# HG changeset patch # User duke # Date 1499270636 -7200 # Node ID 16ba58282d117247f480aae7a79b88141ade52a3 # Parent 7e10f66481f707e871c72d341c3813fe43c9af2d# Parent 836dfc08398ee88ccc1cedc43d8bcc9c8c702e9d Merge diff -r 836dfc08398e -r 16ba58282d11 .hgtags-top-repo --- a/.hgtags-top-repo Wed Jul 05 18:03:21 2017 +0200 +++ b/.hgtags-top-repo Wed Jul 05 18:03:56 2017 +0200 @@ -148,3 +148,4 @@ 1a5f1d6b98d6827cdb529a4abe6e52a886d944f4 jdk8-b24 221a378e06a326f45e5d89e2123cd6323e0181d1 jdk8-b25 2accafff224ae39caf5f532c305251ba624bf2c0 jdk8-b26 +1533dfab9903e4edcfead3b0192643f38c418b9b jdk8-b27 diff -r 836dfc08398e -r 16ba58282d11 corba/.hgtags --- a/corba/.hgtags Wed Jul 05 18:03:21 2017 +0200 +++ b/corba/.hgtags Wed Jul 05 18:03:56 2017 +0200 @@ -148,3 +148,4 @@ b98f0e6dddf987df565029a1f58417fc1844c3f3 jdk8-b24 e45d6b406d5f91ff5256a5c82456ab1e7eb8becd jdk8-b25 79f709a099f40c08f76567fa6d813f9009a69826 jdk8-b26 +4fffe75e4edd39a2517f10b743941bf94edb143d jdk8-b27 diff -r 836dfc08398e -r 16ba58282d11 corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyFactoryImpl.java --- a/corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyFactoryImpl.java Wed Jul 05 18:03:21 2017 +0200 +++ b/corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyFactoryImpl.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -82,6 +82,6 @@ private String[] __ids = { "IDL:omg.org/DynamicAny/DynAnyFactory:1.0" }; public String[] _ids() { - return __ids; + return (String[]) __ids.clone(); } } diff -r 836dfc08398e -r 16ba58282d11 corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyImpl.java 
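Review bot: In `_ids()` of DynAnyFactoryImpl.java the new `return (String[]) __ids.clone();` has no comment saying why the copy is made, and the cast is redundant if this module is compiled at source level 5 or later, where cloning an array already yields the array's own type. The copy is what stops a caller from overwriting the repository-id array held by the object, so a comment such as `// defensive copy: callers must not be able to modify __ids` would keep it from being simplified back to a direct return. `__ids` could also be declared `final`, since the visible lines never reassign it; the rest of the class is outside the hunk. The same points apply to the `_ids()` hunks in DynAnyImpl.java and _CodeBaseImplBase.java.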
--- a/corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyImpl.java Wed Jul 05 18:03:21 2017 +0200 +++ b/corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyImpl.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -195,6 +195,6 @@ private String[] __ids = { "IDL:omg.org/DynamicAny/DynAny:1.0" }; public String[] _ids() { - return __ids; + return (String[]) __ids.clone(); } } diff -r 836dfc08398e -r 16ba58282d11 corba/src/share/classes/com/sun/org/omg/SendingContext/_CodeBaseImplBase.java --- a/corba/src/share/classes/com/sun/org/omg/SendingContext/_CodeBaseImplBase.java Wed Jul 05 18:03:21 2017 +0200 +++ b/corba/src/share/classes/com/sun/org/omg/SendingContext/_CodeBaseImplBase.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -138,7 +138,7 @@ public String[] _ids () { - return __ids; + return (String[]) __ids.clone(); } diff -r 836dfc08398e -r 16ba58282d11 hotspot/.hgtags --- a/hotspot/.hgtags Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/.hgtags Wed Jul 05 18:03:56 2017 +0200 @@ -224,3 +224,5 @@ f92a171cf0071ca6c3fa8231d7d570377f8b2f4d hs23-b16 f92a171cf0071ca6c3fa8231d7d570377f8b2f4d hs23-b16 931e5f39e365a0d550d79148ff87a7f9e864d2e1 hs23-b16 +3b24e7e01d20ca590d0f86b1222bb7c3f1a2aa2d jdk8-b27 +975c4105f1e2ef1190a75b77124033f1fd4290b5 hs24-b01 diff -r 836dfc08398e -r 16ba58282d11 hotspot/agent/src/share/classes/sun/jvm/hotspot/oops/ConstantPool.java 
--- a/hotspot/agent/src/share/classes/sun/jvm/hotspot/oops/ConstantPool.java Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/agent/src/share/classes/sun/jvm/hotspot/oops/ConstantPool.java Wed Jul 05 18:03:56 2017 +0200 @@ -648,7 +648,12 @@ } public void printValueOn(PrintStream tty) { - tty.print("ConstantPool for " + getPoolHolder().getName().asString()); + Oop holder = poolHolder.getValue(this); + if (holder instanceof Klass) { + tty.print("ConstantPool for " + ((Klass)holder).getName().asString()); + } else { + tty.print("ConstantPool for partially loaded class"); + } } public long getObjectSize() { diff -r 836dfc08398e -r 16ba58282d11 hotspot/make/hotspot_version --- a/hotspot/make/hotspot_version Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/make/hotspot_version Wed Jul 05 18:03:56 2017 +0200 @@ -33,9 +33,9 @@ # Don't put quotes (fail windows build). HOTSPOT_VM_COPYRIGHT=Copyright 2011 -HS_MAJOR_VER=23 +HS_MAJOR_VER=24 HS_MINOR_VER=0 -HS_BUILD_NUMBER=16 +HS_BUILD_NUMBER=01 JDK_MAJOR_VER=1 JDK_MINOR_VER=8 diff -r 836dfc08398e -r 16ba58282d11 hotspot/make/linux/makefiles/ppc.make --- a/hotspot/make/linux/makefiles/ppc.make Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/make/linux/makefiles/ppc.make Wed Jul 05 18:03:56 2017 +0200 @@ -28,3 +28,6 @@ # Must also specify if CPU is big endian CFLAGS += -DVM_BIG_ENDIAN +ifdef E500V2 +ASFLAGS += -Wa,-mspe -Wa,--defsym -Wa,E500V2=1 +endif diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/cpu/sparc/vm/c1_LIRAssembler_sparc.cpp --- a/hotspot/src/cpu/sparc/vm/c1_LIRAssembler_sparc.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/cpu/sparc/vm/c1_LIRAssembler_sparc.cpp Wed Jul 05 18:03:56 2017 +0200 
@@ -3231,6 +3231,26 @@ // no-op on TSO } +void LIR_Assembler::membar_loadload() { + // no-op + //__ membar(Assembler::Membar_mask_bits(Assembler::loadload)); +} + +void LIR_Assembler::membar_storestore() { + // no-op + //__ membar(Assembler::Membar_mask_bits(Assembler::storestore)); +} + +void LIR_Assembler::membar_loadstore() { + // no-op + //__ membar(Assembler::Membar_mask_bits(Assembler::loadstore)); +} + +void LIR_Assembler::membar_storeload() { + __ membar(Assembler::Membar_mask_bits(Assembler::StoreLoad)); +} + + // Pack two sequential registers containing 32 bit values // into a single 64 bit register. // src and src->successor() are packed into dst diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/cpu/x86/vm/c1_LIRAssembler_x86.cpp --- a/hotspot/src/cpu/x86/vm/c1_LIRAssembler_x86.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/cpu/x86/vm/c1_LIRAssembler_x86.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -3713,6 +3713,25 @@ // __ store_fence(); } +void LIR_Assembler::membar_loadload() { + // no-op + //__ membar(Assembler::Membar_mask_bits(Assembler::loadload)); +} + +void LIR_Assembler::membar_storestore() { + // no-op + //__ membar(Assembler::Membar_mask_bits(Assembler::storestore)); +} + +void LIR_Assembler::membar_loadstore() { + // no-op + //__ membar(Assembler::Membar_mask_bits(Assembler::loadstore)); +} + +void LIR_Assembler::membar_storeload() { + __ membar(Assembler::Membar_mask_bits(Assembler::StoreLoad)); +} + void LIR_Assembler::get_thread(LIR_Opr result_reg) { assert(result_reg->is_register(), "check"); #ifdef _LP64 diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/cpu/x86/vm/vm_version_x86.cpp --- a/hotspot/src/cpu/x86/vm/vm_version_x86.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/cpu/x86/vm/vm_version_x86.cpp Wed Jul 05 18:03:56 2017 +0200 
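Review bot: The three no-op bodies added to c1_LIRAssembler_sparc.cpp (`membar_loadload`, `membar_storestore`, `membar_loadstore`) each keep a commented-out `__ membar(...)` line whose enumerator is spelled in lower case, e.g. `Assembler::loadload`, while the only live call in the hunk uses `Assembler::StoreLoad`. If the other enumerators follow that capitalisation, the commented lines would not compile when someone re-enables them. Replace the dead code with the reason the barrier is omitted, for example `// no-op on TSO`, which is the wording already used in the context line just above the hunk. The c1_LIRAssembler_x86.cpp hunk adds the same three bodies and needs the same change.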
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -65,8 +65,8 @@ address generate_getPsrInfo() { // Flags to test CPU type. - const uint32_t EFL_AC = 0x40000; - const uint32_t EFL_ID = 0x200000; + const uint32_t HS_EFL_AC = 0x40000; + const uint32_t HS_EFL_ID = 0x200000; // Values for when we don't have a CPUID instruction. const int CPU_FAMILY_SHIFT = 8; const uint32_t CPU_FAMILY_386 = (3 << CPU_FAMILY_SHIFT); @@ -100,7 +100,7 @@ // // if we are unable to change the AC flag, we have a 386 // - __ xorl(rax, EFL_AC); + __ xorl(rax, HS_EFL_AC); __ push(rax); __ popf(); __ pushf(); @@ -118,7 +118,7 @@ // __ bind(detect_486); __ mov(rax, rcx); - __ xorl(rax, EFL_ID); + __ xorl(rax, HS_EFL_ID); __ push(rax); __ popf(); __ pushf(); diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/os/bsd/vm/osThread_bsd.cpp --- a/hotspot/src/os/bsd/vm/osThread_bsd.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/os/bsd/vm/osThread_bsd.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -49,7 +49,11 @@ void OSThread::pd_initialize() { assert(this != NULL, "check"); +#ifdef __APPLE__ + _thread_id = 0; +#else _thread_id = NULL; +#endif _pthread_id = NULL; _siginfo = NULL; _ucontext = NULL; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/os/bsd/vm/osThread_bsd.hpp --- a/hotspot/src/os/bsd/vm/osThread_bsd.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/os/bsd/vm/osThread_bsd.hpp Wed Jul 05 18:03:56 2017 +0200 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,10 +40,17 @@ private: #ifdef _ALLBSD_SOURCE - // _thread_id and _pthread_id are the same on BSD - // keep both to minimize code divergence in os_bsd.cpp + +#ifdef __APPLE__ + thread_t _thread_id; +#else pthread_t _thread_id; +#endif + + // _pthread_id is the pthread id, which is used by library calls + // (e.g. pthread_kill). pthread_t _pthread_id; + #else // _thread_id is kernel thread id (similar to LWP id on Solaris). Each // thread has a unique thread_id (BsdThreads or NPTL). It can be used @@ -64,9 +71,15 @@ void set_caller_sigmask(sigset_t sigmask) { _caller_sigmask = sigmask; } #ifdef _ALLBSD_SOURCE +#ifdef __APPLE__ + thread_t thread_id() const { + return _thread_id; + } +#else pthread_t thread_id() const { return _thread_id; } +#endif #else pid_t thread_id() const { return _thread_id; @@ -84,9 +97,15 @@ } #endif // ASSERT #ifdef _ALLBSD_SOURCE +#ifdef __APPLE__ + void set_thread_id(thread_t id) { + _thread_id = id; + } +#else void set_thread_id(pthread_t id) { _thread_id = id; } +#endif #else void set_thread_id(pid_t id) { _thread_id = id; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/os/bsd/vm/os_bsd.cpp --- a/hotspot/src/os/bsd/vm/os_bsd.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/os/bsd/vm/os_bsd.cpp Wed Jul 05 18:03:56 2017 +0200 
@@ -568,6 +568,25 @@ sprintf(ld_library_path, "%s:%s", v, t); free(t); } + +#ifdef __APPLE__ + // Apple's Java6 has "." at the beginning of java.library.path. + // OpenJDK on Windows has "." at the end of java.library.path. + // OpenJDK on Linux and Solaris don't have "." in java.library.path + // at all. To ease the transition from Apple's Java6 to OpenJDK7, + // "." is appended to the end of java.library.path. Yes, this + // could cause a change in behavior, but Apple's Java6 behavior + // can be achieved by putting "." at the beginning of the + // JAVA_LIBRARY_PATH environment variable. + { + char *t = ld_library_path; + // that's +3 for appending ":." and the trailing '\0' + ld_library_path = (char *) malloc(strlen(t) + 3); + sprintf(ld_library_path, "%s:%s", t, "."); + free(t); + } +#endif + Arguments::set_library_path(ld_library_path); } @@ -979,8 +998,13 @@ } #ifdef _ALLBSD_SOURCE +#ifdef __APPLE__ + // thread_id is mach thread on macos + osthread->set_thread_id(::mach_thread_self()); +#else // thread_id is pthread_id on BSD osthread->set_thread_id(::pthread_self()); +#endif #else // thread_id is kernel thread id (similar to Solaris LWP id) osthread->set_thread_id(os::Bsd::gettid()); @@ -1171,7 +1195,11 @@ // Store pthread info into the OSThread #ifdef _ALLBSD_SOURCE +#ifdef __APPLE__ + osthread->set_thread_id(::mach_thread_self()); +#else osthread->set_thread_id(::pthread_self()); +#endif #else osthread->set_thread_id(os::Bsd::gettid()); #endif @@ -1788,7 +1816,13 @@ return n; } -intx os::current_thread_id() { return (intx)pthread_self(); } +intx os::current_thread_id() { +#ifdef __APPLE__ + return (intx)::mach_thread_self(); +#else + return (intx)::pthread_self(); +#endif +} int os::current_process_id() { // Under the old bsd thread library, bsd gives each thread 
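Review bot: In the `__APPLE__` block added before `Arguments::set_library_path`, the result of `malloc(strlen(t) + 3)` goes straight into `sprintf` with no NULL check, so an allocation failure at startup becomes a write through a null pointer. Check the pointer before formatting and use the bounded form, `snprintf(ld_library_path, len, "%s:.", t)` with `len` holding `strlen(t) + 3`. Separately, appending "." to java.library.path means native libraries can be resolved from whatever the working directory is at launch. The comment gives the compatibility motive but should also state that this is a search-path entry the JVM does not control, so that deployments started from shared or writable directories set the path explicitly. The enclosing function starts and ends outside the hunk.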
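Review bot: `::mach_thread_self()` returns a new send right on the thread port each time it is called, and none of the call sites added in os_bsd.cpp releases it. This affects `osthread->set_thread_id(::mach_thread_self())` in the -979 and -1171 hunks and `os::current_thread_id()` in the -1788 hunk, the last of which may be called repeatedly. Each call then leaves a port reference that is never dropped. Either release it with `mach_port_deallocate(mach_task_self(), port)` once the value has been read, or obtain the id without taking a reference via `pthread_mach_thread_np(::pthread_self())`, the call that the thread_info hunk of this same file removes. The enclosing functions of the first two hunks start and end outside the hunks.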
@@ -5133,9 +5167,9 @@ struct thread_basic_info tinfo; mach_msg_type_number_t tcount = THREAD_INFO_MAX; kern_return_t kr; - mach_port_t mach_thread; - - mach_thread = pthread_mach_thread_np(thread->osthread()->thread_id()); + thread_t mach_thread; + + mach_thread = thread->osthread()->thread_id(); kr = thread_info(mach_thread, THREAD_BASIC_INFO, (thread_info_t)&tinfo, &tcount); if (kr != KERN_SUCCESS) return -1; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/os_cpu/bsd_x86/vm/vmStructs_bsd_x86.hpp --- a/hotspot/src/os_cpu/bsd_x86/vm/vmStructs_bsd_x86.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/os_cpu/bsd_x86/vm/vmStructs_bsd_x86.hpp Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,12 +29,18 @@ // constants required by the Serviceability Agent. This file is // referenced by vmStructs.cpp. +#ifdef __APPLE__ +#define OS_THREAD_ID_TYPE thread_t +#else +#define OS_THREAD_ID_TYPE pthread_t +#endif + #define VM_STRUCTS_OS_CPU(nonstatic_field, static_field, unchecked_nonstatic_field, volatile_nonstatic_field, nonproduct_nonstatic_field, c2_nonstatic_field, unchecked_c1_static_field, unchecked_c2_static_field, last_entry) \ \ /******************************/ \ /* Threads (NOTE: incomplete) */ \ /******************************/ \ - nonstatic_field(OSThread, _thread_id, pthread_t) \ + nonstatic_field(OSThread, _thread_id, OS_THREAD_ID_TYPE) \ nonstatic_field(OSThread, _pthread_id, pthread_t) \ /* This must be the last entry, and must be present */ \ last_entry() 
@@ -46,7 +52,7 @@ /* Posix Thread IDs */ \ /**********************/ \ \ - declare_integer_type(pid_t) \ + declare_unsigned_integer_type(thread_t) \ declare_unsigned_integer_type(pthread_t) \ \ /* This must be the last entry, and must be present */ \ diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_Canonicalizer.cpp --- a/hotspot/src/share/vm/c1/c1_Canonicalizer.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_Canonicalizer.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -908,3 +908,4 @@ void Canonicalizer::do_ProfileCall(ProfileCall* x) {} void Canonicalizer::do_ProfileInvoke(ProfileInvoke* x) {} void Canonicalizer::do_RuntimeCall(RuntimeCall* x) {} +void Canonicalizer::do_MemBar(MemBar* x) {} diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_Canonicalizer.hpp --- a/hotspot/src/share/vm/c1/c1_Canonicalizer.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_Canonicalizer.hpp Wed Jul 05 18:03:56 2017 +0200 @@ -104,6 +104,7 @@ virtual void do_ProfileCall (ProfileCall* x); virtual void do_ProfileInvoke (ProfileInvoke* x); virtual void do_RuntimeCall (RuntimeCall* x); + virtual void do_MemBar (MemBar* x); }; #endif // SHARE_VM_C1_C1_CANONICALIZER_HPP diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_GraphBuilder.cpp --- a/hotspot/src/share/vm/c1/c1_GraphBuilder.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_GraphBuilder.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -1418,6 +1418,12 @@ call_register_finalizer(); } + bool need_mem_bar = false; + if (method()->name() == ciSymbol::object_initializer_name() && + scope()->wrote_final()) { + need_mem_bar = true; + } + // Check to see whether we are inlining. If so, Return // instructions become Gotos to the continuation point. if (continuation() != NULL) { 
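Review bot: The `need_mem_bar` block added to the return path in c1_GraphBuilder.cpp carries no comment explaining why a constructor that stored to a final field needs a barrier before it returns. A line such as `// final-field stores must be visible before the new object can be published (JLS 17.5)` would make the intent clear at the point where the flag is computed. The flag can also be a single initialisation, `const bool need_mem_bar = method()->name() == ciSymbol::object_initializer_name() && scope()->wrote_final();`, instead of a mutable local set inside an `if`. The two `append(new MemBar(lir_membar_storestore))` hunks (-1437 and -1472) depend on this flag and would benefit from a one-line reference to the same rule. The enclosing function starts and ends outside the hunk.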
@@ -1437,6 +1443,10 @@ monitorexit(state()->lock_at(0), SynchronizationEntryBCI); } + if (need_mem_bar) { + append(new MemBar(lir_membar_storestore)); + } + // State at end of inlined method is the state of the caller // without the method parameters on stack, including the // return value, if any, of the inlined method on operand stack. @@ -1456,7 +1466,6 @@ // the continuation point. append_with_bci(goto_callee, scope_data()->continuation()->bci()); incr_num_returns(); - return; } @@ -1472,6 +1481,10 @@ append_split(new MonitorExit(receiver, state()->unlock())); } + if (need_mem_bar) { + append(new MemBar(lir_membar_storestore)); + } + append(new Return(x)); } @@ -1504,6 +1517,9 @@ } } + if (field->is_final() && (code == Bytecodes::_putfield)) { + scope()->set_wrote_final(); + } const int offset = !needs_patching ? field->offset() : -1; switch (code) { diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_IR.cpp --- a/hotspot/src/share/vm/c1/c1_IR.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_IR.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -141,6 +141,7 @@ _xhandlers = new XHandlers(method); _number_of_locks = 0; _monitor_pairing_ok = method->has_balanced_monitors(); + _wrote_final = false; _start = NULL; if (osr_bci == -1) { diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_IR.hpp --- a/hotspot/src/share/vm/c1/c1_IR.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_IR.hpp Wed Jul 05 18:03:56 2017 +0200 @@ -149,6 +149,7 @@ XHandlers* _xhandlers; // the exception handlers int _number_of_locks; // the number of monitor lock slots needed bool _monitor_pairing_ok; // the monitor pairing info + bool _wrote_final; // has written final field BlockBegin* _start; // the start block, successsors are method entries BitMap _requires_phi_function; // bit is set if phi functions at loop headers are necessary for a local variable 
@@ -181,6 +182,8 @@ void set_min_number_of_locks(int n) { if (n > _number_of_locks) _number_of_locks = n; } bool monitor_pairing_ok() const { return _monitor_pairing_ok; } BlockBegin* start() const { return _start; } + void set_wrote_final() { _wrote_final = true; } + bool wrote_final () const { return _wrote_final; } }; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_Instruction.hpp --- a/hotspot/src/share/vm/c1/c1_Instruction.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_Instruction.hpp Wed Jul 05 18:03:56 2017 +0200 @@ -107,6 +107,7 @@ class ProfileCall; class ProfileInvoke; class RuntimeCall; +class MemBar; // A Value is a reference to the instruction creating the value typedef Instruction* Value; @@ -204,6 +205,7 @@ virtual void do_ProfileCall (ProfileCall* x) = 0; virtual void do_ProfileInvoke (ProfileInvoke* x) = 0; virtual void do_RuntimeCall (RuntimeCall* x) = 0; + virtual void do_MemBar (MemBar* x) = 0; }; @@ -2351,6 +2353,23 @@ virtual void state_values_do(ValueVisitor*); }; +LEAF(MemBar, Instruction) + private: + LIR_Code _code; + + public: + MemBar(LIR_Code code) + : Instruction(voidType) + , _code(code) + { + pin(); + } + + LIR_Code code() { return _code; } + + virtual void input_values_do(ValueVisitor*) {} +}; + class BlockPair: public CompilationResourceObj { private: BlockBegin* _from; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_InstructionPrinter.cpp --- a/hotspot/src/share/vm/c1/c1_InstructionPrinter.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_InstructionPrinter.cpp Wed Jul 05 18:03:56 2017 +0200 
@@ -855,4 +855,20 @@ output()->put(')'); } +void InstructionPrinter::do_MemBar(MemBar* x) { + if (os::is_MP()) { + LIR_Code code = x->code(); + switch (code) { + case lir_membar_acquire : output()->print("membar_acquire"); break; + case lir_membar_release : output()->print("membar_release"); break; + case lir_membar : output()->print("membar"); break; + case lir_membar_loadload : output()->print("membar_loadload"); break; + case lir_membar_storestore: output()->print("membar_storestore"); break; + case lir_membar_loadstore : output()->print("membar_loadstore"); break; + case lir_membar_storeload : output()->print("membar_storeload"); break; + default : ShouldNotReachHere(); break; + } + } +} + #endif // PRODUCT diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_InstructionPrinter.hpp --- a/hotspot/src/share/vm/c1/c1_InstructionPrinter.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_InstructionPrinter.hpp Wed Jul 05 18:03:56 2017 +0200 @@ -132,6 +132,7 @@ virtual void do_ProfileCall (ProfileCall* x); virtual void do_ProfileInvoke (ProfileInvoke* x); virtual void do_RuntimeCall (RuntimeCall* x); + virtual void do_MemBar (MemBar* x); }; #endif // PRODUCT diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_LIR.cpp --- a/hotspot/src/share/vm/c1/c1_LIR.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_LIR.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -464,6 +464,10 @@ case lir_membar: // result and info always invalid case lir_membar_acquire: // result and info always invalid case lir_membar_release: // result and info always invalid + case lir_membar_loadload: // result and info always invalid + case lir_membar_storestore: // result and info always invalid + case lir_membar_loadstore: // result and info always invalid + case lir_membar_storeload: // result and info always invalid { assert(op->as_Op0() != NULL, "must be"); assert(op->_info == NULL, "info not used by this instruction"); 
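Review bot: `InstructionPrinter::do_MemBar` emits no text when `os::is_MP()` is false, so on a uniprocessor an IR dump shows the MemBar node with no name. The printer describes the instruction rather than generating code, so the `os::is_MP()` guard is only needed in `LIRGenerator::do_MemBar` (the c1_LIRGenerator.cpp hunk). Drop the `if (os::is_MP())` wrapper here and keep the `switch` unchanged.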
@@ -1607,6 +1611,10 @@ case lir_membar: s = "membar"; break; case lir_membar_acquire: s = "membar_acquire"; break; case lir_membar_release: s = "membar_release"; break; + case lir_membar_loadload: s = "membar_loadload"; break; + case lir_membar_storestore: s = "membar_storestore"; break; + case lir_membar_loadstore: s = "membar_loadstore"; break; + case lir_membar_storeload: s = "membar_storeload"; break; case lir_word_align: s = "word_align"; break; case lir_label: s = "label"; break; case lir_nop: s = "nop"; break; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_LIR.hpp --- a/hotspot/src/share/vm/c1/c1_LIR.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_LIR.hpp Wed Jul 05 18:03:56 2017 +0200 @@ -866,6 +866,10 @@ , lir_membar , lir_membar_acquire , lir_membar_release + , lir_membar_loadload + , lir_membar_storestore + , lir_membar_loadstore + , lir_membar_storeload , lir_get_thread , end_op0 , begin_op1 @@ -1918,6 +1922,10 @@ void membar() { append(new LIR_Op0(lir_membar)); } void membar_acquire() { append(new LIR_Op0(lir_membar_acquire)); } void membar_release() { append(new LIR_Op0(lir_membar_release)); } + void membar_loadload() { append(new LIR_Op0(lir_membar_loadload)); } + void membar_storestore() { append(new LIR_Op0(lir_membar_storestore)); } + void membar_loadstore() { append(new LIR_Op0(lir_membar_loadstore)); } + void membar_storeload() { append(new LIR_Op0(lir_membar_storeload)); } void nop() { append(new LIR_Op0(lir_nop)); } void build_frame() { append(new LIR_Op0(lir_build_frame)); } diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_LIRAssembler.cpp --- a/hotspot/src/share/vm/c1/c1_LIRAssembler.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_LIRAssembler.cpp Wed Jul 05 18:03:56 2017 +0200 
@@ -664,6 +664,22 @@ membar_release(); break; + case lir_membar_loadload: + membar_loadload(); + break; + + case lir_membar_storestore: + membar_storestore(); + break; + + case lir_membar_loadstore: + membar_loadstore(); + break; + + case lir_membar_storeload: + membar_storeload(); + break; + case lir_get_thread: get_thread(op->result_opr()); break; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_LIRAssembler.hpp --- a/hotspot/src/share/vm/c1/c1_LIRAssembler.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_LIRAssembler.hpp Wed Jul 05 18:03:56 2017 +0200 @@ -241,6 +241,10 @@ void membar(); void membar_acquire(); void membar_release(); + void membar_loadload(); + void membar_storestore(); + void membar_loadstore(); + void membar_storeload(); void get_thread(LIR_Opr result); void verify_oop_map(CodeEmitInfo* info); diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_LIRGenerator.cpp --- a/hotspot/src/share/vm/c1/c1_LIRGenerator.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_LIRGenerator.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -3165,3 +3165,20 @@ } return result; } + +void LIRGenerator::do_MemBar(MemBar* x) { + if (os::is_MP()) { + LIR_Code code = x->code(); + switch(code) { + case lir_membar_acquire : __ membar_acquire(); break; + case lir_membar_release : __ membar_release(); break; + case lir_membar : __ membar(); break; + case lir_membar_loadload : __ membar_loadload(); break; + case lir_membar_storestore: __ membar_storestore(); break; + case lir_membar_loadstore : __ membar_loadstore(); break; + case lir_membar_storeload : __ membar_storeload(); break; + default : ShouldNotReachHere(); break; + } + } +} + diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_LIRGenerator.hpp --- a/hotspot/src/share/vm/c1/c1_LIRGenerator.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_LIRGenerator.hpp Wed Jul 05 18:03:56 2017 +0200 
@@ -525,6 +525,7 @@ virtual void do_ProfileCall (ProfileCall* x); virtual void do_ProfileInvoke (ProfileInvoke* x); virtual void do_RuntimeCall (RuntimeCall* x); + virtual void do_MemBar (MemBar* x); }; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_Optimizer.cpp --- a/hotspot/src/share/vm/c1/c1_Optimizer.cpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_Optimizer.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -509,6 +509,7 @@ void do_ProfileCall (ProfileCall* x); void do_ProfileInvoke (ProfileInvoke* x); void do_RuntimeCall (RuntimeCall* x); + void do_MemBar (MemBar* x); }; @@ -678,6 +679,7 @@ void NullCheckVisitor::do_ProfileCall (ProfileCall* x) { nce()->clear_last_explicit_null_check(); } void NullCheckVisitor::do_ProfileInvoke (ProfileInvoke* x) {} void NullCheckVisitor::do_RuntimeCall (RuntimeCall* x) {} +void NullCheckVisitor::do_MemBar (MemBar* x) {} void NullCheckEliminator::visit(Value* p) { diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/c1/c1_ValueMap.hpp --- a/hotspot/src/share/vm/c1/c1_ValueMap.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/c1/c1_ValueMap.hpp Wed Jul 05 18:03:56 2017 +0200 @@ -200,6 +200,7 @@ void do_ProfileCall (ProfileCall* x) { /* nothing to do */ } void do_ProfileInvoke (ProfileInvoke* x) { /* nothing to do */ }; void do_RuntimeCall (RuntimeCall* x) { /* nothing to do */ }; + void do_MemBar (MemBar* x) { /* nothing to do */ }; }; diff -r 836dfc08398e -r 16ba58282d11 hotspot/src/share/vm/utilities/globalDefinitions_gcc.hpp --- a/hotspot/src/share/vm/utilities/globalDefinitions_gcc.hpp Wed Jul 05 18:03:21 2017 +0200 +++ b/hotspot/src/share/vm/utilities/globalDefinitions_gcc.hpp Wed Jul 05 18:03:56 2017 +0200 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -87,14 +87,7 @@ #endif #ifdef __APPLE__ #include - #if (MAC_OS_X_VERSION_MAX_ALLOWED <= MAC_OS_X_VERSION_10_4) - // Mac OS X 10.4 defines EFL_AC and EFL_ID, - // which conflict with hotspot variable names. - // - // This has been fixed in Mac OS X 10.5. - #undef EFL_AC - #undef EFL_ID - #endif + #include #endif #include #endif // LINUX || _ALLBSD_SOURCE diff -r 836dfc08398e -r 16ba58282d11 jaxp/.hgtags --- a/jaxp/.hgtags Wed Jul 05 18:03:21 2017 +0200 +++ b/jaxp/.hgtags Wed Jul 05 18:03:56 2017 +0200 @@ -148,3 +148,4 @@ 7836655e2495646c462f13de73dcc3ada197b64f jdk8-b24 bb694c151fc7b5c8f9edc8af6a80738530feacaf jdk8-b25 dbb7283c197b27da1fc12ae8a83785c851b68c12 jdk8-b26 +80c47eb83d24fdd64bbb48f288bd6d4f03e0ec88 jdk8-b27 diff -r 836dfc08398e -r 16ba58282d11 jaxws/.hgtags --- a/jaxws/.hgtags Wed Jul 05 18:03:21 2017 +0200 +++ b/jaxws/.hgtags Wed Jul 05 18:03:56 2017 +0200 @@ -148,3 +148,4 @@ e0d90803439b174fe0b0033e09d50444ba12498f jdk8-b24 b376d901e006cd9e0c59733c84e190aace23eec6 jdk8-b25 3518639eab6ce5c7b482bdb0a60342c392ab97a8 jdk8-b26 +38c037af4127289de12efc67f45d19bb67abff69 jdk8-b27 diff -r 836dfc08398e -r 16ba58282d11 jdk/.hgtags --- a/jdk/.hgtags Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/.hgtags Wed Jul 05 18:03:56 2017 +0200 @@ -148,3 +148,4 @@ 34029a0c69bba882264a29fc822f8283fd15f104 jdk8-b24 ec17fbe5b8fbc52da070eec43b4711d9354b2ab8 jdk8-b25 5aca406e87cb9144a9405be312dadd728a9c6fe2 jdk8-b26 +c68342532e2e7deb3a25fc04ed3e4c142278f747 jdk8-b27 diff -r 836dfc08398e -r 16ba58282d11 jdk/make/java/java/FILES_java.gmk --- a/jdk/make/java/java/FILES_java.gmk Wed Jul 05 18:03:21 2017 +0200 
+++ b/jdk/make/java/java/FILES_java.gmk Wed Jul 05 18:03:56 2017 +0200 @@ -474,6 +474,7 @@ sun/misc/MessageUtils.java \ sun/misc/GC.java \ sun/misc/Service.java \ + sun/misc/JavaAWTAccess.java \ sun/misc/JavaLangAccess.java \ sun/misc/JavaIOAccess.java \ sun/misc/JavaIOFileDescriptorAccess.java \ diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/com/sun/jndi/dns/DnsClient.java --- a/jdk/src/share/classes/com/sun/jndi/dns/DnsClient.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/com/sun/jndi/dns/DnsClient.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -622,11 +622,7 @@ //------------------------------------------------------------------------- - private static boolean debug = false; - - public static void setDebug(boolean flag) { - debug = flag; - } + private static final boolean debug = false; private static void dprint(String mess) { if (debug) { diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java --- a/jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java Wed Jul 05 18:03:56 2017 +0200 @@ -736,7 +736,7 @@ if (off < 0) { throw new ArrayIndexOutOfBoundsException(off); } - if (off + len > b.length) { + if ((long)off + (long)len > (long)b.length) { throw new ArrayIndexOutOfBoundsException(b.length); } 
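Review bot: The widened bounds check `if ((long)off + (long)len > (long)b.length)` in DirectAudioDevice.java only guards the upper side, so it still depends on a negative `len` having been rejected earlier. Only the `off < 0` test is visible in this hunk, so confirm that the `len` guard exists above it. The expression is also over-cast, since widening one operand is enough: `if ((long) off + len > b.length)`. The same expression appears in the second DirectAudioDevice hunk (-964) and in the checks added to SoftMixingSourceDataLine.java. The enclosing methods start and end outside the hunks.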
@@ -964,7 +964,7 @@ if (off < 0) { throw new ArrayIndexOutOfBoundsException(off); } - if (off + len > b.length) { + if ((long)off + (long)len > (long)b.length) { throw new ArrayIndexOutOfBoundsException(b.length); } if (!isActive() && doIO) { diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java --- a/jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java Wed Jul 05 18:03:56 2017 +0200 @@ -130,6 +130,12 @@ if (len % framesize != 0) throw new IllegalArgumentException( "Number of bytes does not represent an integral number of sample frames."); + if (off < 0) { + throw new ArrayIndexOutOfBoundsException(off); + } + if ((long)off + (long)len > (long)b.length) { + throw new ArrayIndexOutOfBoundsException(b.length); + } byte[] buff = cycling_buffer; int buff_len = cycling_buffer.length; diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/java/io/File.java --- a/jdk/src/share/classes/java/io/File.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/java/io/File.java Wed Jul 05 18:03:56 2017 +0200 @@ -153,7 +153,7 @@ /** * The FileSystem object representing the platform's local file system. */ - static private FileSystem fs = FileSystem.getFileSystem(); + private static final FileSystem fs = FileSystem.getFileSystem(); /** * This abstract pathname's normalized pathname string. A normalized @@ -162,13 +162,13 @@ * * @serial */ - private String path; + private final String path; /** * The length of this abstract pathname's prefix, or zero if it has no * prefix. */ - private transient int prefixLength; + private final transient int prefixLength; /** * Returns the length of this abstract pathname's prefix. 
@@ -2023,10 +2023,28 @@ char sep = s.readChar(); // read the previous separator char if (sep != separatorChar) pathField = pathField.replace(sep, separatorChar); - this.path = fs.normalize(pathField); - this.prefixLength = fs.prefixLength(this.path); + String path = fs.normalize(pathField); + UNSAFE.putObject(this, PATH_OFFSET, path); + UNSAFE.putIntVolatile(this, PREFIX_LENGTH_OFFSET, fs.prefixLength(path)); } + private static final long PATH_OFFSET; + private static final long PREFIX_LENGTH_OFFSET; + private static final sun.misc.Unsafe UNSAFE; + static { + try { + sun.misc.Unsafe unsafe = sun.misc.Unsafe.getUnsafe(); + PATH_OFFSET = unsafe.objectFieldOffset( + File.class.getDeclaredField("path")); + PREFIX_LENGTH_OFFSET = unsafe.objectFieldOffset( + File.class.getDeclaredField("prefixLength")); + UNSAFE = unsafe; + } catch (ReflectiveOperationException e) { + throw new Error(e); + } + } + + /** use serialVersionUID from JDK 1.0.2 for interoperability */ private static final long serialVersionUID = 301077366599181567L; diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/java/io/ObjectStreamClass.java --- a/jdk/src/share/classes/java/io/ObjectStreamClass.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/java/io/ObjectStreamClass.java Wed Jul 05 18:03:56 2017 +0200 
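Review bot: In `readObject` the new local `String path` shadows the now-final field `path`, and the field is stored with a plain `UNSAFE.putObject` while `prefixLength` uses `putIntVolatile`, with no comment on why the two stores differ. Renaming the local (for example `String p = fs.normalize(pathField);`) removes the shadowing. A comment above the two stores should explain that the final fields cannot be assigned directly during deserialization and, if the trailing volatile store is what publishes both values, say that too. The static initialiser that obtains `UNSAFE` and the two offsets has no comment either. `readObject` starts before the hunk.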
@@ -123,14 +123,39 @@ */ private boolean hasBlockExternalData = true; + /** + * Contains information about InvalidClassException instances to be thrown + * when attempting operations on an invalid class. Note that instances of + * this class are immutable and are potentially shared among + * ObjectStreamClass instances. + */ + private static class ExceptionInfo { + private final String className; + private final String message; + + ExceptionInfo(String cn, String msg) { + className = cn; + message = msg; + } + + /** + * Returns (does not throw) an InvalidClassException instance created + * from the information in this object, suitable for being thrown by + * the caller. + */ + InvalidClassException newInvalidClassException() { + return new InvalidClassException(className, message); + } + } + /** exception (if any) thrown while attempting to resolve class */ private ClassNotFoundException resolveEx; /** exception (if any) to throw if non-enum deserialization attempted */ - private InvalidClassException deserializeEx; + private ExceptionInfo deserializeEx; /** exception (if any) to throw if non-enum serialization attempted */ - private InvalidClassException serializeEx; + private ExceptionInfo serializeEx; /** exception (if any) to throw if default serialization attempted */ - private InvalidClassException defaultSerializeEx; + private ExceptionInfo defaultSerializeEx; /** serializable fields */ private ObjectStreamField[] fields; @@ -444,7 +469,8 @@ fields = getSerialFields(cl); computeFieldOffsets(); } catch (InvalidClassException e) { - serializeEx = deserializeEx = e; + serializeEx = deserializeEx = + new ExceptionInfo(e.classname, e.getMessage()); fields = NO_FIELDS; } 
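Review bot: In the `catch (InvalidClassException e)` branch of the hunk at line 444, `new ExceptionInfo(e.classname, e.getMessage())` keeps only the class name and message, so the stack trace and any cause of `e` are lost. The `checkDeserialize`, `checkSerialize` and `checkDefaultSerialize` hunks further down previously chained the stored exception with `initCause` and no longer can. If this is deliberate, so that no mutable exception object is shared between `ObjectStreamClass` instances, say so in the `ExceptionInfo` javadoc, for example `The original exception, if any, is deliberately not retained.` The nested class could also be declared `private static final class ExceptionInfo`.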
@@ -483,15 +509,14 @@ if (deserializeEx == null) { if (isEnum) { - deserializeEx = new InvalidClassException(name, "enum type"); + deserializeEx = new ExceptionInfo(name, "enum type"); } else if (cons == null) { - deserializeEx = new InvalidClassException( - name, "no valid constructor"); + deserializeEx = new ExceptionInfo(name, "no valid constructor"); } } for (int i = 0; i < fields.length; i++) { if (fields[i].getField() == null) { - defaultSerializeEx = new InvalidClassException( + defaultSerializeEx = new ExceptionInfo( name, "unmatched serializable field(s) declared"); } } @@ -601,8 +626,8 @@ (externalizable != localDesc.externalizable) || !(serializable || externalizable)) { - deserializeEx = new InvalidClassException(localDesc.name, - "class invalid for deserialization"); + deserializeEx = new ExceptionInfo( + localDesc.name, "class invalid for deserialization"); } } @@ -727,11 +752,7 @@ */ void checkDeserialize() throws InvalidClassException { if (deserializeEx != null) { - InvalidClassException ice = - new InvalidClassException(deserializeEx.classname, - deserializeEx.getMessage()); - ice.initCause(deserializeEx); - throw ice; + throw deserializeEx.newInvalidClassException(); } } @@ -742,11 +763,7 @@ */ void checkSerialize() throws InvalidClassException { if (serializeEx != null) { - InvalidClassException ice = - new InvalidClassException(serializeEx.classname, - serializeEx.getMessage()); - ice.initCause(serializeEx); - throw ice; + throw serializeEx.newInvalidClassException(); } } @@ -759,11 +776,7 @@ */ void checkDefaultSerialize() throws InvalidClassException { if (defaultSerializeEx != null) { - InvalidClassException ice = - new InvalidClassException(defaultSerializeEx.classname, - defaultSerializeEx.getMessage()); - ice.initCause(defaultSerializeEx); - throw ice; + throw defaultSerializeEx.newInvalidClassException(); } } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/java/lang/Math.java 
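Review bot: In the hunk at line 483 the loop over `fields` allocates a new `ExceptionInfo` for every field whose `getField()` is null, although each instance carries the same name and message and only the last one is kept. Adding `break;` after the `defaultSerializeEx = new ExceptionInfo(...)` assignment stops at the first unmatched field with the same result. The loop header is unchanged context, and the enclosing constructor starts and ends outside the hunk.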
--- a/jdk/src/share/classes/java/lang/Math.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/java/lang/Math.java Wed Jul 05 18:03:56 2017 +0200 @@ -81,6 +81,22 @@ * floating-point approximation. Not all approximations that have 1 * ulp accuracy will automatically meet the monotonicity requirements. * + *

+ * The platform uses signed two's complement integer arithmetic with + * int and long primitive types. The developer should choose + * the primitive type to ensure that arithmetic operations consistently + * produce correct results, which in some cases means the operations + * will not overflow the range of values of the computation. + * The best practice is to choose the primitive type and algorithm to avoid + * overflow. In cases where the size is {@code int} or {@code long} and + * overflow errors need to be detected, the methods {@code addExact}, + * {@code subtractExact}, {@code multiplyExact}, and {@code toIntExact} + * throw an {@code ArithmeticException} when the results overflow. + * For other arithmetic operations such as divide, absolute value, + * increment, decrement, and negation overflow occurs only with + * a specific minimum or maximum value and should be checked against + * the minimum or maximum as appropriate. + * * @author unascribed * @author Joseph D. Darcy * @since JDK1.0 
@@ -719,6 +735,137 @@ } /** + * Returns the sum of its arguments, + * throwing an exception if the result overflows an {@code int}. + * + * @param x the first value + * @param y the second value + * @return the result + * @throws ArithmeticException if the result overflows an int + */ + public static int addExact(int x, int y) { + int r = x + y; + // HD 2-12 Overflow iff both arguments have the opposite sign of the result + if (((x ^ r) & (y ^ r)) < 0) { + throw new ArithmeticException("integer overflow"); + } + return r; + } + + /** + * Returns the sum of its arguments, + * throwing an exception if the result overflows a {@code long}. + * + * @param x the first value + * @param y the second value + * @return the result + * @throws ArithmeticException if the result overflows a long + */ + public static long addExact(long x, long y) { + long r = x + y; + // HD 2-12 Overflow iff both arguments have the opposite sign of the result + if (((x ^ r) & (y ^ r)) < 0) { + throw new ArithmeticException("long overflow"); + } + return r; + } + + /** + * Returns the difference of the arguments, + * throwing an exception if the result overflows an {@code int}. + * + * @param x the first value + * @param y the second value to subtract from the first + * @return the result + * @throws ArithmeticException if the result overflows an int + */ + public static int subtractExact(int x, int y) { + int r = x - y; + // HD 2-12 Overflow iff the arguments have different signs and + // the sign of the result is different than the sign of x + if (((x ^ y) & (x ^ r)) < 0) { + throw new ArithmeticException("integer overflow"); + } + return r; + } + + /** + * Returns the difference of the arguments, + * throwing an exception if the result overflows a {@code long}. 
+ * + * @param x the first value + * @param y the second value to subtract from the first + * @return the result + * @throws ArithmeticException if the result overflows a long + */ + public static long subtractExact(long x, long y) { + long r = x - y; + // HD 2-12 Overflow iff the arguments have different signs and + // the sign of the result is different than the sign of x + if (((x ^ y) & (x ^ r)) < 0) { + throw new ArithmeticException("long overflow"); + } + return r; + } + + /** + * Returns the product of the arguments, + * throwing an exception if the result overflows an {@code int}. + * + * @param x the first value + * @param y the second value + * @return the result + * @throws ArithmeticException if the result overflows an int + */ + public static int multiplyExact(int x, int y) { + long r = (long)x * (long)y; + if ((int)r != r) { + throw new ArithmeticException("long overflow"); + } + return (int)r; + } + + /** + * Returns the product of the arguments, + * throwing an exception if the result overflows a {@code long}. + * + * @param x the first value + * @param y the second value + * @return the result + * @throws ArithmeticException if the result overflows a long + */ + public static long multiplyExact(long x, long y) { + long r = x * y; + long ax = Math.abs(x); + long ay = Math.abs(y); + if (((ax | ay) >>> 31 != 0)) { + // Some bits greater than 2^31 that might cause overflow + // Check the result using the divide operator + // and check for the special case of Long.MIN_VALUE * -1 + if (((y != 0) && (r / y != x)) || + (x == Long.MIN_VALUE && y == -1)) { + throw new ArithmeticException("long overflow"); + } + } + return r; + } + + /** + * Returns the value of the {@code long} argument; + * throwing an exception if the value overflows an {@code int}. 
+ * + * @param value the long value + * @return the argument as an int + * @throws ArithmeticException if the {@code argument} overflows an int + */ + public static int toIntExact(long value) { + if ((int)value != value) { + throw new ArithmeticException("integer overflow"); + } + return (int)value; + } + + /** * Returns the absolute value of an {@code int} value. * If the argument is not negative, the argument is returned. * If the argument is negative, the negation of the argument is returned. @@ -1737,7 +1884,7 @@ } /** - * Return {@code d} × + * Returns {@code d} × * 2{@code scaleFactor} rounded as if performed * by a single correctly rounded floating-point multiply to a * member of the double value set. See the Java @@ -1844,7 +1991,7 @@ } /** - * Return {@code f} × + * Returns {@code f} × * 2{@code scaleFactor} rounded as if performed * by a single correctly rounded floating-point multiply to a * member of the float value set. See the Java diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/java/lang/StrictMath.java --- a/jdk/src/share/classes/java/lang/StrictMath.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/java/lang/StrictMath.java Wed Jul 05 18:03:56 2017 +0200 @@ -56,6 +56,22 @@ * {@code sinh}, {@code cosh}, {@code tanh}, * {@code hypot}, {@code expm1}, and {@code log1p}. * + *
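Review bot: `multiplyExact(int, int)` throws `new ArithmeticException("long overflow")` although it reports overflow of an `int`. The other `int` variants (`addExact`, `subtractExact`, `toIntExact`) use "integer overflow", so the line should read `throw new ArithmeticException("integer overflow");`. The seven new methods also lack the `@since 1.8` tag that their StrictMath counterparts in this changeset carry. In the `toIntExact` javadoc, `if the {@code argument} overflows an int` marks up a word that is not a parameter name; `if the argument overflows an int` matches the other methods.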

+ * The platform uses signed two's complement integer arithmetic with + * int and long primitive types. The developer should choose + * the primitive type to ensure that arithmetic operations consistently + * produce correct results, which in some cases means the operations + * will not overflow the range of values of the computation. + * The best practice is to choose the primitive type and algorithm to avoid + * overflow. In cases where the size is {@code int} or {@code long} and + * overflow errors need to be detected, the methods {@code addExact}, + * {@code subtractExact}, {@code multiplyExact}, and {@code toIntExact} + * throw an {@code ArithmeticException} when the results overflow. + * For other arithmetic operations such as divide, absolute value, + * increment, decrement, and negation overflow occurs only with + * a specific minimum or maximum value and should be checked against + * the minimum or maximum as appropriate. + * * @author unascribed * @author Joseph D. Darcy * @since 1.3 
@@ -699,7 +715,111 @@ } /** - * Returns the absolute value of an {@code int} value.. + * Returns the sum of its arguments, + * throwing an exception if the result overflows an {@code int}. + * + * @param x the first value + * @param y the second value + * @return the result + * @throws ArithmeticException if the result overflows an int + * @see Math#addExact(int,int) + * @since 1.8 + */ + public static int addExact(int x, int y) { + return Math.addExact(x, y); + } + + /** + * Returns the sum of its arguments, + * throwing an exception if the result overflows a {@code long}. + * + * @param x the first value + * @param y the second value + * @return the result + * @throws ArithmeticException if the result overflows a long + * @see Math#addExact(long,long) + * @since 1.8 + */ + public static long addExact(long x, long y) { + return Math.addExact(x, y); + } + + /** + * Return the difference of the arguments, + * throwing an exception if the result overflows an {@code int}. + * + * @param x the first value + * @param y the second value to subtract from the first + * @return the result + * @throws ArithmeticException if the result overflows an int + * @see Math#subtractExact(int,int) + * @since 1.8 + */ + public static int subtractExact(int x, int y) { + return Math.subtractExact(x, y); + } + + /** + * Return the difference of the arguments, + * throwing an exception if the result overflows a {@code long}. + * + * @param x the first value + * @param y the second value to subtract from the first + * @return the result + * @throws ArithmeticException if the result overflows a long + * @see Math#subtractExact(long,long) + * @since 1.8 + */ + public static long subtractExact(long x, long y) { + return Math.subtractExact(x, y); + } + + /** + * Return the product of the arguments, + * throwing an exception if the result overflows an {@code int}. 
+ * + * @param x the first value + * @param y the second value + * @return the result + * @throws ArithmeticException if the result overflows an int + * @see Math#multiplyExact(int,int) + * @since 1.8 + */ + public static int multiplyExact(int x, int y) { + return Math.multiplyExact(x, y); + } + + /** + * Return the product of the arguments, + * throwing an exception if the result overflows a {@code long}. + * + * @param x the first value + * @param y the second value + * @return the result + * @throws ArithmeticException if the result overflows a long + * @see Math#multiplyExact(long,long) + * @since 1.8 + */ + public static long multiplyExact(long x, long y) { + return Math.multiplyExact(x, y); + } + + /** + * Return the value of the {@code long} argument; + * throwing an exception if the value overflows an {@code int}. + * + * @param value the long value + * @return the argument as an int + * @throws ArithmeticException if the {@code argument} overflows an int + * @see Math#toIntExact(int) + * @since 1.8 + */ + public static int toIntExact(long value) { + return Math.toIntExact(value); + } + + /** + * Returns the absolute value of an {@code int} value. * If the argument is not negative, the argument is returned. * If the argument is negative, the negation of the argument is returned. * diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/java/lang/System.java --- a/jdk/src/share/classes/java/lang/System.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/java/lang/System.java Wed Jul 05 18:03:56 2017 +0200 
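Review bot: The javadoc of `StrictMath.toIntExact(long)` carries `@see Math#toIntExact(int)`, which names an overload this changeset does not add. The Math method takes a `long`, so the tag should be `@see Math#toIntExact(long)`. The summaries of `subtractExact`, `multiplyExact` and `toIntExact` begin with "Return", while `addExact` and the Math versions use "Returns"; use "Returns" throughout.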
@@ -1100,6 +1100,19 @@ public static native String mapLibraryName(String libname); /** + * Create PrintStream for stdout/err based on encoding. + */ + private static PrintStream newPrintStream(FileOutputStream fos, String enc) { + if (enc != null) { + try { + return new PrintStream(new BufferedOutputStream(fos, 128), true, enc); + } catch (UnsupportedEncodingException uee) {} + } + return new PrintStream(new BufferedOutputStream(fos, 128), true); + } + + + /** * Initialize the system class. Called after thread initialization. */ private static void initializeSystemClass() { @@ -1139,8 +1152,9 @@ FileOutputStream fdOut = new FileOutputStream(FileDescriptor.out); FileOutputStream fdErr = new FileOutputStream(FileDescriptor.err); setIn0(new BufferedInputStream(fdIn)); - setOut0(new PrintStream(new BufferedOutputStream(fdOut, 128), true)); - setErr0(new PrintStream(new BufferedOutputStream(fdErr, 128), true)); + setOut0(newPrintStream(fdOut, props.getProperty("sun.stdout.encoding"))); + setErr0(newPrintStream(fdErr, props.getProperty("sun.stderr.encoding"))); + // Load the zip library now in order to keep java.util.zip.ZipFile // from trying to use itself to load this library later. loadLibrary("zip"); diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/java/util/TimeZone.java --- a/jdk/src/share/classes/java/util/TimeZone.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/java/util/TimeZone.java Wed Jul 05 18:03:56 2017 +0200 @@ -43,6 +43,8 @@ import java.security.AccessController; import java.security.PrivilegedAction; import java.util.concurrent.ConcurrentHashMap; +import sun.misc.SharedSecrets; +import sun.misc.JavaAWTAccess; import sun.security.action.GetPropertyAction; import sun.util.TimeZoneNameUtility; import sun.util.calendar.ZoneInfo; 
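Review bot: `newPrintStream` swallows `UnsupportedEncodingException` in an empty catch block, so a misspelt or unsupported `sun.stdout.encoding` or `sun.stderr.encoding` value silently produces a stream in the default encoding. The fallback looks intentional, since the method is called from `initializeSystemClass`, but the block should say so: `catch (UnsupportedEncodingException uee) { /* fall through to the default encoding */ }`. The method comment could also state that a null or unsupported `enc` yields the default-encoding stream.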
@@ -615,7 +617,7 @@ * method doesn't create a clone. */ static TimeZone getDefaultRef() { - TimeZone defaultZone = defaultZoneTL.get(); + TimeZone defaultZone = getDefaultInAppContext(); if (defaultZone == null) { defaultZone = defaultTimeZone; if (defaultZone == null) { 
@@ -706,10 +708,65 @@ if (hasPermission()) { synchronized (TimeZone.class) { defaultTimeZone = zone; - defaultZoneTL.set(null); + setDefaultInAppContext(null); } } else { - defaultZoneTL.set(zone); + setDefaultInAppContext(zone); + } + } + + /** + * Returns the default TimeZone in an AppContext if any AppContext + * has ever used. null is returned if any AppContext hasn't been + * used or if the AppContext doesn't have the default TimeZone. + */ + private synchronized static TimeZone getDefaultInAppContext() { + // JavaAWTAccess provides access implementation-private methods without using reflection. + JavaAWTAccess javaAWTAccess = SharedSecrets.getJavaAWTAccess(); + + // Note that javaAWTAccess may be null if sun.awt.AppContext class hasn't + // been loaded. If so, it implies that AWTSecurityManager is not our + // SecurityManager and we can use a local static variable. + // This works around a build time issue. + if (javaAWTAccess == null) { + return mainAppContextDefault; + } else { + if (!javaAWTAccess.isDisposed()) { + TimeZone tz = (TimeZone) + javaAWTAccess.get(TimeZone.class); + if (tz == null && javaAWTAccess.isMainAppContext()) { + return mainAppContextDefault; + } else { + return tz; + } + } + } + return null; + } + + /** + * Sets the default TimeZone in the AppContext to the given + * tz. null is handled special: do nothing if any AppContext + * hasn't been used, remove the default TimeZone in the + * AppContext otherwise. + */ + private synchronized static void setDefaultInAppContext(TimeZone tz) { + // JavaAWTAccess provides access implementation-private methods without using reflection. + JavaAWTAccess javaAWTAccess = SharedSecrets.getJavaAWTAccess(); + + // Note that javaAWTAccess may be null if sun.awt.AppContext class hasn't + // been loaded. If so, it implies that AWTSecurityManager is not our + // SecurityManager and we can use a local static variable. + // This works around a build time issue. 
+ if (javaAWTAccess == null) { + mainAppContextDefault = tz; + } else { + if (!javaAWTAccess.isDisposed()) { + javaAWTAccess.put(TimeZone.class, tz); + if (javaAWTAccess.isMainAppContext()) { + mainAppContextDefault = null; + } + } } } @@ -760,12 +817,13 @@ */ private String ID; private static volatile TimeZone defaultTimeZone; - private static final InheritableThreadLocal defaultZoneTL - = new InheritableThreadLocal(); static final String GMT_ID = "GMT"; private static final int GMT_ID_LENGTH = 3; + // a static TimeZone we can reference if no AppContext is in place + private static TimeZone mainAppContextDefault; + /** * Parses a custom time zone identifier and returns a corresponding zone. * This method doesn't support the RFC 822 time zone format. (e.g., +hhmm) diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java --- a/jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java Wed Jul 05 18:03:56 2017 +0200 @@ -34,8 +34,10 @@ */ package java.util.concurrent.atomic; + +import java.lang.reflect.Array; +import java.util.Arrays; import sun.misc.Unsafe; -import java.util.*; /** * An array of object references in which elements may be updated 
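Review bot: `setDefaultInAppContext` documents that a null `tz` removes the default TimeZone from the AppContext, but the code calls `javaAWTAccess.put(TimeZone.class, tz)` with the null value rather than removing the key. Whether `put` with a null value removes the entry depends on the AppContext implementation, which is not in this hunk. `JavaAWTAccess` does expose `remove(Object key)` (see the AppContext.java hunk), so `if (tz == null) javaAWTAccess.remove(TimeZone.class); else javaAWTAccess.put(TimeZone.class, tz);` would match the comment. Both helper javadocs also read "if any AppContext has ever used", which should be "has ever been used".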
@@ -49,13 +51,23 @@ public class AtomicReferenceArray implements java.io.Serializable { private static final long serialVersionUID = -6209656149925076980L; - private static final Unsafe unsafe = Unsafe.getUnsafe(); - private static final int base = unsafe.arrayBaseOffset(Object[].class); + private static final Unsafe unsafe; + private static final int base; private static final int shift; - private final Object[] array; + private static final long arrayFieldOffset; + private final Object[] array; // must have exact type Object[] static { - int scale = unsafe.arrayIndexScale(Object[].class); + int scale; + try { + unsafe = Unsafe.getUnsafe(); + arrayFieldOffset = unsafe.objectFieldOffset + (AtomicReferenceArray.class.getDeclaredField("array")); + base = unsafe.arrayBaseOffset(Object[].class); + scale = unsafe.arrayIndexScale(Object[].class); + } catch (Exception e) { + throw new Error(e); + } if ((scale & (scale - 1)) != 0) throw new Error("data type scale not a power of two"); shift = 31 - Integer.numberOfLeadingZeros(scale); @@ -91,7 +103,7 @@ */ public AtomicReferenceArray(E[] array) { // Visibility guaranteed by final field guarantees - this.array = array.clone(); + this.array = Arrays.copyOf(array, array.length, Object[].class); } /** @@ -197,7 +209,7 @@ * @return the String representation of the current values of array */ public String toString() { - int iMax = array.length - 1; + int iMax = array.length - 1; if (iMax == -1) return "[]"; 
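Review bot: The new field comment `// must have exact type Object[]` states the invariant without the reason, and the constructor change to `Arrays.copyOf(array, array.length, Object[].class)` depends on it. Suggested wording: `// must have exact type Object[]: elements are stored through Unsafe, which performs no array store check`; confirm this against the accessor methods, which are outside these hunks. The static initialiser also catches `Exception`. The only checked exception visible in the block is the one from `getDeclaredField`, so `catch (ReflectiveOperationException e)`, as the File.java hunk in this changeset does, would be narrower.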
@@ -211,4 +223,19 @@ } } + /** + * Reconstitutes the instance from a stream (that is, deserializes it). + * @param s the stream + */ + private void readObject(java.io.ObjectInputStream s) + throws java.io.IOException, ClassNotFoundException { + // Note: This must be changed if any additional fields are defined + Object a = s.readFields().get("array", null); + if (a == null || !a.getClass().isArray()) + throw new java.io.InvalidObjectException("Not array type"); + if (a.getClass() != Object[].class) + a = Arrays.copyOf((Object[])a, Array.getLength(a), Object[].class); + unsafe.putObjectVolatile(this, arrayFieldOffset, a); + } + } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/awt/AppContext.java --- a/jdk/src/share/classes/sun/awt/AppContext.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/awt/AppContext.java Wed Jul 05 18:03:56 2017 +0200 @@ -787,6 +787,27 @@ } return changeSupport.getPropertyChangeListeners(propertyName); } + + // Set up JavaAWTAccess in SharedSecrets + static { + sun.misc.SharedSecrets.setJavaAWTAccess(new sun.misc.JavaAWTAccess() { + public Object get(Object key) { + return getAppContext().get(key); + } + public void put(Object key, Object value) { + getAppContext().put(key, value); + } + public void remove(Object key) { + getAppContext().remove(key); + } + public boolean isDisposed() { + return getAppContext().isDisposed(); + } + public boolean isMainAppContext() { + return (numAppContexts == 1); + } + }); + } } final class MostRecentKeyValue { diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/java2d/SunGraphics2D.java --- a/jdk/src/share/classes/sun/java2d/SunGraphics2D.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/java2d/SunGraphics2D.java Wed Jul 05 18:03:56 2017 +0200 
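Review bot: `readObject` accepts any array class through `a.getClass().isArray()` and then casts with `(Object[])a`. If the stream supplied a primitive array, that cast would fail with `ClassCastException` rather than the `InvalidObjectException` thrown just above. Testing `if (!(a instanceof Object[]))` in place of the null and `isArray()` checks rejects null, non-arrays and primitive arrays in one condition, and `Array.getLength(a)` can then become `((Object[]) a).length`. Whether a primitive array can get past the stream's field-type matching is not visible here, so treat this as a defensive tightening.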
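Review bot: `isMainAppContext()` in the new `JavaAWTAccess` implementation returns `numAppContexts == 1`, which tests how many contexts exist rather than whether the caller's context is the main one. Once a second AppContext has been created it returns false for every caller, including code running in the original context, and the TimeZone helpers in this changeset branch on that result. If that is the intended meaning, record it next to the method, for example `// true only while a single AppContext exists`. The static initialiser sits at the end of the class, whose body starts outside the hunk.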
@@ -370,6 +370,17 @@ } public void validatePipe() { + /* This workaround is for the situation when we update the Pipelines + * for invalid SurfaceData and run further code when the current + * pipeline doesn't support the type of new SurfaceData created during + * the current pipeline's work (in place of the invalid SurfaceData). + * Usually SurfaceData and Pipelines are repaired (through revalidateAll) + * and called again in the exception handlers */ + + if (!surfaceData.isValid()) { + throw new InvalidPipeException("attempt to validate Pipe with invalid SurfaceData"); + } + surfaceData.validatePipe(this); } @@ -1804,7 +1815,12 @@ width += x; height += y; } - if (!getCompClip().intersectsQuickCheckXYXY(x, y, width, height)) { + + try { + if (!getCompClip().intersectsQuickCheckXYXY(x, y, width, height)) { + return false; + } + } catch (InvalidPipeException e) { return false; } // REMIND: We could go one step further here and examine the @@ -1988,8 +2004,8 @@ try { doCopyArea(x, y, w, h, dx, dy); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); doCopyArea(x, y, w, h, dx, dy); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2120,8 +2136,8 @@ try { drawpipe.drawLine(this, x1, y1, x2, y2); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); drawpipe.drawLine(this, x1, y1, x2, y2); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2137,8 +2153,8 @@ try { drawpipe.drawRoundRect(this, x, y, w, h, arcW, arcH); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); drawpipe.drawRoundRect(this, x, y, w, h, arcW, arcH); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to 
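Review bot: In the hunk at line 1804 an `InvalidPipeException` from `getCompClip()` is caught and turned into `return false` with no comment. The hunk at line 2560 does the same with a bare `return`, so the image is silently not drawn. Both look deliberate given the check added to `validatePipe()`, but the catch blocks should say what the caller gets, for example `// invalid surface data: treat as outside the clip` and `// invalid surface data: nothing to draw`. Both enclosing methods start and end outside their hunks.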
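Review bot: Moving `revalidateAll()` inside the inner `try` in the hunk at line 1988, and in the same way in every later draw, fill, text and image hunk of this file, is not explained at any call site. Presumably `revalidateAll()` can now throw `InvalidPipeException` itself through the check added to `validatePipe()`. A short comment at the first occurrence would record that, for example `// revalidateAll() may throw InvalidPipeException as well`. The inner catch blocks are unchanged context that continues past each hunk.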
@@ -2154,8 +2170,8 @@ try { fillpipe.fillRoundRect(this, x, y, w, h, arcW, arcH); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); fillpipe.fillRoundRect(this, x, y, w, h, arcW, arcH); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2171,8 +2187,8 @@ try { drawpipe.drawOval(this, x, y, w, h); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); drawpipe.drawOval(this, x, y, w, h); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2188,8 +2204,8 @@ try { fillpipe.fillOval(this, x, y, w, h); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); fillpipe.fillOval(this, x, y, w, h); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2206,8 +2222,8 @@ try { drawpipe.drawArc(this, x, y, w, h, startAngl, arcAngl); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); drawpipe.drawArc(this, x, y, w, h, startAngl, arcAngl); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2224,8 +2240,8 @@ try { fillpipe.fillArc(this, x, y, w, h, startAngl, arcAngl); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); fillpipe.fillArc(this, x, y, w, h, startAngl, arcAngl); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2241,8 +2257,8 @@ try { drawpipe.drawPolyline(this, xPoints, yPoints, nPoints); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); drawpipe.drawPolyline(this, xPoints, yPoints, nPoints); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to 
@@ -2258,8 +2274,8 @@ try { drawpipe.drawPolygon(this, xPoints, yPoints, nPoints); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); drawpipe.drawPolygon(this, xPoints, yPoints, nPoints); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2275,8 +2291,8 @@ try { fillpipe.fillPolygon(this, xPoints, yPoints, nPoints); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); fillpipe.fillPolygon(this, xPoints, yPoints, nPoints); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2292,8 +2308,8 @@ try { drawpipe.drawRect(this, x, y, w, h); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); drawpipe.drawRect(this, x, y, w, h); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2309,8 +2325,8 @@ try { fillpipe.fillRect(this, x, y, w, h); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); fillpipe.fillRect(this, x, y, w, h); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2358,7 +2374,6 @@ Paint p = paint; setComposite(AlphaComposite.Src); setColor(getBackground()); - validatePipe(); fillRect(x, y, w, h); setPaint(p); setComposite(c); @@ -2382,8 +2397,8 @@ try { shapepipe.draw(this, s); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); shapepipe.draw(this, s); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2412,8 +2427,8 @@ try { shapepipe.fill(this, s); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); shapepipe.fill(this, s); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to 
@@ -2560,10 +2575,17 @@ // Include padding for interpolation/antialiasing if necessary int pad = isIntegerTranslate ? 0 : 3; + Region clip; + try { + clip = getCompClip(); + } catch (InvalidPipeException e) { + return; + } + // Determine the region of the image that may contribute to // the clipped drawing area Rectangle region = getImageRegion(img, - getCompClip(), + clip, transform, xform, pad, pad); @@ -2806,8 +2828,8 @@ try { textpipe.drawString(this, str, x, y); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); textpipe.drawString(this, str, x, y); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2835,8 +2857,8 @@ try { textpipe.drawString(this, str, x, y); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); textpipe.drawString(this, str, x, y); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2881,8 +2903,8 @@ try { textpipe.drawGlyphVector(this, gv, x, y); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); textpipe.drawGlyphVector(this, gv, x, y); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2914,8 +2936,8 @@ try { textpipe.drawChars(this, data, offset, length, x, y); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); textpipe.drawChars(this, data, offset, length, x, y); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -2951,8 +2973,8 @@ try { textpipe.drawChars(this, chData, 0, length, x, y); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); textpipe.drawChars(this, chData, 0, length, x, y); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to 
@@ -2988,8 +3010,8 @@ return imagepipe.copyImage(this, img, dx, dy, sx, sy, width, height, bgcolor, observer); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); return imagepipe.copyImage(this, img, dx, dy, sx, sy, width, height, bgcolor, observer); } catch (InvalidPipeException e2) { @@ -3025,8 +3047,8 @@ return imagepipe.scaleImage(this, img, x, y, width, height, bg, observer); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); return imagepipe.scaleImage(this, img, x, y, width, height, bg, observer); } catch (InvalidPipeException e2) { @@ -3061,8 +3083,8 @@ try { return imagepipe.copyImage(this, img, x, y, bg, observer); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); return imagepipe.copyImage(this, img, x, y, bg, observer); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -3138,8 +3160,8 @@ sx1, sy1, sx2, sy2, bgcolor, observer); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); return imagepipe.scaleImage(this, img, dx1, dy1, dx2, dy2, sx1, sy1, sx2, sy2, bgcolor, observer); @@ -3187,8 +3209,8 @@ try { return imagepipe.transformImage(this, img, xform, observer); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); return imagepipe.transformImage(this, img, xform, observer); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to @@ -3213,8 +3235,8 @@ try { imagepipe.transformImage(this, bImg, op, x, y); } catch (InvalidPipeException e) { - revalidateAll(); try { + revalidateAll(); imagepipe.transformImage(this, bImg, op, x, y); } catch (InvalidPipeException e2) { // Still catching the exception; we are not yet ready to diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/java2d/opengl/OGLRenderer.java --- a/jdk/src/share/classes/sun/java2d/opengl/OGLRenderer.java Wed Jul 05 18:03:21 2017 +0200 
+++ b/jdk/src/share/classes/sun/java2d/opengl/OGLRenderer.java Wed Jul 05 18:03:56 2017 +0200 @@ -27,6 +27,7 @@ import java.awt.Transparency; import java.awt.geom.Path2D; +import sun.java2d.InvalidPipeException; import sun.java2d.SunGraphics2D; import sun.java2d.loops.GraphicsPrimitive; import sun.java2d.pipe.BufferedRenderPipe; @@ -46,7 +47,12 @@ int ctxflags = sg2d.paint.getTransparency() == Transparency.OPAQUE ? OGLContext.SRC_IS_OPAQUE : OGLContext.NO_CONTEXT_FLAGS; - OGLSurfaceData dstData = (OGLSurfaceData)sg2d.surfaceData; + OGLSurfaceData dstData; + try { + dstData = (OGLSurfaceData)sg2d.surfaceData; + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } OGLContext.validateContext(dstData, dstData, sg2d.getCompClip(), sg2d.composite, null, sg2d.paint, sg2d, ctxflags); @@ -55,7 +61,12 @@ @Override protected void validateContextAA(SunGraphics2D sg2d) { int ctxflags = OGLContext.NO_CONTEXT_FLAGS; - OGLSurfaceData dstData = (OGLSurfaceData)sg2d.surfaceData; + OGLSurfaceData dstData; + try { + dstData = (OGLSurfaceData)sg2d.surfaceData; + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } OGLContext.validateContext(dstData, dstData, sg2d.getCompClip(), sg2d.composite, null, sg2d.paint, sg2d, ctxflags); @@ -69,7 +80,12 @@ int ctxflags = sg2d.surfaceData.getTransparency() == Transparency.OPAQUE ? OGLContext.SRC_IS_OPAQUE : OGLContext.NO_CONTEXT_FLAGS; - OGLSurfaceData dstData = (OGLSurfaceData)sg2d.surfaceData; + OGLSurfaceData dstData; + try { + dstData = (OGLSurfaceData)sg2d.surfaceData; + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } OGLContext.validateContext(dstData, dstData, sg2d.getCompClip(), sg2d.composite, null, null, null, ctxflags); diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/java2d/pipe/BufferedContext.java 
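Review bot: All three hunks use `catch (ClassCastException e)` as a type test and then throw `InvalidPipeException` without carrying the original exception along. An explicit check before a plain cast states the intent directly: `if (!(sg2d.surfaceData instanceof OGLSurfaceData)) { throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); }`. Note that `instanceof` is false for `null` while a cast of `null` succeeds, so the explicit check would also turn a null `surfaceData` into `InvalidPipeException`; confirm that is wanted. The block is pasted three times with identical text, so a small private helper returning the checked `OGLSurfaceData` would keep the copies from drifting. The BufferedContext Javadoc added later in this changeset relies on this check having run, which is one more reason to have a single implementation of it.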
--- a/jdk/src/share/classes/sun/java2d/pipe/BufferedContext.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/java2d/pipe/BufferedContext.java Wed Jul 05 18:03:56 2017 +0200 @@ -111,6 +111,8 @@ * * Note: must be called while the RenderQueue lock is held. * + * It's assumed that the type of surfaces has been checked by the Renderer + * * @throws InvalidPipeException if either src or dest surface is not valid * or lost * @see RenderQueue#lock @@ -135,6 +137,8 @@ * * Note: must be called while the RenderQueue lock is held. * + * It's assumed that the type of surfaces has been checked by the Renderer + * * @throws InvalidPipeException if the surface is not valid * or lost * @see RenderQueue#lock @@ -160,6 +164,8 @@ * * Note: must be called while the RenderQueue lock is held. * + * It's assumed that the type of surfaces has been checked by the Renderer + * * @throws InvalidPipeException if either src or dest surface is not valid * or lost */ diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/misc/JavaAWTAccess.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/src/share/classes/sun/misc/JavaAWTAccess.java Wed Jul 05 18:03:56 2017 +0200 
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.misc;
+
+public interface JavaAWTAccess {
+ public Object get(Object key);
+ public void put(Object key, Object value);
+ public void remove(Object key);
+ public boolean isDisposed();
+ public boolean isMainAppContext();
+}
diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/misc/SharedSecrets.java
--- a/jdk/src/share/classes/sun/misc/SharedSecrets.java Wed Jul 05 18:03:21 2017 +0200
+++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java Wed Jul 05 18:03:56 2017 +0200
@@ -52,6 +52,7 @@ private static JavaIOFileDescriptorAccess javaIOFileDescriptorAccess; private static JavaSecurityProtectionDomainAccess javaSecurityProtectionDomainAccess; private static JavaSecurityAccess javaSecurityAccess; + private static JavaAWTAccess javaAWTAccess; public static JavaUtilJarAccess javaUtilJarAccess() { if (javaUtilJarAccess == null) { @@ -150,4 +151,14 @@ } return javaSecurityAccess; } + + public static void setJavaAWTAccess(JavaAWTAccess jaa) { + javaAWTAccess = jaa; + } + + public static JavaAWTAccess getJavaAWTAccess() { + // this may return null in which case calling code needs to + // provision for. + return javaAWTAccess; + } } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/net/httpserver/Request.java --- a/jdk/src/share/classes/sun/net/httpserver/Request.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/net/httpserver/Request.java Wed Jul 05 18:03:56 2017 +0200 @@ -200,6 +200,13 @@ v = new String(); else v = String.copyValueOf(s, keyend, len - keyend); + + if (hdrs.size() >= ServerConfig.getMaxReqHeaders()) { + throw new IOException("Maximum number of request headers (" + + "sun.net.httpserver.maxReqHeaders) exceeded, " + + ServerConfig.getMaxReqHeaders() + "."); + } + hdrs.add (k,v); len = 0; } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/net/httpserver/ServerConfig.java --- a/jdk/src/share/classes/sun/net/httpserver/ServerConfig.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/net/httpserver/ServerConfig.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
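Review bot: In the Request.java hunk the new limit is compared against `hdrs.size()`, which counts distinct header names if `hdrs` is a map keyed by name, as `hdrs.add (k,v)` suggests. In that case a request that repeats one header name many times is not bounded by `maxReqHeaders`, so the code should either count values as well or say in a comment that only distinct names are limited. The limit also comes from `Integer.getInteger("sun.net.httpserver.maxReqHeaders", DEFAULT_MAX_REQ_HEADERS)` in the ServerConfig hunk with no range check visible, so a zero or negative setting makes this branch throw on the first header of every request. A clamp after the property read, such as `if (maxReqHeaders <= 0) maxReqHeaders = DEFAULT_MAX_REQ_HEADERS;`, would avoid that self-inflicted outage. The enclosing parsing method starts and ends outside the hunk.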
@@ -35,32 +35,33 @@ class ServerConfig { - static int clockTick; - - static final int DEFAULT_CLOCK_TICK = 10000 ; // 10 sec. + private static final int DEFAULT_CLOCK_TICK = 10000 ; // 10 sec. /* These values must be a reasonable multiple of clockTick */ - static final long DEFAULT_IDLE_INTERVAL = 30 ; // 5 min - static final int DEFAULT_MAX_IDLE_CONNECTIONS = 200 ; + private static final long DEFAULT_IDLE_INTERVAL = 30 ; // 5 min + private static final int DEFAULT_MAX_IDLE_CONNECTIONS = 200 ; - static final long DEFAULT_MAX_REQ_TIME = -1; // default: forever - static final long DEFAULT_MAX_RSP_TIME = -1; // default: forever - static final long DEFAULT_TIMER_MILLIS = 1000; - - static final long DEFAULT_DRAIN_AMOUNT = 64 * 1024; + private static final long DEFAULT_MAX_REQ_TIME = -1; // default: forever + private static final long DEFAULT_MAX_RSP_TIME = -1; // default: forever + private static final long DEFAULT_TIMER_MILLIS = 1000; + private static final int DEFAULT_MAX_REQ_HEADERS = 200; + private static final long DEFAULT_DRAIN_AMOUNT = 64 * 1024; - static long idleInterval; - static long drainAmount; // max # of bytes to drain from an inputstream - static int maxIdleConnections; - + private static int clockTick; + private static long idleInterval; + // The maximum number of bytes to drain from an inputstream + private static long drainAmount; + private static int maxIdleConnections; + // The maximum number of request headers allowable + private static int maxReqHeaders; // max time a request or response is allowed to take - static long maxReqTime; - static long maxRspTime; - static long timerMillis; - static boolean debug; + private static long maxReqTime; + private static long maxRspTime; + private static long timerMillis; + private static boolean debug; // the value of the TCP_NODELAY socket-level option - static boolean noDelay; + private static boolean noDelay; static { java.security.AccessController.doPrivileged( 
@@ -80,6 +81,10 @@ drainAmount = Long.getLong("sun.net.httpserver.drainAmount", DEFAULT_DRAIN_AMOUNT); + maxReqHeaders = Integer.getInteger( + "sun.net.httpserver.maxReqHeaders", + DEFAULT_MAX_REQ_HEADERS); + maxReqTime = Long.getLong("sun.net.httpserver.maxReqTime", DEFAULT_MAX_REQ_TIME); @@ -99,8 +104,7 @@ } - - static void checkLegacyProperties (final Logger logger) { + static void checkLegacyProperties(final Logger logger) { // legacy properties that are no longer used // print a warning to logger if they are set. @@ -137,35 +141,39 @@ ); } - static boolean debugEnabled () { + static boolean debugEnabled() { return debug; } - static long getIdleInterval () { + static long getIdleInterval() { return idleInterval; } - static int getClockTick () { + static int getClockTick() { return clockTick; } - static int getMaxIdleConnections () { + static int getMaxIdleConnections() { return maxIdleConnections; } - static long getDrainAmount () { + static long getDrainAmount() { return drainAmount; } - static long getMaxReqTime () { + static int getMaxReqHeaders() { + return maxReqHeaders; + } + + static long getMaxReqTime() { return maxReqTime; } - static long getMaxRspTime () { + static long getMaxRspTime() { return maxRspTime; } - static long getTimerMillis () { + static long getTimerMillis() { return timerMillis; } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/nio/ch/NativeThreadSet.java --- a/jdk/src/share/classes/sun/nio/ch/NativeThreadSet.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/nio/ch/NativeThreadSet.java Wed Jul 05 18:03:56 2017 +0200 @@ -44,8 +44,9 @@ // int add() { long th = NativeThread.current(); - if (th == -1) - return -1; + // 0 and -1 are treated as placeholders, not real thread handles + if (th == 0) + th = -1; synchronized (this) { int start = 0; if (used >= elts.length) { 
@@ -71,8 +72,6 @@ // Removes the thread at the given index. // void remove(int i) { - if (i < 0) - return; synchronized (this) { elts[i] = 0; used--; @@ -91,7 +90,8 @@ long th = elts[i]; if (th == 0) continue; - NativeThread.signal(th); + if (th != -1) + NativeThread.signal(th); if (--u == 0) break; } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java --- a/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java Wed Jul 05 18:03:56 2017 +0200 @@ -141,7 +141,7 @@ if (s == null) { return getInstance(); } else { - return getInstance0(s); + return getInstance0(parse(s)); } } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java --- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -661,7 +661,10 @@ + "\n Subject: " + cert.getSubjectX500Principal() + ")"); } - ForwardState currState = (ForwardState) currentState; + ForwardState currState = (ForwardState)currentState; + + // Don't bother to verify untrusted certificate more. + currState.untrustedChecker.check(cert, Collections.emptySet()); /* * check for looping - abort a loop if diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java --- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java Wed Jul 05 18:03:21 2017 +0200 
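Review bot: In the ForwardBuilder hunk, `currState.untrustedChecker.check(...)` dereferences a field that the ForwardState hunk declares package-private with no initializer, and only the SunCertPathBuilder hunks assign it. Any state object built on another path would therefore fail here with a `NullPointerException` instead of a validation error; whether `clone()` carries the field over is not visible in these hunks. Since `UntrustedChecker` has an empty constructor and an empty `init`, initializing at the declaration with `UntrustedChecker untrustedChecker = new UntrustedChecker();` would remove that dependency. The same applies to `currentState.untrustedChecker` in the ReverseBuilder and ReverseState hunks. The comment "Don't bother to verify untrusted certificate more." would also read better as `// Reject explicitly distrusted certificates before any further checks.`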
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -79,6 +79,9 @@ /* the checker used for revocation status */ public CrlRevocationChecker crlChecker; + /* the untrusted certificates checker */ + UntrustedChecker untrustedChecker; + /* The list of user-defined checkers that support forward checking */ ArrayList forwardCheckers; diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java --- a/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -314,10 +314,12 @@ pkixParam.isAnyPolicyInhibited(), pkixParam.getPolicyQualifiersRejected(), rootNode); + UntrustedChecker untrustedChecker = new UntrustedChecker(); ArrayList certPathCheckers = new ArrayList(); // add standard checkers that we will be using + certPathCheckers.add(untrustedChecker); certPathCheckers.add(algorithmChecker); certPathCheckers.add(keyChecker); certPathCheckers.add(constraintsChecker); diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java 
--- a/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -347,6 +347,10 @@ return; } + // Don't bother to verify untrusted certificate more. + currentState.untrustedChecker.check(cert, + Collections.emptySet()); + /* * check for looping - abort a loop if * ((we encounter the same certificate twice) AND diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java --- a/jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -99,6 +99,9 @@ /* the algorithm checker */ AlgorithmChecker algorithmChecker; + /* the untrusted certificates checker */ + UntrustedChecker untrustedChecker; + /* the trust anchor used to validate the path */ TrustAnchor trustAnchor; diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java --- a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Wed Jul 05 18:03:21 2017 +0200 
+++ b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -284,6 +284,7 @@ Iterator iter = buildParams.getTrustAnchors().iterator(); while (iter.hasNext()) { TrustAnchor anchor = iter.next(); + /* check if anchor satisfies target constraints */ if (anchorIsTarget(anchor, targetSel)) { this.trustAnchor = anchor; @@ -303,6 +304,7 @@ currentState.crlChecker = new CrlRevocationChecker(null, buildParams, null, onlyEECert); currentState.algorithmChecker = new AlgorithmChecker(anchor); + currentState.untrustedChecker = new UntrustedChecker(); try { depthFirstSearchReverse(null, currentState, new ReverseBuilder(buildParams, targetSubjectDN), adjacencyList, @@ -349,6 +351,7 @@ // init the crl checker currentState.crlChecker = new CrlRevocationChecker(null, buildParams, null, onlyEECert); + currentState.untrustedChecker = new UntrustedChecker(); depthFirstSearchForward(targetSubjectDN, currentState, new ForwardBuilder @@ -645,8 +648,8 @@ vertex.setIndex(adjList.size() - 1); /* recursively search for matching certs at next dN */ - depthFirstSearchForward(cert.getIssuerX500Principal(), nextState, builder, - adjList, certPathList); + depthFirstSearchForward(cert.getIssuerX500Principal(), + nextState, builder, adjList, certPathList); /* * If path has been completed, return ASAP! diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java Wed Jul 05 18:03:56 2017 +0200 
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.provider.certpath;
+
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXCertPathChecker;
+import java.util.Set;
+import java.util.Collection;
+import sun.security.util.Debug;
+import sun.security.util.UntrustedCertificates;
+
+/**
+ * A PKIXCertPathChecker implementation to check whether a
+ * specified certificate is distrusted.
+ * + * @see PKIXCertPathChecker + * @see PKIXParameters + */ +final public class UntrustedChecker extends PKIXCertPathChecker { + + private static final Debug debug = Debug.getInstance("certpath"); + + /** + * Default Constructor + */ + public UntrustedChecker() { + // blank + } + + @Override + public void init(boolean forward) throws CertPathValidatorException { + // Note that this class supports both forward and reverse modes. + } + + @Override + public boolean isForwardCheckingSupported() { + // Note that this class supports both forward and reverse modes. + return true; + } + + @Override + public Set getSupportedExtensions() { + return null; + } + + @Override + public void check(Certificate cert, + Collection unresolvedCritExts) + throws CertPathValidatorException { + + X509Certificate currCert = (X509Certificate)cert; + + if (UntrustedCertificates.isUntrusted(currCert)) { + if (debug != null) { + debug.println("UntrustedChecker: untrusted certificate " + + currCert.getSubjectX500Principal()); + } + + throw new CertPathValidatorException( + "Untrusted certificate: " + currCert.getSubjectX500Principal()); + } + } +} + diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/ssl/CipherSuite.java --- a/jdk/src/share/classes/sun/security/ssl/CipherSuite.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/ssl/CipherSuite.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ import java.security.NoSuchAlgorithmException; import java.security.InvalidKeyException; import java.security.SecureRandom; +import java.security.KeyManagementException; import javax.crypto.SecretKey; import javax.crypto.spec.IvParameterSpec; 
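Review bot: `check` casts `cert` to `X509Certificate` with no `instanceof` test, so a non-X.509 `Certificate` would escape as a `ClassCastException` rather than the declared `CertPathValidatorException`. A guard before the cast, `if (!(cert instanceof X509Certificate)) throw new CertPathValidatorException("Unsupported certificate type");`, keeps the failure inside the checker's contract and fails closed. The class Javadoc should also state how a match is decided. In this changeset `UntrustedCertificates.isUntrusted` is a `Set.contains` on the parsed certificate, which presumably means whole-certificate equality, so the same compromised key certified under a different issuer or serial needs its own list entry. Operators reading "distrusted" should not assume key-level or name-level blocking.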
@@ -423,6 +424,17 @@ // Is the cipher algorithm of Cipher Block Chaining (CBC) mode? final boolean isCBCMode; + // The secure random used to detect the cipher availability. + private final static SecureRandom secureRandom; + + static { + try { + secureRandom = JsseJce.getSecureRandom(); + } catch (KeyManagementException kme) { + throw new RuntimeException(kme); + } + } + BulkCipher(String transformation, int keySize, int expandedKeySize, int ivSize, boolean allowed) { this.transformation = transformation; @@ -505,7 +517,7 @@ IvParameterSpec iv = new IvParameterSpec(new byte[cipher.ivSize]); cipher.newCipher(ProtocolVersion.DEFAULT, - key, iv, null, true); + key, iv, secureRandom, true); b = Boolean.TRUE; } catch (NoSuchAlgorithmException e) { b = Boolean.FALSE; diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/tools/KeyTool.java --- a/jdk/src/share/classes/sun/security/tools/KeyTool.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java Wed Jul 05 18:03:56 2017 +0200 @@ -2117,19 +2117,24 @@ if (caks != null) { issuer = verifyCRL(caks, crl); if (issuer != null) { - System.out.println("Verified by " + issuer + " in cacerts"); + out.printf(rb.getString( + "verified.by.s.in.s"), issuer, "cacerts"); + out.println(); } } if (issuer == null && keyStore != null) { issuer = verifyCRL(keyStore, crl); if (issuer != null) { - System.out.println("Verified by " + issuer + " in keystore"); + out.printf(rb.getString( + "verified.by.s.in.s"), issuer, "keystore"); + out.println(); } } if (issuer == null) { out.println(rb.getString ("STAR")); - out.println("WARNING: not verified. Make sure -keystore and -alias are correct."); + out.println(rb.getString + ("warning.not.verified.make.sure.keystore.is.correct")); out.println(rb.getString ("STARNN")); } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/util/Resources.java 
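Review bot: The new static initializer in `BulkCipher` turns a `KeyManagementException` from `JsseJce.getSecureRandom()` into a `RuntimeException` thrown during class initialization, which would leave the class unusable for the rest of the JVM's life. The availability probe in the following hunk otherwise answers provider failures with `b = Boolean.FALSE`. Obtaining the `SecureRandom` inside the probe's existing `try`, and handling `KeyManagementException` next to the visible `NoSuchAlgorithmException` branch, would keep such a failure local to the probe. If failing hard is the intent, a comment on the initializer should say so. Both enclosing bodies continue outside the hunks.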
--- a/jdk/src/share/classes/sun/security/util/Resources.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/util/Resources.java Wed Jul 05 18:03:56 2017 +0200 @@ -409,6 +409,10 @@ {"Please.provide.keysize.for.secret.key.generation", "Please provide -keysize for secret key generation"}, + {"verified.by.s.in.s", "Verified by %s in %s"}, + {"warning.not.verified.make.sure.keystore.is.correct", + "WARNING: not verified. Make sure -keystore is correct."}, + {"Extensions.", "Extensions: "}, {".Empty.value.", "(Empty value)"}, {"Extension.Request.", "Extension Request:"}, diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/util/UntrustedCertificates.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/src/share/classes/sun/security/util/UntrustedCertificates.java Wed Jul 05 18:03:56 2017 +0200 
@@ -0,0 +1,741 @@ +/* + * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package sun.security.util; + +import java.io.IOException; +import java.io.ByteArrayInputStream; +import java.security.cert.X509Certificate; +import java.security.cert.CertificateFactory; +import java.security.cert.CertificateException; +import java.util.Set; +import java.util.HashSet; + +/** + * A utility class to check if a certificate is untrusted. This is an internal + * mechanism that explicitly marks a certificate as untrusted, normally in the + * case that a certificate is known to be used for malicious reasons. + * + * Attention: This check is NOT meant to replace the standard PKI-defined + * validation check, neither is it used as an alternative to CRL. 
+ */ +public final class UntrustedCertificates { + + private final static Set untrustedCerts = new HashSet<>(); + + /** + * Checks if a certificate is untrusted. + * + * @param cert the certificate to check + * @return true if the certificate is untrusted. + */ + public static boolean isUntrusted(X509Certificate cert) { + return untrustedCerts.contains(cert); + } + + private static void add(String alias, String pemCert) { + // generate certificate from PEM certificate + try (ByteArrayInputStream is = + new ByteArrayInputStream(pemCert.getBytes())) { + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + X509Certificate cert = (X509Certificate)cf.generateCertificate(is); + + if (!untrustedCerts.add(cert)) { + throw new RuntimeException("Duplicate untrusted certificate: " + + cert.getSubjectX500Principal()); + } + } catch (CertificateException | IOException e) { + throw new RuntimeException( + "Incorrect untrusted certificate: " + alias, e); + } + } + + static { + // ----------------------------------------------------------------- + // Compromised CAs of Digicert Malaysia + // + // Reported by Digicert in its announcement on November 05, 2011. + // + + // Digicert Malaysia intermediate, cross-signed by CyberTrust + // + // Subject: CN=Digisign Server ID (Enrich), + // OU=457608-K, + // O=Digicert Sdn. 
Bhd., + // C=MY + // Issuer: CN=GTE CyberTrust Global Root, + // OU=GTE CyberTrust Solutions, Inc., + // O=GTE Corporation, + // C=US + // Serial: 120001705 (07:27:14:a9) + add("digicert-server-cross-to-cybertrust-4C0E636A", + "-----BEGIN CERTIFICATE-----\n" + + "MIIDyzCCAzSgAwIBAgIEBycUqTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" + + "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" + + "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" + + "b2JhbCBSb290MB4XDTA3MDcxNzE1MTc0OFoXDTEyMDcxNzE1MTY1NFowYzELMAkG\n" + + "A1UEBhMCTVkxGzAZBgNVBAoTEkRpZ2ljZXJ0IFNkbi4gQmhkLjERMA8GA1UECxMI\n" + + "NDU3NjA4LUsxJDAiBgNVBAMTG0RpZ2lzaWduIFNlcnZlciBJRCAoRW5yaWNoKTCB\n" + + "nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArahkS02Hx4RZufuQRqCmicDx/tXa\n" + + "VII3DZkrRSYK6Fawf8qo9I5HhAGCKeOzarWR8/uVhbxyqGToCkCcxfRxrnt7agfq\n" + + "kBRPjYmvlKuyBtQCanuYH1m5Os1U+iDfsioK6bjdaZDAKdNO0JftZszFGUkGf/pe\n" + + "LHx7hRsyQt97lSUCAwEAAaOCAXgwggF0MBIGA1UdEwEB/wQIMAYBAf8CAQAwXAYD\n" + + "VR0gBFUwUzBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcCARYtaHR0cDovL2N5YmVy\n" + + "dHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnkuY2ZtMAcGBWCDSgEBMA4GA1Ud\n" + + "DwEB/wQEAwIB5jCBiQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYTAlVTMRgwFgYD\n" + + "VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv\n" + + "bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv\n" + + "b3SCAgGlMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0\n" + + "LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmwwHQYDVR0OBBYEFMYWk04WF+wW\n" + + "royUdvOGbcV0boR3MA0GCSqGSIb3DQEBBQUAA4GBAHYAe6Z4K2Ydjl42xqSOBfIj\n" + + "knyTZ9P0wAp9iy3Z6tVvGvPhSilaIoRNUC9LDPL/hcJ7VdREgr5trGeOvLQfkpxR\n" + + "gBoU9m6rYYgLrRx/90tQUdZlG6ZHcRVesHHzNRTyN71jyNXwk1o0X9g96F33xR7A\n" + + "5c8fhiSpPAdmzcHSNmNZ\n" + + "-----END CERTIFICATE-----"); + + // Digicert Malaysia intermediate, cross-signed by Entrust + // + // Subject: CN=Digisign Server ID - (Enrich), + // OU=457608-K, + // O=Digicert Sdn. 
Bhd., + // C=MY + // Issuer: CN=Entrust.net Certification Authority (2048) + // OU=(c) 1999 Entrust.net Limited, + // OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), + // O=Entrust.net + // Serial: 1184644297 (4c:0e:63:6a) + add("digicert-server-cross-to-entrust-ca-4C0E636A", + "-----BEGIN CERTIFICATE-----\n" + + "MIIEzjCCA7agAwIBAgIETA5jajANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML\n" + + "RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp\n" + + "bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5\n" + + "IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp\n" + + "ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw0xMDA3MTYxNzIzMzdaFw0xNTA3\n" + + "MTYxNzUzMzdaMGUxCzAJBgNVBAYTAk1ZMRswGQYDVQQKExJEaWdpY2VydCBTZG4u\n" + + "IEJoZC4xETAPBgNVBAsTCDQ1NzYwOC1LMSYwJAYDVQQDEx1EaWdpc2lnbiBTZXJ2\n" + + "ZXIgSUQgLSAoRW5yaWNoKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n" + + "AMWJ5PQNBkCSWccaszXRDkwqM/n4r8qef+65p21g9FTob9Wb8xtjMQRoctE0Foy0\n" + + "FyyX3nPF2JAVoBor9cuzSIZE8B2ITM5BQhrv9Qze/kDaOSD3BlU6ap1GwdJvpbLI\n" + + "Vz4po5zg6YV3ZuiYpyR+vsBZIOVEb7ZX2L7OwmV3WMZhQdF0BMh/SULFcqlyFu6M\n" + + "3RJdtErU0a9Qt9iqdXZorT5dqjBtYairEFs+E78z4K9EnTgiW+9ML6ZxJhUmyiiM\n" + + "2fqOjqmiFDXimySItPR/hZ2DTwehthSQNsQ0HI0mYW0Tb3i+6I8nx0uElqOGaAwj\n" + + "vgvsjJQAqQSKE5D334VsDLECAwEAAaOCATQwggEwMA4GA1UdDwEB/wQEAwIBBjAS\n" + + "BgNVHRMBAf8ECDAGAQH/AgEAMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcD\n" + + "AgYIKwYBBQUHAwQwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8v\n" + + "b2NzcC5lbnRydXN0Lm5ldDBEBgNVHSAEPTA7MDkGBWCDSgEBMDAwLgYIKwYBBQUH\n" + + "AgEWImh0dHA6Ly93d3cuZGlnaWNlcnQuY29tLm15L2Nwcy5odG0wMgYDVR0fBCsw\n" + + "KTAnoCWgI4YhaHR0cDovL2NybC5lbnRydXN0Lm5ldC8yMDQ4Y2EuY3JsMBEGA1Ud\n" + + "DgQKBAhMTswlKAMpgTAfBgNVHSMEGDAWgBRV5IHREYC+2Im5CKMx+aEkCRa5cDAN\n" + + "BgkqhkiG9w0BAQUFAAOCAQEAl0zvSjpJrHL8MCBrtClbp8WVBJD5MtXChWreA6E3\n" + + "+YkAsFqsVX7bQzX/yQH4Ub7MJsrIaqTEVD4mHucMo82XZ5TdpkLrXM2POXlrM3kh\n" + + 
"Bnn6gkQVmczBtznTRmJ8snDrb84gqj4Zt+l0gpy0pUtNYQA35IfS8hQ6ZHy4qXth\n" + + "4JMi59WfPkfmNnagU9gAAzoPtTP+lsrT0oI6Lt3XSOHkp2nMHOmZSufKcEXXCwcO\n" + + "mnUb0C+Sb/akB8O9HEumhLZ9qJqp0qcp8QtXaR6XVybsK0Os1EWDBQDp4/BGQAf6\n" + + "6rFRc5Mcpd1TETfIKqcVJx20qsx/qjEw/LhFn0gJ7RDixQ==\n" + + "-----END CERTIFICATE-----"); + + + // ----------------------------------------------------------------- + // + // No longer used certificates + // + + // Subject: CN=Java Media APIs, + // OU=Java Signed Extensions, + // OU=Corporate Object Signing, + // O=Sun Microsystems Inc + // Issuer: CN=Object Signing CA, + // OU=Class 2 OnSite Subscriber CA, + // OU=VeriSign Trust Network, + // O=Sun Microsystems Inc + // Serial: 6a:8b:99:91:37:59:4f:89:53:e2:97:18:9f:19:1e:4e + add("java-media-pretrusted-9F191E4E", + "-----BEGIN CERTIFICATE-----\n" + + "MIIFdzCCBF+gAwIBAgIQaouZkTdZT4lT4pcYnxkeTjANBgkqhkiG9w0BAQUFADCB\n" + + "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" + + "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" + + "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA5MDUxMjAw\n" + + "MDAwMFoXDTEyMDUxMTIzNTk1OVowfTEdMBsGA1UEChQUU3VuIE1pY3Jvc3lzdGVt\n" + + "cyBJbmMxITAfBgNVBAsUGENvcnBvcmF0ZSBPYmplY3QgU2lnbmluZzEfMB0GA1UE\n" + + "CxQWSmF2YSBTaWduZWQgRXh0ZW5zaW9uczEYMBYGA1UEAxQPSmF2YSBNZWRpYSBB\n" + + "UElzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl5blzoKTVE8y4Hpz\n" + + "q6E15RZz1bF5HnYEyYqgHkZXnAKedmYCoMzm1XK8s+gQWShLEvGEAvs5yqarx9gE\n" + + "nnC21N28aEZgIJMa2/arKxCUkS4pxdGPYGexL9UzSRkUpoBShCZKEGdmX7gfJE2K\n" + + "/sd9MFvGV5/yZtWXrADzvm0Kd/9mg1KRv1gfrZIq0TJbupoXPYYqb73AkI9eT2ZD\n" + + "q9MdwD4E5+oojsDFXt8GU/D00fUhtXpYwuplU7D667WHYdJhIah0ST6JywyqcLXG\n" + + "XSuFTXOgITT2idSHluZVmx3dqJ72u9kPkO4JdJTMDfaK8zgNLaRkiU8Qcj+qhLYH\n" + + "ytaqcwIDAQABo4IB6jCCAeYwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4AwfwYD\n" + + "VR0fBHgwdjB0oHKgcIZuaHR0cDovL29uc2l0ZWNybC52ZXJpc2lnbi5jb20vU3Vu\n" + + "TWljcm9zeXN0ZW1zSW5jQ29ycG9yYXRlT2JqZWN0U2lnbmluZ0phdmFTaWduZWRF\n" + + 
"eHRlbnNpb25zQ2xhc3NCL0xhdGVzdENSTC5jcmwwHwYDVR0jBBgwFoAUs0crgn5T\n" + + "tHPKuLsZt76BTQeVx+0wHQYDVR0OBBYEFKS32mVx0gNWTeS4ProHEaeSpvvIMDsG\n" + + "CCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29uc2l0ZS1vY3NwLnZl\n" + + "cmlzaWduLmNvbTCBtQYDVR0gBIGtMIGqMDkGC2CGSAGG+EUBBxcCMCowKAYIKwYB\n" + + "BQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwbQYLYIZIAYb3AIN9\n" + + "nD8wXjAnBggrBgEFBQcCARYbaHR0cHM6Ly93d3cuc3VuLmNvbS9wa2kvY3BzMDMG\n" + + "CCsGAQUFBwICMCcaJVZhbGlkYXRlZCBGb3IgU3VuIEJ1c2luZXNzIE9wZXJhdGlv\n" + + "bnMwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQEFBQADggEBAAe6BO4W\n" + + "3TSNWfezyelJs6kE3HfulT6Bdyz4UUoh9ykXcV8nRwT+kh25I5MdyG2GfkJoADPR\n" + + "VhC5DYo13UFpIsTNVjq+hGYe2hML93bN7ad9SxCCyjHUo3yMz2qgBbHZI3VA9ZHA\n" + + "aWM4Tx0saMwbcnVvlbuGh+PXvStfypJqYT6lzcdFfjNVX4FI/QQNGhBswMY51tC8\n" + + "GTBCL2qhJon0gSCU4zaawDOf7+XxJWirLamYL1Aal1/h2z2sFrvA/1ftxtU3kZ6I\n" + + "7De8DyoHeZg7pYGdrj7g+lPhCga/WvEhN152I+aP08YbFcJHYmK05ngl/Ye4c6Bd\n" + + "cdrdfbw6QzEUIYY=\n" + + "-----END CERTIFICATE-----"); + + // Subject: CN=JavaFX 1.0 Runtime, + // OU=Java Signed Extensions, + // OU=Corporate Object Signing, + // O=Sun Microsystems Inc + // Issuer: CN=Object Signing CA, + // OU=Class 2 OnSite Subscriber CA, + // OU=VeriSign Trust Network, + // O=Sun Microsystems Inc + // Serial: 55:c0:e6:44:59:59:79:9e:d9:26:f1:b0:4a:1e:f0:27 + add("java-fx10-pretrusted-4A1EF027", + "-----BEGIN CERTIFICATE-----\n" + + "MIIFezCCBGOgAwIBAgIQVcDmRFlZeZ7ZJvGwSh7wJzANBgkqhkiG9w0BAQUFADCB\n" + + "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" + + "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" + + "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA4MTAwOTAw\n" + + "MDAwMFoXDTExMTAwOTIzNTk1OVowgYAxHTAbBgNVBAoUFFN1biBNaWNyb3N5c3Rl\n" + + "bXMgSW5jMSEwHwYDVQQLFBhDb3Jwb3JhdGUgT2JqZWN0IFNpZ25pbmcxHzAdBgNV\n" + + "BAsUFkphdmEgU2lnbmVkIEV4dGVuc2lvbnMxGzAZBgNVBAMUEkphdmFGWCAxLjAg\n" + + "UnVudGltZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+WDc6+bu+4\n" + + 
"tmAcS/lBtUc02WOt9QZpVsXg9cG2pu/8bUtmDELa8iiYBVFpIs8DU58HLrGQtCUY\n" + + "SIAGOVPsOJoN29UKCDWfY9j5JeVhfhMGqk9DwrWhzgsjy4cpZ1pIp+k/fJ8zT8Ul\n" + + "aYLpow1vg3UNddsmwz02tN7cOrMw9WYIG4CRYnY1OrtJSfe2pYzheC4zyvR+aiVl\n" + + "nang2OtqikSQsNFOFHsLOJFxngy9LrO8evDSu25VTKI6zlWU6/bMeqtztJPN0VOn\n" + + "NyUrJZvkxZ207Jg0T693BGSxNC1n+ihztXogql8950M/pEuUbDjylv5FFvlp6DSB\n" + + "dDT2MkutmyMCAwEAAaOCAeowggHmMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeA\n" + + "MH8GA1UdHwR4MHYwdKByoHCGbmh0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29t\n" + + "L1N1bk1pY3Jvc3lzdGVtc0luY0NvcnBvcmF0ZU9iamVjdFNpZ25pbmdKYXZhU2ln\n" + + "bmVkRXh0ZW5zaW9uc0NsYXNzQi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaAFLNH\n" + + "K4J+U7Rzyri7Gbe+gU0HlcftMB0GA1UdDgQWBBTjgufVi3XJ3gx1ewsA6Rr7BR4Z\n" + + "zjA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9vbnNpdGUtb2Nz\n" + + "cC52ZXJpc2lnbi5jb20wgbUGA1UdIASBrTCBqjA5BgtghkgBhvhFAQcXAjAqMCgG\n" + + "CCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMG0GC2CGSAGG\n" + + "9wCDfZw/MF4wJwYIKwYBBQUHAgEWG2h0dHBzOi8vd3d3LnN1bi5jb20vcGtpL2Nw\n" + + "czAzBggrBgEFBQcCAjAnGiVWYWxpZGF0ZWQgRm9yIFN1biBCdXNpbmVzcyBPcGVy\n" + + "YXRpb25zMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBQUAA4IBAQAB\n" + + "YVJTTVe7rzyTO4jc3zajErOT/COkdQTfNo0eIX1QbNynFieJvwY/jRzUZwjktIFR\n" + + "2p4JtbpHGAtKtjOAOTieQ8xdDOoC1djzpE7/AbMvuvlTavtUKT+F7tPdhfXgWXJV\n" + + "6Wbt8jryKyk3zZGiEhauIwZUkfjRkEtffEmZWLUd8c8rURJjfC/XHH2oyurscoxc\n" + + "CjX29c9ynxSiS/VvQp1an0HvErGh69N48wj7cj8mtZ1yHzd2XCzSSR1OfTPfk0Pt\n" + + "yg51p7yJaFiH21PTZegEL6zyVNOYBTKwwIi2OzpwYalD3uvK6e3OKDrfFCOxu17u\n" + + "4PveESbrdyrmvLe7IVez\n" + + "-----END CERTIFICATE-----"); + + // Subject: CN=JavaFX Runtime, + // OU=Java Signed Extensions, + // OU=Corporate Object Signing, + // O=Sun Microsystems Inc + // Issuer: CN=Object Signing CA, + // OU=Class 2 OnSite Subscriber CA, + // OU=VeriSign Trust Network, + // O=Sun Microsystems Inc + // Serial: 47:f4:55:f1:da:4a:5e:f9:e3:f7:a8:03:62:17:c0:ff + add("javafx-runtime-pretrusted-6217C0FF", + "-----BEGIN CERTIFICATE-----\n" + + 
"MIIFdjCCBF6gAwIBAgIQR/RV8dpKXvnj96gDYhfA/zANBgkqhkiG9w0BAQUFADCB\n" + + "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" + + "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" + + "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA5MDEyOTAw\n" + + "MDAwMFoXDTEyMDEyOTIzNTk1OVowfDEdMBsGA1UEChQUU3VuIE1pY3Jvc3lzdGVt\n" + + "cyBJbmMxITAfBgNVBAsUGENvcnBvcmF0ZSBPYmplY3QgU2lnbmluZzEfMB0GA1UE\n" + + "CxQWSmF2YSBTaWduZWQgRXh0ZW5zaW9uczEXMBUGA1UEAxQOSmF2YUZYIFJ1bnRp\n" + + "bWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCIzd0fAk8mI9ONc6RJ\n" + + "aGieioK2FLdXEwj8zL3vdGDVmBwyR1zwYkaOIFFgF9IW/8qc4iAYA5sGUY+0g8q3\n" + + "5DuYAxfTzBB5KdaYvbuq6GGnoHIWmTirXY+1friFp8lyXSvtuEaGB1VHaBoZchEg\n" + + "k+UgeVDA43dHwcT1Ov3DePczJRUes8T/QHzLX+BxUDG43vjyncCEO/AjqLZxXEz2\n" + + "xrNbKLcH3lGMJK7hdbfssUfF5BjC38Hn71HauYlA43b2no+2y0Sjulwzez2YPbDC\n" + + "0GLR3TnKtA8dqOrnl5t3DniDbfOBNtBE3VOydJO0XW57Ng1HRXD023nm9ECPY2xp\n" + + "0N/pAgMBAAGjggHqMIIB5jAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDB/BgNV\n" + + "HR8EeDB2MHSgcqBwhm5odHRwOi8vb25zaXRlY3JsLnZlcmlzaWduLmNvbS9TdW5N\n" + + "aWNyb3N5c3RlbXNJbmNDb3Jwb3JhdGVPYmplY3RTaWduaW5nSmF2YVNpZ25lZEV4\n" + + "dGVuc2lvbnNDbGFzc0IvTGF0ZXN0Q1JMLmNybDAfBgNVHSMEGDAWgBSzRyuCflO0\n" + + "c8q4uxm3voFNB5XH7TAdBgNVHQ4EFgQUvOdd0cKPj+Yik/iOBwTdphh5A+gwOwYI\n" + + "KwYBBQUHAQEELzAtMCsGCCsGAQUFBzABhh9odHRwOi8vb25zaXRlLW9jc3AudmVy\n" + + "aXNpZ24uY29tMIG1BgNVHSAEga0wgaowOQYLYIZIAYb4RQEHFwIwKjAoBggrBgEF\n" + + "BQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTBtBgtghkgBhvcAg32c\n" + + "PzBeMCcGCCsGAQUFBwIBFhtodHRwczovL3d3dy5zdW4uY29tL3BraS9jcHMwMwYI\n" + + "KwYBBQUHAgIwJxolVmFsaWRhdGVkIEZvciBTdW4gQnVzaW5lc3MgT3BlcmF0aW9u\n" + + "czATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQUFAAOCAQEAbGcf2NjL\n" + + "AI93HG6ny2BbepaZA1a8xa/R6uUc7xV+Qw6MgLwFD4Q4i6LWUztQDvg9l68MM2/i\n" + + "Y9LEi1KM4lcNbK5+D+t9x98wXBiuojXhVdp5ZmC03EyEBbriopdBsmXVLDSu/Y3+\n" + + "zowOO5xwpMK3dbgsSDs2Vt0UosD3FTcRaD3GNfOhXMp+o1grHNiXF9YgkmdQbPPZ\n" + + 
"DQ2KBhFPCRJXBGvyKOqno/DTg0sQ3crGH/C4/4t7mnQXWldZotmJUZ0ONc9oD+Q1\n" + + "JAaguUKqIwn9yZ093ie+JWHbYNid9IIIPXYgtRxmf9a376WBhqhu56uJftBJ7x9g\n" + + "eQ7Lot6CSWCiFw==\n" + + "-----END CERTIFICATE-----"); + + // + // Compromised Solaris INTERNAL DEVELOPMENT USE ONLY certificate + // + + // Subject: CN=Solaris INTERNAL DEVELOPMENT USE ONLY, + // OU=Solaris Cryptographic Framework, + // OU=Corporate Object Signing, + // O=Sun Microsystems Inc + // Issuer: CN=Object Signing CA, + // OU=Class 2 OnSite Subscriber CA, + // OU=VeriSign Trust Network, + // O=Sun Microsystems Inc + // Serial: 77:29:77:52:6a:19:7b:9a:a6:a2:c7:99:a0:e1:cd:8c + add("solaris-internal-dev-A0E1CD8C", + "-----BEGIN CERTIFICATE-----\n" + + "MIIFHjCCBAagAwIBAgIQdyl3UmoZe5qmoseZoOHNjDANBgkqhkiG9w0BAQUFADCB\n" + + "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" + + "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" + + "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA3MDEwNDAw\n" + + "MDAwMFoXDTEwMDEwMzIzNTk1OVowgZwxHTAbBgNVBAoUFFN1biBNaWNyb3N5c3Rl\n" + + "bXMgSW5jMSEwHwYDVQQLFBhDb3Jwb3JhdGUgT2JqZWN0IFNpZ25pbmcxKDAmBgNV\n" + + "BAsUH1NvbGFyaXMgQ3J5cHRvZ3JhcGhpYyBGcmFtZXdvcmsxLjAsBgNVBAMUJVNv\n" + + "bGFyaXMgSU5URVJOQUwgREVWRUxPUE1FTlQgVVNFIE9OTFkwgZ8wDQYJKoZIhvcN\n" + + "AQEBBQADgY0AMIGJAoGBALbNU4hf3mD5ArDI9pjgioAyvV3bjMPRQdCZniIeGJBp\n" + + "odFlSEH+Mh64W1DsY8coeZ7FvvGJkx9IpTMJW9k8w1oJK9UNqHyAQfaYjQyXi3xQ\n" + + "LJp62EvYdGfDlwOZejEcR/MbzZG+GOPMMvQj5+xyFDvLXNGfQNTnxw2qnBgCJXjj\n" + + "AgMBAAGjggH1MIIB8TAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDCBiQYDVR0f\n" + + "BIGBMH8wfaB7oHmGd2h0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29tL1N1bk1p\n" + + "Y3Jvc3lzdGVtc0luY0NvcnBvcmF0ZU9iamVjdFNpZ25pbmdTb2xhcmlzQ3J5cHRv\n" + + "Z3JhcGhpY0ZyYW1ld29ya0NsYXNzQi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaA\n" + + "FLNHK4J+U7Rzyri7Gbe+gU0HlcftMB0GA1UdDgQWBBRpfiGYkehTnsIzuN2H6AFb\n" + + "VCZG8jA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9vbnNpdGUt\n" + + 
"b2NzcC52ZXJpc2lnbi5jb20wgbUGA1UdIASBrTCBqjA5BgtghkgBhvhFAQcXAjAq\n" + + "MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMG0GC2CG\n" + + "SAGG9wCDfZw/MF4wJwYIKwYBBQUHAgEWG2h0dHBzOi8vd3d3LnN1bi5jb20vcGtp\n" + + "L2NwczAzBggrBgEFBQcCAjAnFiVWYWxpZGF0ZWQgRm9yIFN1biBCdXNpbmVzcyBP\n" + + "cGVyYXRpb25zMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBQUAA4IB\n" + + "AQCG5soy3LFHTFbA8/5SzDRhQoJkHUnOP0t3b6nvX6vZYRp649fje7TQOPRm1pFd\n" + + "CZ17J+tggdZwgzTqY4aYpJ00jZaK6pV37q/vgFC/ia6jDs8Q+ly9cEcadBZ5loYg\n" + + "cmxp9p57W2MNWx8VA8oFdNtKfF0jUNXbLNtvwGHmgR6YcwLrGN1b6/9Lt9bO3ODl\n" + + "FO+ZDwkfQz5ClUVrTx2dGBvKRYFqSG5S8JAfsgYhPvcacUQkA7ExyKvfRXLWVrce\n" + + "ZiPpcElbx+819H2sAPvVvparVeAruZGMAtejHZp9NFoowKen5drJp9VxePS4eM49\n" + + "3DepB6lKRrNRw66LNQol4ZBz\n" + + "-----END CERTIFICATE-----"); + + + // ----------------------------------------------------------------- + // Compromised CAs of DigiNotar + // + // Reported by Fox-IT in its interim report on September 5, 2011, + // "DigiNotar Certificate Authority breach 'Operation Black Tulip'". 
+ // + + // + // Compromised DigiNotar Cyber CA + // + + // DigiNotar intermediate, cross-signed by CyberTrust + // + // Subject: EMAILADDRESS=info@diginotar.nl, CN=DigiNotar Cyber CA, + // O=DigiNotar, C=NL + // Issuer: CN=GTE CyberTrust Global Root, + // OU=GTE CyberTrust Solutions, Inc., + // O=GTE Corporation, + // C=US + // Serial: 120000525 (07:27:10:0D) + add("info-at-diginotar-cyber-ca-cross-to-gte-cybertrust-0727100D", + "-----BEGIN CERTIFICATE-----\n" + + "MIIFWjCCBMOgAwIBAgIEBycQDTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" + + "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" + + "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" + + "b2JhbCBSb290MB4XDTA2MTAwNDEwNTQxMVoXDTExMTAwNDEwNTMxMVowYDELMAkG\n" + + "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" + + "IEN5YmVyIENBMSAwHgYJKoZIhvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIw\n" + + "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANLOFQotqF6EZ639vu9Gx8i5z3P8\n" + + "9DS5+SxD52ATPXrjss87Z2yQrcC5P4RS8DVC3HTcKDu9UrSnrHJFF8bwieu0qiXy\n" + + "XUte0dmHutZ9fPXOMp8QM8WxSrtekTHC0OlBwpFkfglBO9uLCDdqqspS3rU5HsCI\n" + + "A6U/i5kTYUO1m4Kz7iBvz6FEouova0CfjytXraFTwoUiaZ2gP1HfC0GRDaXhqKpc\n" + + "SQhdvd5wQbEPyWNr0380dAIvNFp4dRxoeoFnivPaQPBgY/SSINcDpj2jHmfEhBtB\n" + + "pcmM5r3qSLYFFgizNxJa92E89zhvLpfgb1Y4VNMota0Ubi5LZLUnZbd1JQm2Bz2V\n" + + "VgIKgmCyc0XgMyZRdJq51FAc9k1bW1JSE1qmf6cO4ehBVGeYjIfVydNsy9NUkgYJ\n" + + "NEH3gW8/nsl8dVWw58Gzd+jDxAA1lUBwEEoF3iW7n1mlZLxHYL9g43aLE1Xd4XR6\n" + + "uc8kpmp/3mQiRFhogmoQ+T3lPhu5vfwi9GAEibtVbShV+t6OjRshFNc3izR7Tfay\n" + + "shDPM7F9HGKZSMsrbHaWVb8ZDR0fu2WqG46ZtcYokOWCLXhQIJr9eS8kf/CJKWn0\n" + + "fc1zvrPtTsHR7VJej/e4142HrbLZG1ES/1az4a80fVykeIgQnp0DxqWqoiRR90kU\n" + + "xbHuWUOV36toKDA/AgMBAAGjggGGMIIBgjASBgNVHRMBAf8ECDAGAQH/AgEBMFMG\n" + + "A1UdIARMMEowSAYJKwYBBAGxPgEAMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly93d3cu\n" + + "cHVibGljLXRydXN0LmNvbS9DUFMvT21uaVJvb3QuaHRtbDAOBgNVHQ8BAf8EBAMC\n" + + "AQYwgaAGA1UdIwSBmDCBlYAUpgwdn2H/Bxe1vzhG20Mw1Y6wUgaheaR3MHUxCzAJ\n" 
+ + "BgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdU\n" + + "RSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVy\n" + + "VHJ1c3QgR2xvYmFsIFJvb3SCAgGlMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93\n" + + "d3cucHVibGljLXRydXN0LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmwwHQYD\n" + + "VR0OBBYEFKv5aN/PSjfXe0WMX3LeQETDZbvCMA0GCSqGSIb3DQEBBQUAA4GBAI9o\n" + + "a6VbB7pEZg4cqFwwezPkCiYE/O+eGjjWLqEf0JlHwnVkJP2eOyh2uSYoYZEMbSz4\n" + + "BJ98UAHV42mv7xXSRZskCSpmBU8lgcpdvqrBWSeuM46C9990sFWzjvjnN8huqlZE\n" + + "9r1TgSOWPbT6MopTZkQloiXGpjwljPDgKAYityZB\n" + + "-----END CERTIFICATE-----"); + + // DigiNotar intermediate, cross-signed by CyberTrust + // + // Subject: CN=DigiNotar Cyber CA, O=DigiNotar, C=NL + // Issuer: CN=GTE CyberTrust Global Root, + // OU=GTE CyberTrust Solutions, Inc., + // O=GTE Corporation, + // C=US + // Serial: 120000505 (07:27:0F:F9) + add("diginotar-cyber-ca-cross-to-gte-cybertrust-07270FF9", + "-----BEGIN CERTIFICATE-----\n" + + "MIIFODCCBKGgAwIBAgIEBycP+TANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" + + "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" + + "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" + + "b2JhbCBSb290MB4XDTA2MDkyMDA5NDUzMloXDTEzMDkyMDA5NDQwNlowPjELMAkG\n" + + "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" + + "IEN5YmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0s4VCi2o\n" + + "XoRnrf2+70bHyLnPc/z0NLn5LEPnYBM9euOyzztnbJCtwLk/hFLwNULcdNwoO71S\n" + + "tKesckUXxvCJ67SqJfJdS17R2Ye61n189c4ynxAzxbFKu16RMcLQ6UHCkWR+CUE7\n" + + "24sIN2qqylLetTkewIgDpT+LmRNhQ7WbgrPuIG/PoUSi6i9rQJ+PK1etoVPChSJp\n" + + "naA/Ud8LQZENpeGoqlxJCF293nBBsQ/JY2vTfzR0Ai80Wnh1HGh6gWeK89pA8GBj\n" + + "9JIg1wOmPaMeZ8SEG0GlyYzmvepItgUWCLM3Elr3YTz3OG8ul+BvVjhU0yi1rRRu\n" + + "LktktSdlt3UlCbYHPZVWAgqCYLJzReAzJlF0mrnUUBz2TVtbUlITWqZ/pw7h6EFU\n" + + "Z5iMh9XJ02zL01SSBgk0QfeBbz+eyXx1VbDnwbN36MPEADWVQHAQSgXeJbufWaVk\n" + + "vEdgv2DjdosTVd3hdHq5zySman/eZCJEWGiCahD5PeU+G7m9/CL0YASJu1VtKFX6\n" + + 
"3o6NGyEU1zeLNHtN9rKyEM8zsX0cYplIyytsdpZVvxkNHR+7Zaobjpm1xiiQ5YIt\n" + + "eFAgmv15LyR/8IkpafR9zXO+s+1OwdHtUl6P97jXjYetstkbURL/VrPhrzR9XKR4\n" + + "iBCenQPGpaqiJFH3SRTFse5ZQ5Xfq2goMD8CAwEAAaOCAYYwggGCMBIGA1UdEwEB\n" + + "/wQIMAYBAf8CAQEwUwYDVR0gBEwwSjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcC\n" + + "ARYtaHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL0NQUy9PbW5pUm9vdC5odG1s\n" + + "MA4GA1UdDwEB/wQEAwIBBjCBoAYDVR0jBIGYMIGVgBSmDB2fYf8HF7W/OEbbQzDV\n" + + "jrBSBqF5pHcwdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlv\n" + + "bjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYD\n" + + "VQQDExpHVEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6\n" + + "oDigNoY0aHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIw\n" + + "MTgvY2RwLmNybDAdBgNVHQ4EFgQUq/lo389KN9d7RYxfct5ARMNlu8IwDQYJKoZI\n" + + "hvcNAQEFBQADgYEACcpiD427SuDUejUrBi3RKGG2rAH7g0m8rtQvLYauGYOl1h0T\n" + + "4he+/jJ06XoUOMqUXvcpAWlxG5Ea/aO7qh3Ke+IW/aGjDvMMX7LhIDGUK16Sdu36\n" + + "6bUjpr8KOwOpb1JgVM1f6bcvfKIn/UGDdbYN+3gm87FF6TKVKho1IZXFonU=\n" + + "-----END CERTIFICATE-----"); + + // DigiNotar intermediate, cross-signed by CyberTrust + // + // Subject: CN=DigiNotar Cyber CA, O=DigiNotar, C=NL + // Issuer: CN=GTE CyberTrust Global Root, + // OU=GTE CyberTrust Solutions, Inc., + // O=GTE Corporation, + // C=US + // Serial: 120000515 (07:27:10:03) + add("diginotar-cyber-ca-cross-to-gte-cybertrust-07271003", + "-----BEGIN CERTIFICATE-----\n" + + "MIIFODCCBKGgAwIBAgIEBycQAzANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" + + "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" + + "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" + + "b2JhbCBSb290MB4XDTA2MDkyNzEwNTMzMloXDTExMDkyNzEwNTIzMFowPjELMAkG\n" + + "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" + + "IEN5YmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0s4VCi2o\n" + + "XoRnrf2+70bHyLnPc/z0NLn5LEPnYBM9euOyzztnbJCtwLk/hFLwNULcdNwoO71S\n" + + "tKesckUXxvCJ67SqJfJdS17R2Ye61n189c4ynxAzxbFKu16RMcLQ6UHCkWR+CUE7\n" 
+ + "24sIN2qqylLetTkewIgDpT+LmRNhQ7WbgrPuIG/PoUSi6i9rQJ+PK1etoVPChSJp\n" + + "naA/Ud8LQZENpeGoqlxJCF293nBBsQ/JY2vTfzR0Ai80Wnh1HGh6gWeK89pA8GBj\n" + + "9JIg1wOmPaMeZ8SEG0GlyYzmvepItgUWCLM3Elr3YTz3OG8ul+BvVjhU0yi1rRRu\n" + + "LktktSdlt3UlCbYHPZVWAgqCYLJzReAzJlF0mrnUUBz2TVtbUlITWqZ/pw7h6EFU\n" + + "Z5iMh9XJ02zL01SSBgk0QfeBbz+eyXx1VbDnwbN36MPEADWVQHAQSgXeJbufWaVk\n" + + "vEdgv2DjdosTVd3hdHq5zySman/eZCJEWGiCahD5PeU+G7m9/CL0YASJu1VtKFX6\n" + + "3o6NGyEU1zeLNHtN9rKyEM8zsX0cYplIyytsdpZVvxkNHR+7Zaobjpm1xiiQ5YIt\n" + + "eFAgmv15LyR/8IkpafR9zXO+s+1OwdHtUl6P97jXjYetstkbURL/VrPhrzR9XKR4\n" + + "iBCenQPGpaqiJFH3SRTFse5ZQ5Xfq2goMD8CAwEAAaOCAYYwggGCMBIGA1UdEwEB\n" + + "/wQIMAYBAf8CAQEwUwYDVR0gBEwwSjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcC\n" + + "ARYtaHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL0NQUy9PbW5pUm9vdC5odG1s\n" + + "MA4GA1UdDwEB/wQEAwIBBjCBoAYDVR0jBIGYMIGVgBSmDB2fYf8HF7W/OEbbQzDV\n" + + "jrBSBqF5pHcwdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlv\n" + + "bjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYD\n" + + "VQQDExpHVEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6\n" + + "oDigNoY0aHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIw\n" + + "MTgvY2RwLmNybDAdBgNVHQ4EFgQUq/lo389KN9d7RYxfct5ARMNlu8IwDQYJKoZI\n" + + "hvcNAQEFBQADgYEAWcyGZhizJlRP1jjNupZey+yZG6oMDW4Z11boriMHbYPCndBE\n" + + "bVh07zmPbZsihOw9w/vm5KbVX5CgxUv4Rhzh/20Faixf3P3bpWg0qgzHVVusNVR/\n" + + "P50aKkpdK3hp+QLl56e+lWOddSAINIpmcuyDI1hyuzB+GJEASm9tNU/6rs8=\n" + + "-----END CERTIFICATE-----"); + + // + // Compromised DigiNotar Root CA + // + + // DigiNotar intermediate, cross-signed by Entrust + // + // Subject: EMAILADDRESS=info@diginotar.nl, + // CN=DigiNotar Root CA, + // O=DigiNotar, C=NL + // Issuer: CN=Entrust.net Secure Server Certification Authority + // OU=(c) 1999 Entrust.net Limited, + // OU=www.entrust.net/CPS incorp. by ref. 
(limits liab.), + // O=Entrust.net, + // C=US, + // Serial: 1184644297 (46:9C:3C:C9) + add("info-at-diginotar-root-ca-cross-to-entrust-secure-server-469C3CC9", + "-----BEGIN CERTIFICATE-----\n" + + "MIIFSDCCBLGgAwIBAgIERpw8yTANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA0\n" + + "MjYwNTAwMDBaFw0xMzA4MTQyMDEyMzZaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + + "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" + + "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" + + "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" + + "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" + + "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" + + "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" + + "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" + + "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" + + "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" + + "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" + + "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" + + "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" + + "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" + + "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" + + "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" + + "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" + + "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" + + "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" + + 
"A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" + + "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAI979rBep8tu3TeLunapgsZ0jtXp\n" + + "GDFjKWSk87dj1jCyYi+q/GyDyZ6ZQZNRP0sF+6twscq05lClWNy3TROMp7QeuoLO\n" + + "G7Utw3OJaswUtp4YglANMRTHEe3g9ltifUXRH5tSuy7u6yi4LD4WTm5ULP6r/g6l\n" + + "0CnjXYb0+b1Fmz6U\n" + + "-----END CERTIFICATE-----"); + + // DigiNotar intermediate, cross-signed by Entrust + // + // Subject: EMAILADDRESS=info@diginotar.nl, + // CN=DigiNotar Root CA, + // O=DigiNotar, C=NL + // Issuer: CN=Entrust.net Secure Server Certification Authority + // OU=(c) 1999 Entrust.net Limited, + // OU=www.entrust.net/CPS incorp. by ref. (limits liab.), + // O=Entrust.net, + // C=US, + // Serial: 1184640175 (46:9C:2C:AF) + add("info-at-diginotar-root-ca-cross-to-entrust-secure-server-469C2CAF", + "-----BEGIN CERTIFICATE-----\n" + + "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" + + "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + + "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" + + "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" + + "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" + + "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" + + "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" + + "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" + + "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" + + "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" + + "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" + + 
"5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" + + "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" + + "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" + + "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" + + "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" + + "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" + + "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" + + "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" + + "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" + + "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" + + "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" + + "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" + + "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" + + "ZFdYf+hthc3m6IcJ\n" + + "-----END CERTIFICATE-----"); + + // + // Compromised DigiNotar PKIoverheid CA Organisatie - G2 + // + + // DigiNotar intermediate, cross-signed by the Dutch government + // + // Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2, + // O=DigiNotar B.V., + // C=NL + // Issuer: CN=Staat der Nederlanden Organisatie CA - G2, + // O=Staat der Nederlanden, + // C=NL + // Serial: 20001983 (01:31:34:bf) + add("diginotar-pkioverheid-organisatie-cross-to-nederlanden-013134BF", + "-----BEGIN CERTIFICATE-----\n" + + "MIIGnDCCBISgAwIBAgIEATE0vzANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJO\n" + + "TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMTIwMAYDVQQDDClTdGFh\n" + + "dCBkZXIgTmVkZXJsYW5kZW4gT3JnYW5pc2F0aWUgQ0EgLSBHMjAeFw0xMDA1MTIw\n" + + "ODUxMzhaFw0yMDAzMjMwOTUwMDRaMFoxCzAJBgNVBAYTAk5MMRcwFQYDVQQKDA5E\n" + + "aWdpTm90YXIgQi5WLjEyMDAGA1UEAwwpRGlnaU5vdGFyIFBLSW92ZXJoZWlkIENB\n" + + "IE9yZ2FuaXNhdGllIC0gRzIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\n" + + "AQCxExkPJ+Zs1FWGS9DsiYpFkXisR71HK+T8RetPtCZzWzfTw3/2497Xo/gtaMUI\n" + + 
"PkuU1uSHJTZrhLUYdPMoWHMvm2rPvAQe9t7dr/xLqvXbZmIlASWC3vKXWhBu3V2p\n" + + "IrEEqSNzOvhxrR3PhETrR9Gvbch8KKvH8jd6dF9fxQIUiqNa4xtsAeNdjtlo1vQJ\n" + + "GzLckbUs9SDrjANtJkm4k8SFXdjSm69WaswFM8ygQp40VUSca6DUEtArVM23iQ3l\n" + + "9uvo+4UBM096a/GdcjOWDveyhKWlJ8Qn8VFzKXe6Z27+TNy04qGhgS85SY1DOBPO\n" + + "0KVcwoc6AGdlQiPxNlkKHaNRyLyjlCox3+M88p0aPASw77EKMBNzttfzo0wBdRSF\n" + + "eMDXijlYhVD6LubFvs+LP6+PNtQlCS3SD6xyk/K/i9RQs/kVUJuZ9RTZ+4uRozIm\n" + + "JqD43ztggYaDeVsr6xM9KTrBbd29no6H1kquNJcF7hSm9tw4fkrpJFQHPZdoN0Zr\n" + + "DceoIa8TVOQJavFNRgrJXfubT73e+7dUy7g4nKc5+2otwHuNq6WnV+xKkoozxeEg\n" + + "XHPYkJIrgNUPhhhpfDlPhIa890xb89W0yqDC8DciynlSH1PmqvOQsDvd8ij9rOvF\n" + + "BiSgydQvD1j9tZ7sD8+yWdCiBHo4aq5y+73wJWKUCacFCwIDAQABo4IBYTCCAV0w\n" + + "SAYDVR0gBEEwPzA9BgRVHSAAMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cuZGln\n" + + "aW5vdGFyLm5sL2Nwcy9wa2lvdmVyaGVpZDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n" + + "DwEB/wQEAwIBBjCBhQYDVR0jBH4wfIAUORCLSZJc22ESIM1JnRqO2pxnQLmhXqRc\n" + + "MFoxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x\n" + + "KzApBgNVBAMMIlN0YWF0IGRlciBOZWRlcmxhbmRlbiBSb290IENBIC0gRzKCBACY\n" + + "lvQwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5wa2lvdmVyaGVpZC5ubC9E\n" + + "b21PcmdhbmlzYXRpZUxhdGVzdENSTC1HMi5jcmwwHQYDVR0OBBYEFLxdlDvZq3sD\n" + + "JXNhwtst7vyrj2WhMA0GCSqGSIb3DQEBCwUAA4ICAQCP/C1Mt9kt1R+978v0t2gX\n" + + "dZ1O1ffdnPEqJu2forYcA9VTs+wIzzTi48P0tRYvyMO+19NzqwA2+RpKftZj6V5G\n" + + "uqW2jhW3oyrYQx3vXcgfgYWzi/f/PPTZ9EYIP5y8HaDZqEzNJVJOCrEg9x/pQ9lU\n" + + "RoETmsBedGwqmDLq/He7DaWiMZgifnx859qkrey3LhoZcfhIUNpDjyyE3cFAJ+O1\n" + + "8BVOltT4XOOGKUYr1zsH6zh/yIZXl9PvKjPEF1DVZGlrK2tFXl0vF8paTs/D1zk8\n" + + "9TufRrmb5w5Jl53W1eMbD+qPAU6aE5RZCgIHSEsaYKt/T+0L2FUNaG9VnGllFULs\n" + + "wNzdbKzDFs4LHVabpMTE0i7gD+JEJytQaaTcYuiKISlCbMwAOpZ2m+9AwKRed4Qy\n" + + "bCYqOWauXeO5ubIsaB8empADOfCqs6TMSYsYNOk3yXspx4R8b0QVL+xhWQTJRcui\n" + + "1lKifH8pktZKxYtCqNT+6tjHhyMY5J16fXNAUpigrm7jBT8FD+Clxm1N7YM3iJzH\n" + + "89xCmmq21yFJNnfy7xhPxXDZnunetyuL9Lx+KN8NQMmFXK6dxTH/0FwOtah+8Okv\n" + + 
"uq+IruW10Vilr5xxpykBkINpN4IFuvwJwQhujHg7wzMCgD9EhQgd31VWCK0shS1d\n" + + "sQPhrqp0xaTzTro3mHuCuQ==\n" + + "-----END CERTIFICATE-----"); + + // + // Compromised DigiNotar PKIoverheid CA Overheid en Bedrijven + // + + // DigiNotar intermediate, cross-signed by the Dutch government + // + // Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven, + // O=DigiNotar B.V., + // C=NL + // Issuer: CN=Staat der Nederlanden Overheid CA + // O=Staat der Nederlanden, + // C=NL + // Serial: 20015536 (01:31:69:b0) + add("diginotar-pkioverheid-overheid-enb-cross-to-nederlanden-013169B0", + "-----BEGIN CERTIFICATE-----\n" + + "MIIEiDCCA3CgAwIBAgIEATFpsDANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJO\n" + + "TDEeMBwGA1UEChMVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSowKAYDVQQDEyFTdGFh\n" + + "dCBkZXIgTmVkZXJsYW5kZW4gT3ZlcmhlaWQgQ0EwHhcNMDcwNzA1MDg0MjA3WhcN\n" + + "MTUwNzI3MDgzOTQ2WjBfMQswCQYDVQQGEwJOTDEXMBUGA1UEChMORGlnaU5vdGFy\n" + + "IEIuVi4xNzA1BgNVBAMTLkRpZ2lOb3RhciBQS0lvdmVyaGVpZCBDQSBPdmVyaGVp\n" + + "ZCBlbiBCZWRyaWp2ZW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc\n" + + "vdKnTmoKuzuiheF/AK2+tDBomAfNoHrElM9x+Yo35FPrV3bMi+Zs/u6HVcg+uwQ5\n" + + "AKeAeKxbT370vbhUuHE7BzFJOZNUfCA7eSuPu2GQfbGs5h+QLp1FAalkLU3DL7nn\n" + + "UNVOKlyrdnY3Rtd57EKZ96LspIlw3Dgrh6aqJOadkiQbvvb91C8ZF3rmMgeUVAVT\n" + + "Q+lsvK9Hy7zL/b07RBKB8WtLu+20z6slTxjSzAL8o0+1QjPLWc0J3NNQ/aB2jKx+\n" + + "ZopC9q0ckvO2+xRG603XLzDgbe5bNr5EdLcgBVeFTegAGaL2DOauocBC36esgl3H\n" + + "aLcY5olLmmv6znn58yynAgMBAAGjggFQMIIBTDBIBgNVHSAEQTA/MD0GBFUdIAAw\n" + + "NTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5kaWdpbm90YXIubmwvY3BzL3BraW92\n" + + "ZXJoZWlkMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMIGABgNVHSME\n" + + "eTB3gBQLhtYPd6NosftkCcOIblwEHFfpPaFZpFcwVTELMAkGA1UEBhMCTkwxHjAc\n" + + "BgNVBAoTFVN0YWF0IGRlciBOZWRlcmxhbmRlbjEmMCQGA1UEAxMdU3RhYXQgZGVy\n" + + "IE5lZGVybGFuZGVuIFJvb3QgQ0GCBACYmnkwPQYDVR0fBDYwNDAyoDCgLoYsaHR0\n" + + "cDovL2NybC5wa2lvdmVyaGVpZC5ubC9Eb21PdkxhdGVzdENSTC5jcmwwHQYDVR0O\n" + + 
"BBYEFEwIyY128ZjHPt881y91DbF2eZfMMA0GCSqGSIb3DQEBBQUAA4IBAQAMlIca\n" + + "v03jheLu19hjeQ5Q38aEW9K72fUxCho1l3TfFPoqDz7toOMI9tVOW6+mriXiRWsi\n" + + "D7dUKH6S3o0UbNEc5W50BJy37zRERd/Jgx0ZH8Apad+J1T/CsFNt5U4X5HNhIxMm\n" + + "cUP9TFnLw98iqiEr2b+VERqKpOKrp11Lbyn1UtHk0hWxi/7wA8+nfemZhzizDXMU\n" + + "5HIs4c71rQZIZPrTKbmi2Lv01QulQERDjqC/zlqlUkxk0xcxYczopIro5Ij76eUv\n" + + "BjMzm5RmZrGrUDqhCYF0U1onuabSJc/Tw6f/ltAv6uAejVLpGBwgCkegllYOQJBR\n" + + "RKwa/fHuhR/3Qlpl\n" + + "-----END CERTIFICATE-----"); + + // + // Compromised DigiNotar PKIoverheid CA Overheid + // + + // DigiNotar intermediate, cross-signed by the Dutch government + // + // Subject: CN=DigiNotar PKIoverheid CA Overheid + // O=DigiNotar B.V., + // C=NL + // Issuer: CN=Staat der Nederlanden Overheid CA + // O=Staat der Nederlanden, + // C=NL + // Serial: 20006006 (01:31:44:76) + add("diginotar-pkioverheid-overheid-cross-to-nederlanden-01314476", + "-----BEGIN CERTIFICATE-----\n" + + "MIIEezCCA2OgAwIBAgIEATFEdjANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJO\n" + + "TDEeMBwGA1UEChMVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSowKAYDVQQDEyFTdGFh\n" + + "dCBkZXIgTmVkZXJsYW5kZW4gT3ZlcmhlaWQgQ0EwHhcNMDQwNjI0MDgxOTMyWhcN\n" + + "MTAwNjIzMDgxNzM2WjBSMQswCQYDVQQGEwJOTDEXMBUGA1UEChMORGlnaU5vdGFy\n" + + "IEIuVi4xKjAoBgNVBAMTIURpZ2lOb3RhciBQS0lvdmVyaGVpZCBDQSBPdmVyaGVp\n" + + "ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSlrubta5tlOjVCi/gb\n" + + "yLCvRqfBjxG8H594VcKHu0WAYc99SPZF9cycj5mw2GyfQvy/WIrGrL4iyNq1gSqR\n" + + "0QA/mTXKZIaPqzpDhdm+VvrKkmjrbZfaQxgMSs3ChtBsjcP9Lc0X1zXZ4Q8nBe3k\n" + + "BTp+zehINfmbjoEgXLxsMR5RQ6GxzKjuC04PQpbJQgTIakglKaqYcDDZbEscWgPV\n" + + "Hgj/2aoHlj6leW/ThHZ+O41jUguEmBLZA3mu3HrCfrHntb5dPt0ihzSx7GtD/SaX\n" + + "5HBLxnP189YuqMk5iRA95CtiSdKauvon/xRKRLNgG6XAz0ctSoY7xLDdiBVU5kJd\n" + + "FScCAwEAAaOCAVAwggFMMEgGA1UdIARBMD8wPQYEVR0gADA1MDMGCCsGAQUFBwIB\n" + + "FidodHRwOi8vd3d3LmRpZ2lub3Rhci5ubC9jcHMvcGtpb3ZlcmhlaWQwDwYDVR0T\n" + + "AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgYAGA1UdIwR5MHeAFAuG1g93o2ix\n" + + 
"+2QJw4huXAQcV+k9oVmkVzBVMQswCQYDVQQGEwJOTDEeMBwGA1UEChMVU3RhYXQg\n" + + "ZGVyIE5lZGVybGFuZGVuMSYwJAYDVQQDEx1TdGFhdCBkZXIgTmVkZXJsYW5kZW4g\n" + + "Um9vdCBDQYIEAJiaeTA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY3JsLnBraW92\n" + + "ZXJoZWlkLm5sL0RvbU92TGF0ZXN0Q1JMLmNybDAdBgNVHQ4EFgQUvRaYQh2+kdE9\n" + + "wpcl4CjXWOC1f+IwDQYJKoZIhvcNAQEFBQADggEBAGhQsCWLiaN2EOhPAW+JQP6o\n" + + "XBOrLv5w6joahzBFVn1BiefzmlMKjibqKYxURRvMAsMkh82/MfL8V0w6ugxl81lu\n" + + "i42dcxl9cKSVXKMw4bbBzJ2VQI5HTIABwefeNuy/eX6idVwYdt3ajAH7fUA8Q9Cq\n" + + "vr6H8B+8mwoEqTVTEVlCSsC/EXsokYEUr06PPzRudKjDmijgj7zFaIioZNc8hk7g\n" + + "ufEgrs/tmcNGylrwRHgCXjCRBt2NHlZ08l7A1AGU8HcHlSbG9Un/2q9kVHUkps0D\n" + + "gtUaEK+x6jpAu/R8Ojezu/+ZEcwwjI/KOhG+84+ejFmtyEkrUdsAdEdLf/2dKsw=\n" + + "-----END CERTIFICATE-----"); + + // + // Compromised DigiNotar Services 1024 CA + // + + // DigiNotar intermediate, cross-signed by the Entrust + // + // Subject: EMAILADDRESS=info@diginotar.nl, + // CN=DigiNotar Services 1024 CA + // O=DigiNotar, C=NL + // Issuer: CN=Entrust.net Secure Server Certification Authority, + // OU=(c) 1999 Entrust.net Limited, + // OU=www.entrust.net/CPS incorp. by ref. 
(limits liab.), + // O=Entrust.net, + // C=US + // Serial: 1184640176 (46:9c:2c:b0) + add("diginotar-services-1024-ca-cross-to-entrust-469C2CB0", + "-----BEGIN CERTIFICATE-----\n" + + "MIIDzTCCAzagAwIBAgIERpwssDANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" + + "MjYxNTU5MDBaFw0xMzA4MjYxNjI5MDBaMGgxCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + + "EwlEaWdpTm90YXIxIzAhBgNVBAMTGkRpZ2lOb3RhciBTZXJ2aWNlcyAxMDI0IENB\n" + + "MSAwHgYJKoZIhvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCBnzANBgkqhkiG9w0B\n" + + "AQEFAAOBjQAwgYkCgYEA2ptNXTz50eKLxsYIIMXZHkjsZlhneWIrQWP0iY1o2q+4\n" + + "lDaLGSSkoJPSmQ+yrS01Tc0vauH5mxkrvAQafi09UmTN8T5nD4ku6PJPrqYIoYX+\n" + + "oakJ5sarPkP8r3oDkdqmOaZh7phPGKjTs69mgumfvN1y+QYEvRLZGCTnq5NTi1kC\n" + + "AwEAAaOCASYwggEiMBIGA1UdEwEB/wQIMAYBAf8CAQAwJwYDVR0lBCAwHgYIKwYB\n" + + "BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAwMwYI\n" + + "KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5l\n" + + "dDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L3NlcnZl\n" + + "cjEuY3JsMB0GA1UdDgQWBBT+3JRJDG/vXH/G8RKZTxZJrfuCZTALBgNVHQ8EBAMC\n" + + "AQYwHwYDVR0jBBgwFoAU8BdiE1U9s/8KAGv7UISX8+1i0BowGQYJKoZIhvZ9B0EA\n" + + "BAwwChsEVjcuMQMCAIEwDQYJKoZIhvcNAQEFBQADgYEAY3RqN6k/lpxmyFisCcnv\n" + + "9WWUf6MCxDgxvV0jh+zUVrLJsm7kBQb87PX6iHBZ1O7m3bV6oKNgLwIMq94SXa/w\n" + + "NUuqikeRGvWFLELHHe+VQ7NeuJWTpdrFKKqtci0xrZlrbP+MISevrZqRK8fdWMNu\n" + + "B8WfedLHjFW/TMcnXlEWKz4=\n" + + "-----END CERTIFICATE-----"); + + } +} diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/validator/SimpleValidator.java --- a/jdk/src/share/classes/sun/security/validator/SimpleValidator.java Wed Jul 05 18:03:21 2017 +0200 
+++ b/jdk/src/share/classes/sun/security/validator/SimpleValidator.java Wed Jul 05 18:03:56 2017 +0200 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,6 +40,7 @@ import sun.security.util.ObjectIdentifier; import sun.security.provider.certpath.AlgorithmChecker; +import sun.security.provider.certpath.UntrustedChecker; /** * A simple validator implementation. It is based on code from the JSSE @@ -137,6 +138,9 @@ date = new Date(); } + // create distrusted certificates checker + UntrustedChecker untrustedChecker = new UntrustedChecker(); + // create default algorithm constraints checker TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null); AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor); @@ -154,6 +158,17 @@ X509Certificate issuerCert = chain[i + 1]; X509Certificate cert = chain[i]; + // check untrusted certificate + try { + // Untrusted checker does not care about the unresolved + // critical extensions. + untrustedChecker.check(cert, Collections.emptySet()); + } catch (CertPathValidatorException cpve) { + throw new ValidatorException( + "Untrusted certificate: " + cert.getSubjectX500Principal(), + ValidatorException.T_UNTRUSTED_CERT, cert, cpve); + } + // check certificate algorithm try { // Algorithm checker does not care about the unresolved diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/classes/sun/security/validator/ValidatorException.java --- a/jdk/src/share/classes/sun/security/validator/ValidatorException.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/classes/sun/security/validator/ValidatorException.java Wed Jul 05 18:03:56 2017 +0200 
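Review bot: The untrusted-certificate check added in the `@@ -154,6 +158,17 @@` hunk only ever sees `chain[i]`, and because the same iteration reads `issuerCert = chain[i + 1]`, the loop presumably never reaches the last element, which the previous hunk's context uses as the `TrustAnchor`. If that reading is right, a certificate on the untrusted list that ends up as `chain[chain.length - 1]` is never passed to `untrustedChecker`. Either check it once before the loop with `untrustedChecker.check(chain[chain.length - 1], Collections.emptySet());` wrapped in the same `ValidatorException` translation, or, if the omission is deliberate, say so with a comment such as `// the anchor is not checked here: distrust of anchors is left to the trust store`. The loop header and the rest of the method are outside the hunk.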
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -58,6 +58,9 @@ public final static Object T_ALGORITHM_DISABLED = "Certificate signature algorithm disabled"; + public final static Object T_UNTRUSTED_CERT = + "Untrusted certificate"; + private Object type; private X509Certificate cert; diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/native/java/lang/System.c --- a/jdk/src/share/native/java/lang/System.c Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/native/java/lang/System.c Wed Jul 05 18:03:56 2017 +0200 @@ -235,7 +235,14 @@ } PUTPROP(props, "file.encoding", sprops->encoding); PUTPROP(props, "sun.jnu.encoding", sprops->sun_jnu_encoding); + if (sprops->sun_stdout_encoding != NULL) { + PUTPROP(props, "sun.stdout.encoding", sprops->sun_stdout_encoding); + } + if (sprops->sun_stderr_encoding != NULL) { + PUTPROP(props, "sun.stderr.encoding", sprops->sun_stderr_encoding); + } PUTPROP(props, "file.encoding.pkg", "sun.io"); + /* unicode_encoding specifies the default endianness */ PUTPROP(props, "sun.io.unicode.encoding", sprops->unicode_encoding); PUTPROP(props, "sun.cpu.isalist", diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/native/java/lang/java_props.h --- a/jdk/src/share/native/java/lang/java_props.h Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/share/native/java/lang/java_props.h Wed Jul 05 18:03:56 2017 +0200 @@ -66,6 +66,8 @@ char *display_variant; char *encoding; char *sun_jnu_encoding; + char *sun_stdout_encoding; + char *sun_stderr_encoding; char *timezone; char *printerJob; diff -r 836dfc08398e -r 16ba58282d11 jdk/src/share/native/java/util/zip/zip_util.c --- a/jdk/src/share/native/java/util/zip/zip_util.c Wed Jul 05 18:03:21 2017 +0200 
+++ b/jdk/src/share/native/java/util/zip/zip_util.c Wed Jul 05 18:03:56 2017 +0200 @@ -521,7 +521,7 @@ { jint count = 0; ptrdiff_t i; - for (i = 0; i + CENHDR < end - beg; i += CENSIZE(beg + i)) + for (i = 0; i + CENHDR <= end - beg; i += CENSIZE(beg + i)) count++; return count; } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/solaris/native/sun/nio/ch/FileDispatcherImpl.c --- a/jdk/src/solaris/native/sun/nio/ch/FileDispatcherImpl.c Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/solaris/native/sun/nio/ch/FileDispatcherImpl.c Wed Jul 05 18:03:56 2017 +0200 @@ -191,7 +191,7 @@ } lockResult = fcntl(fd, cmd, &fl); if (lockResult < 0) { - if ((cmd == F_SETLK64) && (errno == EAGAIN)) + if ((cmd == F_SETLK64) && (errno == EAGAIN || errno == EACCES)) return sun_nio_ch_FileDispatcherImpl_NO_LOCK; if (errno == EINTR) return sun_nio_ch_FileDispatcherImpl_INTERRUPTED; diff -r 836dfc08398e -r 16ba58282d11 jdk/src/windows/classes/sun/java2d/d3d/D3DRenderer.java --- a/jdk/src/windows/classes/sun/java2d/d3d/D3DRenderer.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/windows/classes/sun/java2d/d3d/D3DRenderer.java Wed Jul 05 18:03:56 2017 +0200 @@ -27,6 +27,7 @@ import java.awt.Transparency; import java.awt.geom.Path2D; +import sun.java2d.InvalidPipeException; import sun.java2d.SunGraphics2D; import sun.java2d.loops.GraphicsPrimitive; import sun.java2d.pipe.BufferedPaints; @@ -47,7 +48,12 @@ int ctxflags = sg2d.paint.getTransparency() == Transparency.OPAQUE ? D3DContext.SRC_IS_OPAQUE : D3DContext.NO_CONTEXT_FLAGS; - D3DSurfaceData dstData = (D3DSurfaceData)sg2d.surfaceData; + D3DSurfaceData dstData; + try { + dstData = (D3DSurfaceData)sg2d.surfaceData; + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } D3DContext.validateContext(dstData, dstData, sg2d.getCompClip(), sg2d.composite, null, sg2d.paint, sg2d, ctxflags); 
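Review bot: The loop in the zip_util.c hunk advances by `CENSIZE(beg + i)`, which is presumably derived from length fields read out of the entry itself, and the condition only shows that a fixed-size header fits before `end`. Nothing in the visible lines checks an entry signature or that the whole variable-length entry stays inside the buffer. Changing `<` to `<=` now counts a header that ends exactly at `end`, which looks intended, but the count remains only as reliable as those size fields. I would add a comment above the loop such as `/* Walks size fields only; entries are not validated here, callers must bounds-check each header. */`. The function signature is outside the hunk.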
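Review bot: The same six-line cast-and-rethrow block is pasted into all three D3DRenderer methods touched here (this hunk, `@@ -56,7 +62,12 @@` and `@@ -70,7 +81,12 @@`), so the message and exception type can drift apart later. One private helper holding the try/catch, for example `private static D3DSurfaceData d3dSurface(SunGraphics2D sg2d)`, would reduce each caller to `D3DSurfaceData dstData = d3dSurface(sg2d);`. The caught `ClassCastException` is also discarded, so a short comment saying it is dropped on purpose would help whoever debugs an `InvalidPipeException` later. The method bodies begin outside the hunks.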
@@ -56,7 +62,12 @@ @Override protected void validateContextAA(SunGraphics2D sg2d) { int ctxflags = D3DContext.NO_CONTEXT_FLAGS; - D3DSurfaceData dstData = (D3DSurfaceData)sg2d.surfaceData; + D3DSurfaceData dstData; + try { + dstData = (D3DSurfaceData)sg2d.surfaceData; + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } D3DContext.validateContext(dstData, dstData, sg2d.getCompClip(), sg2d.composite, null, sg2d.paint, sg2d, ctxflags); @@ -70,7 +81,12 @@ int ctxflags = sg2d.surfaceData.getTransparency() == Transparency.OPAQUE ? D3DContext.SRC_IS_OPAQUE : D3DContext.NO_CONTEXT_FLAGS; - D3DSurfaceData dstData = (D3DSurfaceData)sg2d.surfaceData; + D3DSurfaceData dstData; + try { + dstData = (D3DSurfaceData)sg2d.surfaceData; + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } D3DContext.validateContext(dstData, dstData, sg2d.getCompClip(), sg2d.composite, null, null, null, ctxflags); diff -r 836dfc08398e -r 16ba58282d11 jdk/src/windows/classes/sun/java2d/windows/GDIRenderer.java --- a/jdk/src/windows/classes/sun/java2d/windows/GDIRenderer.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/windows/classes/sun/java2d/windows/GDIRenderer.java Wed Jul 05 18:03:56 2017 +0200 @@ -29,6 +29,7 @@ import java.awt.Shape; import java.awt.geom.Path2D; import java.awt.geom.PathIterator; +import sun.java2d.InvalidPipeException; import sun.java2d.SunGraphics2D; import sun.java2d.SurfaceData; import sun.java2d.pipe.Region; @@ -45,7 +46,7 @@ PixelFillPipe, ShapeDrawPipe { - native void doDrawLine(SurfaceData sData, + native void doDrawLine(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x1, int y1, int x2, int y2); 
@@ -54,24 +55,32 @@ { int transx = sg2d.transX; int transy = sg2d.transY; - doDrawLine(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x1+transx, y1+transy, x2+transx, y2+transy); + try { + doDrawLine((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x1+transx, y1+transy, x2+transx, y2+transy); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doDrawRect(SurfaceData sData, + native void doDrawRect(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h); public void drawRect(SunGraphics2D sg2d, int x, int y, int width, int height) { - doDrawRect(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x+sg2d.transX, y+sg2d.transY, width, height); + try { + doDrawRect((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x+sg2d.transX, y+sg2d.transY, width, height); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doDrawRoundRect(SurfaceData sData, + native void doDrawRoundRect(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h, int arcW, int arcH); 
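Review bot: The `try` added here wraps the whole `doDrawLine(...)` call, so a `ClassCastException` raised anywhere inside it is also reported as "wrong surface data type", which would hide the real fault. That includes `sg2d.getCompClip()`, the native method and a `Tracer` override. `doFillSpans` in hunk `@@ -239,7 +292,12 @@` already uses the narrower form: it casts into a local inside the `try` and makes the call outside it. The same applies to every other `doDraw*`, `doFill*` and `doShape` call site changed in the later GDIRenderer.java hunks. The signature of the method in this hunk is outside the hunk.

```java
// … unchanged: transx/transy locals …
GDIWindowSurfaceData sd;
try {
    sd = (GDIWindowSurfaceData)sg2d.surfaceData;
} catch (ClassCastException e) {
    throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
}
doDrawLine(sd,
           sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
           x1+transx, y1+transy, x2+transx, y2+transy);
```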
@@ -80,25 +89,33 @@ int x, int y, int width, int height, int arcWidth, int arcHeight) { - doDrawRoundRect(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x+sg2d.transX, y+sg2d.transY, width, height, - arcWidth, arcHeight); + try { + doDrawRoundRect((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x+sg2d.transX, y+sg2d.transY, width, height, + arcWidth, arcHeight); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doDrawOval(SurfaceData sData, + native void doDrawOval(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h); public void drawOval(SunGraphics2D sg2d, int x, int y, int width, int height) { - doDrawOval(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x+sg2d.transX, y+sg2d.transY, width, height); + try { + doDrawOval((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x+sg2d.transX, y+sg2d.transY, width, height); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doDrawArc(SurfaceData sData, + native void doDrawArc(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h, int angleStart, int angleExtent); 
@@ -107,13 +124,17 @@ int x, int y, int width, int height, int startAngle, int arcAngle) { - doDrawArc(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x+sg2d.transX, y+sg2d.transY, width, height, - startAngle, arcAngle); + try { + doDrawArc((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x+sg2d.transX, y+sg2d.transY, width, height, + startAngle, arcAngle); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doDrawPoly(SurfaceData sData, + native void doDrawPoly(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int transx, int transy, int[] xpoints, int[] ypoints, 
@@ -123,33 +144,45 @@ int xpoints[], int ypoints[], int npoints) { - doDrawPoly(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - sg2d.transX, sg2d.transY, xpoints, ypoints, npoints, false); + try { + doDrawPoly((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + sg2d.transX, sg2d.transY, xpoints, ypoints, npoints, false); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } public void drawPolygon(SunGraphics2D sg2d, int xpoints[], int ypoints[], int npoints) { - doDrawPoly(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - sg2d.transX, sg2d.transY, xpoints, ypoints, npoints, true); + try { + doDrawPoly((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + sg2d.transX, sg2d.transY, xpoints, ypoints, npoints, true); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doFillRect(SurfaceData sData, + native void doFillRect(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h); public void fillRect(SunGraphics2D sg2d, int x, int y, int width, int height) { - doFillRect(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x+sg2d.transX, y+sg2d.transY, width, height); + try { + doFillRect((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x+sg2d.transX, y+sg2d.transY, width, height); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doFillRoundRect(SurfaceData sData, + native void doFillRoundRect(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h, int arcW, int arcH); 
@@ -158,25 +191,33 @@ int x, int y, int width, int height, int arcWidth, int arcHeight) { - doFillRoundRect(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x+sg2d.transX, y+sg2d.transY, width, height, - arcWidth, arcHeight); + try { + doFillRoundRect((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x+sg2d.transX, y+sg2d.transY, width, height, + arcWidth, arcHeight); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doFillOval(SurfaceData sData, + native void doFillOval(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h); public void fillOval(SunGraphics2D sg2d, int x, int y, int width, int height) { - doFillOval(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x+sg2d.transX, y+sg2d.transY, width, height); + try { + doFillOval((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x+sg2d.transX, y+sg2d.transY, width, height); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doFillArc(SurfaceData sData, + native void doFillArc(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h, int angleStart, int angleExtent); 
@@ -185,13 +226,17 @@ int x, int y, int width, int height, int startAngle, int arcAngle) { - doFillArc(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - x+sg2d.transX, y+sg2d.transY, width, height, - startAngle, arcAngle); + try { + doFillArc((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + x+sg2d.transX, y+sg2d.transY, width, height, + startAngle, arcAngle); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doFillPoly(SurfaceData sData, + native void doFillPoly(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int transx, int transy, int[] xpoints, int[] ypoints, @@ -201,12 +246,16 @@ int xpoints[], int ypoints[], int npoints) { - doFillPoly(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - sg2d.transX, sg2d.transY, xpoints, ypoints, npoints); + try { + doFillPoly((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + sg2d.transX, sg2d.transY, xpoints, ypoints, npoints); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } - native void doShape(SurfaceData sData, + native void doShape(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int transX, int transY, Path2D.Float p2df, boolean isfill); @@ -228,9 +277,13 @@ transX = 0; transY = 0; } - doShape(sg2d.surfaceData, - sg2d.getCompClip(), sg2d.composite, sg2d.eargb, - transX, transY, p2df, isfill); + try { + doShape((GDIWindowSurfaceData)sg2d.surfaceData, + sg2d.getCompClip(), sg2d.composite, sg2d.eargb, + transX, transY, p2df, isfill); + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } } // REMIND: This is just a hack to get WIDE lines to honor the 
@@ -239,7 +292,12 @@ // method that could be filled by the doShape method more quickly. public void doFillSpans(SunGraphics2D sg2d, SpanIterator si) { int box[] = new int[4]; - SurfaceData sd = sg2d.surfaceData; + GDIWindowSurfaceData sd; + try { + sd = (GDIWindowSurfaceData)sg2d.surfaceData; + } catch (ClassCastException e) { + throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData); + } Region clip = sg2d.getCompClip(); Composite comp = sg2d.composite; int eargb = sg2d.eargb; @@ -268,7 +326,7 @@ doShape(sg2d, s, true); } - public native void devCopyArea(SurfaceData sData, + public native void devCopyArea(GDIWindowSurfaceData sData, int srcx, int srcy, int dx, int dy, int w, int h); @@ -278,21 +336,21 @@ } public static class Tracer extends GDIRenderer { - void doDrawLine(SurfaceData sData, + void doDrawLine(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x1, int y1, int x2, int y2) { GraphicsPrimitive.tracePrimitive("GDIDrawLine"); super.doDrawLine(sData, clip, comp, color, x1, y1, x2, y2); } - void doDrawRect(SurfaceData sData, + void doDrawRect(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h) { GraphicsPrimitive.tracePrimitive("GDIDrawRect"); super.doDrawRect(sData, clip, comp, color, x, y, w, h); } - void doDrawRoundRect(SurfaceData sData, + void doDrawRoundRect(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h, int arcW, int arcH) 
@@ -301,14 +359,14 @@ super.doDrawRoundRect(sData, clip, comp, color, x, y, w, h, arcW, arcH); } - void doDrawOval(SurfaceData sData, + void doDrawOval(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h) { GraphicsPrimitive.tracePrimitive("GDIDrawOval"); super.doDrawOval(sData, clip, comp, color, x, y, w, h); } - void doDrawArc(SurfaceData sData, + void doDrawArc(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h, int angleStart, int angleExtent) @@ -317,7 +375,7 @@ super.doDrawArc(sData, clip, comp, color, x, y, w, h, angleStart, angleExtent); } - void doDrawPoly(SurfaceData sData, + void doDrawPoly(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int transx, int transy, int[] xpoints, int[] ypoints, @@ -327,14 +385,14 @@ super.doDrawPoly(sData, clip, comp, color, transx, transy, xpoints, ypoints, npoints, isclosed); } - void doFillRect(SurfaceData sData, + void doFillRect(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h) { GraphicsPrimitive.tracePrimitive("GDIFillRect"); super.doFillRect(sData, clip, comp, color, x, y, w, h); } - void doFillRoundRect(SurfaceData sData, + void doFillRoundRect(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h, int arcW, int arcH) @@ -343,14 +401,14 @@ super.doFillRoundRect(sData, clip, comp, color, x, y, w, h, arcW, arcH); } - void doFillOval(SurfaceData sData, + void doFillOval(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h) { GraphicsPrimitive.tracePrimitive("GDIFillOval"); super.doFillOval(sData, clip, comp, color, x, y, w, h); } - void doFillArc(SurfaceData sData, + void doFillArc(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int x, int y, int w, int h, int angleStart, int angleExtent) 
@@ -359,7 +417,7 @@ super.doFillArc(sData, clip, comp, color, x, y, w, h, angleStart, angleExtent); } - void doFillPoly(SurfaceData sData, + void doFillPoly(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int transx, int transy, int[] xpoints, int[] ypoints, @@ -369,7 +427,7 @@ super.doFillPoly(sData, clip, comp, color, transx, transy, xpoints, ypoints, npoints); } - void doShape(SurfaceData sData, + void doShape(GDIWindowSurfaceData sData, Region clip, Composite comp, int color, int transX, int transY, Path2D.Float p2df, boolean isfill) @@ -380,7 +438,7 @@ super.doShape(sData, clip, comp, color, transX, transY, p2df, isfill); } - public void devCopyArea(SurfaceData sData, + public void devCopyArea(GDIWindowSurfaceData sData, int srcx, int srcy, int dx, int dy, int w, int h) diff -r 836dfc08398e -r 16ba58282d11 jdk/src/windows/classes/sun/nio/ch/NativeThread.java --- a/jdk/src/windows/classes/sun/nio/ch/NativeThread.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/windows/classes/sun/nio/ch/NativeThread.java Wed Jul 05 18:03:56 2017 +0200 @@ -31,7 +31,11 @@ class NativeThread { - static long current() { return -1; } + static long current() { + // return 0 to ensure that async close of blocking sockets will close + // the underlying socket. + return 0; + } static void signal(long nt) { } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/windows/classes/sun/nio/ch/SocketDispatcher.java --- a/jdk/src/windows/classes/sun/nio/ch/SocketDispatcher.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/windows/classes/sun/nio/ch/SocketDispatcher.java Wed Jul 05 18:03:56 2017 +0200 @@ -55,10 +55,11 @@ return writev0(fd, address, len); } - void close(FileDescriptor fd) throws IOException { + void preClose(FileDescriptor fd) throws IOException { + preClose0(fd); } - void preClose(FileDescriptor fd) throws IOException { + void close(FileDescriptor fd) throws IOException { close0(fd); } 
@@ -75,5 +76,7 @@ static native long writev0(FileDescriptor fd, long address, int len) throws IOException; + static native void preClose0(FileDescriptor fd) throws IOException; + static native void close0(FileDescriptor fd) throws IOException; } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/windows/native/java/lang/java_props_md.c --- a/jdk/src/windows/native/java/lang/java_props_md.c Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/windows/native/java/lang/java_props_md.c Wed Jul 05 18:03:56 2017 +0200 @@ -31,6 +31,9 @@ #include #include +#include +#include + #include "locale_str.h" #include "java_props.h" @@ -123,6 +126,17 @@ return ret; } +static char* getConsoleEncoding() +{ + char* buf = malloc(16); + int cp = GetConsoleCP(); + if (cp >= 874 && cp <= 950) + sprintf(buf, "ms%d", cp); + else + sprintf(buf, "cp%d", cp); + return buf; +} + // Exported entries for AWT DllExport const char * getEncodingFromLangID(LANGID langID) @@ -562,6 +576,7 @@ { char * display_encoding; + HANDLE hStdOutErr; // Windows UI Language selection list only cares "language" // information of the UI Language. For example, the list @@ -606,6 +621,20 @@ sprops.encoding = "MS950_HKSCS"; sprops.sun_jnu_encoding = "MS950_HKSCS"; } + + hStdOutErr = GetStdHandle(STD_OUTPUT_HANDLE); + if (hStdOutErr != INVALID_HANDLE_VALUE && + GetFileType(hStdOutErr) == FILE_TYPE_CHAR) { + sprops.sun_stdout_encoding = getConsoleEncoding(); + } + hStdOutErr = GetStdHandle(STD_ERROR_HANDLE); + if (hStdOutErr != INVALID_HANDLE_VALUE && + GetFileType(hStdOutErr) == FILE_TYPE_CHAR) { + if (sprops.sun_stdout_encoding != NULL) + sprops.sun_stderr_encoding = sprops.sun_stdout_encoding; + else + sprops.sun_stderr_encoding = getConsoleEncoding(); + } } } diff -r 836dfc08398e -r 16ba58282d11 jdk/src/windows/native/sun/java2d/windows/GDIRenderer.cpp --- a/jdk/src/windows/native/sun/java2d/windows/GDIRenderer.cpp Wed Jul 05 18:03:21 2017 +0200 
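Review bot: `getConsoleEncoding()` in the `@@ -123,6 +126,17 @@` hunk writes into `buf` straight after `malloc(16)` without checking for NULL, so an allocation failure during property setup becomes a null-pointer write. Adding `if (buf == NULL) return NULL;` after the allocation is enough, because the System.c hunk in this changeset only publishes `sun.stdout.encoding` and `sun.stderr.encoding` when the pointer is non-NULL. Separately, `GetConsoleCP()` reports the console's input code page while the value is stored as the stdout/stderr encoding. Windows exposes the output code page through `GetConsoleOutputCP()`, so it is worth confirming which one is meant. A bounded formatter in place of `sprintf` would also make the 16-byte assumption explicit.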
+++ b/jdk/src/windows/native/sun/java2d/windows/GDIRenderer.cpp Wed Jul 05 18:03:56 2017 +0200 @@ -117,7 +117,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doDrawLine - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doDrawLine @@ -164,7 +164,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doDrawRect - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doDrawRect @@ -209,7 +209,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doDrawRoundRect - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doDrawRoundRect @@ -253,7 +253,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doDrawOval - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doDrawOval @@ -291,7 +291,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doDrawArc - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doDrawArc 
@@ -347,7 +347,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doDrawPoly - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;III[I[IIZ)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;III[I[IIZ)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doDrawPoly @@ -412,7 +412,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doFillRect - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doFillRect @@ -445,7 +445,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doFillRoundRect - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doFillRoundRect @@ -488,7 +488,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doFillOval - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doFillOval @@ -555,7 +555,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doFillArc - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doFillArc 
@@ -615,7 +615,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doFillPoly - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;III[I[II)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;III[I[II)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_doFillPoly @@ -680,7 +680,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: doShape - * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region; + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region; * Ljava/awt/Composite;IIILjava/awt/geom/Path2D.Float;Z)V */ JNIEXPORT void JNICALL @@ -863,7 +863,7 @@ /* * Class: sun_java2d_windows_GDIRenderer * Method: devCopyArea - * Signature: (Lsun/awt/windows/SurfaceData;IIIIII)V + * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;IIIIII)V */ JNIEXPORT void JNICALL Java_sun_java2d_windows_GDIRenderer_devCopyArea diff -r 836dfc08398e -r 16ba58282d11 jdk/src/windows/native/sun/nio/ch/SocketDispatcher.c --- a/jdk/src/windows/native/sun/nio/ch/SocketDispatcher.c Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/src/windows/native/sun/nio/ch/SocketDispatcher.c Wed Jul 05 18:03:56 2017 +0200 
@@ -238,23 +238,25 @@ } JNIEXPORT void JNICALL -Java_sun_nio_ch_SocketDispatcher_close0(JNIEnv *env, jclass clazz, - jobject fdo) +Java_sun_nio_ch_SocketDispatcher_preClose0(JNIEnv *env, jclass clazz, + jobject fdo) { jint fd = fdval(env, fdo); struct linger l; int len = sizeof(l); - - if (fd != -1) { - int result = 0; - if (getsockopt(fd, SOL_SOCKET, SO_LINGER, (char *)&l, &len) == 0) { - if (l.l_onoff == 0) { - WSASendDisconnect(fd, NULL); - } - } - result = closesocket(fd); - if (result == SOCKET_ERROR) { - JNU_ThrowIOExceptionWithLastError(env, "Socket close failed"); + if (getsockopt(fd, SOL_SOCKET, SO_LINGER, (char *)&l, &len) == 0) { + if (l.l_onoff == 0) { + WSASendDisconnect(fd, NULL); } } } + +JNIEXPORT void JNICALL +Java_sun_nio_ch_SocketDispatcher_close0(JNIEnv *env, jclass clazz, + jobject fdo) +{ + jint fd = fdval(env, fdo); + if (closesocket(fd) == SOCKET_ERROR) { + JNU_ThrowIOExceptionWithLastError(env, "Socket close failed"); + } +} diff -r 836dfc08398e -r 16ba58282d11 jdk/test/Makefile --- a/jdk/test/Makefile Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/test/Makefile Wed Jul 05 18:03:56 2017 +0200 @@ -432,14 +432,14 @@ javax/imageio javax/print sun/pisces) $(call RunOthervmBatch) -# Stable agentvm testruns (minus items from PROBLEM_LIST) +# Stable othervm testruns (minus items from PROBLEM_LIST) JDK_ALL_TARGETS += jdk_beans1 JDK_DEFAULT_TARGETS += jdk_beans1 jdk_beans1: $(call TestDirs, \ java/beans/beancontext java/beans/PropertyChangeSupport \ java/beans/Introspector java/beans/Performance \ java/beans/VetoableChangeSupport java/beans/Statement) - $(call RunAgentvmBatch) + $(call RunOthervmBatch) # Stable othervm testruns (minus items from PROBLEM_LIST) # Using agentvm has serious problems with these tests diff -r 836dfc08398e -r 16ba58282d11 jdk/test/ProblemList.txt --- a/jdk/test/ProblemList.txt Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/test/ProblemList.txt Wed Jul 05 18:03:56 2017 +0200 
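Review bot: Both new functions in SocketDispatcher.c lost the `if (fd != -1)` guard that the old `close0` had, so `preClose0` now calls `getsockopt` and `close0` calls `closesocket` on whatever `fdval` returns. If a caller can reach either one with an already-invalidated descriptor (not visible from here), `close0` now throws "Socket close failed" where it used to return silently. Restoring `if (fd == -1) return;` at the top of each function keeps the old contract. The result of `WSASendDisconnect` is still ignored, which deserves a one-line comment such as `/* best-effort graceful shutdown; failure is not reported */`.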
@@ -114,83 +114,10 @@ # jdk_awt -# None of the awt tests are using samevm, might not be worth the effort due -# to the vm overhead not being enough to make a difference. -# In general, the awt tests are problematic with or without samevm, and there -# are issues with using a Xvfb display. - -# Fails on solaris sparc, timedout? in othervm mode -java/awt/event/MouseEvent/AcceptExtraButton/AcceptExtraButton.java generic-all - -# Causes hang in samevm mode??? Solaris 11 i586 -java/awt/FullScreen/SetFSWindow/FSFrame.java generic-all - -# Fails on solaris 11 i586, -client, in othervm mode not sure why -java/awt/Component/PrintAllXcheckJNI/PrintAllXcheckJNI.java generic-all -java/awt/Focus/CloseDialogActivateOwnerTest/CloseDialogActivateOwnerTest.java generic-all -java/awt/FontClass/FontAccess.java generic-all -java/awt/Mixing/HWDisappear.java generic-all -java/awt/Mixing/MixingInHwPanel.java generic-all -java/awt/Mouse/MaximizedFrameTest/MaximizedFrameTest.html generic-all -java/awt/Robot/AcceptExtraMouseButtons/AcceptExtraMouseButtons.java generic-all -java/awt/Toolkit/SecurityTest/SecurityTest2.java generic-all -java/awt/image/mlib/MlibOpsTest.java generic-all - -# Fails on windows, othervm mode, various errors -java/awt/Focus/NonFocusableWindowTest/NonfocusableOwnerTest.java generic-all -java/awt/Focus/OwnedWindowFocusIMECrashTest/OwnedWindowFocusIMECrashTest.java generic-all -java/awt/FullScreen/NoResizeEventOnDMChangeTest/NoResizeEventOnDMChangeTest.java generic-all -java/awt/Mouse/MouseModifiersUnitTest/MouseModifiersUnitTest_Standard.java generic-all -java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html generic-all -java/awt/font/Threads/FontThread.java generic-all -java/awt/print/PrinterJob/PrtException.java generic-all - -# Fails with windows X64, othervm, -server -com/sun/awt/Translucency/WindowOpacity.java generic-all -java/awt/EventDispatchThread/HandleExceptionOnEDT/HandleExceptionOnEDT.java generic-all 
-java/awt/EventDispatchThread/LoopRobustness/LoopRobustness.html generic-all -java/awt/Focus/AppletInitialFocusTest/AppletInitialFocusTest1.html generic-all -java/awt/Focus/FocusEmbeddedFrameTest/FocusEmbeddedFrameTest.java generic-all -java/awt/Frame/LayoutOnMaximizeTest/LayoutOnMaximizeTest.java generic-all -java/awt/FullScreen/TranslucentWindow/TranslucentWindow.java generic-all -java/awt/Mixing/MixingOnShrinkingHWButton.java generic-all -java/awt/Mouse/MouseModifiersUnitTest/ExtraButtonDrag.java generic-all - ############################################################################ # jdk_beans -# A large set of the beans tests set the security manager, which would seem -# to indicate that a large number of them should be "othervm", yet are all -# very small tests and could greatly benefit from a samevm test run. -# So a large batch of beans tests are currently run with othervm mode. - -# Filed 6986807 -java/beans/Introspector/TestTypeResolver.java generic-all - -# Filed 6986813 -java/beans/Introspector/memory/Test4508780.java generic-all - -# Linux, some kind of problems with X11 display -java/beans/PropertyChangeSupport/Test4682386.java generic-all -java/beans/PropertyChangeSupport/TestSynchronization.java generic-all -java/beans/Statement/Test4653179.java generic-all - -# Runs REALLY slow on Solaris sparc for some reason, both -client and -server -java/beans/XMLEncoder/Test4625418.java solaris-sparc - -# Problems with samevm and setting security manager (speculation partially) -java/beans/Introspector/4168475/Test4168475.java generic-all -java/beans/Introspector/4520754/Test4520754.java generic-all -java/beans/Introspector/6380849/TestBeanInfo.java generic-all -java/beans/Introspector/Test4144543.java generic-all - -# Failed to call method solaris-sparc??? -java/beans/EventHandler/Test6788531.java generic-all - -# Jar or class not found??? 
-java/beans/XMLEncoder/6329581/Test6329581.java generic-all - ############################################################################ # jdk_lang @@ -211,6 +138,12 @@ # jdk_management +# 6959636 +javax/management/loading/LibraryLoader/LibraryLoaderTest.java windows-all + +# 7144846 +javax/management/remote/mandatory/connection/ReconnectTest.java generic-all + # 7073626 sun/management/jmxremote/bootstrap/RmiBootstrapTest.sh windows-all sun/management/jmxremote/bootstrap/RmiSslBootstrapTest.sh windows-all 
@@ -229,72 +162,6 @@ # Need to be marked othervm, or changed to be samevm safe com/sun/jndi/rmi/registry/RegistryContext/UnbindIdempotent.java generic-all -# Need to be marked othervm, or changed to be samevm safe -com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java generic-all - -# Solaris sparc and others, exception in initializer -javax/imageio/CachePremissionsTest/CachePermissionsTest.java generic-all - -# Leaves file rgba_* open, fails with windows samevm -javax/imageio/plugins/png/PngOutputTypeTest.java generic-all - -# Suspect test.png file is left open, windows samevm problems -javax/imageio/plugins/png/ITXtTest.java generic-all - -# Solaris sparc and others, failed to compile testcase -javax/imageio/metadata/DOML3Node.java generic-all - -# One of these tests is leaving file IMGP1001.JPG open, windows samevm -javax/imageio/plugins/jpeg/ConcurrentReadingTest.java generic-all -javax/imageio/plugins/jpeg/ReadingInterruptionTest.java generic-all - -# One of these files is missing a close on writer_* files, windows samevm -javax/imageio/plugins/jpeg/ConcurrentWritingTest.java generic-all -javax/imageio/plugins/jpeg/WritingInterruptionTest.java generic-all - -# Leaving file test.jpg open, windows samevm -javax/imageio/plugins/jpeg/ReadAsGrayTest.java generic-all - -# Missing close on file wbmp*, windows samevm -javax/imageio/plugins/wbmp/CanDecodeTest.java generic-all - -# Failures on OpenSolaris, cannot read input files? samevm issues? 
-javax/imageio/metadata/BooleanAttributes.java generic-all -javax/imageio/plugins/bmp/BMPSubsamplingTest.java generic-all -javax/imageio/plugins/bmp/TopDownTest.java generic-all -javax/imageio/plugins/gif/EncodeSubImageTest.java generic-all -javax/imageio/plugins/gif/GifTransparencyTest.java generic-all -javax/imageio/plugins/png/GrayPngTest.java generic-all -javax/imageio/plugins/png/ItxtUtf8Test.java generic-all -javax/imageio/plugins/png/MergeStdCommentTest.java generic-all -javax/imageio/plugins/png/ShortHistogramTest.java generic-all -javax/imageio/plugins/shared/BitDepth.java generic-all - -# Exclude all javax/print tests, even if they passed, they may need samevm work - -# Times out on solaris-sparc, sparcv9, x64 -server, some on i586 -client -javax/print/attribute/autosense/PrintAutoSenseData.java generic-all -javax/print/attribute/Chroma.java generic-all -javax/print/attribute/CollateAttr.java generic-all -javax/print/attribute/PSCopiesFlavorTest.java generic-all -javax/print/LookupServices.java generic-all -javax/print/TestRaceCond.java generic-all - -# These tests really require a printer (might all be windows only tests?) -javax/print/CheckDupFlavor.java generic-all -javax/print/PrintSE/PrintSE.sh generic-all -javax/print/attribute/ChromaticityValues.java generic-all -javax/print/attribute/GetCopiesSupported.java generic-all -javax/print/attribute/SidesPageRangesTest.java generic-all -javax/print/attribute/SupportedPrintableAreas.java generic-all -javax/print/attribute/AttributeTest.java generic-all - -# Only print test left, excluding just because all print tests have been -javax/print/attribute/MediaMappingsTest.java generic-all - -# Filed 7058852 -javax/sound/sampled/FileWriter/AlawEncoderSync.java generic-all - ############################################################################ # jdk_net 
@@ -317,6 +184,7 @@ # failing on vista 32/64 on nightly # 7102702 java/net/PortUnreachableException/OneExceptionOnly.java windows-all + ############################################################################ # jdk_io @@ -354,6 +222,12 @@ # jdk_security +# 7145024 +sun/security/ssl/com/sun/net/ssl/internal/ssl/GenSSLConfigs/main.java solaris-all + +# 7147060 +com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java generic-all + # Failing on Solaris i586, 3/9/2010, not a -samevm issue (jdk_security3) sun/security/pkcs11/Secmod/AddPrivateKey.java solaris-i586 sun/security/pkcs11/ec/ReadCertificates.java solaris-i586 @@ -409,21 +283,16 @@ ############################################################################ -# jdk_swing (not using samevm) +# jdk_sound -# Fails on solaris 11 i586, with othervm -javax/swing/JFileChooser/6570445/bug6570445.java generic-all -javax/swing/JFileChooser/6738668/bug6738668.java generic-all -javax/swing/JPopupMenu/6675802/bug6675802.java generic-all -javax/swing/system/6799345/TestShutdown.java generic-all +############################################################################ + +# jdk_swing ############################################################################ # jdk_text -# Linux x64 occasional errors, no details -java/text/Bidi/Bug6665028.java linux-x64 - ############################################################################ # jdk_tools @@ -452,7 +321,7 @@ # 7132203 sun/jvmstat/monitor/MonitoredVm/CR6672135.java generic-all -# Tests take too long +# Tests take too long, see 7143279 tools/pack200/CommandLineTests.java generic-all tools/pack200/Pack200Test.java generic-all diff -r 836dfc08398e -r 16ba58282d11 jdk/test/java/io/Serializable/expectedStackTrace/ExpectedStackTrace.java --- a/jdk/test/java/io/Serializable/expectedStackTrace/ExpectedStackTrace.java Wed Jul 05 18:03:21 2017 +0200 +++ b/jdk/test/java/io/Serializable/expectedStackTrace/ExpectedStackTrace.java Wed Jul 05 18:03:56 2017 +0200 
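Review bot: The two entries added under jdk_security in the `@@ -354,6 +222,12 @@` hunk carry only a bug number, so a reader of the list cannot tell why an SSL test and an XML security transforms test are switched off. `ClassLoaderTest.java` was previously listed with the reason `# Need to be marked othervm, or changed to be samevm safe`, which an earlier hunk of this file removes. If that is still the cause, keep it beside the id, e.g. `# 7147060: needs othervm or samevm-safe rework`. A short reason on `# 7145024` would likewise show whether the solaris-all exclusion is a harness problem or a product failure, which the diff does not reveal.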
@@ -22,7 +22,7 @@ */ /* @test - * @bug 6317435 + * @bug 6317435 7110700 * @summary Verify that stack trace contains a proper cause of * InvalidClassException (methods: checkSerialize, * checkDeserialize or checkDefaultSerialize) @@ -59,7 +59,7 @@ private static final String SER_METHOD_NAME = "checkSerializable"; public static final void main(String[] args) throws Exception { - System.err.println("\nRegression test for CR6317435"); + System.err.println("\nRegression test for CRs 6317435, 7110700"); checkSerializable(getObject()); } @@ -99,9 +99,12 @@ } } if (found) { + if (ex.getCause() != null) { + throw new Error("\nTest for CR 7110700 FAILED"); + } System.err.println("\nTEST PASSED"); } else { - throw new Error(); + throw new Error("\nTest for CR 6317435 FAILED"); } } } diff -r 836dfc08398e -r 16ba58282d11 jdk/test/java/lang/Math/ExactArithTests.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/java/lang/Math/ExactArithTests.java Wed Jul 05 18:03:56 2017 +0200 
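Review bot: Both `Error`s thrown in the `@@ -99,9 +99,12 @@` hunk drop the exception under inspection, so a failing run reports only the message and not the stack trace or cause the test was examining. Passing it along, as in `throw new Error("\nTest for CR 7110700 FAILED", ex);` and likewise for the 6317435 branch, keeps that evidence in the test log. The `@summary` could also state what the new check requires, namely that the caught exception has no cause. The enclosing method starts outside the hunk.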
@@ -0,0 +1,266 @@ +/* + * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.math.BigInteger; + +/** + * @test Test for Math.*Exact integer and long methods. + * @bug 6708398 + * @summary Basic tests for Math exact arithmetic operations. + * + * @author Roger Riggs + */ +public class ExactArithTests { + + /** + * The count of test errors. + */ + private static int errors = 0; + + /** + * @param args the command line arguments + */ + public static void main(String[] args) { + testIntegerExact(); + testLongExact(); + + if (errors > 0) { + throw new RuntimeException(errors + " errors found in ExactArithTests."); + } + } + + static void fail(String message) { + errors++; + System.err.println(message); + } + + /** + * Test Math.addExact, multiplyExact, subtractExact, toIntValue methods + * with {@code int} arguments. 
+ */ + static void testIntegerExact() { + testIntegerExact(0, 0); + testIntegerExact(1, 1); + testIntegerExact(1, -1); + testIntegerExact(-1, 1); + testIntegerExact(1000, 2000); + + testIntegerExact(Integer.MIN_VALUE, Integer.MIN_VALUE); + testIntegerExact(Integer.MAX_VALUE, Integer.MAX_VALUE); + testIntegerExact(Integer.MIN_VALUE, 1); + testIntegerExact(Integer.MAX_VALUE, 1); + testIntegerExact(Integer.MIN_VALUE, 2); + testIntegerExact(Integer.MAX_VALUE, 2); + testIntegerExact(Integer.MIN_VALUE, -1); + testIntegerExact(Integer.MAX_VALUE, -1); + testIntegerExact(Integer.MIN_VALUE, -2); + testIntegerExact(Integer.MAX_VALUE, -2); + + } + + /** + * Test exact arithmetic by comparing with the same operations using long + * and checking that the result is the same as the integer truncation. + * Errors are reported with {@link fail}. + * + * @param x first parameter + * @param y second parameter + */ + static void testIntegerExact(int x, int y) { + try { + // Test addExact + int sum = Math.addExact(x, y); + long sum2 = (long) x + (long) y; + if ((int) sum2 != sum2) { + fail("FAIL: int Math.addExact(" + x + " + " + y + ") = " + sum + "; expected Arithmetic exception"); + } else if (sum != sum2) { + fail("FAIL: long Math.addExact(" + x + " + " + y + ") = " + sum + "; expected: " + sum2); + } + } catch (ArithmeticException ex) { + long sum2 = (long) x + (long) y; + if ((int) sum2 == sum2) { + fail("FAIL: int Math.addExact(" + x + " + " + y + ")" + "; Unexpected exception: " + ex); + + } + } + + try { + // Test subtractExact + int diff = Math.subtractExact(x, y); + long diff2 = (long) x - (long) y; + if ((int) diff2 != diff2) { + fail("FAIL: int Math.subtractExact(" + x + " - " + y + ") = " + diff + "; expected: " + diff2); + } + + } catch (ArithmeticException ex) { + long diff2 = (long) x - (long) y; + if ((int) diff2 == diff2) { + fail("FAIL: int Math.subtractExact(" + x + " - " + y + ")" + "; Unexpected exception: " + ex); + } + } + + try { + // Test multiplyExact + int 
product = Math.multiplyExact(x, y); + long m2 = (long) x * (long) y; + if ((int) m2 != m2) { + fail("FAIL: int Math.multiplyExact(" + x + " * " + y + ") = " + product + "; expected: " + m2); + } + } catch (ArithmeticException ex) { + long m2 = (long) x * (long) y; + if ((int) m2 == m2) { + fail("FAIL: int Math.multiplyExact(" + x + " * " + y + ")" + "; Unexpected exception: " + ex); + } + } + + } + + /** + * Test Math.addExact, multiplyExact, subtractExact, toIntExact methods + * with {@code long} arguments. + */ + static void testLongExact() { + testLongExactTwice(0, 0); + testLongExactTwice(1, 1); + testLongExactTwice(1, -1); + testLongExactTwice(1000, 2000); + + testLongExactTwice(Long.MIN_VALUE, Long.MIN_VALUE); + testLongExactTwice(Long.MAX_VALUE, Long.MAX_VALUE); + testLongExactTwice(Long.MIN_VALUE, 1); + testLongExactTwice(Long.MAX_VALUE, 1); + testLongExactTwice(Long.MIN_VALUE, 2); + testLongExactTwice(Long.MAX_VALUE, 2); + testLongExactTwice(Long.MIN_VALUE, -1); + testLongExactTwice(Long.MAX_VALUE, -1); + testLongExactTwice(Long.MIN_VALUE, -2); + testLongExactTwice(Long.MAX_VALUE, -2); + testLongExactTwice(Long.MIN_VALUE/2, 2); + testLongExactTwice(Long.MAX_VALUE, 2); + testLongExactTwice(Integer.MAX_VALUE, Integer.MAX_VALUE); + testLongExactTwice(Integer.MAX_VALUE, -Integer.MAX_VALUE); + testLongExactTwice(Integer.MAX_VALUE+1, Integer.MAX_VALUE+1); + testLongExactTwice(Integer.MAX_VALUE+1, -Integer.MAX_VALUE+1); + testLongExactTwice(Integer.MIN_VALUE-1, Integer.MIN_VALUE-1); + testLongExactTwice(Integer.MIN_VALUE-1, -Integer.MIN_VALUE-1); + testLongExactTwice(Integer.MIN_VALUE/2, 2); + + } + + /** + * Test each of the exact operations with the arguments and + * with the arguments reversed. 
+ * @param x + * @param y + */ + static void testLongExactTwice(long x, long y) { + testLongExact(x, y); + testLongExact(y, x); + } + + + /** + * Test long exact arithmetic by comparing with the same operations using BigInteger + * and checking that the result is the same as the long truncation. + * Errors are reported with {@link fail}. + * + * @param x first parameter + * @param y second parameter + */ + static void testLongExact(long x, long y) { + BigInteger resultBig = null; + final BigInteger xBig = BigInteger.valueOf(x); + final BigInteger yBig = BigInteger.valueOf(y); + try { + // Test addExact + resultBig = xBig.add(yBig); + long sum = Math.addExact(x, y); + checkResult("long Math.addExact", x, y, sum, resultBig); + } catch (ArithmeticException ex) { + if (inLongRange(resultBig)) { + fail("FAIL: long Math.addExact(" + x + " + " + y + "); Unexpected exception: " + ex); + } + } + + try { + // Test subtractExact + resultBig = xBig.subtract(yBig); + long diff = Math.subtractExact(x, y); + checkResult("long Math.subtractExact", x, y, diff, resultBig); + } catch (ArithmeticException ex) { + if (inLongRange(resultBig)) { + fail("FAIL: long Math.subtractExact(" + x + " - " + y + ")" + "; Unexpected exception: " + ex); + } + } + + try { + // Test multiplyExact + resultBig = xBig.multiply(yBig); + long product = Math.multiplyExact(x, y); + checkResult("long Math.multiplyExact", x, y, product, resultBig); + } catch (ArithmeticException ex) { + if (inLongRange(resultBig)) { + fail("FAIL: long Math.multiplyExact(" + x + " * " + y + ")" + "; Unexpected exception: " + ex); + } + } + + try { + // Test toIntExact + int value = Math.toIntExact(x); + if ((long)value != x) { + fail("FAIL: " + "long Math.toIntExact" + "(" + x + ") = " + value + "; expected an arithmetic exception: "); + } + } catch (ArithmeticException ex) { + if (resultBig.bitLength() <= 32) { + fail("FAIL: long Math.toIntExact(" + x + ")" + "; Unexpected exception: " + ex); + } + } + + } + + /** + * Compare 
the expected and actual results. + * @param message message for the error + * @param x first argument + * @param y second argument + * @param result actual result value + * @param expected expected result value + */ + static void checkResult(String message, long x, long y, long result, BigInteger expected) { + BigInteger resultBig = BigInteger.valueOf(result); + if (!inLongRange(expected)) { + fail("FAIL: " + message + "(" + x + ", " + y + ") = " + result + "; expected an arithmetic exception: "); + } else if (!resultBig.equals(expected)) { + fail("FAIL: " + message + "(" + x + ", " + y + ") = " + result + "; expected " + expected); + } + } + + /** + * Check if the value fits in 64 bits (a long). + * @param value + * @return true if the value fits in 64 bits (including the sign). + */ + static boolean inLongRange(BigInteger value) { + return value.bitLength() <= 63; + } +} diff -r 836dfc08398e -r 16ba58282d11 jdk/test/java/lang/StrictMath/ExactArithTests.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/java/lang/StrictMath/ExactArithTests.java Wed Jul 05 18:03:56 2017 +0200 
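Review bot: The `catch` for `toIntExact` in `testLongExact(long, long)` tests `resultBig.bitLength() <= 32`, but `resultBig` still holds `xBig.multiply(yBig)` from the previous step and an `int` has at most 31 magnitude bits, so the check does not decide whether `x` itself fits in an `int`; `if (xBig.bitLength() <= 31)` does. In `testLongExact()` the arguments `Integer.MAX_VALUE+1` and `Integer.MIN_VALUE-1` are evaluated in `int` arithmetic and wrap before widening, so the values just outside the `int` range are never passed; `Integer.MAX_VALUE + 1L` and `Integer.MIN_VALUE - 1L` give the intended inputs. The `subtractExact` and `multiplyExact` branches of `testIntegerExact(int, int)` only detect a missing exception; adding `else if (diff != diff2)` and `else if (product != m2)` failures, as the `addExact` branch does, would also catch a wrong in-range result. The same three points apply to the `StrictMath` copy of this file added in the next hunk.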
@@ -0,0 +1,266 @@ +/* + * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.math.BigInteger; + +/** + * @test Test for StrictMath.*Exact integer and long methods. + * @bug 6708398 + * @summary Basic tests for StrictMath exact arithmetic operations. + * + * @author Roger Riggs + */ +public class ExactArithTests { + + /** + * The count of test errors. + */ + private static int errors = 0; + + /** + * @param args the command line arguments + */ + public static void main(String[] args) { + testIntegerExact(); + testLongExact(); + + if (errors > 0) { + throw new RuntimeException(errors + " errors found in ExactArithTests."); + } + } + + static void fail(String message) { + errors++; + System.err.println(message); + } + + /** + * Test StrictMath.addExact, multiplyExact, subtractExact, toIntValue methods + * with {@code int} arguments. 
+ */ + static void testIntegerExact() { + testIntegerExact(0, 0); + testIntegerExact(1, 1); + testIntegerExact(1, -1); + testIntegerExact(-1, 1); + testIntegerExact(1000, 2000); + + testIntegerExact(Integer.MIN_VALUE, Integer.MIN_VALUE); + testIntegerExact(Integer.MAX_VALUE, Integer.MAX_VALUE); + testIntegerExact(Integer.MIN_VALUE, 1); + testIntegerExact(Integer.MAX_VALUE, 1); + testIntegerExact(Integer.MIN_VALUE, 2); + testIntegerExact(Integer.MAX_VALUE, 2); + testIntegerExact(Integer.MIN_VALUE, -1); + testIntegerExact(Integer.MAX_VALUE, -1); + testIntegerExact(Integer.MIN_VALUE, -2); + testIntegerExact(Integer.MAX_VALUE, -2); + + } + + /** + * Test exact arithmetic by comparing with the same operations using long + * and checking that the result is the same as the integer truncation. + * Errors are reported with {@link fail}. + * + * @param x first parameter + * @param y second parameter + */ + static void testIntegerExact(int x, int y) { + try { + // Test addExact + int sum = StrictMath.addExact(x, y); + long sum2 = (long) x + (long) y; + if ((int) sum2 != sum2) { + fail("FAIL: int StrictMath.addExact(" + x + " + " + y + ") = " + sum + "; expected Arithmetic exception"); + } else if (sum != sum2) { + fail("FAIL: long StrictMath.addExact(" + x + " + " + y + ") = " + sum + "; expected: " + sum2); + } + } catch (ArithmeticException ex) { + long sum2 = (long) x + (long) y; + if ((int) sum2 == sum2) { + fail("FAIL: int StrictMath.addExact(" + x + " + " + y + ")" + "; Unexpected exception: " + ex); + + } + } + + try { + // Test subtractExact + int diff = StrictMath.subtractExact(x, y); + long diff2 = (long) x - (long) y; + if ((int) diff2 != diff2) { + fail("FAIL: int StrictMath.subtractExact(" + x + " - " + y + ") = " + diff + "; expected: " + diff2); + } + + } catch (ArithmeticException ex) { + long diff2 = (long) x - (long) y; + if ((int) diff2 == diff2) { + fail("FAIL: int StrictMath.subtractExact(" + x + " - " + y + ")" + "; Unexpected exception: " + ex); + } + } 
+ + try { + // Test multiplyExact + int product = StrictMath.multiplyExact(x, y); + long m2 = (long) x * (long) y; + if ((int) m2 != m2) { + fail("FAIL: int StrictMath.multiplyExact(" + x + " * " + y + ") = " + product + "; expected: " + m2); + } + } catch (ArithmeticException ex) { + long m2 = (long) x * (long) y; + if ((int) m2 == m2) { + fail("FAIL: int StrictMath.multiplyExact(" + x + " * " + y + ")" + "; Unexpected exception: " + ex); + } + } + + } + + /** + * Test StrictMath.addExact, multiplyExact, subtractExact, toIntExact methods + * with {@code long} arguments. + */ + static void testLongExact() { + testLongExactTwice(0, 0); + testLongExactTwice(1, 1); + testLongExactTwice(1, -1); + testLongExactTwice(1000, 2000); + + testLongExactTwice(Long.MIN_VALUE, Long.MIN_VALUE); + testLongExactTwice(Long.MAX_VALUE, Long.MAX_VALUE); + testLongExactTwice(Long.MIN_VALUE, 1); + testLongExactTwice(Long.MAX_VALUE, 1); + testLongExactTwice(Long.MIN_VALUE, 2); + testLongExactTwice(Long.MAX_VALUE, 2); + testLongExactTwice(Long.MIN_VALUE, -1); + testLongExactTwice(Long.MAX_VALUE, -1); + testLongExactTwice(Long.MIN_VALUE, -2); + testLongExactTwice(Long.MAX_VALUE, -2); + testLongExactTwice(Long.MIN_VALUE/2, 2); + testLongExactTwice(Long.MAX_VALUE, 2); + testLongExactTwice(Integer.MAX_VALUE, Integer.MAX_VALUE); + testLongExactTwice(Integer.MAX_VALUE, -Integer.MAX_VALUE); + testLongExactTwice(Integer.MAX_VALUE+1, Integer.MAX_VALUE+1); + testLongExactTwice(Integer.MAX_VALUE+1, -Integer.MAX_VALUE+1); + testLongExactTwice(Integer.MIN_VALUE-1, Integer.MIN_VALUE-1); + testLongExactTwice(Integer.MIN_VALUE-1, -Integer.MIN_VALUE-1); + testLongExactTwice(Integer.MIN_VALUE/2, 2); + + } + + /** + * Test each of the exact operations with the arguments and + * with the arguments reversed. 
+ * @param x + * @param y + */ + static void testLongExactTwice(long x, long y) { + testLongExact(x, y); + testLongExact(y, x); + } + + + /** + * Test long exact arithmetic by comparing with the same operations using BigInteger + * and checking that the result is the same as the long truncation. + * Errors are reported with {@link fail}. + * + * @param x first parameter + * @param y second parameter + */ + static void testLongExact(long x, long y) { + BigInteger resultBig = null; + final BigInteger xBig = BigInteger.valueOf(x); + final BigInteger yBig = BigInteger.valueOf(y); + try { + // Test addExact + resultBig = xBig.add(yBig); + long sum = StrictMath.addExact(x, y); + checkResult("long StrictMath.addExact", x, y, sum, resultBig); + } catch (ArithmeticException ex) { + if (inLongRange(resultBig)) { + fail("FAIL: long StrictMath.addExact(" + x + " + " + y + "); Unexpected exception: " + ex); + } + } + + try { + // Test subtractExact + resultBig = xBig.subtract(yBig); + long diff = StrictMath.subtractExact(x, y); + checkResult("long StrictMath.subtractExact", x, y, diff, resultBig); + } catch (ArithmeticException ex) { + if (inLongRange(resultBig)) { + fail("FAIL: long StrictMath.subtractExact(" + x + " - " + y + ")" + "; Unexpected exception: " + ex); + } + } + + try { + // Test multiplyExact + resultBig = xBig.multiply(yBig); + long product = StrictMath.multiplyExact(x, y); + checkResult("long StrictMath.multiplyExact", x, y, product, resultBig); + } catch (ArithmeticException ex) { + if (inLongRange(resultBig)) { + fail("FAIL: long StrictMath.multiplyExact(" + x + " * " + y + ")" + "; Unexpected exception: " + ex); + } + } + + try { + // Test toIntExact + int value = StrictMath.toIntExact(x); + if ((long)value != x) { + fail("FAIL: " + "long StrictMath.toIntExact" + "(" + x + ") = " + value + "; expected an arithmetic exception: "); + } + } catch (ArithmeticException ex) { + if (resultBig.bitLength() <= 32) { + fail("FAIL: long StrictMath.toIntExact(" + x + 
")" + "; Unexpected exception: " + ex); + } + } + + } + + /** + * Compare the expected and actual results. + * @param message message for the error + * @param x first argument + * @param y second argument + * @param result actual result value + * @param expected expected result value + */ + static void checkResult(String message, long x, long y, long result, BigInteger expected) { + BigInteger resultBig = BigInteger.valueOf(result); + if (!inLongRange(expected)) { + fail("FAIL: " + message + "(" + x + ", " + y + ") = " + result + "; expected an arithmetic exception: "); + } else if (!resultBig.equals(expected)) { + fail("FAIL: " + message + "(" + x + ", " + y + ") = " + result + "; expected " + expected); + } + } + + /** + * Check if the value fits in 64 bits (a long). + * @param value + * @return true if the value fits in 64 bits (including the sign). + */ + static boolean inLongRange(BigInteger value) { + return value.bitLength() <= 63; + } +} diff -r 836dfc08398e -r 16ba58282d11 jdk/test/javax/sound/sampled/DataLine/DataLine_ArrayIndexOutOfBounds.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/javax/sound/sampled/DataLine/DataLine_ArrayIndexOutOfBounds.java Wed Jul 05 18:03:56 2017 +0200 
@@ -0,0 +1,226 @@ +/** + * @test + * @bug 7088367 + * @summary SourceDataLine.write and TargetDataLine.read don't throw ArrayIndexOutOfBoundsException + * @author Alex Menkov + */ + +import javax.sound.sampled.AudioSystem; +import javax.sound.sampled.DataLine; +import javax.sound.sampled.Line; +import javax.sound.sampled.LineUnavailableException; +import javax.sound.sampled.Mixer; +import javax.sound.sampled.SourceDataLine; +import javax.sound.sampled.TargetDataLine; + +public class DataLine_ArrayIndexOutOfBounds { + + static int total = 0; + static int failed = 0; + + // shared buffer for all tests + static final byte[] buffer = new byte[5000000]; + + // the class describes different test scenarios (buffer properties) + static abstract class Scenario { + abstract int getBufferOffset(DataLine line); + abstract int getBufferLength(DataLine line); + } + + // scenarios to tests + static Scenario[] scenarios = new Scenario[]{ + new Scenario() { + public String toString() { + return "offset is near Integer.MAX_VALUE"; + } + public int getBufferOffset(DataLine line) { + return Integer.MAX_VALUE - 4096; + } + public int getBufferLength(DataLine line) { + return 65536; + } + }, + new Scenario() { + public String toString() { + return "offset is less than buffer.length, length is large"; + } + int getBufferOffset(DataLine line) { + return buffer.length / 10; + } + int getBufferLength(DataLine line) { + return Integer.MAX_VALUE - getBufferOffset(line) + 4096; + } + } + }; + + public static void main(String[] args) throws Exception { + Mixer.Info[] infos = AudioSystem.getMixerInfo(); + log("" + infos.length + " mixers detected"); + for (int i=0; i entries = new HashSet(); + + try (ByteArrayInputStream is = + new ByteArrayInputStream(targetCertStr.getBytes())) { + entries.add(cf.generateCertificate(is)); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(intermediateCertStr.getBytes())) { + entries.add(cf.generateCertificate(is)); + } + + try 
(ByteArrayInputStream is = + new ByteArrayInputStream(compromisedCertStr.getBytes())) { + entries.add(cf.generateCertificate(is)); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) { + entries.add(cf.generateCertificate(is)); + } + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + private static Set generateTrustAnchors() + throws CertificateException, IOException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + Certificate trustedCert = null; + try (ByteArrayInputStream is = + new ByteArrayInputStream(trustedCertStr.getBytes())) { + trustedCert = cf.generateCertificate(is); + } + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)trustedCert, null); + + return Collections.singleton(anchor); + } + + private static void build() throws Exception { + X509CertSelector selector = generateSelector(); + Set anchors = generateTrustAnchors(); + CertStore certs = generateCertificateStore(); + + PKIXBuilderParameters params = + new PKIXBuilderParameters(anchors, selector); + params.addCertStore(certs); + params.setRevocationEnabled(false); + params.setDate(new Date(111, 11, 25)); // 2011-12-25 + + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); + PKIXCertPathBuilderResult result = + (PKIXCertPathBuilderResult)builder.build(params); + } +} + diff -r 836dfc08398e -r 16ba58282d11 jdk/test/sun/security/provider/certpath/X509CertPath/ReverseBuildCompromised.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/sun/security/provider/certpath/X509CertPath/ReverseBuildCompromised.java Wed Jul 05 18:03:56 2017 +0200 
@@ -0,0 +1,315 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */ + +/* + * @test + * @bug 7123519 + * @summary Problem with java/classes_security + */ + +import java.net.*; +import java.util.*; +import java.io.*; +import javax.net.ssl.*; +import java.security.KeyStore; +import java.security.cert.*; +import java.security.spec.*; +import java.security.interfaces.*; +import sun.security.provider.certpath.SunCertPathBuilderParameters; + +public class ReverseBuildCompromised { + // DigiNotar Root CA, untrusted root certificate + static String trustedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1\n" + + "MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE\n" + + "ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j\n" + + "b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF\n" + + "bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg\n" + + "U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA\n" + + "A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/\n" + + "I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3\n" + + "wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC\n" + + "AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb\n" + + "oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5\n" + + "BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p\n" + + "dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk\n" + + "MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp\n" + + "b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu\n" + + "dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0\n" + + 
"MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi\n" + + "E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa\n" + + "MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI\n" + + "hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN\n" + + "95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd\n" + + "2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Root CA, untrusted cross-certificate + static String untrustedCrossCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" + + "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + + "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" + + "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" + + "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" + + "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" + + "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" + + "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" + + "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" + + "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" + + "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" + + "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" + + "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" + + "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" + + "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" + + 
"ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" + + "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" + + "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" + + "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" + + "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" + + "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" + + "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" + + "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" + + "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" + + "ZFdYf+hthc3m6IcJ\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Root CA, compromised certificate + static String compromisedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIFijCCA3KgAwIBAgIQDHbanJEMTiye/hXQWJM8TDANBgkqhkiG9w0BAQUFADBf\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" + + "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" + + "HhcNMDcwNTE2MTcxOTM2WhcNMjUwMzMxMTgxOTIxWjBfMQswCQYDVQQGEwJOTDES\n" + + "MBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdpTm90YXIgUm9vdCBDQTEg\n" + + "MB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmwwggIiMA0GCSqGSIb3DQEB\n" + + "AQUAA4ICDwAwggIKAoICAQCssFjBAL3YIQgLK5r+blYwBZ8bd5AQQVzDDYcRd46B\n" + + "8cp86Yxq7Th0Nbva3/m7wAk3tJZzgX0zGpg595NvlX89ubF1h7pRSOiLcD6VBMXY\n" + + "tsMW2YiwsYcdcNqGtA8Ui3rPENF0NqISe3eGSnnme98CEWilToauNFibJBN4ViIl\n" + + "HgGLS1Fx+4LMWZZpiFpoU8W5DQI3y0u8ZkqQfioLBQftFl9VkHXYRskbg+IIvvEj\n" + + "zJkd1ioPgyAVWCeCLvriIsJJsbkBgWqdbZ1Ad2h2TiEqbYRAhU52mXyC8/O3AlnU\n" + + "JgEbjt+tUwbRrhjd4rI6y9eIOI6sWym5GdOY+RgDz0iChmYLG2kPyes4iHomGgVM\n" + + "ktck1JbyrFIto0fVUvY//s6EBnCmqj6i8rZWNBhXouSBbefK8GrTx5FrAoNBfBXv\n" + + "a5pkXuPQPOWx63tdhvvL5ndJzaNl3Pe5nLjkC1+Tz8wwGjIczhxjlaX56uF0i57p\n" + + "K6kwe6AYHw4YC+VbqdPRbB4HZ4+RS6mKvNJmqpMBiLKR+jFc1abBUggJzQpjotMi\n" + + "puih2TkGl/VujQKQjBR7P4DNG5y6xFhyI6+2Vp/GekIzKQc/gsnmHwUNzUwoNovT\n" 
+ + "yD4cxojvXu6JZOkd69qJfjKmadHdzIif0dDJZiHcBmfFlHqabWJMfczgZICynkeO\n" + + "owIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" + + "HQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wDQYJKoZIhvcNAQEFBQADggIBADsC\n" + + "jcs8MOhuoK3yc7NfniUTBAXT9uOLuwt5zlPe5JbF0a9zvNXD0EBVfEB/zRtfCdXy\n" + + "fJ9oHbtdzno5wozWmHvFg1Wo1X1AyuAe94leY12hE8JdiraKfADzI8PthV9xdvBo\n" + + "Y6pFITlIYXg23PFDk9Qlx/KAZeFTAnVR/Ho67zerhChXDNjU1JlWbOOi/lmEtDHo\n" + + "M/hklJRRl6s5xUvt2t2AC298KQ3EjopyDedTFLJgQT2EkTFoPSdE2+Xe9PpjRchM\n" + + "Ppj1P0G6Tss3DbpmmPHdy59c91Q2gmssvBNhl0L4eLvMyKKfyvBovWsdst+Nbwed\n" + + "2o5nx0ceyrm/KkKRt2NTZvFCo+H0Wk1Ya7XkpDOtXHAd3ODy63MUkZoDweoAZbwH\n" + + "/M8SESIsrqC9OuCiKthZ6SnTGDWkrBFfGbW1G/8iSlzGeuQX7yCpp/Q/rYqnmgQl\n" + + "nQ7KN+ZQ/YxCKQSa7LnPS3K94gg2ryMvYuXKAdNw23yCIywWMQzGNgeQerEfZ1jE\n" + + "O1hZibCMjFCz2IbLaKPECudpSyDOwR5WS5WpI2jYMNjD67BVUc3l/Su49bsRn1NU\n" + + "9jQZjHkJNsphFyUXC4KYcwx3dMPVDceoEkzHp1RxRy4sGn3J4ys7SN4nhKdjNrN9\n" + + "j6BkOSQNPXuHr2ZcdBtLc7LljPCGmbjlxd+Ewbfr\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Public CA 2025, intermediate certificate + static String intermediateCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" + + "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" + + "HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES\n" + + "MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB\n" + + "IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq\n" + + "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72\n" + + "Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA\n" + + "SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU\n" + + "Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s\n" + + "xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad\n" + + 
"6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB\n" + + "sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh\n" + + "dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM\n" + + "100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB\n" + + "AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv\n" + + "Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv\n" + + "dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv\n" + + "IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0\n" + + "hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM\n" + + "LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV\n" + + "+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ\n" + + "ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE\n" + + "wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4\n" + + "a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC\n" + + "4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr\n" + + "asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG\n" + + "yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ\n" + + "Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G\n" + + "fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC\n" + + "hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY\n" + + "MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1\n" + + "hOiR4IX9Tg==\n" + + "-----END CERTIFICATE-----"; + + // The fraudulent certificate issued by above compromised CA + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp\n" + + "Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v\n" + + 
"dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE\n" + + "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp\n" + + "ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j\n" + + "b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS\n" + + "CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q\n" + + "7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD\n" + + "ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x\n" + + "OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8\n" + + "vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2\n" + + "EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0\n" + + "dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43\n" + + "/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH\n" + + "aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u\n" + + "bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u\n" + + "IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg\n" + + "dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8\n" + + "oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s\n" + + "YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn\n" + + "b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG\n" + + "9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH\n" + + "UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB\n" + + "pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM\n" + + "FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum\n" + + "U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK\n" + + "baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==\n" + + "-----END CERTIFICATE-----"; + + public static void main(String args[]) throws Exception { + + Exception reservedException = null; + try { + build(); + } catch (CertPathBuilderException cpbe) { + 
reservedException = cpbe; + } + + if (reservedException == null) { + throw new Exception("Unable to block fraudulent certificate"); + } + + System.out.println( + "The expected untrusted cert exception: " + reservedException); + } + + private static X509CertSelector generateSelector() throws Exception { + + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + X509Certificate target = null; + try (ByteArrayInputStream is = + new ByteArrayInputStream(targetCertStr.getBytes())) { + target = (X509Certificate)cf.generateCertificate(is); + } + + X509CertSelector selector = new X509CertSelector(); + selector.setCertificate(target); + selector.setSubject(target.getSubjectX500Principal()); + + return selector; + } + + + private static CertStore generateCertificateStore() throws Exception { + + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + // generate certification path + Set entries = new HashSet(); + + try (ByteArrayInputStream is = + new ByteArrayInputStream(targetCertStr.getBytes())) { + entries.add(cf.generateCertificate(is)); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(intermediateCertStr.getBytes())) { + entries.add(cf.generateCertificate(is)); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(compromisedCertStr.getBytes())) { + entries.add(cf.generateCertificate(is)); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) { + entries.add(cf.generateCertificate(is)); + } + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + private static Set generateTrustAnchors() + throws CertificateException, IOException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + Certificate trustedCert = null; + try (ByteArrayInputStream is = + new 
ByteArrayInputStream(trustedCertStr.getBytes())) { + trustedCert = cf.generateCertificate(is); + } + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)trustedCert, null); + + return Collections.singleton(anchor); + } + + private static void build() throws Exception { + X509CertSelector selector = generateSelector(); + Set anchors = generateTrustAnchors(); + CertStore certs = generateCertificateStore(); + + SunCertPathBuilderParameters params = + new SunCertPathBuilderParameters(anchors, selector); + params.setBuildForward(false); + params.addCertStore(certs); + params.setRevocationEnabled(false); + params.setDate(new Date(111, 11, 25)); // 2011-12-25 + + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); + PKIXCertPathBuilderResult result = + (PKIXCertPathBuilderResult)builder.build(params); + } +} + diff -r 836dfc08398e -r 16ba58282d11 jdk/test/sun/security/provider/certpath/X509CertPath/ValidateCompromised.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/sun/security/provider/certpath/X509CertPath/ValidateCompromised.java Wed Jul 05 18:03:56 2017 +0200 
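Review bot: `main` treats any `CertPathBuilderException` thrown by `build()` as proof that the fraudulent certificate was blocked, so the test also passes when path building fails for an unrelated reason (an expired fixture, a rejected algorithm, a badly assembled cert store). A regression test for a distrust mechanism should pin the reason in the catch block, for example `if (!cpbe.toString().contains(EXPECTED_REASON)) throw cpbe;`, where `EXPECTED_REASON` is a placeholder for the message the untrusted-certificate check is expected to produce. A positive control that runs the same parameters against a chain that is not distrusted would additionally show that the fixture builds at all. The same catch-all pattern appears in `ValidateCompromised.main` with `CertPathValidatorException`.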
@@ -0,0 +1,297 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */ + +/* + * @test + * @bug 7123519 + * @summary Problem with java/classes_security + */ + +import java.net.*; +import java.util.*; +import java.io.*; +import javax.net.ssl.*; +import java.security.KeyStore; +import java.security.cert.*; +import java.security.spec.*; +import java.security.interfaces.*; + +public class ValidateCompromised { + // DigiNotar Root CA, untrusted root certificate + static String trustedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1\n" + + "MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE\n" + + "ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j\n" + + "b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF\n" + + "bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg\n" + + "U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA\n" + + "A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/\n" + + "I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3\n" + + "wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC\n" + + "AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb\n" + + "oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5\n" + + "BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p\n" + + "dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk\n" + + "MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp\n" + + "b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu\n" + + "dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0\n" + + "MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi\n" + + 
"E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa\n" + + "MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI\n" + + "hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN\n" + + "95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd\n" + + "2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Root CA, untrusted cross-certificate + static String untrustedCrossCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" + + "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + + "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" + + "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" + + "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" + + "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" + + "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" + + "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" + + "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" + + "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" + + "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" + + "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" + + "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" + + "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" + + "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" + + "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" + + 
"BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" + + "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" + + "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" + + "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" + + "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" + + "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" + + "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" + + "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" + + "ZFdYf+hthc3m6IcJ\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Root CA, compromised certificate + static String compromisedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIFijCCA3KgAwIBAgIQDHbanJEMTiye/hXQWJM8TDANBgkqhkiG9w0BAQUFADBf\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" + + "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" + + "HhcNMDcwNTE2MTcxOTM2WhcNMjUwMzMxMTgxOTIxWjBfMQswCQYDVQQGEwJOTDES\n" + + "MBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdpTm90YXIgUm9vdCBDQTEg\n" + + "MB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmwwggIiMA0GCSqGSIb3DQEB\n" + + "AQUAA4ICDwAwggIKAoICAQCssFjBAL3YIQgLK5r+blYwBZ8bd5AQQVzDDYcRd46B\n" + + "8cp86Yxq7Th0Nbva3/m7wAk3tJZzgX0zGpg595NvlX89ubF1h7pRSOiLcD6VBMXY\n" + + "tsMW2YiwsYcdcNqGtA8Ui3rPENF0NqISe3eGSnnme98CEWilToauNFibJBN4ViIl\n" + + "HgGLS1Fx+4LMWZZpiFpoU8W5DQI3y0u8ZkqQfioLBQftFl9VkHXYRskbg+IIvvEj\n" + + "zJkd1ioPgyAVWCeCLvriIsJJsbkBgWqdbZ1Ad2h2TiEqbYRAhU52mXyC8/O3AlnU\n" + + "JgEbjt+tUwbRrhjd4rI6y9eIOI6sWym5GdOY+RgDz0iChmYLG2kPyes4iHomGgVM\n" + + "ktck1JbyrFIto0fVUvY//s6EBnCmqj6i8rZWNBhXouSBbefK8GrTx5FrAoNBfBXv\n" + + "a5pkXuPQPOWx63tdhvvL5ndJzaNl3Pe5nLjkC1+Tz8wwGjIczhxjlaX56uF0i57p\n" + + "K6kwe6AYHw4YC+VbqdPRbB4HZ4+RS6mKvNJmqpMBiLKR+jFc1abBUggJzQpjotMi\n" + + "puih2TkGl/VujQKQjBR7P4DNG5y6xFhyI6+2Vp/GekIzKQc/gsnmHwUNzUwoNovT\n" + + "yD4cxojvXu6JZOkd69qJfjKmadHdzIif0dDJZiHcBmfFlHqabWJMfczgZICynkeO\n" 
+ + "owIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" + + "HQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wDQYJKoZIhvcNAQEFBQADggIBADsC\n" + + "jcs8MOhuoK3yc7NfniUTBAXT9uOLuwt5zlPe5JbF0a9zvNXD0EBVfEB/zRtfCdXy\n" + + "fJ9oHbtdzno5wozWmHvFg1Wo1X1AyuAe94leY12hE8JdiraKfADzI8PthV9xdvBo\n" + + "Y6pFITlIYXg23PFDk9Qlx/KAZeFTAnVR/Ho67zerhChXDNjU1JlWbOOi/lmEtDHo\n" + + "M/hklJRRl6s5xUvt2t2AC298KQ3EjopyDedTFLJgQT2EkTFoPSdE2+Xe9PpjRchM\n" + + "Ppj1P0G6Tss3DbpmmPHdy59c91Q2gmssvBNhl0L4eLvMyKKfyvBovWsdst+Nbwed\n" + + "2o5nx0ceyrm/KkKRt2NTZvFCo+H0Wk1Ya7XkpDOtXHAd3ODy63MUkZoDweoAZbwH\n" + + "/M8SESIsrqC9OuCiKthZ6SnTGDWkrBFfGbW1G/8iSlzGeuQX7yCpp/Q/rYqnmgQl\n" + + "nQ7KN+ZQ/YxCKQSa7LnPS3K94gg2ryMvYuXKAdNw23yCIywWMQzGNgeQerEfZ1jE\n" + + "O1hZibCMjFCz2IbLaKPECudpSyDOwR5WS5WpI2jYMNjD67BVUc3l/Su49bsRn1NU\n" + + "9jQZjHkJNsphFyUXC4KYcwx3dMPVDceoEkzHp1RxRy4sGn3J4ys7SN4nhKdjNrN9\n" + + "j6BkOSQNPXuHr2ZcdBtLc7LljPCGmbjlxd+Ewbfr\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Public CA 2025, intermediate certificate + static String intermediateCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" + + "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" + + "HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES\n" + + "MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB\n" + + "IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq\n" + + "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72\n" + + "Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA\n" + + "SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU\n" + + "Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s\n" + + "xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad\n" + + "6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB\n" + + 
"sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh\n" + + "dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM\n" + + "100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB\n" + + "AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv\n" + + "Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv\n" + + "dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv\n" + + "IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0\n" + + "hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM\n" + + "LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV\n" + + "+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ\n" + + "ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE\n" + + "wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4\n" + + "a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC\n" + + "4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr\n" + + "asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG\n" + + "yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ\n" + + "Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G\n" + + "fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC\n" + + "hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY\n" + + "MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1\n" + + "hOiR4IX9Tg==\n" + + "-----END CERTIFICATE-----"; + + // The fraudulent certificate issued by above compromised CA + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp\n" + + "Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v\n" + + "dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE\n" + + 
"BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp\n" + + "ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j\n" + + "b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS\n" + + "CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q\n" + + "7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD\n" + + "ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x\n" + + "OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8\n" + + "vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2\n" + + "EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0\n" + + "dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43\n" + + "/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH\n" + + "aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u\n" + + "bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u\n" + + "IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg\n" + + "dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8\n" + + "oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s\n" + + "YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn\n" + + "b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG\n" + + "9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH\n" + + "UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB\n" + + "pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM\n" + + "FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum\n" + + "U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK\n" + + "baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==\n" + + "-----END CERTIFICATE-----"; + + public static void main(String args[]) throws Exception { + + Exception reservedException = null; + try { + validate(); + } catch (CertPathValidatorException cpve) { + reservedException = cpve; + } + + if (reservedException == null) { + 
throw new Exception("Unable to block fraudulent certificate"); + } + + System.out.println( + "The expected untrusted cert exception: " + reservedException); + } + + private static CertPath generateCertificatePath() + throws CertificateException, IOException { + + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + // generate certification path + List list = new ArrayList(); + + try (ByteArrayInputStream is = + new ByteArrayInputStream(targetCertStr.getBytes())) { + list.add(cf.generateCertificate(is)); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(intermediateCertStr.getBytes())) { + list.add(cf.generateCertificate(is)); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(compromisedCertStr.getBytes())) { + list.add(cf.generateCertificate(is)); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) { + list.add(cf.generateCertificate(is)); + } + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException, IOException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + Certificate trustedCert = null; + try (ByteArrayInputStream is = + new ByteArrayInputStream(trustedCertStr.getBytes())) { + trustedCert = cf.generateCertificate(is); + } + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)trustedCert, null); + + return Collections.singleton(anchor); + } + + private static void validate() + throws CertPathValidatorException, Exception { + + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + + PKIXParameters params = new PKIXParameters(anchors); + + // disable certificate revocation checking + params.setRevocationEnabled(false); + + // set the validation time + params.setDate(new Date(111, 11, 25)); // 2011-12-25 + + CertPathValidator 
validator = CertPathValidator.getInstance("PKIX"); + + validator.validate(path, params); + } +} + diff -r 836dfc08398e -r 16ba58282d11 jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ComodoHacker.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ComodoHacker.java Wed Jul 05 18:03:56 2017 +0200 
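Review bot: The comment `// DigiNotar Root CA, untrusted root certificate` above `trustedCertStr` does not match how the value is used: `generateTrustAnchors()` turns it into the only `TrustAnchor`, and the names embedded in the PEM appear to be Entrust.net Secure Server Certification Authority rather than DigiNotar. This matters for reading the test, because the scenario being checked is a chain that ends at a still-trusted root and must be rejected only because a distrusted CA sits in the middle of it. After confirming the subject, I would reword the comment to `// Entrust.net root (cross-signer of DigiNotar Root CA), used as the trust anchor`. The identical comment in `ReverseBuildCompromised.java` needs the same change.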
@@ -0,0 +1,305 @@ +/* + * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. 
+ */ + +/* + * @test + * @bug 7123519 + * @summary Problem with java/classes_security + * @run main/othervm ComodoHacker PKIX + * @run main/othervm ComodoHacker SunX509 + */ + +import java.net.*; +import java.util.*; +import java.io.*; +import javax.net.ssl.*; +import java.security.KeyStore; +import java.security.cert.Certificate; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.security.cert.CertificateException; +import java.security.spec.*; +import java.security.interfaces.*; + +public class ComodoHacker { + // DigiNotar Root CA, untrusted root certificate + static String trustedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1\n" + + "MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE\n" + + "ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j\n" + + "b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF\n" + + "bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg\n" + + "U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA\n" + + "A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/\n" + + "I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3\n" + + "wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC\n" + + "AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb\n" + + "oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5\n" + + "BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p\n" + + "dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk\n" + + 
"MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp\n" + + "b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu\n" + + "dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0\n" + + "MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi\n" + + "E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa\n" + + "MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI\n" + + "hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN\n" + + "95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd\n" + + "2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Root CA, untrusted cross-certificate + static String untrustedCrossCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + + "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + + "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + + "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + + "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" + + "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + + "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" + + "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" + + "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" + + "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" + + "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" + + "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" + + "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" + + "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" + + "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" + + "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" + + 
"DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" + + "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" + + "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" + + "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" + + "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" + + "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" + + "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" + + "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" + + "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" + + "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" + + "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" + + "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" + + "ZFdYf+hthc3m6IcJ\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Root CA, compromised certificate + static String compromisedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIFijCCA3KgAwIBAgIQDHbanJEMTiye/hXQWJM8TDANBgkqhkiG9w0BAQUFADBf\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" + + "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" + + "HhcNMDcwNTE2MTcxOTM2WhcNMjUwMzMxMTgxOTIxWjBfMQswCQYDVQQGEwJOTDES\n" + + "MBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdpTm90YXIgUm9vdCBDQTEg\n" + + "MB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmwwggIiMA0GCSqGSIb3DQEB\n" + + "AQUAA4ICDwAwggIKAoICAQCssFjBAL3YIQgLK5r+blYwBZ8bd5AQQVzDDYcRd46B\n" + + "8cp86Yxq7Th0Nbva3/m7wAk3tJZzgX0zGpg595NvlX89ubF1h7pRSOiLcD6VBMXY\n" + + "tsMW2YiwsYcdcNqGtA8Ui3rPENF0NqISe3eGSnnme98CEWilToauNFibJBN4ViIl\n" + + "HgGLS1Fx+4LMWZZpiFpoU8W5DQI3y0u8ZkqQfioLBQftFl9VkHXYRskbg+IIvvEj\n" + + "zJkd1ioPgyAVWCeCLvriIsJJsbkBgWqdbZ1Ad2h2TiEqbYRAhU52mXyC8/O3AlnU\n" + + "JgEbjt+tUwbRrhjd4rI6y9eIOI6sWym5GdOY+RgDz0iChmYLG2kPyes4iHomGgVM\n" + + "ktck1JbyrFIto0fVUvY//s6EBnCmqj6i8rZWNBhXouSBbefK8GrTx5FrAoNBfBXv\n" 
+ + "a5pkXuPQPOWx63tdhvvL5ndJzaNl3Pe5nLjkC1+Tz8wwGjIczhxjlaX56uF0i57p\n" + + "K6kwe6AYHw4YC+VbqdPRbB4HZ4+RS6mKvNJmqpMBiLKR+jFc1abBUggJzQpjotMi\n" + + "puih2TkGl/VujQKQjBR7P4DNG5y6xFhyI6+2Vp/GekIzKQc/gsnmHwUNzUwoNovT\n" + + "yD4cxojvXu6JZOkd69qJfjKmadHdzIif0dDJZiHcBmfFlHqabWJMfczgZICynkeO\n" + + "owIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" + + "HQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wDQYJKoZIhvcNAQEFBQADggIBADsC\n" + + "jcs8MOhuoK3yc7NfniUTBAXT9uOLuwt5zlPe5JbF0a9zvNXD0EBVfEB/zRtfCdXy\n" + + "fJ9oHbtdzno5wozWmHvFg1Wo1X1AyuAe94leY12hE8JdiraKfADzI8PthV9xdvBo\n" + + "Y6pFITlIYXg23PFDk9Qlx/KAZeFTAnVR/Ho67zerhChXDNjU1JlWbOOi/lmEtDHo\n" + + "M/hklJRRl6s5xUvt2t2AC298KQ3EjopyDedTFLJgQT2EkTFoPSdE2+Xe9PpjRchM\n" + + "Ppj1P0G6Tss3DbpmmPHdy59c91Q2gmssvBNhl0L4eLvMyKKfyvBovWsdst+Nbwed\n" + + "2o5nx0ceyrm/KkKRt2NTZvFCo+H0Wk1Ya7XkpDOtXHAd3ODy63MUkZoDweoAZbwH\n" + + "/M8SESIsrqC9OuCiKthZ6SnTGDWkrBFfGbW1G/8iSlzGeuQX7yCpp/Q/rYqnmgQl\n" + + "nQ7KN+ZQ/YxCKQSa7LnPS3K94gg2ryMvYuXKAdNw23yCIywWMQzGNgeQerEfZ1jE\n" + + "O1hZibCMjFCz2IbLaKPECudpSyDOwR5WS5WpI2jYMNjD67BVUc3l/Su49bsRn1NU\n" + + "9jQZjHkJNsphFyUXC4KYcwx3dMPVDceoEkzHp1RxRy4sGn3J4ys7SN4nhKdjNrN9\n" + + "j6BkOSQNPXuHr2ZcdBtLc7LljPCGmbjlxd+Ewbfr\n" + + "-----END CERTIFICATE-----"; + + // DigiNotar Public CA 2025, intermediate certificate + static String intermediateCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" + + "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" + + "HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES\n" + + "MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB\n" + + "IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq\n" + + "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72\n" + + "Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA\n" + + 
"SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU\n" + + "Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s\n" + + "xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad\n" + + "6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB\n" + + "sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh\n" + + "dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM\n" + + "100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB\n" + + "AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv\n" + + "Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv\n" + + "dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv\n" + + "IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0\n" + + "hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM\n" + + "LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV\n" + + "+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ\n" + + "ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE\n" + + "wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4\n" + + "a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC\n" + + "4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr\n" + + "asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG\n" + + "yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ\n" + + "Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G\n" + + "fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC\n" + + "hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY\n" + + "MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1\n" + + "hOiR4IX9Tg==\n" + + "-----END CERTIFICATE-----"; + + // The fraudulent certificate issued by above compromised CA + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + 
"MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm\n" + + "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp\n" + + "Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v\n" + + "dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE\n" + + "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp\n" + + "ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j\n" + + "b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS\n" + + "CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q\n" + + "7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD\n" + + "ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x\n" + + "OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8\n" + + "vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2\n" + + "EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0\n" + + "dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43\n" + + "/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH\n" + + "aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u\n" + + "bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u\n" + + "IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg\n" + + "dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8\n" + + "oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s\n" + + "YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn\n" + + "b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG\n" + + "9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH\n" + + "UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB\n" + + "pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM\n" + + "FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum\n" + + "U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK\n" + + 
"baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==\n" + + "-----END CERTIFICATE-----"; + + private static String tmAlgorithm; // trust manager + + public static void main(String args[]) throws Exception { + // Get the customized arguments. + parseArguments(args); + + X509TrustManager tm = getTrustManager(); + X509Certificate[] chain = getFraudulentChain(); + + Exception reservedException = null; + try { + tm.checkClientTrusted(chain, "RSA"); + } catch (CertificateException ce) { + reservedException = ce; + } + + if (reservedException == null) { + throw new Exception("Unable to block fraudulent certificate"); + } + + reservedException = null; + try { + tm.checkServerTrusted(chain, "RSA"); + } catch (CertificateException ce) { + reservedException = ce; + } + + if (reservedException == null) { + throw new Exception("Unable to block fraudulent certificate"); + } + + System.out.println( + "The expected untrusted cert exception: " + reservedException); + } + + private static void parseArguments(String[] args) { + tmAlgorithm = args[0]; + } + + private static X509TrustManager getTrustManager() throws Exception { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + // create a key store + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, null); + + // import the trusted cert + try (ByteArrayInputStream is = + new ByteArrayInputStream(trustedCertStr.getBytes())) { + Certificate trustedCert = cf.generateCertificate(is); + ks.setCertificateEntry("RSA Export Signer", trustedCert); + } + + // create the trust manager + TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm); + tmf.init(ks); + + return (X509TrustManager)tmf.getTrustManagers()[0]; + } + + private static X509Certificate[] getFraudulentChain() throws Exception { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + X509Certificate[] chain = new X509Certificate[4]; + try 
(ByteArrayInputStream is = + new ByteArrayInputStream(targetCertStr.getBytes())) { + chain[0] = (X509Certificate)cf.generateCertificate(is); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(intermediateCertStr.getBytes())) { + chain[1] = (X509Certificate)cf.generateCertificate(is); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(compromisedCertStr.getBytes())) { + chain[2] = (X509Certificate)cf.generateCertificate(is); + } + + try (ByteArrayInputStream is = + new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) { + chain[3] = (X509Certificate)cf.generateCertificate(is); + } + + return chain; + } +} + diff -r 836dfc08398e -r 16ba58282d11 langtools/.hgtags --- a/langtools/.hgtags Wed Jul 05 18:03:21 2017 +0200 +++ b/langtools/.hgtags Wed Jul 05 18:03:56 2017 +0200 @@ -148,3 +148,4 @@ 6c9d21ca92c41ff5fcfa76c5b7fafe0f042f4aef jdk8-b24 520c30f85bb529a3daf5d7623764c2464f00fd19 jdk8-b25 b556aa8a99c358469861770aebdce884e06fa178 jdk8-b26 +be456f9c64e818161c789252145d4ddc292ae863 jdk8-b27
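Review bot: In `ComodoHacker.main`, both `checkClientTrusted` and `checkServerTrusted` treat any `CertificateException` as proof that the fraudulent chain was blocked, so a rejection for an unrelated reason would let this regression test pass without the untrusted-certificate check firing. Expiry of the embedded certificates is the likely case: the trust manager presumably validates at the current time, whereas the CertPath test earlier in this changeset pins it with `params.setDate(new Date(111, 11, 25))`. The test should confirm why the chain was rejected, for example by walking `getCause()` and failing when the chain contains a `CertificateExpiredException` or `CertificateNotYetValidException`, and it should report the client-side exception as well instead of overwriting `reservedException`. Separately, the comment on `trustedCertStr` reads `// DigiNotar Root CA, untrusted root certificate`, which contradicts its use as the only key-store entry in `getTrustManager`; a comment such as `// trust anchor: root CA that issued the DigiNotar cross-certificate` would match the code, assuming that is what the certificate is.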