/docs/installation.rst b/docs/installation.rst index c061903e..1c25ff78 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -10,7 +10,7 @@ You can install ``cryptography`` with ``pip``: Supported platforms ------------------- -Currently we test ``cryptography`` on Python 2.6, 2.7, 3.2, 3.3, 3.4 and PyPy +Currently we test ``cryptography`` on Python 2.6, 2.7, 3.3, 3.4 and PyPy on these operating systems. * x86-64 CentOS 7.x, 6.4 and CentOS 5.x diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index f7b73b38..b7c4c6c2 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt 
@@ -36,6 +36,7 @@ iterable Koblitz Lange metadata +multi naïve namespace namespaces diff --git a/docs/x509.rst b/docs/x509.rst index d09651fb..035fa87f 100644 --- a/docs/x509.rst +++ b/docs/x509.rst @@ -271,11 +271,18 @@ X.509 Certificate Object :raises cryptography.x509.DuplicateExtension: If more than one extension of the same type is found within the certificate. + :raises cryptography.x509.UnsupportedExtension: If the certificate + contains an extension that is not supported. + + :raises cryptography.x509.UnsupportedGeneralNameType: If an extension + contains a general name that is not supported. + .. doctest:: >>> for ext in cert.extensions: ... print(ext) <Extension(oid=<ObjectIdentifier(oid=2.5.29.14, name=subjectKeyIdentifier)>, critical=False, value=<SubjectKeyIdentifier(digest='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9')>)> + <Extension(oid=<ObjectIdentifier(oid=2.5.29.15, name=keyUsage)>, critical=True, value=<KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False, key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=None, decipher_only=None)>)> <Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)> X.509 CSR (Certificate Signing Request) Object 
@@ -398,6 +405,80 @@ X.509 CSR (Certificate Signing Request) Object The dotted string value of the OID (e.g. ``"2.5.4.3"``) +.. _general_name_classes: + +General Name Classes +~~~~~~~~~~~~~~~~~~~~ + +.. class:: GeneralName + + .. versionadded:: 0.9 + + This is the generic interface that all the following classes are registered + against. + +.. class:: RFC822Name + + .. versionadded:: 0.9 + + This corresponds to an email address. For example, ``user@example.com``. + + .. attribute:: value + + :type: :term:`text` + +.. class:: DNSName + + .. versionadded:: 0.9 + + This corresponds to a domain name. For example, ``cryptography.io``. + + .. attribute:: value + + :type: :term:`text` + +.. class:: DirectoryName + + .. versionadded:: 0.9 + + This corresponds to a directory name. + + .. attribute:: value + + :type: :class:`Name` + +.. class:: UniformResourceIdentifier + + .. versionadded:: 0.9 + + This corresponds to a uniform resource identifier. For example, + ``https://cryptography.io``. + + .. attribute:: value + + :type: :term:`text` + +.. class:: IPAddress + + .. versionadded:: 0.9 + + This corresponds to an IP address. + + .. attribute:: value + + :type: :class:`~ipaddress.IPv4Address` or + :class:`~ipaddress.IPv6Address`. + +.. class:: RegisteredID + + .. versionadded:: 0.9 + + This corresponds to a registered ID. + + .. attribute:: value + + :type: :class:`ObjectIdentifier` + X.509 Extensions ~~~~~~~~~~~~~~~~ @@ -417,9 +498,6 @@ X.509 Extensions :raises cryptography.x509.ExtensionNotFound: If the certificate does not have the extension requested. - :raises cryptography.x509.UnsupportedExtension: If the certificate - contains an extension that is not supported. - .. doctest:: >>> cert.extensions.get_extension_for_oid(x509.OID_BASIC_CONSTRAINTS) 
@@ -577,6 +655,35 @@ X.509 Extensions purposes indicated in the key usage extension. The object is iterable to obtain the list of :ref:`extended key usage OIDs <eku_oids>`. +.. class:: AuthorityKeyIdentifier + + .. versionadded:: 0.9 + + The authority key identifier extension provides a means of identifying the + public key corresponding to the private key used to sign a certificate. + This extension is typically used to assist in determining the appropriate + certificate chain. For more information about generation and use of this + extension see `RFC 5280 section 4.2.1.1`_. + + .. attribute:: key_identifier + + :type: bytes + + A value derived from the public key used to verify the certificate's + signature. + + .. attribute:: authority_cert_issuer + + :type: :class:`Name` or None + + The :class:`Name` of the issuer's issuer. + + .. attribute:: authority_cert_serial_number + + :type: int or None + + The serial number of the issuer's issuer. + .. class:: SubjectKeyIdentifier .. versionadded:: 0.9 @@ -590,6 +697,22 @@ X.509 Extensions The binary value of the identifier. +.. class:: SubjectAlternativeName + + .. versionadded:: 0.9 + + Subject alternative name is an X.509 extension that provides a list of + :ref:`general name <general_name_classes>` instances that provide a set + of identities for which the certificate is valid. The object is iterable to + get every element. + + .. method:: get_values_for_type(type) + + :param type: A :class:`GeneralName` provider. This is one of the + :ref:`general name classes <general_name_classes>`. + + :returns: A list of values extracted from the matched general names. + Object Identifiers ~~~~~~~~~~~~~~~~~~ 
@@ -844,6 +967,20 @@ Exceptions Returns the OID. +.. class:: UnsupportedGeneralNameType + + This is raised when a certificate contains an unsupported general name + type in an extension. + + .. attribute:: type + + :type: int + + The integer value of the unsupported type. The complete list of + types can be found in `RFC 5280 section 4.2.1.6`_. + .. _`public key infrastructure`: https://en.wikipedia.org/wiki/Public_key_infrastructure .. _`TLS`: https://en.wikipedia.org/wiki/Transport_Layer_Security +.. _`RFC 5280 section 4.2.1.1`: https://tools.ietf.org/html/rfc5280#section-4.2.1.1 +.. _`RFC 5280 section 4.2.1.6`: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 |
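
Review bot: The ``san_idna_names.pem`` entry added to docs/development/test-vectors.rst cites :rfc:`5895` for the IDNA encoding, but RFC 5895 covers character mapping for IDNA 2008 rather than the encoding itself; please check that this is the reference intended for how the names in the vector were encoded. The two entries after it say only "various" ``rfc822Name`` and ``uniformResourceIdentifier`` values; listing what varies (for example the port case the file name ``san_uri_with_port.pem`` implies) would let a reader tell what each vector is meant to exercise.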
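
Review bot: In docs/hazmat/primitives/twofactor.rst the new ``.. class:: InvalidToken`` entry sits above the ``.. currentmodule:: cryptography.hazmat.primitives.twofactor.hotp`` line, so the two ``:raises cryptography.hazmat.primitives.twofactor.InvalidToken:`` references resolve only if the module in effect at that point is ``cryptography.hazmat.primitives.twofactor``; that directive is outside the visible context and worth confirming. The entry removed from docs/exceptions.rst also leaves no pointer for code that catches ``cryptography.exceptions.InvalidToken``. Please say in the new entry whether the old import path still works, because an ``except`` clause on a stale path changes how a failed one time password check is handled.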
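
Review bot: The two ``:raises`` entries added next to the ``cert.extensions`` doctest in docs/x509.rst do not say whether ``UnsupportedExtension`` is raised for any unrecognized extension or only for one marked critical, and the same entry is removed from ``get_extension_for_oid`` without a cross-reference. Callers that look up a single extension by OID now need to know that merely reading ``cert.extensions`` can raise ``UnsupportedExtension`` or ``UnsupportedGeneralNameType``. Suggest stating the condition precisely and keeping a short pointer under ``get_extension_for_oid``.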
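
Review bot: The ``value`` attributes of ``RFC822Name``, ``DNSName`` and ``UniformResourceIdentifier`` in the General Name Classes hunk of docs/x509.rst are typed as text without saying whether an internationalized name is returned decoded to Unicode or in its encoded form, although the same patch adds ``san_idna_names.pem`` for that case. Callers compare these values against hostnames and addresses, so the returned form should be stated. As a style point, the ``:type:`` line of ``IPAddress.value`` ends with a period where the other entries have none.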
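
Review bot: In the ``AuthorityKeyIdentifier`` hunk of docs/x509.rst, ``authority_cert_serial_number`` is described as "The serial number of the issuer's issuer", but in RFC 5280 section 4.2.1.1 the authorityCertSerialNumber field is the serial number of the issuer's own certificate, which authorityCertIssuer and the serial number identify together. Suggest "The serial number of the issuer's certificate." The same section makes keyIdentifier optional and defines authorityCertIssuer as GeneralNames, so it is worth documenting whether ``key_identifier`` can be None and why ``authority_cert_issuer`` is typed as :class:`Name`. ``SubjectAlternativeName.get_values_for_type`` in the following hunk should likewise say what it returns when no general name of the requested type is present.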